Archive for the 'Driver' Category

What is svc.exe, How to remove svc.exe

Sunday, July 25th, 2010

svc.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: svc
Filename: svc.exe
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetLog
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETLOG

Command: %WinDir%\svc.exe
Startup Type: Driver
DDS/Combofix/RSIT Line:

R3 NetLog;NetLog;c:\windows\svc.exe

Description: trojan also known as Suspicious.MH690 [Symantec], New Malware.n [McAfee], Mal/EncPk-BW, Mal/EncPk-BW [Sophos], Trojan-Banker.Win32.Banker [Ikarus], Packed/Upack [AhnLab], packed with UPack [Kaspersky Lab]
Notes: installed with l84alx.exe, msgciutr.dll, wmiprves

How to remove: use the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, then copy and paste the following text into the “Paste Instructions for Items to be Moved” window (under the yellow bar):

:services
NetLog

:reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"tcyz46"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"tghlig"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"wmiprves"=-

:files
C:\WINDOWS\system32\msgciutr.dll

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is klmdb.sys, How to remove klmdb.sys

Thursday, May 20th, 2010

klmdb.sys is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: klmdb
Filename: klmdb.sys
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys

Command: C:\WINDOWS\system32\drivers\klmdb.sys
Startup Type: Driver
Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]
S4 klmdb;klmdb; C:\WINDOWS\system32\drivers\klmdb.sys [2010-05-14 36488]

Description: trojan-rootkit

How to remove: use Malwarebytes' Anti-Malware plus the Kaspersky Virus Removal Tool, or follow the manual instructions below.

Download Avenger from here and unzip it to your desktop. Run Avenger, then copy and paste the following text into the Input script box:

Drivers to delete:
klmdb

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys

Files to delete:
C:\WINDOWS\system32\drivers\klmdb.sys

Then click on ‘Execute’.

What is PRAGMAd.sys, How to remove PRAGMAd.sys

Tuesday, April 13th, 2010

PRAGMAd.sys is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: PRAGMAd
Filename: PRAGMAd.sys
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PRAGMA{random}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PRAGMAd.sys

Command:

C:\WINDOWS\system32\drivers\PRAGMA{random}.sys
C:\WINDOWS\PRAGMArchxnseqxn\PRAGMAd.sys

Startup Type: hidden driver
RootRepeal shows infection:

Hidden Services
——————-
Service Name: PRAGMAd.sys
Image Path C:\WINDOWS\system32\drivers\PRAGMAewxhsvitbd.sys

Service Name: PRAGMArchxnseqxn
Image Path C:\WINDOWS\PRAGMArchxnseqxn\PRAGMAd.sys

GMER shows infection:

Service system32\drivers\PRAGMAewxhsvitbd.sys (*** hidden *** ) [SYSTEM] PRAGMAd.sys <-- ROOTKIT !!!
Service C:\WINDOWS\PRAGMArchxnseqxn\PRAGMAd.sys (*** hidden *** ) [SYSTEM] PRAGMArchxnseqxn <-- ROOTKIT !!!

Description: new variant of TDSS trojan

How to remove: use these TDSS trojan removal instructions.

What is _VOIDd.sys, How to remove _VOIDd.sys

Thursday, March 4th, 2010

_VOIDd.sys is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: _VOID[random]
Filename: _VOID[random].sys
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\_VOIDd.sys

Command: %WinDir%\system32\drivers\_VOID[random].sys
Startup Type: Hidden driver
RootRepeal log line:

Service Name: _VOIDd.sys
Image Path: C:\WINDOWS\system32\drivers\_VOIDaabmetnqbf.sys

Description: variant of TDSS trojan

How to remove: use the TDSS trojan removal instructions.

What is ndisdrv.sys, How to remove ndisdrv.sys

Sunday, January 10th, 2010

ndisdrv.sys is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: ndisdrv
Filename: ndisdrv.sys
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NDISDRV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ndisdrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISDRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndisdrv

Command: c:\windows\system32\ndisdrv.sys
Startup Type: Driver
DDS/Combofix/RSIT Line:

S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]

Description: trojan-rootkit also known as Mal/Rootkit-Q [Sophos]

How to remove:

Download OTM by OldTimer from here
Run OTM.
Copy, then paste the following text into the “Paste Instructions for Items to be Moved” window (under the yellow bar):

:services
ndisdrv

:files
c:\windows\system32\ndisdrv.sys

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. When the tool is finished, it will produce a report for you.
Download and run Malwarebytes' Anti-Malware.

What is H8SRT.sys, How to remove H8SRT.sys

Thursday, December 24th, 2009

H8SRT.sys is a harmful driver.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Driver name: H8SRT.sys
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\H8SRTd.sys

Command: C:\WINDOWS\system32\drivers\H8SRT[random].sys
Startup Type: Driver
Description: trojan-rootkit also known as Rootkit.TDSS.

How to remove: use these H8SRT trojan removal instructions.

What is tdidis32.sys, How to remove tdidis32.sys

Friday, November 13th, 2009

tdidis32.sys is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: tdidis32
Filename: tdidis32.sys
Command: C:\WINDOWS\system32\tdidis32.sys
Startup Type: driver
Combofix/RSIT Line:

S1 tdidis32.sys;tdidis32.sys; \??\C:\WINDOWS\system32\tdidis32.sys []

Description: trojan agent also known as Rootkit.Win32.Pakes

How to remove: use SUPERAntiSpyware

fio32.sys is a trojan

Tuesday, September 29th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: fio32
Filename: fio32.sys
Command: C:\Windows\system32\drivers\fio32.sys
Startup Type: Driver
Combofix/RSIT Line:

R1 fio32;fio32; \??\C:\Windows\system32\drivers\fio32.sys [2009-09-23 37632]

Description: trojan installed by the Koobface worm

How to remove: use Malwarebytes' Anti-Malware

NDISRD.sys is a trojan

Monday, September 28th, 2009

NDISRD.sys is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: NDISRD
Filename: NDISRD.sys
Registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NDISRD

Command: C:\WINDOWS\system32\drivers\NDISRD.sys
Startup Type: Driver
Combofix/RSIT Line:

S1 NDISRD;NDISRD; C:\WINDOWS\system32\drivers\NDISRD.sys [2009-06-22 24576]

Description: trojan also known as TrojanDownloader; it is installed together with the Alpha Antivirus rogue antispyware program

How to remove: use these Alpha Antivirus removal instructions

dwshd.sys is the trojan Win32.Agent

Sunday, September 20th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: dwshd
Filename: dwshd.sys
Command: C:\WINDOWS\System32\drivers\dwshd.sys
Startup Type: Driver
Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dwshd.sys]
S4 dwshd;dwshd; C:\WINDOWS\System32\drivers\dwshd.sys []

Description: trojan also known as trojan.Win32Agent.

How to remove: use Kaspersky virus removal tool