Archive for the 'Rootkit' Category

What is ndisdrv.sys, How to remove ndisdrv.sys

Sunday, January 10th, 2010

ndisdrv.sys is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: ndisdrv
Filename: ndisdrv.sys
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NDISDRV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ndisdrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISDRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndisdrv

Command: c:\windows\system32\ndisdrv.sys
Startup Type: Driver
DDS/Combofix/RSIT Line:

S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys –> c:\windows\system32\ndisdrv.sys [?]

Description: trojan-rootkit also known as Mal/Rootkit-Q [Sophos]

How to remove:

Download OTM by OldTimer from here
Run OTM.
Copy, then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:services
ndisdrv

:files
c:\windows\system32\ndisdrv.sys

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. When the tool is finished, it will produce a report for you.
Download and run Malwarebytes` Anti-malware

What is H8SRT.sys, How to remove H8SRT.sys

Thursday, December 24th, 2009

H8SRT.sys is a harmful driver.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Driver name: H8SRT.sys
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\H8SRTd.sys

Command: C:\WINDOWS\system32\drivers\H8SRT[random].sys
Startup Type: Driver
Description: trojan-rootkit also known as Rootkit.TDSS.

How to remove: use these H8SRT trojan removal instructions.

Msqpdxserv.sys is trojan W32.Tidserv

Saturday, May 2nd, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: Msqpdxserv
Filename: Msqpdxserv.sys
Registry key:

HKEY_LOCAL_MACHINE\System\Controlset001\Enum\legacy_msqpdxserv.sys

Startup Type: hidden driver
Description: Trojan msqpdxserv.sys blocks user access to security websites, web pages have a “VIMAX” ad, Google, Yahoo, MSN search results redirect you to other non related sites. Also trojan msqpdxserv.sys trojan changes the DNS server to 85.255.115.x or 85.255.112.x

How to remove: use these instructions How to remove msqpdxserv.sys trojan

TDSSserv.sys is trojan TDSSserv

Tuesday, April 28th, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: TDSSserv
Filename: TDSSserv.sys
Registry key:

HKEY_LOCAL_MACHINE\System\Controlset001\Enum\legacy_TDSSserv.sys

Startup Type: Hidden driver
Description: TDSSserv.sys is Trojan.TDSSserv also known as Trojan Backdoor.Tidserv that uses rootkit-specific techniques designed to hide itself.

How to remove: use the instructions How to remove trojan TDSSserv (TDSSserv.sys), clbdriver.sys and seneka.sys

UACd.sys is a trojan

Sunday, April 26th, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: UACd
Filename: UACd.sys
Registry key:

HKEY_LOCAL_MACHINE\System\Controlset001\Enum\legacy_UACd.sys

Startup Type: hidden driver
Description: trojan that uses rootkit-specific techniques designed to hide itself.
How to remove: use the instruction How to remove windowsclick.com redirect [UACd.sys trojan]

gaopdxserv.sys is a trojan, variant of TDSSserv trojan

Sunday, April 26th, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: gaopdxserv
Filename: gaopdxserv.sys
Registry key:

HKEY_LOCAL_MACHINE\System\Controlset001\Enum\legacy_gaopdxserv.sys

Startup Type: hidden driver
Description:variant of TDSSserv trojan (uses rootkit-specific techniques designed to hide the software presence in the system.)

How to remove: use the instruction How to remove Google searches redirect/vimax ads [gaopdxserv.sys trojan]

gxvxcserv.sys is a troajn w32.Tidserv

Saturday, April 25th, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: gxvxcserv
Registry key:

HKEY_LOCAL_MACHINE\System\Controlset001\Enum\legacy_gxvxcserv.sys
HKEY_LOCAL_MACHINE\System\Controlset003\Enum\legacy_gxvxcserv.sys
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gxvxcserv.sys

Command: command
Startup Type: Hidden driver
Description: troajn w32.Tidserv. The trojan uses rootkit techniques designed to hide the software presence in the system.

How to remove: use the instructions How to remove gxvxcserv.sys trojan (Google redirect virus)

gaopdxqltiqmuy.sys is a rootkit/trojan

Sunday, February 8th, 2009

This is an harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: gaopdxqltiqmuy
Filename: gaopdxqltiqmuy.sys
Command: c:\windows\system32\drivers\gaopdxqltiqmuy.sys
Startup Type: Hidden driver
Description: Rootkit/trojan component

How to remove: How to remove trojan TDSSserv (TDSSserv.sys), clbdriver.sys and seneka.sys

tcpsr.sys

Sunday, January 18th, 2009

This is an harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: tcpsr
Filename: tcpsr.sys
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr
Command: C:\WINDOWS\System32\drivers\tcpsr.sys
Startup Type: services
RSIT/Combofix log line: S3 tcpsr;tcpsr; \??\C:\WINDOWS\System32\drivers\tcpsr.sys []
Description: Rootkit.MailGrab also known as TROJ_PANDEX.CHL, looks here

How to remove: Use SDFix free trojan remover tool