
I have a topic here: http://www.techspot.com/vb/topic165862.html

The computer in question had pci.sys file rootkited.

That was cured by TDSSKiller and re-confirmed by 2nd TDSSKiller run.

Little bit later, the user ran MBAM, which removed pci.sys file, making the computer unbootable.

Eventually, I was able to replace the file and the computer is fine, but....what happened?


  • Staff

I got the file from the post.

I scanned it on VT:

http://www.virustotal.com/file-scan/report.html?id=222920f3d16d61b2d42c062d860c33b535c1b3049b0c5ebb40fd53e534bee736-1306977711

Looks like it was still present there. This file in the quarantine was definitely TDSS.

Can you get the scan log?

Anyways, we worked around it for now so it won't kill any more systems.


  • Staff

Read the post some more:

2011/05/31 17:04:33.0703 3744 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 1e575703eead3ddf0ead9ba6324e9d01, Fake md5: a219903ccf74233761d92bef471a07b1

2011/05/31 17:04:35.0984 3744 Backup copy not found, trying to cure infected file..

2011/05/31 17:04:35.0984 3744 Cure success, using it..

2011/05/31 17:04:36.0031 3744 C:\WINDOWS\system32\DRIVERS\pci.sys - will be cured after reboot

Seems TDSSKiller, if it can't find a backup, just disables it but leaves the TDSS part inside the file.

If you notice the VT report, you will see there is no version info = TDSS code replaces this.

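The triage rule the staff reply arrives at (a file that TDSSKiller reports as "Forged" and then cures without a backup copy should be treated as still needing replacement from a known-good source, not as clean) can be turned into a small log check. The script below is an added example, not code from the thread, from TDSSKiller or from Malwarebytes. It parses the four log lines quoted above (embedded as a constructed sample), correlates them per file into one record, and reports whether the cure was done in place. The `ForgedFile` class, the regexes and the `needs_clean_replacement` rule are assumptions about the log layout shown in the post, not a documented TDSSKiller format; `file_md5` is there so the replaced file can be checked against a hash from a trusted copy.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the TDSSKiller lines quoted in the thread, verbatim.
SAMPLE_LOG = r"""
2011/05/31 17:04:33.0703 3744 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 1e575703eead3ddf0ead9ba6324e9d01, Fake md5: a219903ccf74233761d92bef471a07b1
2011/05/31 17:04:35.0984 3744 Backup copy not found, trying to cure infected file..
2011/05/31 17:04:35.0984 3744 Cure success, using it..
2011/05/31 17:04:36.0031 3744 C:\WINDOWS\system32\DRIVERS\pci.sys - will be cured after reboot
"""

# Assumed patterns, derived only from the lines above.
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
)
PENDING_RE = re.compile(r"\d+ (?P<path>[A-Za-z]:\\.+?) - will be cured after reboot")


@dataclass
class ForgedFile:
    """One file the scanner flagged as forged, with the follow-up events."""
    path: str
    real_md5: str          # hash of the bytes actually on disk
    fake_md5: str          # hash the rootkit presents for the same path
    backup_found: Optional[bool] = None   # None = log never said
    cured: bool = False
    pending_reboot: bool = False

    def needs_clean_replacement(self) -> bool:
        # Cure without a backup copy patches the infected file in place.
        # Per the thread, injected code can survive that, so the file must
        # still be replaced from a known-good source (and re-hashed).
        return self.cured and self.backup_found is False


def parse_tdsskiller_log(text: str) -> List[ForgedFile]:
    """Correlate scanner lines into per-file records.

    The 'Backup copy' and 'Cure success' lines carry no path, so they are
    attributed to the most recent 'Forged' entry (sequence-based correlation).
    """
    entries: List[ForgedFile] = []
    current: Optional[ForgedFile] = None
    for line in text.splitlines():
        m = FORGED_RE.search(line)
        if m:
            current = ForgedFile(m["path"], m["real"], m["fake"])
            entries.append(current)
            continue
        if current is None:
            continue
        if "Backup copy not found" in line:
            current.backup_found = False
        elif "Cure success" in line:
            current.cured = True
        else:
            m = PENDING_RE.search(line)
            if m and m["path"].lower() == current.path.lower():
                current.pending_reboot = True
    return entries


def triage(entries: List[ForgedFile]) -> List[str]:
    """Human-readable verdict per forged file."""
    out = []
    for e in entries:
        state = "cured in place, NO backup -> replace from clean media" \
            if e.needs_clean_replacement() else "restored from backup"
        reboot = " (pending reboot)" if e.pending_reboot else ""
        out.append(f"{e.path}: real={e.real_md5} fake={e.fake_md5}; {state}{reboot}")
    return out


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def file_md5(path: str) -> str:
    """Hash a replaced driver so it can be compared with a trusted copy's hash."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for line in triage(parse_tdsskiller_log(SAMPLE_LOG)):
        print(line)
```

Run as-is, it prints one verdict for pci.sys: cured in place with no backup, pending reboot, so replace from clean media. The real/fake hash pair is the forgery indicator; after replacing the driver, compare `file_md5()` of the new file against the hash of the same file from a trusted installation, not against either hash in the log.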
