pcidump.sys is a filename that has recently appeared in several infections by a Trojan horse with the following characteristics:
1) Creates a startup entry
2) Downloads other harmful files from the internet
3) Creates more files on the computer
4) Modifies the Hosts file
5) Modifies acpiec.sys in the %System%\drivers folder
This article provides detection and removal instructions. All the tools mentioned in this article are freeware.
Aliases: Antivirus vendors use several other names for this threat; they are listed in the ThreatExpert reports referenced in this article.
Delete Files: The file itself is found at %System%\drivers\pcidump.sys. The Trojan adds other files as well, and these differ between variants (one ThreatExpert report per variant):
1) C:\WINDOWS\update.dll, %Temp%\318125.txt, %System%\killkb.dll; modifies %System%\drivers\acpiec.sys
2) %System%\WinHelp32.exe
3) %Windir%\ravcopy.exe
4) %Windir%\domlaun.exe
5) %Temp%\175765.txt, %Windir%\update.dll, %System%\killkb.dll; modifies %System%\drivers\acpiec.sys (a kernel-mode driver); modifies the Hosts file
6) %System%\updater.exe
Note that acpiec.sys is a legitimate Windows driver that the Trojan overwrites, so do not simply delete it; restore it with System File Checker as described below.
If your computer has pcidump.sys but none of the files above, search the ThreatExpert reports for additional files. %System% refers to the System folder: by default C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000) or C:\Windows\System32 (Windows XP and Vista). %Temp% is C:\Documents and Settings\[UserName]\Local Settings\Temp (Windows NT/2000/XP). %Windir% is C:\Windows or C:\Winnt.
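The following is an added example, not code from the original article or from ThreatExpert. It expands the %System%, %Temp% and %Windir% placeholders used in the file list above into concrete paths and reports which of the listed files are actually present, with size, modification time and SHA-256 so they can be submitted to a scanner. The placeholder table is the article's own definition for Windows NT/2000 and XP; the version labels "nt2000" and "xp", the user-name argument and the use of the SystemRoot and TEMP environment variables for a live run are this example's assumptions.

```python
# Added example for this article (not code from the original page or from
# ThreatExpert): expand the article's %System%, %Temp% and %Windir%
# placeholders and sweep for the files it lists. Version names "nt2000"/"xp",
# the user name argument and the environment-variable fallback are assumptions.
import hashlib
import os
from datetime import datetime

# Files the article lists as dropped by the different variants.
INDICATORS = [
    r"%System%\drivers\pcidump.sys",
    r"C:\WINDOWS\update.dll",
    r"%Temp%\318125.txt",
    r"%System%\killkb.dll",
    r"%System%\WinHelp32.exe",
    r"%Windir%\ravcopy.exe",
    r"%Windir%\domlaun.exe",
    r"%Temp%\175765.txt",
    r"%Windir%\update.dll",
    r"%System%\updater.exe",
]
# Legitimate Windows driver the Trojan overwrites: report it, do not delete it;
# the article's System File Checker step restores it.
MODIFIED_SYSTEM_FILES = [r"%System%\drivers\acpiec.sys"]


def placeholders_for(version, username):
    """Placeholder table exactly as the article defines it, for 'nt2000' or 'xp'."""
    if version == "nt2000":
        windir, system = r"C:\Winnt", r"C:\Winnt\System32"
    elif version == "xp":
        windir, system = r"C:\Windows", r"C:\Windows\System32"
    else:
        raise ValueError(f"unsupported version: {version!r}")
    temp = "\\".join([r"C:\Documents and Settings", username, r"Local Settings\Temp"])
    return {"%System%": system, "%Windir%": windir, "%Temp%": temp}


def live_placeholders():
    """Same table taken from the running Windows session (assumption: the script
    is run on the suspect machine, so its real SystemRoot and TEMP are used)."""
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    return {
        "%System%": windir + r"\System32",
        "%Windir%": windir,
        "%Temp%": os.environ.get("TEMP", windir + r"\Temp"),
    }


def expand(path, table):
    """Replace a leading placeholder (case-insensitive; the article also writes
    %system%) with its directory. Paths without a placeholder pass through."""
    for key, value in table.items():
        if path[: len(key)].lower() == key.lower():
            return value + path[len(key):]
    return path


def sha256_of(path):
    """Hash a file in chunks so large droppers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(paths, table):
    """Return (expanded_path, size, mtime, sha256) for every listed file that exists."""
    found = []
    for indicator in paths:
        full = expand(indicator, table)
        if os.path.isfile(full):
            info = os.stat(full)
            stamp = datetime.fromtimestamp(info.st_mtime).isoformat(timespec="seconds")
            found.append((full, info.st_size, stamp, sha256_of(full)))
    return found


if __name__ == "__main__":
    table = live_placeholders()
    for label, paths in (("dropped", INDICATORS), ("modified system", MODIFIED_SYSTEM_FILES)):
        for full, size, stamp, digest in sweep(paths, table):
            print(f"{label}: {full}  {size} bytes  modified {stamp}  sha256 {digest}")
```

Run it from a normal command prompt before booting into safe mode: the modification times tell you when the infection happened, and the hashes let you match the files against the ThreatExpert reports without relying on the filename alone.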
View Hidden Files: Before you can delete pcidump.sys and its associated files you need to find them, and before that you need to make hidden files and folders visible. In Windows Explorer open Tools > Folder Options > View, select "Show hidden files and folders" and untick "Hide protected operating system files", since several of the files above sit in system folders.
Boot in safe mode: Sometimes you will not be able to delete a file even after you find it, because it is in use. In that case restart, press F8 during boot to choose Safe Mode, and try to delete the file(s) again.
End Process in the Task Manager: If you find pcidump.sys running in the Task Manager, select it and press the End Process button; Windows will not delete a file that is in use, so stopping it first lets you delete it from the hard disk. Note that a .sys file is a kernel-mode driver rather than a process, so pcidump.sys itself will not normally appear in the process list; look instead for the executables named in the Delete Files section (WinHelp32.exe, ravcopy.exe, domlaun.exe, updater.exe) and end those.
Remove entry from Windows Startup: Open the System Configuration Utility (Start > Run, type msconfig), look at the Startup tab and untick any entry for pcidump.sys or for the files listed in the Delete Files section.
Unable to open Task Manager: If the Trojan has disabled the Task Manager, free tools are available that re-enable it.
Run CCleaner: Even after you find and delete pcidump.sys and its associated files, registry entries pointing to them will remain. CCleaner, a free temporary-file and registry cleaner, removes registry entries that refer to files which no longer exist, which takes care of most of the leftovers from the infection.
Block the sites: Protect yourself with a standalone firewall and check its logs for outbound connections you do not recognise. The Trojan communicates with one of the following sites: dzstream.com and atentomultiservices.com. Block these two domains in the firewall, or map them to 127.0.0.1 in the Hosts file so the machine cannot reach them. Keep in mind that a firewall log usually records destination IP addresses rather than names.
Run system file chekcer: Windows has a built in tool called system file checker. It scans the computer to see if any of the windows system files are corrupt/missing and replaces them with a good copy. you should run this tool so that it will replace the modified system file. Click here to read more...
|
Hosts file modification: This malware adds entries to the Hosts file that map host names to IP addresses, so requests for those legitimate sites are redirected to a malicious IP address. The actual modifications are shown in the ThreatExpert report. The easiest fix is to open the Hosts file at C:\Windows\System32\drivers\etc\hosts in Notepad (on Vista run Notepad as Administrator, otherwise it cannot be saved). If the contents have changed, delete every entry except the default "127.0.0.1 localhost" (Vista also ships "::1 localhost"), then save and close the file.
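The following is an added example, not code from the original article or from ThreatExpert, covering both the "Block the sites" and "Hosts file modification" steps above. It parses a Hosts file, reports every host name that has been redirected to another address (the hijack the article describes) and every name that has merely been sent to loopback, and produces the cleaned contents the article asks for: only the default localhost lines, plus 127.0.0.1 entries for the two domains the Trojan contacts so the machine can no longer reach them. SAMPLE_HOSTS is constructed for illustration (203.0.113.0/24 is a documentation address range, not a real attacker), and the path constant and the classification names are this example's own.

```python
# Added example for this article (not code from the original page or from
# ThreatExpert): audit and rewrite the Hosts file. SAMPLE_HOSTS is constructed;
# HOSTS_PATH is the location the article gives.
import ipaddress

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
# Windows ships only these mappings; the ::1 line exists from Vista on.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Domains the article says the Trojan communicates with.
BLOCK_DOMAINS = ["dzstream.com", "atentomultiservices.com"]

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed lines imitating the redirection the article describes
203.0.113.45    www.google.com
203.0.113.45    www.bing.com   search.yahoo.com
127.0.0.1       update.microsoft.com
0.0.0.0         www.symantec.com
this is not a mapping
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for each mapping. Comments, blank and
    malformed lines are skipped, as the Windows resolver skips them too."""
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            address = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        for name in parts[1:]:          # one line may list several names
            entries.append((address, name.lower(), number))
    return entries


def audit(text):
    """Classify every mapping: 'default' (shipped by Windows), 'block' (a name
    sent to loopback or 0.0.0.0, i.e. made unreachable, which this kind of
    malware does to update sites) or 'redirect' (a name sent to some other
    address, the hijack the article warns about)."""
    report = {"default": [], "block": [], "redirect": []}
    for address, name, number in parse_hosts(text):
        ip = ipaddress.ip_address(address)
        if (address, name) in DEFAULT_ENTRIES:
            report["default"].append((address, name, number))
        elif ip.is_loopback or ip.is_unspecified:
            report["block"].append((address, name, number))
        else:
            report["redirect"].append((address, name, number))
    return report


def cleaned_hosts(text):
    """Contents to write back: 127.0.0.1 localhost always, ::1 localhost only
    if this Windows version had it, then blackholes for the Trojan's domains."""
    present = {(address, name) for address, name, _ in parse_hosts(text)}
    lines = ["# Hosts file rewritten after pcidump.sys cleanup", "127.0.0.1\tlocalhost"]
    if ("::1", "localhost") in present:
        lines.append("::1\tlocalhost")
    for domain in BLOCK_DOMAINS:
        lines.append(f"127.0.0.1\t{domain}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # On the infected machine: read HOSTS_PATH instead of SAMPLE_HOSTS, review
    # the report, then write cleaned_hosts(...) back while running as Administrator.
    result = audit(SAMPLE_HOSTS)
    for address, name, number in result["redirect"]:
        print(f"line {number}: {name} redirected to {address}")
    for address, name, number in result["block"]:
        print(f"line {number}: {name} blocked via {address}")
    print(cleaned_hosts(SAMPLE_HOSTS), end="")
```

The redirect list is the useful evidence: the address the legitimate names were pointed at is the attacker's server, and it belongs in the firewall block list alongside the two domains. The blackhole entries written for dzstream.com and atentomultiservices.com are deliberately kept apart from the "redirect" class, so running the audit again after cleanup does not flag them as a new infection.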
Delete the registry keys manually: If you are comfortable doing so, you can edit the registry with the built-in Registry Editor (Start > Run, type regedit). Export a backup of the registry first (File > Export) so a mistake can be undone. The registry entries created by this malware are listed in the ThreatExpert reports referred to in the Delete Files section above. Best of luck.
Reference with permission from ThreatExpert.