[SOLVED] Questions regarding Driver Submissions

[blueelvis]

Hello Sysnative ^_^,

I have been doing the driver submissions for quite some time now and I have got some doubts as to why or how could I submit the entry so that the entry I submitted could be approved? I am going to post the driver submissions which have been a dilemma for me to accept into the DRT. The first quote box contains the name of the driver. The second quote box contains the information which I & usasma gathered. And below them are the questions or the doubts I have.

==================================================================================

abyj.sys

No information available. This might be a dynamic driver because when the user searched for this driver on his system, he did not find it. The driver was not present in the Registry as well.

Driver was first seen in this thread - Solved BSOD while playing games ntoskrnl.exe/hall.dll

Anyone else have some information on this driver?
--------------------------------------------------------------------------------------------------------------------------------------------------------------------

AMDAs4.sys

Boildown - AMD AS4 Device Driver

Kindly read this post on how the driver works -
https://semiaccurate.com/forums/showpost.php?p=207383&postcount=962

Now, I found a post in which a guy over the HP Forums on this **LINK** says that the graphics drivers also contain the chipset Drivers for AMD. Now, since I haven't used an ATI driver, I am not sure whether to write OEM as the Update Location for this driver or provide a link to the Generic AMD Driver website.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

amdpsp.sys

Boildown - AMD PSP (Platform Security Processor) Driver

More Info - What is amdpsp.sys ? (id:27509274) | System Explorer

Please ignore the Boildown word. It is just the word me and usasma agreed on initially :lol: .
Now, I was not able to find the drivers for this product and hence I provided the below information in the update field -

OEM (None Found At AMD)
This can also be a part of the Chipset Drivers provided by the OEM.

Could anyone please shed some more light on this?
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

AppvStrm.sys

Boildown - Microsoft Application Virtualization Streaming Driver

Since this driver is a part of an add-on, I am not marking this as System(Windows) Driver. If you change this, kindly let me know.

More Info - Malware scan of appvstrm.sys (Microsoft Application Virtualization) 2d36d2fd5ff44d28cca2da7c7ff852dd22a7c072 - herdProtect

Now, there are other drivers as well which are very similar to them. The dilemma I am facing here is that should I mark these drivers as "Windows" drivers and paint them RED or should I just not mark them as Windows drivers because they are a part of the addons to the Operating System. Also, do the addons once installed, are updated via Windows Update? So, what should I provide the update source as well?
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

arcctrl.sys

Boildown - ArcSoft Total Media Theatre 6 Driver

The user had installed this software and hence the boildown.

More Info - Malware scan of arcctrl.sys aa3be8e4aeb05558d61f14be55dff2f18a02cb67 - herdProtect

Now, the problem with this driver is that the software with which it comes, no longer exists and hence I have added the below information to the Update field -

Official Support Ended.

Please read - Arcsoft ends support for Total Media Theater - Myce.com

Also, there is no way to download this software officially.

So, what should I have there? Just write Official Support Ended or have it like this only?
------------------------------------------------------------------------------------------------------------------------------------------------------------------------

athw8.sys

Boildown - Qualcomm Atheros Extensible Wireless LAN Device Driver

More info - Malware scan of athw8.sys (Driver for Qualcomm Atheros CB42/CB43/MB42/MB43 Network Adapter) 2ee8f66b112e483d559782b9e576dd90d84f16e2 - herdProtect

Now, I have provided the update source as http://atheroz.cz since they have updated drivers and are usually a lot faster in updating the drivers than Qualcomm. I am asking this because many Qualcomm Entries in the DRT have got this update link whereas on asking John (usasma) recently, he said that it would be good to include the Official Link only. I would love to hear suggestions on this one as well.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------

camera.sys

Boildown - Intel Imaging Signal Processor 2400
More Info - What is camera.sys from Intel Corporation? (id:28099641)

Now, I am not sure if this is a part of Windows Operating System or is it available as a separate download on Intel's or OEM's website. I am asking because I checked various support websites of manufacturers and intel's but I was not able to find this driver. Is is possible that this driver is updated via Windows Update or is a part of Chipset drivers?
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

chdrv64.sys

No Information available. OP not responding as well. But could this be a Conexant Driver because there is another very similar driver named "CHRDRT64.sys" for which more info is here :-
Malware scan of CHDRT64.sys (Conexant HDAudio Driver) edef4843976a8d5737b952cb4e0aad65dc670184 - herdProtect

One can find the driver and the log files if needed for research over here - BSOD :system_thread_exception_not_handled(atikmdag.sys)
Anyone have got more information on this driver?
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

CPLMACPI.sys

Capella Micro CPLMACPI Sensor Filter

Now, I beleive this driver is available only from the OEM. For example, after searching a bit, I found this driver on Lenovo Support - Laptops and netbooks :: ThinkPad X Series laptops :: ThinkPad X1 Carbon Type 20A7 20A8 - Lenovo Support (IN)
So, what should be the Update Source? OEM or the Lenovo Support link (Since it is available only from Lenovo) or both?
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

cpuz137_x32.sys

This is a driver present in CPU-Z. It seems that they are incrementing the driver numbers. Should we simply have a generic entry for this or add all of these drivers?
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

CSLFD.sys

Boildown - Cirrus Logic HDAudio Lower Filter Driver

More Info - Malware scan of CSLFD.sys (Ciirrus Filter Driver) 2aaf0c7d618ac6687065f3e1b9d23cc12d16bb17 - herdProtect

The drivers available at the Cirrus Logic website are the legacy drivers. Should I include the Cirrus Logic link as well as state that these drivers are available from OEM or simply write OEM?
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

fwldapob.sys

This is a dynamic Driver generated by GMER while scanning the system. I stated that this might be a dynamic driver because the driver is located in the Temporary Folder. Kindly check the below post -
WARNING! The page does not support your version of Browser - Am I infected? What do I do?

Each time GMER is run, it is a random driver. Add to the pot that there is no pattern in naming this driver.

Kindly let me know what you think on this.

Any suggestions on this?
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

f_ih.sys

Boildown - FASOO DRM (Seen along with Korean Softwares)

After much research and carefully studying dozens of log files, I was not able to find the particular software installing this. One thing I noticed which was common in the Logs is that this is found with Korean Softwares.

Let me know if you find more information on this.
Update Source - Contact Us

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

jwtau64.sys

The only information available on this is over here - Malware scan of jwtau64.sys f9da298664ab89b68a9881faf3d37b965322e69b - herdProtect
I am not able to find the software associated with it . Any more information on this?
Log File - Bsod with PFN_LIST_CORRUPT error
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

LUMDriver.sys

Boildown - IBM LUM (License Use Management). Service named as IBM Central Registry License Server

More Info Malware scan of i4gdb.exe (LUM application) e484969145e8316f9789f6627042be38e1ed018c - herdProtect

I have provided this link as the update link - IBM Support Portal
I just want to verify this entry with everyone.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

ndasscsi.sys

Boildown - Ximeta (Sold to IOCELL Networks)Network direct attached storage controller driver

Seems like both companies went out of business (Ximeta & IOCELL Networks). You can confirm this from the posts on this facebook page (I know it is not solid proof) -
https://www.facebook.com/iocellnetworks

Scroll below and you would see the messages.

More info - https://herdprotect.com/ndasscsi.sys-14c430c782076b63d1f9a9fd1f2fd8f5b05db4b9.aspx

So, what should be the description? Both companies closed?
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

netmon_wfp.sys

I am not able to find any information on the company which is responsible for this driver. More Info over here :- What is netmon_wfp.sys ? | System Explorer

If you do a Google Search for "Shefa Media" which is the only name present in the link, it appears that the Founder dissolved the company and there are virtually no tracks which I could find for this driver <_<

Anyone has more information on this?
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

nhauemi.sys

Unknown Driver. No Search Results. Asked OP as well but no response.

The Log files could be found over here - BSOD :system_thread_exception_not_handled(atikmdag.sys)
Any information on this?
--------------------------------------------------------------------------------------------------------------------------------------------------------------------

PECKP_X64.sys

File nameECKP_x64.sys
Publisher:CSII (signed by Client Server International. Inc. Beijing Branch)
ProductOWERENTER
DescriptionowerEnter Keyboard Protector


This is probably some undocumented software which the employees of the Shanghai Pudong Bank Use. This causes issues according to a chineese blog of which translation is over here :-

Google Translate

More Info :- Malware scan of PECKP_x64.sys (POWERENTER) 8ff062143de8eb1d81f5cf1b146987479ed96d41 - herdProtect
Log Files - Windows 8.1 Crashes without BSOD

Cannot find anything over the Shanghai Pudong Bank and the website of CSII. So, what should be the description and update URL for this one be?
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

protectora.sys

Publisher:ÊÖ¹¤²Æ»áʵѵÊÒ|ÊÖ¹¤»á¼ÆʵÑéÊÒ|²Æ»áÄ£ÄâʵѵÊÒ-ÉϺ£¶¥°î¹«Ë¾ (signed by Bank of China Limited)
Product:KeyboardProtection driver module

I am not able to think of any Boildown for this one as I checked the website but it links to China's education helpers website.

This could be also in the software used by the Shanghai Bank?

More Info :- Malware scan of protectora.sys (KeyboardProtection driver module) cbdd68470e361026ee628e45049dc69a7c3725bc - herdProtect
Log Files - Windows 8.1 Crashes without BSOD

I was not able to find any update source for this one.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

RDPUDD.dll

Boildown - UMRDP Display Driver (Part of Windows Operating System)

I just wish to confirm this entry.

More info - What is rdpudd.dll ? | System Explorer

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

rikvm_99E320F5.sys

Boildown - Part of Cyberlink Products

Multiple posts confirm that this is part of Cyberlink Products. Check this - Is this a virus RIKVM_38F51D56.SYS ? | Norton Community

Now, since this is not concrete proof, I am confused whether to accept this driver or not.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

SurfaceAccessoryDevice.sys

Windows Update

But, I am not sure if this should be included or not - Download Surface Pro 3, Surface Pro 2, and Surface Pro firmware and driver packs from Official Microsoft Download Center

Also, I am not sure if I should mark this as System Driver or not. Let me know what you think.

The above information provided is from the Update Field. Now, me and John are confused about the Microsoft Surface Drivers. We are not able to decide whether these should be marked as Windows System Drivers or not. Also, what should be the update source?
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

tcubs.sys

Now, this driver was submitted by an unknown person and I am not able to find any information on this. Furthermore, the Source link provided is "System". Is it possible that this is a SPAM submission?
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

TMP****.tmp

Boildown - Part of the WinRing Libraries which is part of any different programs that center around the using of the WinRing libraries (RealTemp, Corsair Link2 (known BSOD issues w/Win8), Razer GameBooster, Fusiontweaker (Google Code), etc). Dynamic Driver which starts with TMP followed by random 4 letters and extension of TMP.

These are the drivers which we discussed some time ago.

I have provided the update source as below -

OEM - none at http://www.python.org/emacs/winring

I would love some more guidelines on this.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

ubhf.sys

No information available on this driver anywhere just some random strings which match and are present in a malware executable.

I will ask the OP to check whether he could find this system in his machine.
Log Files - BSODs after update to Win 8.1 & while using Chrome - Page 2

Anyone have information on this driver?
---------------------------------------------------------------------------------------------------------------------------------------------------------------------

usbglcs1100301.sys

This driver is related to either a Keyboard/Mouse.

Check this post as well - BSODS while playing games ntoskrnl.exe/hall.dll - Windows Forums

More Info on this - What is usbglcs1100301.sys ? (id:24803561) | System Explorer

Now, what should be the Update Field?

Unable to determine as uassoft.com does not exist

It used to exist: Driver Reference Table - KMWDFilter.SYS

So, what should be the Update field?
-----------------------------------------------------------------------------------------------------------------------------------------------------------

wiasken64.sys

No information available. I checked the logs as well but there is no such driver in them. So, maybe a dynamic driver?

The closest match I found in the MSINFO32 report was of "wiaserv". I don't know if that is significant or not.
Log Files - Bsod with PFN_LIST_CORRUPT error

Anyone have more information on this?
------------------------------------------------------------------------------------------------------------------------------------------------------------

WPRO_40_1340.sys

Boildown - WinPcap Packet Driver

I checked the logs and found this driver entry in driver_status.txt.

In the below log, DDS has identified this driver as WinPCAP Driver.

More info - https://forums.malwarebytes.org/index.php?/topic/58635-rootkit-problem/#entry291438

Would this be significant to include? So, what to do?
------------------------------------------------------------------------------------------------------------------------------------------------------------

X6va019.sys

This has been one of my first submissions. I had submitted the below description -

This driver is possibly a rootkit service and variants are the same filenames except ending in :-
12,13,16,17 & 19.

More information regarding them as considered being rootkits can be found on this forum :-
Windows 7: Verdacht auf Keylogger - Seite 2 - Trojaner-Board

Check the first FRST log and you will see the report. Furthermore, the fixing part of FRST also removes this service.

Now, I am not able to identify this driver. Below is the update field -

Should be removed, possible rootkit service.

This is not a rootkit - I recall it's a part of either a sound or webcam driver - JOHN

The last line was written by usasma.
-------------------------------------------------------------------------------------------------------------------------------------------------------------

yllfok.sys

No information available

I checked logs as well but was not able to find anything. Let me know if you find something ^_^
Log Files - BSOD Multiple Times from BAD_POOL_HEADER

===============================================================================

I really appreciate the feedback :)

-Pranav

 

[jcgriff2]

Be sure to check the "WHERE" text file output from the Sysnative/jcgriff2 app as it often contains additional clues.

Same with msinfo32.

 

[blueelvis]

Be sure to check the "WHERE" text file output from the Sysnative/jcgriff2 app as it often contains additional clues.

Same with msinfo32.

Unfortunately, most of these drivers are from EF and the log utility used there does not contain that. I have already scraped the MSINFO32, Event Logs, DriverStatus, Drivers, Uninstall etc and there hasn't been a trace of them of most of them.

Even if there is little information like a service getting started or like that, the service name is also not searchable

 

[usasma]

amdpsp.sys - I found this on the HP support website a while back
Try looking at the AMD embedded chipset website (don't have a link right now). You'll have to register as a developer to get access to their chipset downloads (I did it a long time ago, but have lost the login credentials).

 

[blueelvis]

amdpsp.sys - I found this on the HP support website a while back
Try looking at the AMD embedded chipset website (don't have a link right now). You'll have to register as a developer to get access to their chipset downloads (I did it a long time ago, but have lost the login credentials).

I just checked out the AMD Developer Sign Up form over here - http://wwwd.amd.com/amd/devsite.nsf/registrationprocess?openform#
And they say that the application would first be reviewed and only then approved if deemed worthy.
Unfortunately, I don't have a company and other details. Could you please try finding your login details in your mail?


Anyone else has got login with AMD Developer?

 

[niemiro]

amdpsp.sys - I found this on the HP support website a while back
Try looking at the AMD embedded chipset website (don't have a link right now). You'll have to register as a developer to get access to their chipset downloads (I did it a long time ago, but have lost the login credentials).

I just checked out the AMD Developer Sign Up form over here - http://wwwd.amd.com/amd/devsite.nsf/registrationprocess?openform#
And they say that the application would first be reviewed and only then approved if deemed worthy.
Unfortunately, I don't have a company and other details. Could you please try finding your login details in your mail?


Anyone else has got login with AMD Developer?

You could try to signing up yourself if you wanted. After all, there is a "Company Information" free field textbox. Be completely honest about who you are. Explain that you work here and detail precisely how you would use the access. At the end of the day it's at their discretion so if you're open and honest - and they like what it is you'd do with the information - they'd likely put aside the "company" requirement on their form.

 

[usasma]

I got access by describing my work with BSOD's, and chatting with a guy named Bill
While they weren't encouraging, they did grant me access.

This was all back in 2012 - and my login doesn't seem to work any longer.
I've submitted a request for a password reset - so we'll see how that goes.

PS - my company was named Putz Enterprises (my dog's name).
Feel free to use it.

 

[blueelvis]

I got access by describing my work with BSOD's, and chatting with a guy named Bill
While they weren't encouraging, they did grant me access.

This was all back in 2012 - and my login doesn't seem to work any longer.
I've submitted a request for a password reset - so we'll see how that goes.

PS - my company was named Putz Enterprises (my dog's name).
Feel free to use it.

Let's see what happens. I will submit the form tomorrow once I am back from college.

You could try to signing up yourself if you wanted. After all, there is a "Company Information" free field textbox. Be completely honest about who you are. Explain that you work here and detail precisely how you would use the access. At the end of the day it's at their discretion so if you're open and honest - and they like what it is you'd do with the information - they'd likely put aside the "company" requirement on their form.

Yes, I will do just that. Isn't there any other mode of communication like you just email someone for details?


-Pranav

 

[blueelvis]

Oh yes. While removing the duplicate EDIT entries from the table, I saw the below drivers for the Application Virtualization -
Driver Reference Table

Now, some are marked as System Drivers while the others are not. So, what should I do with the above entries and the present entries (Should I modify them as well and change according to the decision taken on the above App-V drivers?)


-Pranav

 

[usasma]

Well Pranav - you sure can ask some hard questions!
You're making me think a lot - and it hurts my brain! (just kidding!)

I don't know the reason why they're different.
I presume when they were added, that some were found to be available through Windows Update and some weren't (maybe at different times?).

The point of the Windows Update drivers are:
- so they don't show up in the BSOD app output
- to show users that the way to update them is through Windows Update

So we need to figure out what the primary method for updating Application Virtualization drivers is.
If it's through Windows Update, then they should be red (and labeled as Windows Update)
If it through the Microsoft Download Center, then they shouldn't be red and should not be labeled as Windows Update.

As for the App-V stuff, a bit of research shows me that it is related to Server side installations.
There's nothing (that I could find) definitive about where these drivers are updated from.

But, if drivers are crashing in a user's system - should we be directing the user to their own IT department?

Also, we do at times offer help to IT folks trying to troubleshoot their own problems.
This raises the problem of how we address these drivers in the DRT
And also, do we need to update the drivers on the user's system?

Looking at this from a viewpoint of helping a user, then the drivers shouldn't be Windows drivers - as we won't be helping with them if they are Windows drivers.
Unfortunately, if Windows Update is the primary update source for these drivers - we may be just causing extra work for the user and the person helping them.

The workaround here is to have the helpers scanning the stack and 97 text files - to see if these virtualization drivers are involved in the crashes.
If that's the case, then they can advise the user to visit Windows Update
Then if Windows Update doesn't fix anything, then they could try the Microsoft Download Center

Do we have any folks familiar with App-V on staff here? Maybe their input would help us to decide how to treat these?

 

[jcgriff2]

PS - my company was named Putz Enterprises (my dog's name).

:lol:

 

[blueelvis]

You could try to signing up yourself if you wanted. After all, there is a "Company Information" free field textbox. Be completely honest about who you are. Explain that you work here and detail precisely how you would use the access. At the end of the day it's at their discretion so if you're open and honest - and they like what it is you'd do with the information - they'd likely put aside the "company" requirement on their form.

I just completed the registration. Seems like there is a special consideration for students/professors/academic institutions. I have applied as a student. They said that I would get a response in 1-3 working days. Let's see what happens.

Well Pranav - you sure can ask some hard questions!
You're making me think a lot - and it hurts my brain! (just kidding!)

I don't know the reason why they're different.
I presume when they were added, that some were found to be available through Windows Update and some weren't (maybe at different times?).

The point of the Windows Update drivers are:
- so they don't show up in the BSOD app output
- to show users that the way to update them is through Windows Update

So we need to figure out what the primary method for updating Application Virtualization drivers is.
If it's through Windows Update, then they should be red (and labeled as Windows Update)
If it through the Microsoft Download Center, then they shouldn't be red and should not be labeled as Windows Update.

As for the App-V stuff, a bit of research shows me that it is related to Server side installations.
There's nothing (that I could find) definitive about where these drivers are updated from.

But, if drivers are crashing in a user's system - should we be directing the user to their own IT department?

Also, we do at times offer help to IT folks trying to troubleshoot their own problems.
This raises the problem of how we address these drivers in the DRT
And also, do we need to update the drivers on the user's system?

Looking at this from a viewpoint of helping a user, then the drivers shouldn't be Windows drivers - as we won't be helping with them if they are Windows drivers.
Unfortunately, if Windows Update is the primary update source for these drivers - we may be just causing extra work for the user and the person helping them.

The workaround here is to have the helpers scanning the stack and 97 text files - to see if these virtualization drivers are involved in the crashes.
If that's the case, then they can advise the user to visit Windows Update
Then if Windows Update doesn't fix anything, then they could try the Microsoft Download Center

Do we have any folks familiar with App-V on staff here? Maybe their input would help us to decide how to treat these?

The thing with such drivers is that some of them (Take an example of Malicious Software Removal Tool) are available both via Windows Update and the regular update downloads from the Microsoft Support (Just like the other Windows Updates which are available via Windows Update as well as via separate downloads on Microsoft Support Website).

I found this for the App-V - Step-by-step guide for upgrading your App-V 5.0 infrastructure to Service Pack 3 - The Official Microsoft App-V Team Blog - Site Home - TechNet Blogs
But, I am not sure if this is enough for taking a decision on what to do with these drivers.

How about we list both the update sources (If we are able to find sources other than the Windows Update)? It would be similar to the decision to include both the Downloads & Support link wherever possible in the DRT Entries. That way, the user can check both. Although Windows Update should be listed first and then the link.

Directing the users to the IT Department would be the choice of the helper. If he/she sees it fit, then why not?

Also, what about the Surface Drivers? Do they also get similar treatment?


-Pranav

 

[blueelvis]

And request to the AMD Chipset downloads has been declined -_-

They said that I did not provide a company email address even though I mentioned that I am a student <_<.

 

[usasma]

Let's not worry about the AMD website right now. Even though I had access, i never really used it.
Also, it wouldn't be a good place to link to for the DRT.

My concern with the App-V drivers is if they're listed as Windows Drivers they won't appear in the 98/template output of the BSOD app
Drivers such as Microsoft mouse and keyboard drivers and Microsoft antivirus/antimalware drivers have been listed as non-Windows drivers so that they would appear in the output files.
Let's do App-V that way, and we can then list the 2 sources

 

[blueelvis]

Let's not worry about the AMD website right now. Even though I had access, i never really used it.
Also, it wouldn't be a good place to link to for the DRT.

My concern with the App-V drivers is if they're listed as Windows Drivers they won't appear in the 98/template output of the BSOD app
Drivers such as Microsoft mouse and keyboard drivers and Microsoft antivirus/antimalware drivers have been listed as non-Windows drivers so that they would appear in the output files.
Let's do App-V that way, and we can then list the 2 sources

That sounds good.
I will update and push the driver entries in the morning.

 

[blueelvis]

Added the App-V drivers and I kept only the Windows Update. I found this blog post which says that App-V is not publicly available for download and you need to be a SA customer of Microsoft.

App-V FAQ: Where can I download App-V? | Aaron Parker

I have also edited out the other App-V entries to reflect this change.

 

[blueelvis]

The above set of drivers has been dealt with. Most of them are deleted and the rest are approved.


Marked this thread as solved...



Regards,
Pranav