Another persistent ndis.sys infection.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Gobblin, Jul 21, 2010.

  1. Gobblin

    Gobblin Private E-2

    Hi, I seem not to be the only one with this problem, but as it appears the fix varies on a case by case basis - so I went through the READ & RUN process but I'm still infected.

    It started three days ago, with persistent popups for fake antivirus programs (Antimalware Doctor and Antivir Solution Pro) that also blocked my access to taskmanager, the internet and all programs in general. Through using the usual programs (SAS, AVG, MAMB) in safe mode I managed to get most of it out.

    But AVG still alerts me to an infected ndis.sys file and says it contains a trojan. A trojan that keeps inserting "AGProtect" values into the registry no matter how many times I remove them. AVG can't delete it, however, and neither could any of the programs on the READ & RUN list, even though ComboFix could find and identify it. I've tried replacing ndis.sys with one from another computer but the virus appears to stop me from copying it to this computer and won't let me rename any file to ndis.sys.

    I'm also worried that some eventual solution might render my ndis.sys unusable. I've read that that might destroy my internet connection, is there a way to get it restored? I have a netbook so I don't have an OS Installation cd or even a cd drive. I use XP Home 32 bit with service pack 3.

    Attaching logs, grateful for any help,

    //Gobblin
     

    Attached Files:

  2. Gobblin

    Gobblin Private E-2

    More logs...
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now let's use ComboFix to replace the infected files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    FCopy::
    C:\MGtools\temp\SPF\ndis.sys | c:\windows\system32\drivers\ndis.sys
    C:\MGtools\temp\SPF\ndis.sys | c:\windows\system32\dllcache\ndis.sys
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited: Jul 22, 2010
  4. Gobblin

    Gobblin Private E-2

    Thanks for the quick reply!

    I ran ComboFix, but I'm not totally sure it ran the script file properly, since it asked to be upgraded when I dragged the file to it, I clicked yes and it restarted itself. Not sure it ran CFscripts.txt on that second running... well I guess the logs will show.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please try running it again. It appears as though it did not run the script. Then I want you to run this:

    * Please download TDSSKiller to your Desktop
    * Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    * Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -v

    * Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    * When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

    Attach both the TDSS log and the new Combo log.
     
  6. Gobblin

    Gobblin Private E-2

    I'm not getting TDSSKiller to run properly, a window appears saying "Error" and a list of parameter commands to issue, and -v isn't one of them.

    ComboFix might or might not have run the script, it seems to say that it did in the log, but I didn't notice it doing anything else than the last time.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, that is just annoying!!

    Go to C:\MGTools\temp\SPF\ndis.sys and copy the ndis.sys file directly to your C:\ drive. So you have:
    C:\ndis.sys.
    Now do it again, but rename it to ndis1.sys and save to the C:\ drive to have:
    C:\ndis1.sys

    Now let's try Avenger. Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now go to the c:\windows\system32\dllcache\ndis1.sys and rename it to c:\windows\system32\dllcache\ndis.sys.


    Download TDSSKiller from Kaspersky directly onto your Desktop
    • Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator. )
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )


    Now re-run Combo and attach both logs:
    * C:\ComboFix.txt
    * C:\Avenger.txt
     
    Last edited by a moderator: Jul 24, 2010
  8. Gobblin

    Gobblin Private E-2

    Unfortunately the C:/MGTools/temp/SPF folder is empty. Probably has something to do with me being prevented from renaming any file on the whole computer to "ndis.sys". Got TDSSkiller to run this way though, but it didn't find anything. ComboFix did the same as it did before.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, I just noticed that folder is missing. Now download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Run the .exe. Attach the new C:\MGLogs.zip.
     
  10. Gobblin

    Gobblin Private E-2

    Downloaded and ran it, didn't seem to do much though, and the temp/SPF folder is still empty.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      ndis.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Reminder for TimW: This folder and file is not created by MGtools. It is created by one of the special downloads we have for each service pack. Since you did not have the user download and run any of these, the folder and file does not exist. ;)
     
  13. Gobblin

    Gobblin Private E-2

    So what do I do? Do I download and run SystemTools?
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, do that, but also go to start / run / and type:
    sfc /scannow and have your os cd handy. Maybe it will find the bad files and replace them.
     
  15. Gobblin

    Gobblin Private E-2

    Hi again, I ran systemlook and have attached the log. I highly doubt there is an uninfected ndis.sys at all on the system, since the virus is able to prevent me renaming files to that.

    I do have one copy from another computer (it's renamed to something else, otherwise I wouldn't have been able to transfer it) but it's from an XP Professional installation and not XP Home like this one, so it might not work.

    Sadly I can't use an installation cd since I don't have one, nor the possibility of using one, since this is a netbook (see bottom of first post).

    I ran sfc /scannow as well, it didn't "say" anything and didn't appear to do anything, which isn't so surprising since I've run it before.

    Is there a way to fix this at all?
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now download and save this XPsp3bu.exe to your C:\ root folder. You must do this properly. Now run the XPsp2bu.exe program by double clicking on it. You may or may not notice a quick flash of a black window. This is normal. The program runs quickly and just extracts some files we need.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    FCopy::
    C:\MGtools\temp\ndis.sysmg | c:\windows\system32\drivers\ndis.sys
    C:\MGtools\temp\ndis.sysmg | c:\windows\system32\dllcache\ndis.sys
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  17. Gobblin

    Gobblin Private E-2

    Would've been wonderful if this would have worked out smoothly at last, but no such luck. ComboFix is stuck. I didn't touch it or click it or anything like that, but it's been at the "scanning-for-infected-files-this'll-take-about-ten-minutes-etc" phase for something approaching two hours now. I don't really want to kill the process in case it might screw something up. Might it finally work or should I just kill it and do a system restore?
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You could try doing a system restore to a point before this happened, but we would still need to re-run the scans to make sure there was no malware in that restore point.

    Or we can try using Avenger again. You would need to go to
    C:\MGtools\temp\ndis.sysmg and copy the ndis.sysmg to your C: drive. Then rename it to just
    C:\ndis.sys

    Repeat that so you have a second copy on the C: drive ---> C:\ndis.sysmg and rename to C:\ndis.sys1

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now go to c:\windows\system32\dllcache\ndis.sys1 and rename it to c:\windows\system32\dllcache\ndis.sys.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  19. Gobblin

    Gobblin Private E-2

    No, I meant doing a System Restore in case ComboFix messed something up, but it doesn't seem like it. I've tried to run it several times but it always hangs, even though it worked before.

    I can't do the Avenger thing, since I'm blocked from renaming any file to ndis.sys.
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What do you mean? What happens when you try to copy it to your C: drive?
     
  21. Gobblin

    Gobblin Private E-2

    Whenever I try to rename a file (any file) to "ndis.sys", an alert appears, saying that it can't be renamed, access denied. But it can be renamed to anything else without problems.

    I can move the files to the C: directory, but not rename them.
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Hummm......then find the C:\MGtools\temp\ndis.sysmg file and copy it to the C: drive and rename it to:
    C:\1234.sys.
    Do it again and this time rename it to C:\5678.sys.

    Now try to run Avenger again:

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Does that work?
     
  23. Gobblin

    Gobblin Private E-2

    It failed... attaching Avenger log.
     

    Attached Files:

  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Crap. The only other options I can think of are either a system restore to a point before this happened or doing a repair installation if you have your OS CD.
     
  25. Gobblin

    Gobblin Private E-2

    I don't have one, so I guess there's nothing to do but a full reformat?
     
  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You don't have an OS cd? If you have the install code on a sticker on the system, you could perchance borrow one as long as it is the same version of what you have. You could also try contacting the manufacturer and see if they wouldn't send you an install cd. Often they will for either free or a very nominal amount.
     
  27. Gobblin

    Gobblin Private E-2

    Well, no, since it's a netbook I have no XP cd and no cd drive to put one in. I might be able to hook some external drive to it though.
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Does it have a restore partition on it? The option should show when you first boot up.
     
  29. Gobblin

    Gobblin Private E-2

    Hm, I don't know about that, it just shows the options of starting xp or the recovery console on boot. Recovery console was put there recently by ComboFix though.
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The recovery console is pretty useless if you don't have a cd player. How were you planning on reformatting? How were you going to do a clean installation?
     
  31. Gobblin

    Gobblin Private E-2

    I've never formatted a computer before, so I just thought to boot recovery console and format c:. I thought I might connect an external cd drive to the computer and try to get an xp cd from a friend. But I'll admit it's not really something I know how to do.

    Can winnt32.exe in the i386 directory help? I thought i read something about that before.
     
  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did we not already look for a clean copy of ndis? It should also exist in the i386 folder.
    But you said this>:
    I do have one copy from another computer .......

    Have you tried using that file to replace the other two? Where did you get it from? The fact it is from an XP Pro version shouldn't matter.
     
  33. Gobblin

    Gobblin Private E-2

    Yes, I have tried. But I can't replace the infected one since the replacement needs to be called ndis.sys which it can't. I can put it in the right folder but only under a different name. I got it from another computer. C:\Windows\i386 has no copy of ndis.sys.
     
  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need not rename it. You should be able to just right click it and choose copy and then paste it into the
    c:\windows\system32\drivers\ folder. It should then ask if you want to replace it with that copy and of course you would choose yes.
     
  35. Gobblin

    Gobblin Private E-2

    Ehm, it won't ask me if I want to replace ndis.sys with the new file unless the new file is also called ndis.sys. It just places the new file (currently called ndih.sys) in the drivers folder. I'm not sure what you mean I should do.
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you right click and delete the original infected ndis.sys file? You should then be able to rename the other file.
     
  37. Gobblin

    Gobblin Private E-2

    No, it's access denied.
     
  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're kind of stuck. I don't see any alternative other than to try to find a USB external cd drive and OS CD in order to do a repair install or even to get into the recovery console. :(
     
  39. Gobblin

    Gobblin Private E-2

    I can get to the recovery console, but I need a cd in an external drive to make use of it? Even with my clean copy of ndis.sys?
     
  40. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks like the only way to replace it is going to be from a cd using the recovery console. What I suggest you do is post in the software forum so that others who may be more experienced in doing this can assist you. Both the drivers\ndis.sys and the dllcache\ndis.sys need replacing.
     
  41. Gobblin

    Gobblin Private E-2

    So the copy in the MGTools folder is useless? Well, in any case I'll take this elsewhere, thank you so much for your help and time anyway. It's been nice to know there is someone on my side.
     
  42. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The copy in the MG's folder is useless if your system won't allow it to be copied. We tried both Combo and Avenger to copy them, but neither worked. I am of the belief that you can only replace it in the RC.
    Do post in software. Maybe someone has a better idea. The thing that has me wondering is what effect the corrupt file is having on your system. After all, it is only Combo that reports it. You might try running an online scan to see what it reports:

    Using BitDefender Online Scan.
     
  43. Gobblin

    Gobblin Private E-2

    I thought it was the corrupted file that wouldn't let itself be overwritten, and that the source of the replacement (MGTools or cd) was immaterial. But I'll try bitdefender and try to use an external cd drive. Thanks.
     
  44. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It probably is the reason it can't be overwritten when XP is running, which is why I think it has to be done through the RC.
     
  45. Gobblin

    Gobblin Private E-2

    Yes, and can't I use the rc to do what ComboFix or Avenger couldn't, remove the infected copy and replace it with the clean one? Or if I put a copy on a USB stick? (Feel free to refrain from answering if this isn't your area of expertise, I guess I can find this stuff out somewhere else).
     
  46. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, I think that is exactly what you need to do....copy a clean file from the installation disc in the Recovery Console. It would be this way ( depending on what drive letter windows assigns to the external CD player):

    Type following commands and hit <Enter> key (please proceed one by one).

    D: (if D: is label of the CD-ROM, change if other)
    cd i386
    expand ndis.sy_ C:\Windows\system32\drivers

    exit

    - Restart your computer and boot your Windows normally.

    Then do it again for the C:\Windows\system32\dllcache\
     
  47. Gobblin

    Gobblin Private E-2

    I seem to have solved it. I tried to open Recovery Console and input
    "copy c:\1234.sys c:\windows\system32\drivers\ndis.sys".
    When I started xp again ndis.sys was back to its proper size, could be accessed again, and AVG didn't find anything bad. I did the same to dllcache and no sign of trouble since then. I dare think it's gone.
     
    Last edited: Aug 4, 2010
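    A check worth running after a replacement like the one above, added here as an example and not part of the thread or of any MajorGeeks tool: it compares the two copies of ndis.sys that XP keeps (drivers\ and dllcache\, the two paths TimW says both need replacing) against the known-clean copy the user staged on the root of C: (C:\1234.sys in the thread; treat that path as an assumption and point it at your own reference file), and reports size, SHA-256 and Authenticode status for each. It assumes PowerShell 4 or later for Get-FileHash, so on the XP box itself you would compute the hashes with another tool; the Authenticode line is informational only, because XP-era system files are catalog-signed rather than carrying an embedded signature, so a NotSigned status for them is expected and the hash comparison is the meaningful result.

```powershell
# Added example, not from the thread. Verifies that the live ndis.sys and its
# dllcache twin are byte-identical to a known-clean reference copy.
# ASSUMPTIONS: PowerShell 4+ (Get-FileHash); $reference is the clean copy you
# staged yourself (the thread used C:\1234.sys).
$reference = 'C:\1234.sys'
$targets = @(
    "$env:SystemRoot\system32\drivers\ndis.sys",
    "$env:SystemRoot\system32\dllcache\ndis.sys"
)

function Get-FileReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Size = $null; Sha256 = $null; Signature = $null }
    }
    # -Force so hidden/system attributes (normal for dllcache) do not hide the file
    $item = Get-Item -LiteralPath $Path -Force
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # Embedded-signature check only; catalog-signed XP files report NotSigned here
    $sig  = (Get-AuthenticodeSignature -FilePath $Path).Status
    [pscustomobject]@{ Path = $Path; Exists = $true; Size = $item.Length; Sha256 = $hash; Signature = $sig }
}

$ref = Get-FileReport -Path $reference
if (-not $ref.Exists) {
    Write-Output "Reference copy $reference not found; nothing to compare against."
    return
}

$ref | Format-List
foreach ($t in $targets) {
    $r = Get-FileReport -Path $t
    $r | Format-List
    if (-not $r.Exists) {
        Write-Output "  -> MISSING"
    } elseif ($r.Sha256 -eq $ref.Sha256) {
        Write-Output "  -> matches reference"
    } else {
        # A size or hash mismatch is the condition AVG/ComboFix were reporting in the thread:
        # the on-disk driver no longer equals the clean file.
        Write-Output ("  -> DIFFERS from reference (size {0} vs {1})" -f $r.Size, $ref.Size)
    }
}
```

    Run it from an elevated PowerShell prompt; a file that exists but differs from the reference is the case the thread spent weeks on, while a missing dllcache\ copy is less urgent but means Windows File Protection has nothing clean to restore from.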
  48. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet!! Very good to know. I have been thinking about your situation for a few days now, so am very glad you were able to access the RC.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:


     
  49. Gobblin

    Gobblin Private E-2

    I'm on it. Thanks so much for all your help!
     
  50. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome!! Safe surfing!! :)
     
