Rootkit and/or Trojan

Posted on 2009-04-11
Medium Priority
Last Modified: 2013-12-06
I've been working on this PC for several days and thought I had it clean. Installed AVG which is showing C:\windows\system32\drivers\ndis.sys infected with Trojan Horse Rootkit-Agent.DI. ndis.sys is a legit Windows file and part of the OS (part of the network driver). I tried submitting to Jotti for verification but the upload hangs.

What I have been able to determine is that C:\windows\drivers\restore.exe runs on boot and then deletes itself. ndis.sys is infected at that time. There is a registry entry HKLM\CurrentControlSet\Services\Restore which apparently initiates the infector. I have tried deleting the registry image file location but restore.exe is still running on boot. Of course, it is not listed as a service (services.msc). ndis.sys is not always flagged as infected by AVG. I think the infector may have also dropped C:\Windows\temp\BNA.tmp but am not sure.

ComboFix log is attached. There are a number of entries in recently added (30 day) files section that are strangely named but legitimate. Those are in C:\windows\system32\dllcache folder. I had to run SFC and re-install video driver to get PC back in usable condition. I didn't save a copy of initial ComboFix run log -- wish I had.

BlackLight did not detect any root kits and neither does ComboFix.

Two MBAM logs and a HJT log are also attached. MBAM does identify the HKLM\CurrentControlSet\Services\Restore registry entry.

Question by:willcomp
LVL 47

Accepted Solution

rpggamergirl earned 1600 total points
ID: 24124804
Hi willcomp,

ndis.sys failed the sigcheck so that's probably patched, or maybe Sality or Virut is present there... I would just replace that, just to be sure.

I did not check those files in the dllcache folder (assuming they're all legit)... but some nasties can also hide in the dllcache and i386 folders... the most likely thing going on here is a file infector. The snapshot is also showing some filesize discrepancy.

If it's Virut, a reformat and reinstall would be the quickest and safest solution, as depending on how long the system has been infected it takes time and patience to remove and replace corrupted files. And even then we cannot guarantee that the system is virus-free or error-free afterwards.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
c:\program files\Common Files\omykon.vbs
c:\documents and settings\Owner\Application Data\iwyn.bin
c:\documents and settings\All Users\Application Data\ocisib.dll
c:\program files\Common Files\befydyz.scr
c:\program files\Common Files\tavosep.sys
c:\program files\Common Files\ehexigetiw.exe
c:\documents and settings\Owner\Application Data\yhyn.vbs
c:\documents and settings\All Users\Application Data\lipaf.bat
c:\documents and settings\Owner\Application Data\ziqylalisa.dll
c:\documents and settings\Owner\Application Data\jydocatyja.exe
c:\program files\Common Files\hozusur.inf
c:\documents and settings\Owner\Application Data\yzare.sys
c:\program files\Common Files\emakutik.dl

c:\program files\temp01

3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

Also run ATF Cleaner or CCleaner:
Download and run ATF Cleaner by Atribune.
It's normal after running ATF cleaner that the PC will be slower to boot the first time.
LVL 32

Author Comment

ID: 24125709
rpg -- thanks for the response. Ran ComboFix script and log is attached.

ndis.sys is still infected -- surprise! surprise!

I run CCleaner to clean both files and registry as a matter of course, so that had already been done. Reran to be safe but nothing suspicious was deleted (only a few log files left to delete). I also delete files in \Documents and Settings\%username%\Local Settings\Temp folder(s). Learned years ago that was a favorite malware hiding place and neither CCleaner nor ATF Cleaner clean those folders.

It's Easter Sunday morning here so I won't be working on the PC again until later in the day. Will update as I have more info.
LVL 32

Author Comment

ID: 24125732
Forgot to add -- verified those files in dllcache folder were MS signed files.
LVL 15

Assisted Solution

greyknight17 earned 400 total points
ID: 24127213
Download the Flash Disinfector at http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console using ComboFix. You may skip the part with using a CD to do it and go straight to the Microsoft website to download it instead.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text below into Notepad:

File::
c:\program files\temp01

FCopy::
c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\drivers\ndis.sys

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
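The two checks the thread relies on, verifying the live ndis.sys against the OS's own backup copies (the ServicePackFiles\i386 copy that the FCopy:: line above copies from, and the dllcache copy rpggamergirl mentions) and finding a service that exists in the registry but is not shown in services.msc, can be scripted so that they are repeatable after each cleanup pass. The script below is an added example and is not from the thread, ComboFix, or any of the posters; it assumes Windows PowerShell is installed on the patient machine and is run from an elevated prompt, and it takes the paths and the 'Restore' service name from the question.

```powershell
# Added example, not from the thread. Cross-checks the ndis.sys driver against
# the OS's own backup copies (the same ones the FCopy:: step above copies from)
# and lists service registry keys that the Service Control Manager does not
# report, which is how a "service that isn't in services.msc" shows up.
# Assumes Windows PowerShell is installed on the patient machine and is run
# elevated; the paths and the 'Restore' service name are taken from the thread.

$live    = Join-Path $env:SystemRoot 'system32\drivers\ndis.sys'
$backups = @(
    (Join-Path $env:SystemRoot 'ServicePackFiles\i386\ndis.sys'),
    (Join-Path $env:SystemRoot 'system32\dllcache\ndis.sys')
)

function Get-Sha256Hex([string]$Path) {
    # Hashed by hand rather than with Get-FileHash so this also runs on PowerShell 2.0.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Get-DriverStatus([string]$Path) {
    if (-not (Test-Path $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Caveat: on XP/Vista/7 this only sees an EMBEDDED signature. OS drivers are
    # usually catalog-signed, so 'NotSigned' here is not proof of tampering;
    # Sysinternals sigcheck (the "sigcheck" used earlier in the thread) does
    # verify against catalogs. The hash comparison below is the stronger test.
    New-Object PSObject -Property @{
        Path   = $Path
        Size   = (Get-Item $Path).Length
        Status = $sig.Status
        Sha256 = Get-Sha256Hex $Path
    }
}

function Get-UnlistedServiceKeys {
    # Registry keys under Services that neither Get-Service (Win32 services)
    # nor Win32_SystemDriver (kernel/filesystem drivers) enumerates. This is a
    # triage list, not a verdict: leftover keys from uninstalled software show
    # up here too, so look at Start and ImagePath before acting on an entry.
    $seen = @{}
    Get-Service | ForEach-Object { $seen[$_.Name.ToLower()] = $true }
    Get-WmiObject Win32_SystemDriver | ForEach-Object { $seen[$_.Name.ToLower()] = $true }
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.ImagePath -and -not $seen.ContainsKey($_.PSChildName.ToLower())) {
            New-Object PSObject -Property @{
                Name      = $_.PSChildName
                Type      = $p.Type
                Start     = $p.Start
                ImagePath = $p.ImagePath
            }
        }
    }
}

# 1. Live driver versus the two backup copies. After the FCopy:: (or an expand
#    from the XP CD) the live hash should equal the backup it came from; if the
#    two backups disagree with each other, neither can be trusted as a source.
$liveInfo = Get-DriverStatus $live
if ($null -eq $liveInfo) { throw "$live is missing" }
Write-Output ("live   {0}  size={1}  sig={2}`n       sha256={3}" -f $live, $liveInfo.Size, $liveInfo.Status, $liveInfo.Sha256)
foreach ($b in $backups) {
    $info = Get-DriverStatus $b
    if ($null -eq $info) { Write-Output "backup $b : not present"; continue }
    $verdict = if ($info.Sha256 -eq $liveInfo.Sha256) { 'MATCHES live copy' } else { 'DIFFERS from live copy' }
    Write-Output ("backup {0}  size={1}  sig={2}  {3}" -f $b, $info.Size, $info.Status, $verdict)
}

# 2. Service keys the SCM does not report.
Write-Output "`nService keys not enumerated by the SCM:"
Get-UnlistedServiceKeys | Format-Table Name, Type, Start, ImagePath -AutoSize

# 3. The specific key named in the question.
$restore = 'HKLM:\SYSTEM\CurrentControlSet\Services\Restore'
if (Test-Path $restore) {
    Get-ItemProperty -Path $restore | Format-List Type, Start, ImagePath
} else {
    Write-Output "$restore : absent"
}
```

Run it once before the replacement and once after each reboot: the live hash should come back equal to the backup it was copied from, and the Restore key should stay absent. Two caveats apply. A driver that fails this check but passes Sysinternals sigcheck is usually just catalog-signed, not tampered with; a driver that differs from both backup copies, or backups that differ from each other, is the finding to act on. And since a kernel-mode rootkit that is still loaded can filter what user-mode code reads from disk and the registry, a clean result from the running system is only convincing if the same comparison also holds when the disk is examined offline (for example from the Recovery Console).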
LVL 32

Author Comment

ID: 24127653
@greyknight17 -- thanks, but I have already deleted ndis.sys and "expanded" a new copy from XP CD.

FYI -- that link to Flash Disinfector is no longer valid. This one still works:  http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

LVL 15

Expert Comment

ID: 24129636
Are you still having any signs of infection now? If not, go to Start > Run and type in combofix /u to remove it. Please read the below for guides on how to help prevent infections:

1. TonyKlein's article "So how did I get infected in the first place?"
2. "Simple and easy ways to keep your computer safe and secure on the Internet"
3. miekiemoes' "How to prevent Malware"
LVL 32

Author Comment

ID: 24129946
@greyknight17 -- I'm very familiar with ComboFix including its removal. No matter what software I install and how much I advise customers, they continue to let their kids have full access to the internet. Could be because the parents are dependent on the kids for using the PC. They also aren't good about updating and/or renewing AV and anti-spyware software. Although I configure automatic updates, they won't leave PCs turned on when not in use.

I do occasionally need a Combofix script or peer input. I haven't attended Malware U yet and rely on the good folks here that have.

Some friendly advice -- when the questioner is a qualified expert, you might want to check their profile.
LVL 15

Expert Comment

ID: 24133044
You didn't mention that the issue was resolved, so I wasn't sure if the issue was remaining.

Will take that advice and view the profile for those who are qualified experts in the future. But I don't see how that would help out in this case.
LVL 32

Author Comment

ID: 24133128
The jury is still out on whether the problem is resolved. Believe it is but waiting to see.

Without checking profiles, it's hard to determine one's level of expertise. I do appreciate your responding, but there's no need to provide basic information where it's not needed.

Did you update your link for Flash Disinfector? When you have "canned" responses or a list of links, it's good to validate links periodically.
LVL 47

Expert Comment

ID: 24133425
Yes, the techsupportforum link hasn't been working for awhile...
Here's the working link that I've been using;
Thanks for that link, willcomp. :) I'll add that to my canned response in case one link stops working.
LVL 32

Author Comment

ID: 24134163
No reinfections so far. Restore service is still not in registry and ndis.sys is still clean. I'll monitor for a while longer and then uninstall Combofix and call it cured.

Thanks for your help.
LVL 32

Author Closing Comment

ID: 31569264
Appreciate the help. It seems to be clean. I'll monitor for another day and then uninstall ComboFix and pronounce it cured.
LVL 15

Expert Comment

ID: 24142474
Been meaning to update the link but keep forgetting. Will try to do it now. Thanks.
