I've been working on this PC for several days and thought I had it clean. Installed AVG which is showing C:\windows\system32\driver
infected with Trojan Horse Rootkit-Agent.DI. ndis.sys is a legit Windows file and part of the OS (part of network driver). I tried submitting to Jotti for verification but upload hangs.
What I have been able to determine is that C:\windows\drivers\restore.exe runs on boot and then deletes itself. ndis.sys is infected at that time. There is a registry entry HKLM\CurrentControlSet\Ser
ore which apparently initiates the infector. I have tried deleting the registry image file location but restore.exe is still running on boot. Of course, it is not listed as a service (services.msc). ndis.sys is not always flagged as infected by AVG. I think the infector may have also dropped C:\Windows\temp\BNA.tmp but am not sure.
ComboFix log is attached. There are a number of entries in the recently added (30 day) files section that are strangely named but legitimate. Those are in the C:\windows\system32\dllcache folder. I had to run SFC and re-install the video driver to get the PC back in usable condition. I didn't save a copy of the initial ComboFix run log -- wish I had.
BlackLight did not detect any root kits and neither does ComboFix.
Two MBAM logs and a HJT log are also attached. MBAM does identify the HKLM\CurrentControlSet\Ser
ore registry entry.