Rootkit and/or Trojan

Posted on 2009-04-11
Medium Priority
Last Modified: 2013-12-06
I've been working on this PC for several days and thought I had it clean. Installed AVG which is showing C:\windows\system32\drivers\ndis.sys infected with Trojan Horse Rootkit-Agent.DI. ndis.sys is a legit Windows file and part of the OS (part of network driver). I tried submitting to Jotti for verification but upload hangs.

What I have been able to determine is that C:\windows\drivers\restore.exe runs on boot and then deletes itself. ndis.sys is infected at that time. There is a registry entry HKLM\CurrentControlSet\Services\Restore which apparently initiates the infector. I have tried deleting the registry image file location but restore.exe is still running on boot. Of course, it is not listed as a service (services.msc). ndis.sys is not always flagged as infected by AVG. I think the infector may have also dropped C:\Windows\temp\BNA.tmp but am not sure.

ComboFix log is attached. There are a number of entries in recently added (30 day) files section that are strangely named but legitimate. Those are in C:\windows\system32\dllcache folder. I had to run SFC and re-install video driver to get PC back in usable condition. I didn't save a copy of initial ComboFix run log -- wish I had.

BlackLight did not detect any root kits and neither does ComboFix.

Two MBAM logs and a HJT log are also attached. MBAM does identify the  HKLM\CurrentControlSet\Services\Restore registry entry.

Question by:willcomp
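The pattern in the question (a Services entry that is not visible in services.msc, pointing at a loader that deletes itself after it has patched a driver) can be hunted for directly in the registry rather than waiting for a scanner to flag it. The script below is an added example written for this page, not something posted in the thread: it walks HKLM\SYSTEM\CurrentControlSet\Services (the full key behind the HKLM\CurrentControlSet\Services path quoted above), resolves each ImagePath, and reports entries whose binary is missing on disk, fails Authenticode verification, or sits outside the usual system directories. The Resolve-ImagePath and Get-ServiceTriage function names and the list of "expected" directories are my choices for illustration.

```powershell
# Added example (not posted in the thread): walk every entry under
# HKLM\SYSTEM\CurrentControlSet\Services, resolve its ImagePath, and flag the
# pattern described above: a service or driver whose binary is missing (a loader
# that deletes itself after running), fails Authenticode verification, or lives
# outside the usual system directories. Run from an elevated PowerShell prompt.

$servicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot   = $env:SystemRoot
# Directories we consider normal for service/driver binaries (assumption; extend as needed).
# system32\drivers is under system32, so the prefix test below covers it.
$expectedDirs = @(
    (Join-Path $systemRoot 'system32'),
    (Join-Path $systemRoot 'SysWOW64')
)

function Resolve-ImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    # Drop arguments: either a quoted executable or the first token ending in .exe/.sys/.dll
    if ($p -match '^"([^"]+)"')                      { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    # Kernel-style (\??\) and relative forms used by driver entries
    $p = $p -replace '^\\\?\?\\', ''
    if     ($p -match '^\\SystemRoot\\')          { $p = $p -replace '^\\SystemRoot\\', ($systemRoot + '\') }
    elseif (-not [IO.Path]::IsPathRooted($p))     { $p = Join-Path $systemRoot $p }
    return $p
}

function Get-ServiceTriage {
    Get-ChildItem -Path $servicesKey | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        $path  = Resolve-ImagePath $props.ImagePath
        if (-not $path) { return }            # sub-keys without an ImagePath (Parameters, groups)
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $dir    = if ($exists) { Split-Path -Parent $path } else { '' }
        $usual  = [bool]($expectedDirs | Where-Object { $dir.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        [pscustomobject]@{
            Service    = $_.PSChildName
            Start      = $props.Start         # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath  = $path
            Exists     = $exists
            Signature  = if ($sig) { $sig.Status.ToString() } else { 'missing' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            UnusualDir = ($exists -and -not $usual)
        }
    }
}

# Only the entries worth a human look: no binary on disk, not validly signed, or odd location.
# A self-deleting loader like the "Restore" entry above shows up as Exists = False.
Get-ServiceTriage |
    Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' -or $_.UnusualDir } |
    Sort-Object Exists, Signature |
    Format-Table Service, Start, Exists, Signature, UnusualDir, ImagePath -AutoSize
```

Two caveats a practitioner should keep in mind. First, a missing binary is only suspicious when the entry is still set to start (Start 0 to 3); stale entries for uninstalled software also leave dangling ImagePaths. Second, most Microsoft system files are signed through a catalog rather than an embedded signature, so if the report shows nearly every Windows binary as NotSigned the check is not resolving catalogs on that system, and a catalog-aware tool such as Sysinternals sigcheck (which is what the accepted answer relied on) should be used to settle the question.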
LVL 47

Accepted Solution

rpggamergirl earned 1600 total points
ID: 24124804
Hi willcomp,

ndis.sys failed the sigcheck so that's probably patched or maybe sality or virut is present there... I would just replace that to be sure.

I did not check those files in the dllcache folder (assuming they're all legit)... but some nasties can also hide in dllcache and i386 folders... most likely what's going on here is a file infector. Snapshot is also showing some filesize discrepancy.

If it's virut a reformat and reinstall would be the quickest and safest solution as depending on how long the system has been infected it takes time and patience to remove and replace corrupted files. And even then we cannot guarantee that the system is virus-free or error-free afterwards.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
c:\program files\Common Files\omykon.vbs
c:\documents and settings\Owner\Application Data\iwyn.bin
c:\documents and settings\All Users\Application Data\ocisib.dll
c:\program files\Common Files\befydyz.scr
c:\program files\Common Files\tavosep.sys
c:\program files\Common Files\ehexigetiw.exe
c:\documents and settings\Owner\Application Data\yhyn.vbs
c:\documents and settings\All Users\Application Data\lipaf.bat
c:\documents and settings\Owner\Application Data\ziqylalisa.dll
c:\documents and settings\Owner\Application Data\jydocatyja.exe
c:\program files\Common Files\hozusur.inf
c:\documents and settings\Owner\Application Data\yzare.sys
c:\program files\Common Files\emakutik.dl

c:\program files\temp01

3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

Also run ATF Cleaner or CCleaner:
Download and run ATF Cleaner by Atribune.
It's normal after running ATF cleaner that the PC will be slower to boot the first time.
LVL 32

Author Comment

ID: 24125709
rpg -- thanks for the response. Ran ComboFix script and log is attached.

ndis.sys is still infected -- surprise! surprise!

I run CCleaner to clean both files and registry as a matter of course, so that had already been done. Reran to be safe but nothing suspicious was deleted (only a few log files left to delete). I also delete files in \Documents and Settings\%username%\Local Settings\Temp folder(s). Learned years ago that was a favorite malware hiding place and neither CCleaner nor ATF Cleaner clean those folders.

It's Easter Sunday morning here so I won't be working on PC again until later in the day. Will update as I have more info.
LVL 32

Author Comment

ID: 24125732
Forgot to add -- verified those files in dllcache folder were MS signed files.
LVL 15

Assisted Solution

greyknight17 earned 400 total points
ID: 24127213
Download the Flash Disinfector at and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Go to and follow the instructions on how to install the Recovery Console using ComboFix. You may skip the part with using a CD to do it and go straight to the Microsoft website to download it instead.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text below into Notepad:

File::
c:\program files\temp01
FCopy::
c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\drivers\ndis.sys

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
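Both the accepted answer (ndis.sys failing sigcheck, with a file size discrepancy in the snapshot) and the FCopy:: step above come down to the same check: compare the live driver with the pristine copies Windows keeps in dllcache and ServicePackFiles\i386, and replace it only from a copy that verifies. The script below is an added example written for this page, not code from the thread or from ComboFix. It assumes the XP-era paths discussed above, a quarantine folder at the root of the system drive for the suspect copy, and function names (Get-FileReport, Test-DriverIntegrity, Restore-Driver) chosen for illustration.

```powershell
# Added example (not posted in the thread): check a live driver against the
# copies Windows keeps in dllcache and ServicePackFiles\i386, and replace it only
# from a copy whose Authenticode signature verifies. Paths follow the XP-era
# layout discussed above (assumption); run from an elevated PowerShell prompt.

function Get-FileReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Size = 0; Version = '';
                                  SHA256 = ''; Signature = 'missing'; Signer = '' }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Size      = $item.Length                    # file infectors grow the file
        Version   = $item.VersionInfo.FileVersion
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = $sig.Status.ToString()          # Valid / HashMismatch / NotSigned / ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

function Test-DriverIntegrity {
    param([string]$Name = 'ndis.sys', [string]$SystemRoot = $env:SystemRoot)
    $live    = Join-Path $SystemRoot "system32\drivers\$Name"
    $backups = @(
        (Join-Path $SystemRoot "system32\dllcache\$Name"),
        (Join-Path $SystemRoot "ServicePackFiles\i386\$Name")
    )
    $reports = @((@($live) + $backups) | ForEach-Object { Get-FileReport $_ })
    # Side-by-side view: size, version and hash differences are what the thread's
    # "filesize discrepancy" looks like in practice.
    $reports | Format-Table Path, Exists, Size, Version, Signature, Signer -AutoSize | Out-Host
    $liveReport = $reports[0]
    # Prefer a backup whose signature verifies; a hash match alone proves nothing,
    # because a file infector can touch dllcache as well.
    $clean = $reports[1..($reports.Count - 1)] |
        Where-Object { $_.Exists -and $_.Signature -eq 'Valid' } |
        Select-Object -First 1
    [pscustomobject]@{
        Live         = $liveReport
        LiveIsClean  = ($liveReport.Signature -eq 'Valid')
        CleanSource  = $clean
        SameAsSource = [bool]($clean -and ($liveReport.SHA256 -eq $clean.SHA256))
    }
}

function Restore-Driver {
    param([string]$From, [string]$To,
          [string]$Quarantine = (Join-Path $env:SystemDrive 'quarantine'))   # assumed location
    New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    # Keep the suspect copy for submission to a scanner (the question tried Jotti).
    Copy-Item -LiteralPath $To -Destination (Join-Path $Quarantine "$(Split-Path -Leaf $To).$stamp.bad") -Force
    try {
        Copy-Item -LiteralPath $From -Destination $To -Force -ErrorAction Stop
        "Replaced $To from $From"
    } catch {
        # A loaded boot-start driver cannot be overwritten online; do it from the
        # Recovery Console or an offline boot, or let ComboFix's FCopy:: handle it.
        "Could not replace $To while it is in use: $($_.Exception.Message)"
    }
}

$result = Test-DriverIntegrity -Name 'ndis.sys'
if (-not $result.LiveIsClean -and $result.CleanSource) {
    Restore-Driver -From $result.CleanSource.Path -To $result.Live.Path
}
```

Two points worth checking before trusting the result. Windows File Protection on XP will itself copy a driver back from dllcache when it sees the live file change, so if dllcache holds an infected copy the replacement is undone on the next check; that is why the script insists on a source whose signature is Valid rather than one that merely matches. And as with any Authenticode check on Windows system files, a NotSigned result across the board means the catalog was not consulted, not that the files are unsigned; cross-check with sigcheck in that case.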
LVL 32

Author Comment

ID: 24127653
@greyknight17 -- thanks, but I have already deleted ndis.sys and "expanded" a new copy from XP CD.

FYI -- that link to Flash Disinfector is no longer valid. This one still works:

LVL 15

Expert Comment

ID: 24129636
Are you still having any signs of infection now? If not, go to Start > Run and type in combofix /u to remove it. Please read the below for guides on how to help prevent infections:

1. TonyKlein's article "So how did I get infected in the first place?"
2. "Simple and easy ways to keep your computer safe and secure on the Internet"
3. "miekiemoes' "How to prevent Malware"
LVL 32

Author Comment

ID: 24129946
@greyknight17 -- I'm very familiar with ComboFix including its removal. No matter what software I install and how much I advise customers, they continue to let their kids have full access to the internet. Could be because the parents are dependent on the kids for using the PC. They also aren't good about updating and/or renewing AV and anti-spyware software. Although I configure automatic updates, they won't leave PCs turned on when not in use.

I do occasionally need a Combofix script or peer input. I haven't attended Malware U yet and rely on the good folks here that have.

Some friendly advice -- when the questioner is a qualified expert, you might want to check their profile.
LVL 15

Expert Comment

ID: 24133044
You didn't mention that the issue was resolved, so I wasn't sure if the issue was remaining.

Will take that advice and view the profile for those who are qualified experts in the future. But I don't see how that would help out in this case.
LVL 32

Author Comment

ID: 24133128
The jury is still out on whether the problem is resolved. Believe it is but waiting to see.

Without checking profiles, it's hard to determine one's level of expertise. I do appreciate your responding, but there's no need to provide basic information where it's not needed.

Did you update your link for Flash Disinfector? When you have "canned" responses or a list of links, it's good to validate links periodically.
LVL 47

Expert Comment

ID: 24133425
Yes, the techsupportforum link hasn't been working for awhile...
Here's the working link that I've been using:
Thanks for that link willcomp, :) I'll add that to my canned in case one link stops working.
LVL 32

Author Comment

ID: 24134163
No reinfections so far. Restore service is still not in registry and ndis.sys is still clean. I'll monitor for a while longer and then uninstall Combofix and call it cured.

Thanks for your help.
LVL 32

Author Closing Comment

ID: 31569264
Appreciate the help. It seems to be clean. I'll monitor for another day and then uninstall ComboFix and pronounce it cured.
LVL 15

Expert Comment

ID: 24142474
Been meaning to update the link but keep forgetting. Will try to do it now. Thanks.
