Thread: Can't get rid of ntndis.sys and ipsecndis.sys

  1. #1
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503


    One more virus scan in order I think. And a security update check.

    Go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Download Security Check by screen317 from here or here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    IndiGenus

  2. #2
    Member
    Join Date
    Feb 2009
    Posts
    40

    Hmmm...this is somewhat troubling

    Kaspersky log:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, July 11, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, July 11, 2010 21:02:59
    Records in database: 4232635
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    R:\

    Scan statistics:
    Objects scanned: 66508
    Threats found: 2
    Infected objects found: 2
    Suspicious objects found: 0
    Scan duration: 02:03:03


    File name / Threat / Threats count
    C:\WINDOWS\system32\dllcache\ndis.sys Infected: Virus.Win32.Protector.f 1
    C:\WINDOWS\system32\drivers\etc\hosts.20090531-021030.backup Infected: Trojan.Win32.Qhost.mcf 1

    Selected area has been scanned.

    ---------------------------------------------------------------------------

    Security Check log:

    Results of screen317's Security Check version 0.99.4
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    McAfee VirusScan Enterprise
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 20
    Adobe Flash Player 10.1.53.64
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    McAfee VirusScan Enterprise Mcshield.exe
    McAfee VirusScan Enterprise VsTskMgr.exe
    McAfee VirusScan Enterprise SHSTAT.EXE
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````

  3. #3
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503


    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main text field:
      Code:
      :filefind
      ndis.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    IndiGenus

  4. #4
    Member
    Join Date
    Feb 2009
    Posts
    40

    Will do when I get back...

    Can't do it now - out for 6 hrs.

  5. #5
    Member
    Join Date
    Feb 2009
    Posts
    40

    Here's the SystemLook log

    Also, just after the log popped up, McAfee on-access alert indicated that it cleaned the ndis.sys file.
    McAfee log:
    The file C:\WINDOWS\system32\dllcache\ndis.sys contained W32/Cutwail.a!rootkit Virus. The file was successfully cleaned with Scan engine version 5400.1158 DAT version 6040.0000.

    -------------------------------------------------------------------------

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 17:14 on 12/07/2010 by asmuthw (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "ndis.sys"
    C:\WINDOWS\$NtServicePackUninstall$\ndis.sys --a--c 182912 bytes [11:25 20/06/2008] [03:14 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
    C:\WINDOWS\ERDNT\cache\ndis.sys --a--- 182656 bytes [02:00 11/07/2010] [03:50 05/07/2010] 1DF7F42665C94B825322FAE71721130D
    C:\WINDOWS\ServicePackFiles\i386\ndis.sys --a--- 182656 bytes [11:34 20/06/2008] [04:50 14/04/2008] 1DF7F42665C94B825322FAE71721130D
    C:\WINDOWS\system32\dllcache\ndis.sys --a--c 210816 bytes [01:53 03/07/2010] [01:53 03/07/2010] 1DF7F42665C94B825322FAE71721130D
    C:\WINDOWS\system32\drivers\ndis.sys --a--- 182656 bytes [03:14 04/08/2004] [03:50 05/07/2010] 1DF7F42665C94B825322FAE71721130D

    -=End Of File=-

  6. #6
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503


    Let's make sure it was cleaned. The dllcache folder essentially contains backups of system files; in case something happens to a system file, it automatically gets replaced. Hate to have that happen with an infected file down the road.

    Please go to http://www.virustotal.com/en/indexf.html, click on Browse, and upload the following file for analysis:

    C:\WINDOWS\system32\dllcache\ndis.sys

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see. Or you can copy the link to the VT results page if that is easier.

    You can also delete that old hosts file backup.

    C:\WINDOWS\system32\drivers\etc\hosts.20090531-021030.backup
    IndiGenus
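
The SystemLook :filefind listing in post #5 and the re-check IndiGenus asks for above both come down to comparing the copies of ndis.sys with each other. The following Python is an added example, not part of this thread or of the SystemLook tool: it parses the five log lines as posted (embedded below as sample input copied from post #5), flags any copy whose MD5 differs from the ServicePackFiles copy, and flags records that are self-inconsistent, i.e. the same MD5 reported for a different byte size, which is exactly what the dllcache entry shows and is a reason to re-hash the file before submitting it to VirusTotal. The `hash_file` helper is an assumption about how one would re-hash a file on disk; the path names, sizes and hashes are the ones from the log.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample input: the SystemLook ":filefind ndis.sys" lines from
# post #5, copied verbatim so the checks below run offline.
SAMPLE_LOG = r"""
Searching for "ndis.sys"
C:\WINDOWS\$NtServicePackUninstall$\ndis.sys --a--c 182912 bytes [11:25 20/06/2008] [03:14 04/08/2004] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\ERDNT\cache\ndis.sys --a--- 182656 bytes [02:00 11/07/2010] [03:50 05/07/2010] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\ServicePackFiles\i386\ndis.sys --a--- 182656 bytes [11:34 20/06/2008] [04:50 14/04/2008] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\dllcache\ndis.sys --a--c 210816 bytes [01:53 03/07/2010] [01:53 03/07/2010] 1DF7F42665C94B825322FAE71721130D
C:\WINDOWS\system32\drivers\ndis.sys --a--- 182656 bytes [03:14 04/08/2004] [03:50 05/07/2010] 1DF7F42665C94B825322FAE71721130D

-=End Of File=-
"""

# One filefind result line: path, attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?) '
    r'(?P<attrs>[-a-z]{6}) '
    r'(?P<size>\d+) bytes '
    r'\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] '
    r'(?P<md5>[0-9A-Fa-f]{32})$'
)


def parse_filefind(log_text):
    """Return one dict per result line; header and footer lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d['size'] = int(d['size'])
            d['md5'] = d['md5'].upper()
            entries.append(d)
    return entries


def triage(entries, reference_marker="\\ServicePackFiles\\"):
    """Return (path, reason) findings for copies that need a closer look.

    The ServicePackFiles copy is taken as the reference: that is the
    service-pack installer's own copy of the driver.
    """
    findings = []
    reference = [e for e in entries if reference_marker in e['path']]
    ref_md5 = reference[0]['md5'] if reference else None

    # (1) Copies whose hash differs from the reference copy.
    for e in entries:
        if ref_md5 and e['md5'] != ref_md5:
            findings.append((e['path'], 'md5 differs from ServicePackFiles copy'))

    # (2) Same MD5 but a different size: identical contents cannot have two
    #     sizes, so the record is self-inconsistent (e.g. the file changed
    #     between the size read and the hash read). Re-hash before trusting it.
    groups = defaultdict(list)
    for e in entries:
        groups[e['md5']].append(e)
    for group in groups.values():
        sizes = Counter(e['size'] for e in group)
        if len(sizes) > 1:
            common = sizes.most_common(1)[0][0]
            for e in group:
                if e['size'] != common:
                    findings.append((e['path'],
                                     f'size {e["size"]} but md5 matches '
                                     f'{len(group) - 1} copies of size {common}; re-hash'))
    return findings


def hash_file(path, chunk=1 << 20):
    """Assumed helper: re-hash a file on disk. MD5 compares with the SystemLook
    column; SHA-256 is the hash to search for on VirusTotal."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest().upper(), sha256.hexdigest()


if __name__ == '__main__':
    for path, reason in triage(parse_filefind(SAMPLE_LOG)):
        print(f'{path}: {reason}')
```

On the log as posted this flags two copies: the $NtServicePackUninstall$ one (a different, pre-service-pack version, so a different hash is expected) and the dllcache one, which reports the same MD5 as the three 182656-byte copies while being listed at 210816 bytes. That inconsistency fits the poster's note that McAfee cleaned the file just as the log appeared, and it is why the re-hash and VirusTotal check are worth doing rather than trusting the listing.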

  7. #7
    Member
    Join Date
    Feb 2009
    Posts
    40

    A little hiccup here...

    Seems the directory and file no longer exist on this machine... I did delete the backup file, though.
