How to fix ntndis.sys and ipsecndis.sys in Windows XP

by Phil Jones
June 2010

Problem

Malwarebytes' Anti-Malware found two items that wouldn't go away:

C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.

On running Malwarebytes after reboot, the same items were found again. I could not find ntndis.sys or ipsecndis.sys using Windows Explorer or the command prompt, even with "Show hidden files" on and "Hide protected operating system files" off. I tried booting from a live CD such as Knoppix and still couldn't find them. In Windows XP Safe Mode, Malwarebytes didn't find the infected objects, but in normal mode, the malware items were found.

Answer

What's going on?

The malware patched three Windows system files:

C:\WINDOWS\system32\drivers\atapi.sys
C:\WINDOWS\system32\drivers\ipsec.sys
C:\WINDOWS\system32\drivers\ndis.sys

These system files appeared to create the infected objects identified by Malwarebytes, but only while Windows was running. Furthermore, the infected objects are invisible to Windows' regular file management tools. The files atapi.sys, ipsec.sys and ndis.sys are system files that can't be repaired by normal means. How do you know which system files are affected? I ran GMER and it immediately indicated that atapi.sys and ipsec.sys had a "suspicious modification".

How I fixed it

I booted using a Windows XP install CD. The version and service pack level must match those of the installed system. My infected system was Windows XP Media Center Edition Service Pack 2; I booted using a Windows XP Home SP2 OEM CD. I pressed 'R' for the Recovery Console and recovered good copies of the three patched system files using the extract command. For example, after logging on to the Recovery Console, assuming the CD is drive F:

    cd windows\system32\drivers
    rename atapi.sys atapi.old
    rename ipsec.sys ipsec.old
    rename ndis.sys ndis.old
    extract f:\i386\atapi.sy_
    extract f:\i386\ipsec.sy_
    extract f:\i386\ndis.sy_
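
The key point of the procedure above is that nothing running on the infected Windows installation can be trusted to report on its own drivers, so the comparison has to happen from outside it (a live CD, or a second machine) against reference copies taken from the install media. The following script is an added example, not part of the original post or of any tool it mentions. It assumes the infected volume's drivers folder and a folder of reference drivers already expanded from the CD's .sy_ cabinet files are both accessible as ordinary directories (for instance, a Windows partition mounted from Knoppix; the reference copies are assumed to have been expanded with Microsoft's expand tool or cabextract, which is not shown here). It hashes each of the three drivers named in this post and reports which ones differ from the reference, which are missing, and which match. The demo() function builds constructed sample files in a temporary directory so the script can run offline; the "patched" ipsec.sys there is fabricated sample data, not a real rootkit artifact.

```python
import hashlib
import tempfile
from pathlib import Path

# The three drivers the post identifies as patched by the rootkit.
SUSPECT_DRIVERS = ("atapi.sys", "ipsec.sys", "ndis.sys")


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large drivers are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_drivers(installed_dir, reference_dir, names=SUSPECT_DRIVERS):
    """Compare installed drivers against known-good reference copies.

    installed_dir: the offline volume's system32\\drivers folder (assumed
                   mounted read-only from a live CD, not the running OS).
    reference_dir: clean copies expanded from the install CD's i386\\*.sy_.
    Returns {driver name: 'ok' | 'modified' | 'missing' | 'no-reference'}.
    """
    results = {}
    for name in names:
        installed = Path(installed_dir) / name
        reference = Path(reference_dir) / name
        if not installed.exists():
            # Absent on the offline volume: the file may be hidden only
            # while the rootkit runs, or may have been removed already.
            results[name] = "missing"
        elif not reference.exists():
            results[name] = "no-reference"
        elif sha256_of(installed) == sha256_of(reference):
            results[name] = "ok"
        else:
            # Any byte-level difference from the install-media copy is
            # reported; a patched driver will always land here.
            results[name] = "modified"
    return results


def demo():
    """Run the comparison on constructed sample data (not real drivers)."""
    with tempfile.TemporaryDirectory() as tmp:
        reference = Path(tmp) / "i386_expanded"
        installed = Path(tmp) / "drivers"
        reference.mkdir()
        installed.mkdir()
        # Constructed "clean" reference contents for all three drivers.
        for name in SUSPECT_DRIVERS:
            (reference / name).write_bytes(b"clean " + name.encode())
        # Constructed installed volume: atapi.sys untouched, ipsec.sys
        # with extra bytes appended to stand in for a patch, ndis.sys absent.
        (installed / "atapi.sys").write_bytes(b"clean atapi.sys")
        (installed / "ipsec.sys").write_bytes(b"clean ipsec.sys" + b"\x90" * 16)
        return compare_drivers(installed, reference)


if __name__ == "__main__":
    for driver, status in demo().items():
        print(f"{driver}: {status}")
```

In real use, point compare_drivers at the mounted volume and the expanded reference folder; any driver reported as modified is a candidate for the rename-and-extract step described above. A hash match only proves the file equals the install-media copy of that service pack level, so drivers updated by a later hotfix will show as modified too; check those against the hotfix package rather than the CD.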

Follow up

Installing Windows XP Service Pack 3 failed with "C:\WINDOWS\system32\drivers\ndis.sys is in use". It looked like ndis.sys was still infected, although it hadn't been identified by GMER. I extracted a fresh copy of ndis.sys using Recovery Console and then the Service Pack installed OK. During the installation of SP3, AVG Free Edition found something (not sure what it was, sorry) and "Move to Vault" worked normally. Microsoft Malicious Software Removal Tool found "C:\WINDOWS\system32\drivers\ipsec.old" and deleted it.

Job done

Quick Scan with Malwarebytes' Anti-Malware, database version 4192, result: "No malicious items were detected".