How to fix ntndis.sys and ipsecndis.sys in Windows XP
by Phil Jones
June 2010
Problem
Malwarebytes' Anti-Malware found two items that wouldn't go away:
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.
On running Malwarebytes after reboot, the same items were found again. I
could not find ntndis.sys or ipsecndis.sys using Windows Explorer or the command
prompt, even with "Show hidden files" on and "Hide protected operating
system files" off. I tried booting from a live CD such as Knoppix and
still couldn't find them. In Windows XP Safe Mode, Malwarebytes didn't
find the infected objects, but in normal mode, the malware items were
found.
Answer
What's going on?
The malware patched three Windows system files:
C:\WINDOWS\system32\drivers\atapi.sys
C:\WINDOWS\system32\drivers\ipsec.sys
C:\WINDOWS\system32\drivers\ndis.sys
These patched system files appeared to create the infected objects
identified by Malwarebytes, but only while Windows was running, and
those objects are invisible to Windows' regular file management tools.
Because atapi.sys, ipsec.sys and ndis.sys are protected system files,
they can't be repaired by normal means from within Windows. To find out
which system files were affected, I ran GMER, and it immediately
indicated that atapi.sys and ipsec.sys had a "suspicious modification".
How I fixed it
I booted from a Windows XP install CD; the CD's Windows version and
service pack level must match the installed system. My infected system
was Windows XP Media Center Edition Service Pack 2, and I booted using a
Windows XP Home SP2 OEM CD. I pressed 'R' for the Recovery Console and
recovered good copies of the three patched system files using the
extract command. For example, after logging on to the Recovery Console,
assuming the CD is drive F:
cd windows\system32\drivers
rename atapi.sys atapi.old
rename ipsec.sys ipsec.old
rename ndis.sys ndis.old
extract f:\i386\atapi.sy_
extract f:\i386\ipsec.sy_
extract f:\i386\ndis.sy_
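As an added example (not part of Phil's original write-up), the script below does from a Linux live CD such as Knoppix what GMER's "suspicious modification" flag and the Recovery Console extract step do by hand: it expands atapi.sy_, ipsec.sy_ and ndis.sy_ from the install CD's i386 folder and byte-compares them with the drivers on the infected disk, so a patched driver is spotted without trusting the running Windows. It assumes cabextract is installed and that the Windows volume and the CD are mounted at /mnt/windows and /mnt/cdrom (both assumed paths, overridable through the environment).

```shell
#!/bin/sh
# Offline driver integrity check, run from a Linux live CD such as Knoppix.
# Assumptions (not from the original article): the NTFS system volume is
# mounted at WIN_ROOT, the matching XP install CD at CD_ROOT, and
# cabextract is installed to expand the single-file cabinets in i386.
WIN_ROOT="${WIN_ROOT:-/mnt/windows}"
CD_ROOT="${CD_ROOT:-/mnt/cdrom}"
DRIVERS="atapi ipsec ndis"

# compare_driver INSTALLED REFERENCE
# Returns 0 when the two files are byte-identical, 1 when the installed
# driver differs from the reference copy, 2 when either file is missing.
compare_driver() {
    installed="$1"
    reference="$2"
    [ -f "$installed" ] && [ -f "$reference" ] || return 2
    cmp -s "$installed" "$reference" || return 1
    return 0
}

# check_all: expand each driver from the CD into a temp dir and compare it
# with the copy under WINDOWS\system32\drivers. Returns 0 only if all match.
check_all() {
    tmp=$(mktemp -d) || return 2
    rc=0
    for name in $DRIVERS; do
        # cabextract -d DIR expands i386/atapi.sy_ to DIR/atapi.sys
        cabextract -q -d "$tmp" "$CD_ROOT/i386/$name.sy_" >/dev/null 2>&1 || true
        st=0
        compare_driver "$WIN_ROOT/WINDOWS/system32/drivers/$name.sys" \
                       "$tmp/$name.sys" || st=$?
        case $st in
            0) echo "OK       $name.sys" ;;
            1) echo "MODIFIED $name.sys (differs from install media copy)"; rc=1 ;;
            *) echo "MISSING  $name.sys (not on disk or not expanded from CD)"; rc=1 ;;
        esac
    done
    rm -rf "$tmp"
    return $rc
}

# Run the full check only when invoked with --run, so the file can also be
# sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    check_all
fi
```

A MODIFIED result also appears when a hotfix or a later service pack replaced the driver, so it means "check further", not "infected". Because the comparison reads the disk offline, it says nothing about objects that exist only while Windows is running.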
Follow up
Installing Windows XP Service Pack 3 failed with
"C:\WINDOWS\system32\drivers\ndis.sys is in use". It looked like
ndis.sys was still infected, although it hadn't been identified by
GMER. I extracted a fresh copy of ndis.sys using Recovery Console and
then the Service Pack installed OK. During the installation of SP3, AVG
Free Edition found something (not sure what it was, sorry) and "Move to
Vault" worked normally. Microsoft Malicious Software Removal Tool found
"C:\WINDOWS\system32\drivers\ipsec.old" and deleted it.
Job done
Quick Scan with Malwarebytes' Anti-Malware, database version 4192,
result: "No malicious items were detected".