Author Topic: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3  (Read 8444 times)


iroc9555

  • Guest
VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« on: December 19, 2012, 02:55:08 PM »
This has been reported in the Spanish forum.

VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 as a Win32:Malware-gen in XP SP3.

I am posting here because it is more likely to be read by an Avast! team member.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #1 on: December 19, 2012, 03:19:41 PM »
What scan detected this?

I have XP Pro SP3 and no alerts today and I have just scanned it, see image.

Has this file been on the system for a long time, and do the creation date and last modified date match (file Properties)?

Mine has an MD5 hash of 1df7f42665c94b825322fae71721130d
« Last Edit: December 19, 2012, 03:26:28 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

iroc9555

  • Guest
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #2 on: December 19, 2012, 03:42:27 PM »
According to the OP, only once VPS 121219-0 has been installed and the computer rebooted does it give a BSOD. So I believed it must be the rootkit scanner.

I told him to get in touch with Avast!. He also said he has a fix similar to the one for last week's tcpip.sys F/P.

http://forum.avast.com/index.php?topic=111540.msg876263#msg876263


ADDED

ndis.sys 5.1.2600.5512 in CD XP SP3
SHA256: fe0dcb728471465b39a42a7511f4133021fba5df88f88bcb5fe2ff34cfd713f9
https://www.virustotal.com/file/fe0dcb728471465b39a42a7511f4133021fba5df88f88bcb5fe2ff34cfd713f9/analysis/

ndis.sys 5.1.2600.5588 in XP Problem
SHA256: c12c8ff5ae344381faa413fc05e273b856d5d9151c2c69898c54d32b393ee1a4
https://www.virustotal.com/file/c12c8ff5ae344381faa413fc05e273b856d5d9151c2c69898c54d32b393ee1a4/analysis/

David. Mine is like yours. No modification from original.
« Last Edit: December 19, 2012, 04:11:46 PM by iroc9555 »
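The checks DavidR asked for in Reply #1 (hash, creation vs. modified date) and the two SHA256 values quoted above, put into an added Python triage script; this is not code from the thread or from avast. It hashes a driver, compares the SHA256 against the two known-good values from this reply, reads the embedded file version, and flags a modified date later than the creation date. The default XP path and the signature-scan shortcut for the version block are my assumptions.

```python
import hashlib
import os
import struct
import sys
import time

# SHA256 digests quoted in this thread (Reply #2) for the two legitimate ndis.sys builds.
KNOWN_SHA256 = {
    "fe0dcb728471465b39a42a7511f4133021fba5df88f88bcb5fe2ff34cfd713f9": "5.1.2600.5512 (XP SP3 CD)",
    "c12c8ff5ae344381faa413fc05e273b856d5d9151c2c69898c54d32b393ee1a4": "5.1.2600.5588 (KB952117-v2)",
}
VS_FFI_SIGNATURE = 0xFEEF04BD  # dwSignature of VS_FIXEDFILEINFO in a PE version resource


def file_version(data: bytes):
    """Return 'a.b.c.d' from the first VS_FIXEDFILEINFO in the image, or None.
    Scanning for the fixed signature instead of walking the resource directory
    is a triage shortcut (my assumption), not a full PE parse."""
    pos = data.find(struct.pack("<I", VS_FFI_SIGNATURE))
    if pos < 0 or pos + 16 > len(data):
        return None
    # Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _sig, _struc, ms, ls = struct.unpack_from("<IIII", data, pos)
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def classify(data: bytes):
    """Hash the bytes and report which known-good build (if any) they match."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "md5": hashlib.md5(data).hexdigest(),  # DavidR compared MD5 in Reply #1
        "known_build": KNOWN_SHA256.get(digest),
        "version": file_version(data),
    }


def triage(path: str):
    """Triage one on-disk driver: hashes, embedded version and timestamp sanity."""
    with open(path, "rb") as f:
        report = classify(f.read())
    st = os.stat(path)
    # On Windows st_ctime is the creation time; on POSIX it is the inode change
    # time, so the created/modified comparison is only meaningful on Windows.
    stamp = lambda t: time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(t))
    report["created"], report["modified"] = stamp(st.st_ctime), stamp(st.st_mtime)
    report["modified_after_creation"] = st.st_mtime > st.st_ctime + 1
    return report


if __name__ == "__main__":  # default path is an assumption for a standard XP install
    for k, v in triage(sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\drivers\ndis.sys").items():
        print(f"{k:24} {v}")
```

A copy whose SHA256 matches neither known build, or whose modified date is later than its creation date, is the case worth submitting to the virus lab rather than excluding.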

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #3 on: December 19, 2012, 04:34:17 PM »
Well the anti-rootkit scan 8 minutes after boot is essentially looking for rootkits and not conventional avast detections like win32:Malware-gen. So I'm not sure that it is the anti-rootkit scan picking this up.

But it certainly needs to be sent to the avast virus labs for further analysis.

I just wonder how/why his copy differs from ours; it may well relate to his prior problem with a modified copy of tcpip.sys?

iroc9555

  • Guest
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #4 on: December 20, 2012, 12:04:01 AM »
DavidR.

Well the anti-rootkit scan 8 minutes after boot is essentially looking for rootkits and not conventional avast detections like win32:Malware-gen. So I'm not sure that it is the anti-rootkit scan picking this up.

Yes, I am assuming it is the anti-rootkit scan, since the OP said it was a similar detection to tcpip.sys, which was also detected as a win32:Malware-gen even though it was supposedly a rootkit.

Hello !
I've just turned on my computer, and after the system has started up a warning message from Avast popped up telling me that "ROOTKIT FOUND".
I think the rootkit has to do with the internet connection, it's named SVC: Tcpip and is located in "C:\Windows\System32\Drivers\tcpip.sys"; the name of the rootkit is "Win32:Malware-gen".

I just wonder how/why his copy differs to ours, it may well relate to his prior problem with a modified copy of tcpip.sys ?

He seems to be in IT with some clients, so I imagine he likes to tweak things, and you are right, he also had the problem with the modified tcpip.sys detected by Avast! last week or so.

BTW there have been no more reports about it in the Spanish forum or here so it might have been only a rare occurrence.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #5 on: December 20, 2012, 01:33:40 AM »
And no reports of the XP SP3 ndis.sys file being detected in the viruses and worms forum either (that I have seen), so somewhat strange.

germangelv

  • Guest
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #6 on: December 20, 2012, 06:51:40 PM »
Hi all, actually it is an antivirus error.

NDIS.SYS 5.1.2600.5588 is the latest update to NDIS for the update: KB952117-v2 http://support.microsoft.com/kb/952117
Download: http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=952117
The NDIS VirusTotal analysis is: https://www.virustotal.com/file/c12c8ff5ae344381faa413fc05e273b856d5d9151c2c69898c54d32b393ee1a4/analysis/
All Windows XP SP3 systems updated to KB952117-v2 where the antivirus deleted the file suffer a 0x7E BSOD (805E75C7, F78DA45C, F78DA158).
regards
« Last Edit: December 20, 2012, 06:54:14 PM by germangelv »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #7 on: December 20, 2012, 08:25:48 PM »
So unless an XP user has had this problem and applied this hotfix, there won't be any detection.

If you have a sample of the file send it to avast for analysis and correction of the detection as required.

Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update. A link to this topic wouldn't hurt.

@@@@
- In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below):
File System Shield, Expert Settings, Exclusions, Add and
avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Note: When using the Browse button it only goes down to folder level; accept that. Now open the entry in the exclusions and change the \* to \file_name.exe, where file_name.exe is the file you want to exclude.

iroc9555

  • Guest
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #8 on: December 20, 2012, 11:21:34 PM »
Hi all, actually is an antivirus error.
NDIS.SYS 5.1.2600.5588 is the latest update to NDIS for the update: KB952117-v2 http://support.microsoft.com/kb/952117

No, it is not an AV error. An F/P, maybe.
It is not an update. It is a hotfix, only to be installed if your PC hangs when you put it into hibernation or standby.
If you do not understand DavidR's instructions, ask me in your Spanish topic, and I will guide you.

germangelv

  • Guest
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #9 on: December 21, 2012, 03:37:44 AM »
My English is horrible.
I understand the explanation. thanks.

Now send the file for review.
The update 121220-0, does not detect it as virus.
I am a PC repair technician. I suffered a lot these days because of avast.

crs_seq

  • Guest
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #10 on: December 21, 2012, 03:52:10 AM »
After recovering from a BSOD I got a virus threat alert saying avast file system had blocked a threat from a Malware-gen infected ndis.sys. I scanned the PC but the result was negative. After some time I got another BSOD; again I got the same virus threat alert, and after scanning the PC again I received a negative virus report. What is going on? Please help.
I have the Windows XP SP3 operating system and it hasn't been updated, nor have I used any hotfixes or patches. (ndis properties shows version number 5.1.2600.5588 and it hasn't been modified since 2008.)
« Last Edit: December 21, 2012, 03:58:57 AM by crs_seq »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #11 on: December 21, 2012, 01:04:02 PM »
Follow the instructions in my Reply #7 above to submit the sample ndis.sys to avast.

crs_seq

  • Guest
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #12 on: December 21, 2012, 02:34:56 PM »
The threat is blocked before it is executed and doesn't show up in the virus chest. What do I do?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #13 on: December 21, 2012, 02:53:28 PM »
You can manually add it to the chest (it is just a copy being added not the original) and then send that for analysis.

crs_seq

  • Guest
Re: VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3
« Reply #14 on: December 21, 2012, 07:44:39 PM »
Can I just delete the file manually? What are the effects of doing so?