VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 in XP SP3

This has been reported in the Spanish forum.

VPS 121219-0 detects NDIS.SYS 5.1.2600.5588 as a Win32-Malware-gen in Xp Sp3.

I am posting here because it has more probabilities to be read by an Avast! team member.

What scan detected this ?

I have XP Pro SP3 and no alerts today and I have just scanned it, see image.

Has this file been on the system for a long time and do the creation date and last modified date match (file Properties) ?

Mine has an MD5 hash of 1df7f42665c94b825322fae71721130d

According to the OP only if VPS 121219-0 has been installed and the comp rebooted give a BSOD. So I believed must be rootkit scanner.

I told him to get in touch with Avast!. He also said to have a fix similar to the tcpip.sys to last week F/P.

http://forum.avast.com/index.php?topic=111540.msg876263#msg876263

ADDED

ndis.sys 5.1.2600.5512 in CD XP SP3
SHA256: fe0dcb728471465b39a42a7511f4133021fba5df88f88bcb5fe2ff34cfd713f9
https://www.virustotal.com/file/fe0dcb728471465b39a42a7511f4133021fba5df88f88bcb5fe2ff34cfd713f9/analysis/

ndis.sys 5.1.2600.5588 in XP Problem
SHA256: c12c8ff5ae344381faa413fc05e273b856d5d9151c2c69898c54d32b393ee1a4
https://www.virustotal.com/file/c12c8ff5ae344381faa413fc05e273b856d5d9151c2c69898c54d32b393ee1a4/analysis/

David. Mine is like yours. No modification from original.

Well the anti-rootkit scan 8 minutes after boot is essentially looking for rootkits and not conventional avast detections like win32:Malware-gen. So I’m not sure that it is the anti-rootkit scan picking this up.

But it certainly needs to be sent to the avast virus labs for further analysis.

I just wonder how/why his copy differs to ours, it may well relate to his prior problem with a modified copy of tcpip.sys ?

DavidR.

Yes, I am assumig it is the anti-rootkit scan since the OP said it was a similar detection as tcpip.sys which it was also detected as a win32:Malware-gen eventhough it was supposedly a rootkit.

He seems to be an IT with some clients so I imagine he likes to tweak things, and you are right he also had the problem with the modified tcpip.sys detected by Avast! last week or so.

BTW there have been no more reports about it in the Spanish forum or here so it might have been only a rare occurrence.

And no reports of the XP SP3 ndis.sys file being detected in the viruses and worms forum either (that I have seen), so somewhat strange.

Hi all, actually is an antivirus error.

NDIS.SYS 5.1.2600.5588 is the latest update to NDIS for the update: KB952117-v2 http://support.microsoft.com/kb/952117
Download: http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=952117
The NDIS VirusTotal analysis is: https://www.virustotal.com/file/c12c8ff5ae344381faa413fc05e273b856d5d9151c2c69898c54d32b393ee1a4/analysis/
All Windows XP SP3 update to KB952117-v2 and antivirus deleted file, endure Ox7E BSOD (805E75C7, F78DA45C, F78DA158).
regards

So unless an XP user has had this problem and applied this hotfix they won’t be any detection.

If you have a sample of the file send it to avast for analysis and correction of the detection as required.

Send the sample to avast as a False Positive:
Open the chest and right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update. A link to this topic wouldn’t hurt.

@@@@

  • In the meantime (if you accept the risk), add the full path to the file to the exclusions lists (see Note below):
    File System Shield, Expert Settings, Exclusions, Add and
    avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.

Note: When using the Browse button it only goes down to folder level accept that. Now open the entry in the exclusions and change the * to \file_name.exe where file_name.exe is the file you want to exclude.

No it is not an AV error. A F/P may be.
It is not an update. It is a hotfix. Only to install if your PC hangs when put it into hibernation or into standby.
If you do not understand DavidR’s instructions, ask me in your Spanish topic, and I will guide you.

My English is horrible.
I understand the explanation. thanks.

Now send the file for review.
The update 121220-0, does not detect it as virus.
I repair technician pc. I suffered a lot these days by avast

After recovering from BSOD i got virus threat alert saying avast file system had blocked a threat from a malware-gen infected ndis.sys, I scanned the pc but the result was negative. after some time I got another BOSD again I got the same virus threat alert and after scanning the pc again I received a negative virus report. What is going on? please help.
I have windows xp sp3 operating system and it hasn’t been updated nor have I used any hotfixes or patches. (ndis properties shows version number 5.1.2600.5588 and it hasn’t been modified since 2008)

Follow the instructions in my Reply #7 above to submit the sample ndis.sys to avast.

the threat is blocked before it is executed and doesn’t show up in virus chest. what do I do?

You can manually add it to the chest (it is just a copy being added not the original) and then send that for analysis.

Can I just delete the file manually? What are the effects of doing so?

The last thing you want to do is delete it (system driver), windows would possibly have something to say about that if you tried (which you shouldn’t).