whittboy

Troj/Botspa-Gen


Hi,

About five days ago my laptop started bringing up an error message when I switched it on. A blue screen appears saying that Windows has been closed to avoid damaging it. The technical information it gives is as follows:

Ndis.sys - Address F7397244 Base At F736c000 Date Stamp 41107eC3

Then yesterday my antivirus software (Sophos) started flashing up saying that the file C:\CP1041 belongs to the virus Troj/Botspa-Gen. I ran SUPERAntiSpyware and it didn't find anything.

Any advice would be gratefully accepted.

Will


Hi and welcome to the SAS forums :)

Unfortunately, your ndis.sys network driver has been patched with malware.

As such, being a core system file, there is no auto-fix available, so my *fix* involves use of a 3rd party tool and a manual hack.

If you haven't already, I would recommend that you download and run a full system scan with SAS>>>

https://www.superantispyware.com/

You will need a clean copy of ndis.sys. I can supply this if you PM me an email address and which OS/service pack you have installed, e.g. WinXP Pro SP2.

You will then need to follow the instructions in this post>>>

https://forums.superantispyware.com/view ... =2881#2881


Hi,

I can't actually see a file called ndis.sys in the windows/system32/drivers folder. I have one just called ndis, which apparently was modified on the 16th of April, which may be when the problems started (it may be longer than I thought). It is currently 274kb; just wondering if this is the one I should be deleting.

It may be obvious, it's just that I'm not brilliant with this sort of thing and didn't want to delete anything without checking.

Many Thanks

Will


Yep, yours is patched. You can tell by the size of the file = 274kb, when normally it is in the 150-200 range.

If you can, PM me your OS + service pack setup, e.g. WinXP Pro SP2, and an email address to forward a clean copy of the system driver to.

Please rename the file that I send you, once extracted, to "ndis" without the quotes :wink: .

This is important for your particular OS setup :!:

Then follow the instructions in the following post, where ndis is the same as ndis.sys :!:

https://forums.superantispyware.com/view ... =2881#2881

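The reply above decides the driver is patched from its size and modification date alone. As an added example, not part of any post in this thread, the following PowerShell script shows the checks a practitioner would run on a suspect inbox driver before replacing it: size, timestamps, version resource, Authenticode status and, decisively, a hash comparison against a clean copy from the same OS build. The path in `$KnownGood` is an assumed location for the clean copy the helper offers to send; change it to wherever you put that file.

```powershell
# Added example (not from the forum post): triage a suspect inbox driver such as ndis.sys.
# Assumptions (hypothetical): $KnownGood points at a clean copy from the SAME OS/service-pack
# build; run in an elevated PowerShell session.
param(
    [string]$Suspect   = "$env:SystemRoot\System32\drivers\ndis.sys",
    [string]$KnownGood = "D:\clean\ndis.sys"   # assumed path to the clean copy
)

$f = Get-Item -LiteralPath $Suspect -ErrorAction Stop
Write-Host "File      : $($f.FullName)"
Write-Host "Size      : $([math]::Round($f.Length / 1KB)) KB"
Write-Host "Modified  : $($f.LastWriteTime)"
Write-Host "Created   : $($f.CreationTime)"

# Version resource. A patched driver usually keeps the original version string,
# so this is a sanity check, not proof of integrity.
$v = $f.VersionInfo
Write-Host "Version   : $($v.FileVersion)  ($($v.CompanyName))"

# Authenticode check. Inbox drivers are normally catalog-signed rather than carrying an
# embedded signature, so depending on the Windows/PowerShell version this can report
# NotSigned for a perfectly good file. Treat anything other than Valid as "inspect further",
# not as "infected"; a Valid status with a Microsoft signer is strong evidence the file is intact.
$sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
Write-Host "Signature : $($sig.Status)  $($sig.SignerCertificate.Subject)"

# Hash comparison against a clean copy from the same build is the decisive test:
# a file-size "range" can be met by a patched file and missed by a legitimate hotfix build.
$h1 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
Write-Host "SHA256    : $h1"
if (Test-Path -LiteralPath $KnownGood) {
    $h2 = (Get-FileHash -LiteralPath $KnownGood -Algorithm SHA256).Hash
    if ($h1 -eq $h2) {
        Write-Host "Hash matches the clean copy."
    } else {
        Write-Warning "Hash differs from the clean copy: file is modified or from a different build."
    }
} else {
    Write-Warning "No clean copy at $KnownGood; compare the hash by hand or against another identical machine."
}

# On Vista and later, SFC can verify a single file against the component store and repair it,
# which replaces the manual copy-and-rename step described in the thread:
#   sfc /verifyfile=$Suspect
#   sfc /scanfile=$Suspect
```

Two caveats worth knowing. A patched driver that still boots usually has its original version string, so only the hash or a valid signature settles the question. And on XP, if you have no identical machine to copy from, the service-pack-matched copy also exists compressed on the install media as i386\ndis.sy_, which `expand ndis.sy_ ndis.sys` unpacks.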

I did all this and it seems to have got rid of the virus - thanks very much. However, once I rebooted my computer I could not get online. I checked my network adapters and they are all coming up with errors. Any ideas??

Many thanks

Will


Fatdcuk asked me to pop in with a few suggestions, so here it goes.

First grab a copy of LSPfix and WinsockFix (obviously from the other system):

http://cexx.org/lspfix.htm

http://www.softpedia.com/get/Tweak/Netw ... kFix.shtml

Disconnect your ethernet cable.

Click Start, Run, type devmgmt.msc and press Enter.

Find Network adapters on the list and click the "+" in front of that entry. A list of network adapters will drop down.

Right-click each entry one at a time and select Uninstall.

If any of them are marked with a yellow mark to start with, still follow the instructions to uninstall them.

Run LSPfix and check the box "I know what I am doing". Highlight each entry one at a time and use the arrow to move each entry from the left to the right. Once all entries are moved, click Finish.

Click Start, Run, type ncpa.cpl and press Enter.

Right-click any remaining network connections and select Delete.

Reboot your system and your adapters should reinstall; reboot again.

Now run WinsockFix and, when prompted, allow it to reboot your system.

Try your internet again.

This procedure should have forced your system to reinstall many components (hardware and software) directly related to internet connectivity.

Good luck.

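The procedure above is a manual reset of the whole networking stack: remove the adapters so PnP reinstalls them, empty the Winsock Layered Service Provider chain (LSPfix), then rebuild the Winsock catalog (WinsockFix). As an added example that is not part of any post in this thread, the following PowerShell script does the same thing on Windows 10/11 with built-in tools only, and keeps a copy of the Winsock catalog first so you can see what was installed in it. It assumes an elevated console session (the network goes down partway through, so not RDP) and that `pnputil /remove-device` is available (Windows 10 version 2004 or later); XP has neither `Get-PnpDevice` nor that switch, which is why the thread uses third-party tools.

```powershell
# Added example (not from the forum post): scripted equivalent of the manual adapter /
# LSPfix / WinsockFix reset above, for Windows 10/11. Run elevated from the console.
# Assumptions: pnputil supports /remove-device and /scan-devices (Windows 10 2004+).

$evidence = Join-Path $env:TEMP "winsock-catalog-before.txt"

# 0. Preserve evidence. The Winsock catalog is where an LSP-based infection lives;
#    dump it before reset so you can identify a malicious provider afterwards.
netsh winsock show catalog | Out-File -LiteralPath $evidence -Encoding utf8
Write-Host "Winsock catalog saved to $evidence"

# 1. Record the adapters and their state before touching anything.
$before = Get-PnpDevice -Class Net | Select-Object FriendlyName, Status, Problem, InstanceId
$before | Format-Table -AutoSize

# 2. Uninstall the adapters so PnP re-enumerates and reinstalls them from the driver store.
#    WAN Miniport devices are skipped: they are system-owned and typically refuse to uninstall,
#    which is exactly what the original poster ran into.
$targets = Get-PnpDevice -Class Net | Where-Object { $_.FriendlyName -notlike 'WAN Miniport*' }
foreach ($dev in $targets) {
    Write-Host "Removing $($dev.FriendlyName)"
    # Instance IDs contain '&' and '\', so always quote them.
    pnputil /remove-device "$($dev.InstanceId)"
}

# 3. Reset the Winsock catalog (what LSPfix + WinsockFix did) and the TCP/IP stack.
netsh winsock reset
netsh int ip reset
netsh int ipv6 reset

# 4. Rescan for hardware so the adapters come back with fresh driver bindings.
pnputil /scan-devices

# 5. Anything still flagged after the reboot needs the vendor driver (for a Dell, from its
#    support site), which is what the thread ends up doing as well.
Write-Host "Adapters not in OK state right now (re-run this after the reboot):"
Get-PnpDevice -Class Net | Where-Object Status -ne 'OK' | Format-Table FriendlyName, Status, Problem

Restart-Computer -Confirm
```

The `Problem` column is the Device Manager error code (the "Code 39" the original poster later reports), which saves reading each adapter's properties dialog by hand.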

Hey,

Thanks a lot for this, guys. Your help is very much appreciated; I'm pretty much crippled without the internet.

Off to try and get everything working. I'll let you know how it turns out.

Cheers

Will


Whatever infected your system did some collateral damage to your network drivers. This is very rare and I have only seen it a few times.

If you can, please post the information on the network adapters that you are trying to reinstall (information from the Device Manager or information that Microsoft gives when it mentions that it can't install your drivers). Also post the make and model of your system.


It's not that the drivers don't reinstall, but they just come back automatically with errors. I am trying to locate the CD with the drivers on so I can install them from there.

I am using a Dell Inspiron 6400 running Windows XP, Service Pack 2.

Many thanks

Will


Hi,

Sorry about the vagueness of some of my replies; I'm having to give the info to someone else who is then writing my replies from their system.

The drivers which I have are as follows (all show errors):

1394 Net Adapter

Broadcom 440x 10/100 Integrated Controller

Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport

Direct Parallel

Intel(R) PRO/Wireless 3945ABG Network Connection

Intel(R) PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport

WAN Miniport (ATW)

WAN Miniport (IP)

WAN Miniport (IP) - Packet Scheduler Miniport

WAN Miniport (L2TP)

WAN Miniport (PPPOE)

WAN Miniport (PPTP)

The Intel(R) PRO/Wireless driver shows an error message saying "Adapter state not found in registry".

Every other driver shows an error message of "Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)".

When I tried to uninstall the drivers as per your earlier message, many of them would not uninstall, most of the WAN Miniports and the Direct Parallel, as they said they were necessary for the system to boot up.

The only drivers I can download from the Dell website are the Broadcom 440x and the Intel PRO/Wireless. I will try installing these, although I assume that simply replacing these two will not fix the problem.

I have also tried simple things such as rolling back drivers and System Restore, but it says no restore points have been saved, which I find odd.

All of the other files, programs etc. on the system are working perfectly, and neither SAS nor Sophos has detected any viruses for the past couple of days, so the good thing is that maybe I've got rid of what was causing the damage in the first place.

Again many thanks for your help.

Will


EDIT: Never mind, I got the ndis.sys from my laptop... duh... didn't even occur to me. Thanks for your help though, you helped me save my computer from a reformat and reinstall!

Hey guys, I was wondering if you would send me or tell me where I can get a copy of the NDIS.SYS file? I have the same problem as above: I can't log into my XP Pro SP2 normally, only through Safe Mode, and my 275Kb ndis.sys file was modified just this morning.

I'm a moderator on other sites (not computer related) so I know what it's like when some dude shows up and wants some help and will be gone after his problem is solved, so I can understand if you get irritated at my request to send me the file... but if you could just point me in the right direction, I'd certainly be appreciative (for example, if I can just extract it from my XP disk?).

Bill Gates may have created Windows, but it's guys like you that keep him in business. :wink:

Sincerely,

T.E.


Hi and welcome to the SAS forums :)

You might have a clean copy located in the Windows/System32/DLL folder. If that one is present, then give it a quick upload to the VT service for malware checking.

http://www.virustotal.com/en/indexf.html

If it's present and clean then you have your *fix* copy to hand. If it's not present, or also patched, then you can PM me an email address to forward a clean copy to if you want :)


Hi again.

I just want to add that, having looked through my files today, there really is nothing on there that I can't live without, so if there's any way to simply restore the system to its original factory state, I'm all for it. I spoke to someone last night who said they had to do this when they got infected with a virus in the past.

The only problem is I don't have the OS on disk, as the laptop came with XP already installed, so obviously I couldn't lose that.

I don't know if this is possible; just in the interest of saving you guys any more time and effort, and getting me back online, I thought I'd suggest it.

Many Thanks

Will


Hi Will

Not having the OEM OS install disk is one major headache. Without that disk we cannot guide you through either a *repair OS install* or the full flatten and pave (reformat and reinstall) from CD.

Did you buy the computer new? The reason I ask is that usually a new computer comes supplied with an OEM install disk, or it has a rollback OS copy installed in a separate partition for recovery (and/or offers the option to burn a recovery install disk when first used).

Don't give up yet, we will try our best to get you back online again!


Yes, I bought the laptop brand new but it did not come with the XP disk. I have the instruction manual, which says

"PC Restore restores your hard drive to the operating state it was in when you purchased the computer".

Does this mean I will still have everything on that I had when I purchased it, i.e. Windows XP??


If the computer was purchased with XP and has the restore feature, then yes, it is rolling back to the purchased state.

By restoring you will lose any data/settings and software installed/affected since taking ownership of the computer.

So if you have purchased any software you will need to collect all licence keys and details before rolling back, so when you start afresh you can reinstall that software and activate it.

If you have any files that you do not want to lose, then you can export them (burn to a CD etc.) and reload them onto the fresh system too.

If possible, I would advise exporting the installers for any security tools (firewall, AV, ASW etc.) to a CD, so when you have your fresh system the first thing you can do is set up your security solution for that PC before going online :!:

Once you are back on the internet, immediately update all the security software and next visit the M$ website to grab all available updates and patches to secure the OS.

:!: This is crucially important, since you can have the best anti-whatever on your system, but if you leave doors open sooner or later something will walk in and bypass them. So close the doors; it is the best security practice :wink:

R&R is normally a last resort for most folks, but take something positive from the experience: you get a fresh OS install and a chance to secure it properly from day 1 8)

Wishing you all the best, Will, but having an *in-house* automated R&R on a machine is not quite as daunting as doing it from a live CD :)


Hey guys,

Just to let you know I'm back online :D , the restore worked fine. I've already installed the antivirus stuff and downloaded the latest updates.

Just want to say thanks for voluntarily helping me with the whole situation, some people would charge a fortune for this kind of help but its great that you guys are willing to help folk for free.

Thanks again,

Will


Hi Will :)

Glad you're back up and running. Just a little bit of final advice: I would recommend you read through the following article and maybe reinforce your computer security solution and review your practices>>>

http://wiki.castlecops.com/Malware_Prev ... -infection

The sole reason I suggest it is because whatever you were doing before has brought you to this problem in the first place :wink:

Safe surfing Will!
