Stop Error On Reboot Ntndis.sys



#1 mclemore1


Posted 26 August 2007 - 11:04 AM

I'm trying to fix a friend's computer. When I turn it on I get the following stop error BSOD:

DRIVER_IRQL_NOT_LESS_OR_EQUAL

STOP 0x000000D1 (0x804E2F08,0x000000FF,0x00000001,0xF97EA90B)

ntndis.sys - Address F97EA90B base at F97EA000, DateStamp 44271923

I did a search for ntndis.sys and found information about W32/Forbot-GI, so I guess this is a worm.

I can't scan the computer to get rid of it because I can't get past the BSOD stop error. I tried booting in safe mode, but the start menu is gone, along with the system tray. The only thing I can do in safe mode is open Task Manager. I'm thinking about a complete restore; anyone got any better ideas?
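As an added triage example (not code from the thread), a small Python parser for the two diagnostic lines quoted above: it decodes the four bug check 0xD1 parameters (memory referenced, IRQL, read/write, faulting address, per the WinDbg documentation), computes the offset of the faulting address inside ntndis.sys, and converts the PE DateStamp to a link date, which is the information a responder needs before deciding whether the crashing module is a known driver or the unknown component the post describes. The sample text is constructed from the post.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the diagnostic lines quoted in the post above.
SAMPLE = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL
STOP 0x000000D1 (0x804E2F08,0x000000FF,0x00000001,0xF97EA90B)
ntndis.sys - Address F97EA90B base at F97EA000, DateStamp 44271923
"""

STOP_RE = re.compile(r"STOP\s+0x([0-9A-Fa-f]{8})\s*\(\s*([^)]*)\)")
MODULE_RE = re.compile(
    r"(\S+\.sys)\s*-\s*Address\s+([0-9A-Fa-f]+)\s+base at\s+([0-9A-Fa-f]+),"
    r"\s*DateStamp\s+([0-9A-Fa-f]+)",
    re.IGNORECASE,
)

# Parameter 3 of bug check 0xD1: type of access that faulted (WinDbg docs).
ACCESS = {0: "read", 1: "write"}


def parse_bugcheck(text):
    """Return a dict describing a STOP 0xD1 screen, or None if not found."""
    stop = STOP_RE.search(text)
    mod = MODULE_RE.search(text)
    if not stop or not mod:
        return None
    code = int(stop.group(1), 16)
    # int() with base 16 accepts the "0x" prefix used on the STOP line.
    params = [int(p.strip(), 16) for p in stop.group(2).split(",")]
    if code != 0xD1 or len(params) != 4:
        return None
    name, addr, base, stamp = mod.groups()
    addr, base, stamp = int(addr, 16), int(base, 16), int(stamp, 16)
    return {
        "module": name.lower(),
        "referenced": params[0],          # memory address that was touched
        "irql": params[1],                # IRQL at the time of the reference
        "access": ACCESS.get(params[2], "other"),
        "faulting_address": params[3],
        # Offset of the faulting instruction inside the driver image.
        "offset_in_module": addr - base,
        # True when the address on the STOP line is the one inside the module.
        "fault_in_module": addr == params[3],
        # PE TimeDateStamp is seconds since the Unix epoch, set by the linker.
        "link_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
    }


if __name__ == "__main__":
    for key, value in parse_bugcheck(SAMPLE).items():
        print(f"{key:>18}: {value:#x}" if isinstance(value, int) else f"{key:>18}: {value}")
```

A link date years before the crash, on a driver name that is not part of a stock Windows XP install, is the kind of mismatch that justifies the reinstall advice given later in the thread.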


#2 quietman7


Posted 26 August 2007 - 01:26 PM

IMPORTANT NOTE: ntndis.sys is a Trojan/rootkit component. Backdoor/IRCBot Trojans are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of Trojan, the best course of action is to reformat and reinstall the OS - "When should I re-format?".

For XP users, the easiest thing is to do a System Restore and choose a restore point with a creation date before the date of infection. In your case it would be easier to use System Restore from a command prompt in Safe Mode.

However, should you decide not to follow that advice, you can try this but we cannot guarantee your PC to be trustworthy.

If you cannot access the Internet, please download SDFix by AndyManchesta and save it to a usb stick.

Transfer it to the infected computer. If all you can use is Task Manager, then you can still work with that. Open Task Manager, select "New Task" at the bottom of the Applications Tab, browse to C:\WINDOWS\explorer.exe, double-click on explorer.exe and then press "OK" to launch Windows Explorer.

Move SDFix from your usb stick to your desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
  • While still in safe mode, open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Note: If this error message is displayed when running SDFix:
The command prompt has been disabled by your administrator.
Press any key to continue...

Please go to Start Menu > Run > and type (copy/paste) the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press OK and then run SDFix again.


#3 boopme


Posted 26 August 2007 - 01:40 PM

Try this to run a scan:
  • Open Task Manager.
  • Click the File menu tab.
  • Click New Task (Run...).
  • Enter your antivirus, or click the Browse button to locate and open the antivirus.

#4 mclemore1


Posted 26 August 2007 - 05:21 PM

I tried to restore to a different point in safe mode with command prompt, but the command is unrecognized as internal or external (yes, I checked my spelling). I also tried to load Windows Explorer in Task Manager, and it will load for 15 seconds and disappear. I tried the SDFix, got it loaded and ran it, and then rebooted the computer when prompted. I didn't get the BSOD, but I got a blank screen; it's been 30 min and I'm still waiting for it to ask me to hit any key to load icons. My friend can't find the O/S disk. It's a Dell computer with XP Home, and I have an old Dell XP Home OEM disk. Can I use that disk for a reload and use the key on the side of the box?

#5 oldf@rt


Posted 26 August 2007 - 05:40 PM

Some Dells have a built-in recovery partition; this is accessed with {CTRL - F11} during BIOS startup.

#6 mclemore1


Posted 27 August 2007 - 09:04 AM

Is there another way to access the recovery partition? F11 won't work on startup.

#7 mclemore1


Posted 27 August 2007 - 11:40 AM

Thanks for everyone's help. I just hit F11; after reading again I used Ctrl F11. Thanks guys.
