
ndis.sys file corrupt and cannot replace it without blue screening


13 replies to this topic

#1 dannymac


Posted 23 July 2009 - 11:04 AM

A week ago my computer (Windows XP Home Compaq Presario 1500 Laptop) blew up with a virus with reader_s.exe as one of the files. Did all the known things running all the best software tools and restored most everything to working order, then all my network adaptors stopped working giving the yellow I as seen in device manager, and WAN Miniports showed up with the yellow I. The event log states that the CBTNDIS5 NDIS protocol driver service failed to start, and thus other files failed to start.

The ndis.sys file is now in 4 locations: in the drivers section it is listed in size as about 80 KB (it is supposed to be about 179 KB). It is 179 KB in the other 3 locations in dllcache, ServicePackFiles\i386, and ServicePackUninstalls. It is now in the QooBox folder twice, showing it came from the dllcache (179 KB) and drivers (80 KB) sections, and is listed as quarantined by Combofix as ndis.sys.vir. I have swapped out this file using Combofix and run a command line at the c: prompt. Each time the machine starts to open Windows XP and then blue screens and starts over again. I can restore booting into Safe Mode.

I have noticed Neprodoor seems to be the problem I am having. Not sure how to restore this file or find any other file that keeps it from being successfully swapped out, or if there is any other problem. One file I did find was bcm42rly.exe found in the System32 and drivers folders of Windows. This file showed up at the exact time the ndis.sys problem started.

I did find a number of registry entries in the 5603 folder of the ACMru folder found in HKEY_USERS, S-1-5-21-45..., Software, Microsoft, Search Assistant. In my other laptop it only has default. In this it shows under data ndis.sys, c.exe, iswizard.exe, thumbs, desktop, gpedit.msc, smartdrv.exe. I deleted these. I just checked again and now the ndis.sys has returned in this registry folder.

I have run Combofix, Hijackthis, Malwarebytes, Spybot, and Avast.

Any ideas?


#2 Blade


Posted 23 July 2009 - 11:36 AM

Hello dannymac and :thumbsup: to BleepingComputer. I wish it were under better circumstances that you joined our community. I'm afraid I have some bad news. reader_s.exe is characteristic of one of the nastiest infections out there, one that is usually uncleanable. Please read the below information.


Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

If you have any questions feel free to ask them here and I will be glad to answer them for you.

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 dannymac


Posted 23 July 2009 - 11:59 AM

Thanks for the bad news...but good news. Quick question...if I do not use saved passwords in Internet Explorer, is there a possibility to have these hijacked anyway since I do online banking?

#4 Blade


Posted 23 July 2009 - 12:04 PM

Yes. . . a keylogging program could have been present on your machine that recorded all your keystrokes and sent a transcript elsewhere. There's no way to know for sure in these situations. My recommendation is to consider all information on that machine to be compromised.

~Blade



#5 dannymac


Posted 23 July 2009 - 06:42 PM

One more comment. I just found out that the downloaded version of Malwarebytes is what caused the virus to attack the ndis.sys. I just opened Malwarebytes on my other laptop and the same thing happened. It was the same file I used on my other laptop. I knew I had used the software about the same time it happened, but failed to tie it together. Not sure if it is the software downloaded off of the internet, or if opening it sends the virus into attack mode. Not sure where I downloaded the file from...thought it was from their site or download.com, where I usually try to stay.

#6 Blade


Posted 23 July 2009 - 11:21 PM

Virut infects executable files. When infected executable files are run, Virut runs as well and more executables are infected. My guess is that the Malwarebytes download was infected by Virut, which was already present on your system. When you moved the download to the other laptop and ran it, you unknowingly released the virus as well. This is a perfect example of why Virut is so hard to kill. It only takes one overlooked infected file to cause a relapse.



#7 stranger17


Posted 11 October 2009 - 12:46 PM

I have seen this problem arise on a few computers lately and although there are quite a lot of posts about it on the Internet, I hadn't had any luck finding a solution.

Hopefully this might help people having this problem who do not wish to carry out a full re-installation.

PROBLEM:

The antivirus removes/quarantines the infected NDIS.sys and once you replace it with a known good copy the operating system fails with a blue screen during normal startup.

SOLUTION:

I compared the relevant registry entries on a working machine with a problem machine (previously infected with the Virut virus).

On the machine with the problem, the following registry key was not present:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS

Once this key was restored along with its data, the machine booted up fine again.

The data for the key is given below (.reg format). It was taken from an XP Pro SP2 machine and isn't necessarily correct for all other versions of Windows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS]
"DisplayName"="NDIS System Driver"
"ErrorControl"=dword:00000001
"Group"="NDIS Wrapper"
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\MediaTypes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters]
"ProcessorAffinityMask"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Enum]
"0"="Root\\LEGACY_NDIS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

#8 cookem


Posted 14 October 2009 - 01:42 PM

I found references to this problem all over the Internet and this registry fix was the only thing that worked on a SP3 machine.

Thanks :)

#9 Magnus Holm


Posted 02 November 2009 - 04:01 PM

Just thought I'd add that you may have to restore the NDIS legacy registry values as well:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDIS]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDIS\0000]
"Service"="NDIS"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000020
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="NDIS System Driver"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDIS\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDIS\0000\Control]
"ActiveService"="NDIS"

Magnus
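A check a responder can run before importing the two .reg listings above, added here as an example (it is not code from stranger17, Magnus Holm or anyone else in the thread): it reports which of the keys and values from posts #7 and #9 are missing or differ on the live machine, and compares the size of the live ndis.sys with the dllcache copy, the mismatch dannymac described in post #1. It assumes PowerShell is installed on the machine and that stranger17's XP Pro SP2 values are the right reference for it.

```powershell
# Added diagnostic, not code from any poster here. It assumes the values in the two .reg
# listings above are correct for this machine (taken from XP Pro SP2 by stranger17) and
# that PowerShell is installed. Run from an elevated prompt; Safe Mode is fine.
$expected = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\NDIS' = @{
        DisplayName = 'NDIS System Driver'; ErrorControl = 1; Group = 'NDIS Wrapper'; Start = 0; Type = 1 }
    # dword:ffffffff reads back from the registry as the signed Int32 -1
    'HKLM:\SYSTEM\CurrentControlSet\Services\NDIS\Parameters' = @{ ProcessorAffinityMask = -1 }
    # the .reg escape "Root\\LEGACY_NDIS\\0000" stores a single backslash each
    'HKLM:\SYSTEM\CurrentControlSet\Services\NDIS\Enum' = @{
        '0' = 'Root\LEGACY_NDIS\0000'; Count = 1; NextInstance = 1 }
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDIS' = @{ NextInstance = 1 }
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDIS\0000' = @{
        Service = 'NDIS'; Legacy = 1; ConfigFlags = 0x20; Class = 'LegacyDriver'
        ClassGUID = '{8ECC055D-047F-11D1-A537-0000F8753ED1}'
        DeviceDesc = 'NDIS System Driver'; Capabilities = 0 }
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDIS\0000\Control' = @{ ActiveService = 'NDIS' }
}
# Keys the .reg files create empty: only their presence is checked
$emptyKeys = @('HKLM:\SYSTEM\CurrentControlSet\Services\NDIS\MediaTypes',
               'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDIS\0000\LogConf')

$problems = 0
foreach ($path in @($expected.Keys) + $emptyKeys) {
    if (-not (Test-Path $path)) { Write-Host "MISSING KEY    $path"; $problems++; continue }
    if (-not $expected.ContainsKey($path)) { continue }
    $props = Get-ItemProperty -Path $path
    foreach ($name in $expected[$path].Keys) {
        $want = $expected[$path][$name]
        $have = $props.$name
        if ($have -eq $null) { Write-Host "MISSING VALUE  $path\$name"; $problems++ }
        elseif ($have -ne $want) { Write-Host "DIFFERS        $path\$name is '$have', expected '$want'"; $problems++ }
    }
}

# The original poster's symptom: the live ndis.sys was ~80 KB while the dllcache copy was ~179 KB.
# A size mismatch between the two copies is a quick sign the live file is not the one XP shipped.
$live  = Join-Path $env:SystemRoot 'system32\drivers\ndis.sys'
$cache = Join-Path $env:SystemRoot 'system32\dllcache\ndis.sys'
if ((Test-Path $live) -and (Test-Path $cache)) {
    $a = (Get-Item -Force $live).Length; $b = (Get-Item -Force $cache).Length
    if ($a -ne $b) { Write-Host "SIZE MISMATCH  drivers\ndis.sys=$a bytes, dllcache\ndis.sys=$b bytes"; $problems++ }
} else { Write-Host "ndis.sys is missing from drivers or dllcache"; $problems++ }
Write-Host "Problems found: $problems"
```

A clean machine reports zero problems; a machine in the state described in this thread lists the Services\NDIS key (and possibly the LEGACY_NDIS keys) as missing, which is what the two .reg files restore.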

#10 rickwookie


Posted 12 November 2009 - 07:10 AM

Stranger17, you are a god. I've been searching high and low for this solution, well done. I've spread the word (linking back to your post) to a couple of other forums where the question had been asked and not resolved, hope you don't mind.

#11 kaic


Posted 09 May 2010 - 07:23 PM

Just registered, in order to say thanks to 'stranger17'.

#12 HighTechGeek


Posted 14 June 2010 - 12:34 AM

NDIS registry entries were missing. Stranger17's suggestion worked great. No more bluescreen after restoring those registry entries. Thanks!

Additional Info: The computer I was working on was badly infected and there was also some kind of conflict between MalwareBytes and Tune Up Utilities 2009. I ended up removing both, and using Microsoft Security Essentials, but the ndis.sys file and reg entries got deleted during some part of the "fix". I could boot into safe mode and/or recovery console and replace the ndis.sys file, but it would blue-screen. ComboFix also alerted me to the missing ndis.sys file. ChkDsk, sfc and combofix wouldn't fix the blue-screen. I didn't know about the missing reg entries until I Googled "ndis.sys missing" and saw Stranger17's post. Thanks again. :thumbsup:

#13 pezcado


Posted 29 June 2010 - 09:45 AM

Just wanted to say this reg script also saved me, and it is amazing that I was able to find this. Thank you for writing it, great computer genius!!

#14 HighTechGeek


Posted 30 June 2010 - 06:12 AM

Follow-up: My former post indicates full success with this. In the interest of full disclosure, this process did resolve the missing ndis.sys specific issue, but after fixing this and continuing to repair/upgrade the computer, it turned out to have so many other files missing and/or corrupted that I ended up wiping the hard drive and starting over.

Whatever process deleted the ndis.sys entries did additional damage as well, but thanks for getting me further along with the diagnosis.



