
Replacing NDIS.SYS -> BSOD



#1 kaegee


Posted 26 April 2010 - 09:38 AM

Hi there,

I have a Compaq HEL81 running WinXP with SP2.
I use Intel PROset Wireless.

A few days ago I had an unprovoked trojan attack (I had not downloaded or opened anything when it happened).
I ran spybot S&D, Adaware, Malwarebytes, which detected various trojans, rootkits and backdoors which I chose to remove.
Then I ran Kaspersky Tool and removed some threats, while others were unremovable. I then ran Combofix, and my Intel PROset Wireless stopped working.
I checked my device manager, and all network devices have a code 39 error.
I read online about replacing NDIS.SYS file in the System32/drivers folder with the one from the ServicePackFiles folder, to fix the problem, but then my computer would get stuck in a boot-up/BSOD loop, unable to get to Windows.
I then deleted NDIS.SYS from my System32/Drivers folder by way of the command prompt, as it was the only way to get back into Windows.

I still have the code 39 error on my network devices, but the pop-ups from the trojans are gone. I attempted to do a system restore, but it won't work (possibly because my HD has been very full).

I would really appreciate it if anyone can give me a clue as to how to proceed.

Thanks very much,
Kaegee

EDIT: Moved from XP forum to Am I Infected, more appropriate ~ Hamluis.

Edited by kaegee, 26 April 2010 - 09:51 AM.




#2 Lurking


Posted 19 September 2010 - 04:35 AM

...but then my computer would get stuck in a boot-up/BSOD loop, unable to get to Windows.
I then deleted NDIS.SYS from my System32/Drivers folder by way of the command prompt, as it was the only way to get back into Windows.


You need to re-import the NDIS registry keys from another known good computer running Win XP.

After the import, copy NDIS.SYS back to C:\WINDOWS\SYSTEM32\DRIVERS and reboot.



Here are the keys from my WinXPProSP3:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS]
"DisplayName"="NDIS System Driver"
"ErrorControl"=dword:00000001
"Group"="NDIS Wrapper"
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\MediaTypes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters]
"ProcessorAffinityMask"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Enum]
"0"="Root\\LEGACY_NDIS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NDIS]
"DisplayName"="NDIS System Driver"
"ErrorControl"=dword:00000001
"Group"="NDIS Wrapper"
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NDIS\MediaTypes]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NDIS\Parameters]
"ProcessorAffinityMask"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NDIS\Enum]
"0"="Root\\LEGACY_NDIS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NDIS]
"DisplayName"="NDIS System Driver"
"ErrorControl"=dword:00000001
"Group"="NDIS Wrapper"
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NDIS\MediaTypes]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NDIS\Parameters]
"ProcessorAffinityMask"=dword:ffffffff
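
An added example, not part of Lurking's post: a Python check to run on a .reg file before importing it, confirming that it touches only the NDIS service keys and that the root-key values match the ones posted above. The function names and the sample strings are constructed for illustration.

```python
import re

# Only NDIS service keys (any control set) are expected in the file.
ALLOWED = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})"
                     r"\\Services\\NDIS(\\.*)?$", re.I)
# Root-key values exactly as posted above.
EXPECTED = {"DisplayName": '"NDIS System Driver"', "ErrorControl": "dword:00000001",
            "Group": '"NDIS Wrapper"', "Start": "dword:00000000",
            "Type": "dword:00000001"}

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def audit(text):
    """List every key or value that differs from the posted NDIS keys."""
    findings = []
    for path, values in parse_reg(text).items():
        if not ALLOWED.match(path):  # also catches [-KEY] deletion entries
            findings.append(f"outside Services\\NDIS: {path}")
        elif path.upper().endswith("\\SERVICES\\NDIS"):
            for name in sorted(set(EXPECTED) | set(values)):
                if values.get(name) != EXPECTED.get(name):
                    findings.append(f"{name}={values.get(name)} in {path}")
    return findings

# Constructed samples: GOOD repeats one key from the post, BAD is altered for the demo.
GOOD = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS]
"DisplayName"="NDIS System Driver"
"ErrorControl"=dword:00000001
"Group"="NDIS Wrapper"
"Start"=dword:00000000
"Type"=dword:00000001
'''
BAD = GOOD.replace("dword:00000000", "dword:00000004") + r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Constructed\Example]
"Sample"="1"
'''
```

An empty list from `audit()` means the file matches the posted keys; anything else names the key or value to inspect before importing. Files saved by regedit as Version 5.00 are UTF-16, so decode them accordingly before passing the text in.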



