
KIS uninstall causing BSOD


27 replies to this topic

#1 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:10:28 AM

Posted 18 October 2011 - 07:37 PM

Hello,

My one-year license just ran out on KIS 2011, so I have decided to remove it and install MSE. However, after trying any one of the three methods below, and restarting the computer, I get a BSOD at the welcome screen with the BCCODE of D1, and calling out ndis.sys as the culprit.

Here are the three methods I've tried:

  • Windows Control Panel
  • Revo Uninstaller
  • Kaspersky Removal Tool

Regular Safe Mode is the only mode I can boot into after the BSOD, and it requires a System Restore to get back into Normal Mode.

Any help would be greatly appreciated.

Best Regards,
oneof4.



 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:28 AM

Posted 18 October 2011 - 09:01 PM

Please click here to download AppRemover on your desktop.
  • Once done, double click on the icon of AppRemover.exe to run it.
    Vista users, right click on the icon and select "run as administrator"
  • Uncheck "Enable anonymous usage statistics. No personal data will be recorded."
  • Click on the Next button.
  • Click on "Remove Security Application" or "Clean Up a Failed Uninstall" depending on what you want to do.
  • Click on the Next button.
  • A scan begins, please wait. Once done, click on the Next button.
  • Now you should have a list of your security programs, choose the one you want to remove and click on the Next button.
  • Follow the last step and reboot if asked to do so.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 oneof4


Posted 19 October 2011 - 08:10 PM

Hi Broni :)

Thanks for helping me with this, it's about to drive me crazy!

I followed your instructions using AppRemover, it found KIS, went through the removal process, but did not ask me to reboot. So, I went ahead and rebooted anyway, but unfortunately, KIS still appears to be there, unaffected by AppRemover. It's almost as if it wasn't able to perform the uninstall, but I didn't notice any message stating that. I did notice a message when it initially found KIS, that stated that the program had not been tested/verified in removing KIS.

Best Regards,
oneof4.


#4 Broni


Posted 19 October 2011 - 08:13 PM

Where exactly do you see KIS still present?



 


#5 oneof4


Posted 19 October 2011 - 08:56 PM

Once rebooted, the KIS "Gadget" is present in the upper right corner of the desktop, and I get the popup message about the license being expired. I did not have time to check in the programs list to see if it was present there.

Best Regards,
oneof4.


#6 Broni


Posted 19 October 2011 - 08:57 PM

Download Autoruns for Windows: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
No installation required.
Simply unzip Autoruns.zip file, and double click on autoruns.exe file to run the program.
Go File>Save, and save it as AutoRuns.txt file to a known location.
You must select Text from drop-down menu as a file type:


Upload the file(s) here: http://www.filedropper.com/
Post download link (copy URL: link):



 


#7 oneof4


Posted 20 October 2011 - 03:56 PM

Here you go: http://www.filedropper.com/autoruns_1

Best Regards,
oneof4.


#8 Broni


Posted 20 October 2011 - 04:12 PM

There are a lot of Kaspersky entries.
Too risky for manual removal.

I'd try to reinstall Kaspersky over the top and then try to uninstall again.



 


#9 oneof4


Posted 20 October 2011 - 05:12 PM

I actually tried that, sorry, I should have mentioned that. I used the original disk that was purchased at Wal-Mart, re-entered the product activation key (even though it was expired). It seemed to install ok, but when I rebooted...BAM! BSOD.

Best Regards,
oneof4.


#10 Broni


Posted 20 October 2011 - 05:16 PM

Download BlueScreenView (in Zip file)
No installation required.
Unzip downloaded file and double click on BlueScreenView.exe file to run the program.
When scanning is done, go Edit>Select All.
Go File>Save Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.



 


#11 oneof4


Posted 21 October 2011 - 03:39 PM

Here it is. These are from past BSODs due to having to use SR. The one associated with ndis.sys is what I've been seeing after uninstalling KIS.


==================================================
Dump File : 073011-20451-01.dmp
Crash Time : 7/30/2011 5:36:04 PM
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : fffff880`009aaff8
Parameter 2 : 00000000`00000000
Parameter 3 : fffff800`03082900
Parameter 4 : 00000000`00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+7fd00
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.17640 (win7sp1_gdr.110622-1506)
Processor : x64
Crash Address : ntoskrnl.exe+7fd00
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\073011-20451-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 266,576
==================================================

==================================================
Dump File : 030611-19281-01.dmp
Crash Time : 3/6/2011 6:21:59 PM
Bug Check String : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x000000d1
Parameter 1 : 00000000`00000010
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff880`016e35d6
Caused By Driver : ndis.sys
Caused By Address : ndis.sys+2e5d6
File Description :
Product Name :
Company :
File Version :
Processor : x64
Crash Address : ntoskrnl.exe+70740
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\030611-19281-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7600
Dump File Size : 291,696
==================================================

Best Regards,
oneof4.


#12 Broni


Posted 21 October 2011 - 03:48 PM

Try here: http://www.vistax64.com/tutorials/281450-bsod-netio-sys-ndis-sys-fix.html
It's for Vista, but it should work with Win 7.



 


#13 oneof4


Posted 22 October 2011 - 12:02 PM

Hey Broni :)

Unfortunately, it did not work. I tried both methods given (Registry change & unchecking QoS in Network Properties).
I did notice in the Network Properties, that Kaspersky has an "NDIS 6 Filter" in the list. I unchecked this as well, ran Kaspersky's Removal Tool, but still no joy. :(
After the recent BSOD that followed, I ran BlueScreenView, and have pasted the log below, just in case something in it might be useful.

==================================================
Dump File : 102211-17674-01.dmp
Crash Time : 10/22/2011 12:22:28 PM
Bug Check String : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x000000d1
Parameter 1 : 00000000`00000010
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff880`016c3a26
Caused By Driver : ndis.sys
Caused By Address : ndis.sys+2fa26
File Description :
Product Name :
Company :
File Version :
Processor : x64
Crash Address : ntoskrnl.exe+7cc40
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\102211-17674-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 291,640
==================================================

Best Regards,
oneof4.
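
The two 0xD1 records posted in this thread can be decoded field by field. The following is an added example, not part of the original posts: it parses the BlueScreenView text format and interprets the four parameters as Microsoft documents them for bug check 0xD1 (memory referenced, IRQL, access type, address of the referencing instruction). The function names are this example's own.

```python
import re

# Two 0xD1 records copied from the reports posted in this thread (unused fields omitted).
REPORT = """\
Dump File : 030611-19281-01.dmp
Bug Check Code : 0x000000d1
Parameter 1 : 00000000`00000010
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff880`016e35d6
Caused By Address : ndis.sys+2e5d6
==================================================
Dump File : 102211-17674-01.dmp
Bug Check Code : 0x000000d1
Parameter 1 : 00000000`00000010
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000000
Parameter 4 : fffff880`016c3a26
Caused By Address : ndis.sys+2fa26
"""
ACCESS = {0: "read", 1: "write", 2: "execute", 8: "execute"}  # 0xD1 parameter 3

def hexval(text):
    return int(text.replace("`", ""), 16)  # accepts fffff880`016e35d6 and 0x000000d1

def parse_records(report):
    """Split a BlueScreenView text report into one {field: value} dict per dump."""
    records = []
    for chunk in re.split(r"^=+[ \t]*$", report, flags=re.M):
        pairs = (line.partition(" : ") for line in chunk.splitlines())
        records.append({k.strip(): v.strip() for k, _, v in pairs if v.strip()})
    return [r for r in records if r]

def decode_d1(rec):
    """Decode DRIVER_IRQL_NOT_LESS_OR_EQUAL parameters; None for other bug checks."""
    if hexval(rec["Bug Check Code"]) != 0xD1:
        return None
    module, _, offset = rec["Caused By Address"].partition("+")
    return {
        "dump": rec["Dump File"],
        "referenced": hexval(rec["Parameter 1"]),  # memory address that was touched
        "irql": hexval(rec["Parameter 2"]),        # 2 = DISPATCH_LEVEL
        "access": ACCESS.get(hexval(rec["Parameter 3"]), "unknown"),
        "module": module,
        "module_base": hexval(rec["Parameter 4"]) - int(offset, 16),  # load address
    }

if __name__ == "__main__":
    print([decode_d1(r) for r in parse_records(REPORT)])
```

Both dumps decode to the same signature: a read of address 0x10 at IRQL 2 from code inside ndis.sys. The computed load bases are page-aligned, which confirms that Parameter 4 and the "Caused By Address" offset agree.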


#14 Broni


Posted 22 October 2011 - 12:10 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    :filefind
    ndis.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



 


#15 oneof4


Posted 22 October 2011 - 12:18 PM

Here it is:

SystemLook 30.07.11 by jpshortstuff
Log created at 13:17 on 22/10/2011 by Sound Booth
Administrator - Elevation successful

========== filefind ==========

Searching for "ndis.sys"
C:\Windows\System32\drivers\ndis.sys --a---- 951680 bytes [22:00 23/06/2011] [13:33 20/11/2010] 79B47FD40D9A817E932F9D26FAC0A81C
C:\Windows\winsxs\amd64_microsoft-windows-ndis_31bf3856ad364e35_6.1.7600.16385_none_03bc1d6e35c013bf\ndis.sys --a---- 947776 bytes [23:21 13/07/2009] [01:48 14/07/2009] CAD515DBD07D082BB317D9928CE8962C
C:\Windows\winsxs\amd64_microsoft-windows-ndis_31bf3856ad364e35_6.1.7601.17514_none_05ed313632ae9759\ndis.sys --a---- 951680 bytes [22:00 23/06/2011] [13:33 20/11/2010] 79B47FD40D9A817E932F9D26FAC0A81C

-= EOF =-

Best Regards,
oneof4.
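
A check that the filefind output above makes possible, as an added example that is not part of the original posts: it parses the SystemLook lines and reports which WinSxS component-store version, if any, the ndis.sys outside WinSxS matches by size and MD5. The function names are this example's own; the log lines are copied from the post.

```python
import re

# filefind section copied from the SystemLook log posted above.
LOG = r"""
Searching for "ndis.sys"
C:\Windows\System32\drivers\ndis.sys --a---- 951680 bytes [22:00 23/06/2011] [13:33 20/11/2010] 79B47FD40D9A817E932F9D26FAC0A81C
C:\Windows\winsxs\amd64_microsoft-windows-ndis_31bf3856ad364e35_6.1.7600.16385_none_03bc1d6e35c013bf\ndis.sys --a---- 947776 bytes [23:21 13/07/2009] [01:48 14/07/2009] CAD515DBD07D082BB317D9928CE8962C
C:\Windows\winsxs\amd64_microsoft-windows-ndis_31bf3856ad364e35_6.1.7601.17514_none_05ed313632ae9759\ndis.sys --a---- 951680 bytes [22:00 23/06/2011] [13:33 20/11/2010] 79B47FD40D9A817E932F9D26FAC0A81C
"""

# path, attribute flags, size, two bracketed timestamps, MD5
ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \S+ (?P<size>\d+) bytes "
    r"\[[^\]]*\] \[[^\]]*\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# The component version is embedded in the WinSxS folder name.
STORE_VERSION = re.compile(r"\\winsxs\\[^\\]*_(\d+\.\d+\.\d+\.\d+)_", re.I)

def parse_filefind(log):
    """Return (path, size, md5) for every file line in a SystemLook filefind log."""
    hits = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [(m["path"], int(m["size"]), m["md5"].upper()) for m in hits if m]

def store_matches(log):
    """Map each file outside WinSxS to the store versions with the same size and MD5."""
    store, live = {}, []
    for path, size, md5 in parse_filefind(log):
        version = STORE_VERSION.search(path)
        if version:
            store.setdefault((size, md5), []).append(version.group(1))
        else:
            live.append((path, size, md5))
    return {path: store.get((size, md5), []) for path, size, md5 in live}

if __name__ == "__main__":
    print(store_matches(LOG))
```

For the posted log, the System32 copy matches the 6.1.7601.17514 store copy. An empty list would mean the file in System32\drivers matches no store copy and deserves a closer look.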




