NDIS.SYS Disappeared

Discussion in 'Malware Help (A Specialist Will Reply)' started by slaity, Aug 2, 2010.

  1. slaity

    slaity Private E-2

    Have a problem where I cannot get onto the internet, with error 39 for my network adaptors. I have run combofix and it says that NDIS.SYS file is missing from system32/drivers file.

    I read around and saw the fix about copying this file from another computer, but every time I do this I get the BSOD.

    Attached are the files required.

    Any help will be most welcome.

    Thanks
     

    Attached Files:

  2. slaity

    slaity Private E-2

    Other log file
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello and welcome. :) Give me a few minutes to put the kettle on, and then I will go through your logs and post back with a fix.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Combo-Fix.exe <--- rename back to combofix.exe

    2. What are all these? Something you created? If you don't know then just delete them.

    • C:\1.reg
    • C:\2.reg
    • C:\4.reg
    • C:\5.reg
    • C:\6.reg
    • C:\WINDOWS\1.reg

    3. Please go to Jotti's malware scan

    (If more than one file needs to be scanned, they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      c:\windows\system32\drivers\keilmlxi.sys
    • At the upload site, click the browse button.
    • Use Windows Explorer to navigate to the file(s) we need scanned and click "submit file"
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    4. Could you please get this: keilmlxi.sys into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    • log retrievable @ C:\collect.zip

    5. Please download HelpAsst_mebroot_fix.exe by noahdfear and save it to your Desktop
    • Double click HelpAsst_mebroot_fix.exe to run it and follow any prompts.
      • If the tool detects an mbr infection
        • please allow it to run mbr -f and shutdown your computer.
        • Upon restarting, please wait about 5 minutes after bootup, and then click Start>Run and type the following bolded command, then hit Enter.
          • helpasst -mbrt
        • Make sure you leave a space between helpasst and -mbrt
        • When it completes, a log will open.
        • Attach this log to your next message.
      • If the tool DOES NOT detect an mbr infection and completes running:
        • Click Start>Run and type the following bolded command, then hit Enter.
          • mbr -f
        • Make sure you leave a space between mbr and the -f
        • Now, please do the Start>Run>mbr -f command a second time.
        • Now shut down the computer (do not restart, you must shut it down), wait a few minutes then start it back up.
        • Give it about 5 minutes after the bootup and then click Start>Run and type the following bolded command, then hit Enter.
          • helpasst -mbrt
        • Make sure you leave a space between helpasst and -mbrt
        • When it completes, a log will open.
        • Attach this log to your next message.
    No matter what happens with the above, attach the above logs and then immediately continue with the below in normal boot mode!


    6. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    SecCenter::
    {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    
    Fcopy::
    c:\windows\$NtServicePackUninstall$\ndis.sys | c:\windows\System32\drivers\ndis.sys
    
    File::
    c:\documents and settings\NetworkService\Application Data\ohipmn.dat
    c:\windows\system32\config\systemprofile\Application Data\ohipmn.dat
    C:\WINDOWS\TEMP\PR6.tmp
    C:\WINDOWS\TEMP\PRD5.tmp
    
    FileLook::
    c:\windows\system32\drivers\keilmlxi.sys
    
    DirLook::
    c:\documents and settings\Administrator\Application Data\Aneqi
    c:\documents and settings\Administrator\Application Data\Esgai
    C:\Documents and Settings\Administrator\My Documents\Tdss
    C:\Program Files\Common Files\InfoWatch
    
    Folder::
    C:\Documents and Settings\HelpAssistant
    C:\Documents and Settings\Administrator\Local Settings\temp\4.tmp
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    7. Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Also answer any questions that I asked, include the results from jotti, and the collect.zip, and finally the log from HelpAsst_mebroot_fix.exe.

    Let me know how things are running so far.
     
  5. slaity

    slaity Private E-2

    Hi.

    Thanks for replying. Ok per your reply,

    2. These are registry items my friend said I needed to add; they didn't work, so they can be deleted.

    3. Looked for this file keilmlxi.sys and I can't find it. Looked for it in the file and it wasn't there. Tried running the zip file command and it came back blank.

    5. Ran mebroot_fix and the file is attached.

    6. Ran combofix with the script; it got to stage 4 and then crashed with a BSOD. Had to remove the NDIS.sys file again from the system32/drivers file to get back into Windows. Ran it again and the same thing happened.

    Any other thoughts would be most welcome!

    Thanks

    Steven
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, not sure how far combofix got, but we will repeat some of my last fix, this time using Avenger.

    Without clicking on any of the contents please tell me what is inside each of these folders:

    • c:\documents and settings\Administrator\Application Data\Aneqi
    • c:\documents and settings\Administrator\Application Data\Esgai
    • C:\Documents and Settings\Administrator\My Documents\Tdss
    • C:\Program Files\Common Files\InfoWatch

    File copy

    Please do the following:

    1. Click on the Start button, then click on Run...

    2. In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
    3. Copy the entire bold text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).



    4. In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

    5. Press Enter.

    6. When successful, you should get the below message within the Command Prompt:

    • "1 file(s) copied"
    7. IMPORTANT NOTE: If you didn't get this message, stop and tell me first. Executing any of the following instructions (with Avenger) is dependent upon this file being successfully copied.

    8. Exit the Command Prompt window.


    Now download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after the reboot.

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this. Address my questions regarding those folders!! :)

    How are things running for you now?
     
  7. slaity

    slaity Private E-2

    Hi

    Checked the files you requested.

    c:\documents and settings\Administrator\Application Data\Aneqi - Empty

    c:\documents and settings\Administrator\Application Data\Esgai contains vupo.tmp and vupo.wao files

    C:\Documents and Settings\Administrator\My Documents\Tdss contains tdsskiller.exe and eula.txt files

    C:\Program Files\Common Files\InfoWatch contains a file called crytostorage

    Ran down the to-do list; I have attached the files required.

    Checked the device manager and still showing error 39 and no internet.

    Thanks
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after the reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  9. slaity

    slaity Private E-2

    Hi

    Ran the files as requested. The two log files are attached.

    Thanks
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      ndis.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  11. slaity

    slaity Private E-2

    Hi

    Thanks for the continued help.

    Attached is the file you requested
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    FCopy::
    C:\i386\ndis.sys | C:\WINDOWS\system32\drivers\ndis.sys
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  13. slaity

    slaity Private E-2

    Hi

    Tried running combofix and at stage 4 again I get the BSOD as before
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you boot into the Recovery Console? (You may need to enter the BIOS and set the boot-up order to the CD first.) If so, then type this:
    copy C:\i386\ndis.sys c:\windows\system32\drivers\ndis.sys

    Then exit and reboot. Tell me if that works.
     
  15. slaity

    slaity Private E-2

    Got into the recovery console and typed that in but it says access is denied
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try again with the RC:

    D: (if D: is the label of the CD-ROM; change it if yours is different)
    cd i386
    expand ndis.sy_ C:\Windows\system32\drivers

    enter, then type exit and reboot.
     
  17. slaity

    slaity Private E-2

    Can't use the disc that came with the computer as it's on DVD and I don't have a DVD drive!
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    When I said this in message #6:

    Did you indeed get the message "1 file copied"??
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after the reboot.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Aug 6, 2010
  21. slaity

    slaity Private E-2

    Kestrel13! - with regard to post 6, yes, ran this and got the message 1 file copied.

    Chaslang - ran Avenger, message came up saying part 1 complete and computer needed to be rebooted. Rebooted computer; when it got to the login screen, the computer restarted and got the BSOD. Restarted the computer and it logged in ok; the Avenger log that was generated is attached. Ran mglog.bat and the log file is also attached.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The fix did not run properly.

    Are you doing any other fixes on your own or working on this problem anywhere else? Previously your dllcache\ndis.sys file was okay. Now it has been corrupted, and the last fix was not doing anything with the file in dllcache. You must make sure you are not doing anything else except what we ask.

    Please reboot your PC into safe boot mode and shutdown any protection software that may be running, and then run the same fix I previously gave with Avenger again and attach new logs.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also uninstall Kaspersky PURE
     
  24. slaity

    slaity Private E-2

    Hi

    No not doing any other fixes at the moment, just following the stages from this forum.

    Tried the Avenger script in safe mode; the same thing happened again: Stage 1 completed, computer needs to reboot. Rebooted the computer; this time it didn't even get to the login screen, it got to just before where it was loading settings and then it restarted and went to the BSOD.

    Restarted the computer and ran the logs, which are attached.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Seems you have some additional problems with either your Windows Operating System or with other malware. Something is stopping these tools from running properly. I do see that you still have at least leftovers from an MBR infection that HelpAsst_mebroot_fix did not resolve. Do you have your Windows Boot CD just in case we wind up needing it?


    Please download NDISfix and save it to your Desktop. Then double click the NDISfix.bat file to run it. Let me know if you receive any error messages at all.


    Now click Start, Run and paste the below command into the run box and click OK.

    net stop RDSessMgr

    Now repeat the above by entering each of the below into the run box:
    net stop TermService
    net user HelpAssistant /active:no
    net localgroup Administrators HelpAssistant /delete


    Now Reboot your PC.

    After reboot, delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\temp
    C:\Documents and Settings\Administrator\Local Settings\Temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  26. slaity

    slaity Private E-2

    Hi

    Ok, ran NDISfix and it just went straight to the BSOD.

    Haven't run the other steps, should I?

    Also don't have a boot disc.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes.

    I see that you installed the Recovery Console on your PC (probably when first running ComboFix); see if you can boot to the Recovery Console when your PC starts up by hitting the up/down arrow keys to select it when you see the boot options that appear for just a couple of seconds. If you can get it to boot, then just type exit at the command prompt and go back to Windows. I need to know if you can run it first before I create the next fix.

    If you can boot to the Recovery Console, we may be able to fix this missing ndis.sys files from there.
     
  28. slaity

    slaity Private E-2

    Hi

    Ok ran the other steps as instructed. Log file attached.

    Checked the recovery console and yes I can log into that.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay boot to the Recovery Console and enter the below command. Note the space before each C:

    copy C:\WINDOWS\system32\dllcache\ndis.sys C:\WINDOWS\system32\drivers\ndis.sys


    Take note that you see a "1 file copied" type message and tell me whether you get this or not. In fact.... enter the below command and see if the ndis.sys file shows up.

    dir C:\WINDOWS\system32\drivers\ndis.sys

    Then type exit to reboot to Windows and re-run the C:\MGtools\GetLogs.bat program and attach the new C:\MGlogs.zip file.
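    The restore above is done by hand in the Recovery Console and checked by eye for the "1 file copied" message. As an added example (not a MajorGeeks tool and not from any post in this thread), the PowerShell script below takes stock of the ndis.sys copies the thread draws on before any of them is copied over the live driver: it records size, file version and SHA-256 for the driver in system32\drivers and for each backup location named in the thread (dllcache, $NtServicePackUninstall$ and i386), warns when the backups disagree with each other (the situation post #22 describes, where the dllcache copy went bad), and provides a copy step that proves the copy by re-hashing the target. It assumes Windows XP paths and PowerShell 2.0 (the oldest version that runs on XP); the function names Get-FileSha256, Get-DriverCopyInfo and Restore-DriverCopy are this example's own. It runs from a working Windows session and does not replace the Recovery Console step when Windows will not stay up long enough to run it.

```powershell
# Added example for this thread (not MajorGeeks' or any helper's tool).
# Assumes Windows XP paths and PowerShell 2.0; run from an administrator
# PowerShell window in a working Windows session.

$Target = Join-Path $env:SystemRoot 'system32\drivers\ndis.sys'

# Backup locations named in the thread. The i386 folder normally holds the
# compressed ndis.sy_, which needs expand.exe rather than a plain copy, so a
# plain ndis.sys will usually be reported as absent there.
$Candidates = @(
    (Join-Path $env:SystemRoot 'system32\dllcache\ndis.sys'),
    (Join-Path $env:SystemRoot '$NtServicePackUninstall$\ndis.sys'),
    (Join-Path $env:SystemDrive 'i386\ndis.sys')
)

function Get-FileSha256 {
    # SHA-256 of a file via .NET, since Get-FileHash only arrived in PowerShell 4.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Get-DriverCopyInfo {
    # One record per path: present or not, and if present its size, version and hash.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{
            Path = $Path; Present = $false; Bytes = $null; Version = $null; SHA256 = $null
        }
    }
    $item = Get-Item -LiteralPath $Path
    New-Object PSObject -Property @{
        Path    = $Path
        Present = $true
        Bytes   = $item.Length
        Version = $item.VersionInfo.FileVersion
        SHA256  = Get-FileSha256 $item.FullName
    }
}

# Inventory: the live driver first, then every backup location.
$Report = (@($Target) + $Candidates) | ForEach-Object { Get-DriverCopyInfo $_ }
$Report | Select-Object Path, Present, Bytes, Version, SHA256 | Format-Table -AutoSize

# Backups that exist but differ from each other are the ones to distrust. This
# only flags disagreement; it cannot by itself say which copy is the genuine one,
# so compare the Version column against the service pack installed.
$distinct = @($Report |
    Where-Object { $_.Present -and $_.Path -ne $Target } |
    ForEach-Object { $_.SHA256 } |
    Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning 'Backup copies of ndis.sys do not match each other; check versions before restoring.'
}

function Restore-DriverCopy {
    # Copy $Source over $Target only if $Source exists, then prove the copy by
    # re-hashing the target: the scripted form of the "1 file(s) copied" check.
    param([string]$Source, [string]$Target)
    if (-not (Test-Path -LiteralPath $Source)) {
        throw "Source not present: $Source"
    }
    Copy-Item -LiteralPath $Source -Destination $Target -Force
    $expected = Get-FileSha256 $Source
    $actual   = Get-FileSha256 $Target
    if ($actual -ne $expected) {
        throw "Copy verification failed for $Target"
    }
    Write-Host "Restored $Target from $Source (SHA-256 $actual)"
}

# Uncomment to restore from dllcache once the inventory above looks sane:
# Restore-DriverCopy -Source $Candidates[0] -Target $Target
```

    Read the table before uncommenting the last line: a backup whose hash differs from the others, or whose version does not match the installed service pack, is the copy to leave alone, and the hash recorded for the live driver is what to compare against after any later reboot to see whether the file was changed again.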
     
  30. slaity

    slaity Private E-2

    Ok, copied the file as requested in the Recovery Console; had the 1 file copied message.

    Rebooted and ran the MGlogs, which is attached.

    Thanks
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that's better. ndis.sys is now back where it belongs. Can your PC now get a connection? It does not look like it based on your MGlogs.zip file. It actually looks like there are no drivers for your network interface card being loaded, since no card appears to be detected. You may need to reinstall drivers. Check Device Manager to see if you have a Network Adapter detected and whether it shows an error (a yellow exclamation point).

    Based on your new log, you never uninstalled Kaspersky PURE as requested in msg # 23.

    Now open a command prompt window by clicking Start, Run, and enter cmd and click OK. If the window opens type each of the below commands in. Follow each by the enter key. Note there are spaces after the sc and after the stop and after the delete.

    sc stop AVP
    sc delete AVP
    sc stop keilmlxi
    sc delete keilmlxi


    Also Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.


    NOTE: This PC does not have enough memory to properly run Windows XP and other software. Your logs show the below
    Code:
    Total Physical Memory 512.00 MB 
    Available Physical Memory 68.64 MB
     
    Last edited: Aug 8, 2010
  32. slaity

    slaity Private E-2

    Hi

    Ran the sfc / scannow command and a couple of minutes in it crashed to the BSOD again.

    With regard to 512 MB memory, I think that's my memory stick.

    So has the computer got a hardware issue instead?

    Thanks for the help so far
     
  33. slaity

    slaity Private E-2

    Also noticed I have 2 files in my C dir: pagefile.sys, which is over 1 GB in size, and hiberfil.sys, which is 457,000 KB in size.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if it will run in safe boot mode. If not, you should probably consider a reinstall since it is looking more and more like you have serious damage to your Windows Operating System.

    No! That's exactly what I showed you and that is the amount of memory in your PC and you only had 68.64 MB free. Windows cannot run like this.


    Did you run the other steps I asked you to run with the sc command? Did you uninstall Kaspersky?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All normal and required by Windows.
     
  36. slaity

    slaity Private E-2

    Ok

    Had uninstalled Kaspersky, or so I had thought. Ran the uninstall tool as well and then an uninstall program to finally (I hope!) get rid of it.

    Ran the other requests and the first 2 worked, the ones for Keilmlxi said that service is not a recognised service.

    With regard to the memory of 512 MB with 68 MB free, how do I free more memory? I don't have a lot of processes running (that I know of), so I'm not sure how so much is being used.

    Ran sfc /scannow in safe mode, and the black command box popped up for a second and then nothing happened.

    So I take it the next course of action is to reinstall windows? If so, as my Windows disc is on DVD, and my disc drive is cd only, if I copy the disc to a usb memory stick, can I run it from there?

    Thanks for all the help so far.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You would need to stop running any unnecessary processes that you are loading at startup; however, even if you do this, your PC is still going to be slow. 512 MB is just not enough memory to properly run Windows XP anymore. 1 GB is the minimum we suggest, but you really need to consider having 2 GB, which is 4 times what you have.


    Yes this would be best since your PC seems to be very unstable. It will improve the performance too, but if you do not upgrade to more memory, it will get slower and slower as you get all updates installed, protection installed.....etc.

    You cannot just copy the Windows DVD to a USB stick. You need to have a bootable drive. Thus you would need to make a bootable memory stick and make sure your PC allows booting from the USB port. This is something you would need to discuss in the Software Forum.
     
