No Internet after Virus Removal – Ndis.sys

I remove malware every day from PCs, and whenever I see a trend I'll usually write about it. This post is about infection of the Ndis.sys driver (a Windows file that is a component of the Windows networking software). As many of you know, I usually use bootable media to remove malware. Since I'm in a bootable environment, I'm able to remove ANY infected file on the hard drive (filesystem). As you may have guessed, this can be really dangerous.

Why?

Infected system files in the Windows folder can easily be deleted, making the Windows OS unbootable or, in the case of this example, "un-networkable". So, if you've just removed malware with a bootable removal tool and all your network adapters have ! symbols (exclamation marks), then you're probably missing the ndis.sys file (or it's corrupted).

To replace your Ndis.sys with a non-infected one you have a few options:

  1. Copy one from a non-infected PC (make sure the OSes match – run winver on both).
  2. Copy one (expand) from the OS disc.
  3. Type copy "C:\WINDOWS\ServicePackFiles\i386\ndis.sys" "C:\WINDOWS\system32\drivers\ndis.sys".

    Reboot. After you reboot, your networking functionality should be restored.
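The OS-match check from option 1 can also be made on the file itself. The following is an added example (not part of the original post): it reads the version stamped into each candidate ndis.sys and its SHA-256, so copies from the OS disc, another PC and ServicePackFiles can be compared before one is put in place. The expected version is an assumption you record from a known-good machine at the same service pack level; the sample versions in the code are constructed.

```python
import hashlib
import struct
import sys

# VS_FIXEDFILEINFO (the binary part of a PE version resource) starts with 0xFEEF04BD.
FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)


def file_version(data):
    """Return (major, minor, build, revision) from a driver image, or None."""
    pos = data.find(FFI_SIGNATURE)  # raw scan; good enough for a sanity check
    if pos < 0 or pos + 16 > len(data):
        return None  # truncated, stripped, or not a Windows binary at all
    # Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _, _, ms, ls = struct.unpack_from("<IIII", data, pos)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def describe(data):
    """Version and hash of one candidate, for side-by-side comparison."""
    return {"version": file_version(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def matching(candidates, expected_version):
    """candidates: {label: bytes}. Labels whose version equals expected_version."""
    return sorted(label for label, data in candidates.items()
                  if file_version(data) == expected_version)


def make_sample(version):
    """Constructed stand-in for a driver file, used only for the demo below."""
    ms = (version[0] << 16) | version[1]
    ls = (version[2] << 16) | version[3]
    return b"MZ" + b"\0" * 62 + struct.pack("<IIII", 0xFEEF04BD, 0x10000, ms, ls)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real use: pass the candidate ndis.sys paths
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, describe(fh.read()))
    else:  # demo on constructed samples (versions are made up)
        demo = {"os_disc": make_sample((5, 1, 2600, 1000)),
                "service_pack_files": make_sample((5, 1, 2600, 2000))}
        for label, data in demo.items():
            print(label, describe(data))
        print("usable:", matching(demo, (5, 1, 2600, 2000)))
```

A candidate that reports no version, or a version older than the installed service pack, should not be copied into system32\drivers.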



  • sandra

    Very helpful.

  • james

    This fix worked momentarily, but quickly switched back to the internal IP Address (169.254.).

  • JJ

    Matt,

    Thanks for the great info. Every posting of yours is helpful.

    With the confidence your comments and videos have given me I worked a laptop BSOD issue this week. Worked a lot of your anti-malware techniques and upgraded some drivers. Then I finally uninstalled NIS 2009. Problem solved! BTW, I am not a computer expert, just a tinkerer.

    Now the computer works great with Avira and Geswall for protection. Wouldn’t have tried those without this site and your Youtube channel.

    I know this is way off topic but I just wanted to offer thanks and explain why.

  • http://www.youtube.com/antivirushelp evgeny

    no words

  • Johnny5

    This is what I did to remove an NDIS.sys piece of malware. But now it’s thrown me off the internet. How do I fix that?

    The problem happened because the XP Pro disk is SP1a, my comp's been updated to SP2, and the only other PC I have access to has SP3, and is a Home version.

  • Johnny5

    Nevermind, I did the ndis from disk but lost internet, but then updated from the service packs folder as suggested, and I have net again, and so far looks like all traces of the virus are gone.

    It was a services.exe virus that kept reinstalling from an ndis.bad file that replaced the original.

    Trojan_Agent2.het is what avg kept calling it. Prevx 3.0 called it the ndis.bad virus.

    I wasn’t left much recourse since prevx 3.0 wanted me to buy their app to fix it. So thank you tons! You just saved me 30 bucks for an app I only needed once!

  • Iggy

    Thank you!
    I have had a serious problem with ndis.sys, it was infected with what was identified by Avira and Sophos as a rootkit. It was sending out data on various IPs as soon as I got connected to internet (accompanied with random clicking sound in the background). I could see sometimes that those were smtp servers from hotmail, live.mail and what not! Number of svchost.exe processes went up (to about six). But as you said: if I remove it - there goes internet with it! So I removed ndis.sys completely, copied the same file from the machine with the same windows on it (used an ubuntu live cd to avoid not being able to copy the file for any reason!?) and baaaaam!
    Everything OK!
    After 3 days of mayhem, my comp is no longer spam-machine, number of svchost.exe processes went down to 3 (usual number on my comp.), strange clicking sound disappeared, rootkits are no longer detected in system32. Thx a bunch! :)

  • Ben

    Hey, I just followed your video on Youtube about Malware. I downloaded Malbytes and it detected two infections. I swept them, but I can't get my internet connection back. I have a wireless connection. It says it's connected but Internet Explorer displays a can't display page. If you could help me out I would appreciate it. Thanks.

  • ahsan

    Well yeah, I'm having a serious problem as well. Avast detected ndis.sys on a boot scan and it removed all three files. I searched for it and it was not there, so if I'm right I think I have to copy the file from a clean Windows or a Windows CD, but will I have to copy it to all three locations?

  • clint

    I'm having an interesting issue with mine. I have 3 computers running on the same network, in which case my father's computer (the primary internet host) was badly infected. Since then I've cleaned most of the infections out and replaced the ndis.sys file. The interesting part is that the internet works for every application except web browsers. I've tried reinstalling 4 different ones and I have the same problem on all computers except the host. Any thoughts?

    • malwarekilla

      @clint – make sure the proxy settings are turned off in IE.

