Archive | Post Malware Cleanup

Multiple RunDLL32.exe's in Task Manager? That Dern Conficker…

I ran up against a little issue in a small 10-person office that sorta stumped me for a few hours. At random times during the day, client PCs would spawn dozens of rundll32.exe processes and effectively render the PC useless (it sucked up all the RAM).

The cause?

These boxes were infected with Conficker at one point, and the infection created dozens of scheduled tasks. Those scheduled tasks are what spawn all the RunDll32.exe processes. I simply deleted the tasks and have not seen a recurrence of the RunDll32.exe pile-up since.
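One way to find the tasks described above before deleting them, as an added PowerShell example that is not part of the original post: it reads the task list with schtasks.exe (present on Windows XP SP2 / Server 2003 and later), keeps only tasks whose action launches rundll32.exe, and deletes them only when explicitly asked. The function names are my own.

```powershell
# Added example, not from the original post: find scheduled tasks whose action
# launches rundll32.exe (the pattern the post describes) and optionally remove them.
# Assumes schtasks.exe is available (Windows XP SP2 / Server 2003 and later).
function Get-RunDll32Task {
    # /v adds the "Task To Run" column; /fo CSV lets ConvertFrom-Csv build objects.
    # Newer Windows versions repeat the header row once per task folder, so those
    # rows (TaskName literally equal to "TaskName") are dropped.
    schtasks /query /fo CSV /v |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -match 'rundll32' } |
        Select-Object TaskName, 'Task To Run', 'Scheduled Task State', 'Next Run Time'
}

function Remove-RunDll32Task {
    # Prints every match; deletes only when -Force is given, so the list can be
    # reviewed first.
    param([switch]$Force)
    foreach ($task in Get-RunDll32Task) {
        Write-Host ("{0}  ->  {1}" -f $task.TaskName, $task.'Task To Run')
        if ($Force) {
            schtasks /delete /tn $task.TaskName /f | Out-Null
        }
    }
}

# Review first, then remove:
# Get-RunDll32Task | Format-Table -AutoSize
# Remove-RunDll32Task -Force
```

Look at the "Task To Run" column before using -Force: some legitimate software also schedules rundll32.exe, so the DLL path and export name in that column are what tell a stray task from a wanted one. If the tasks reappear after deletion, the machine is still infected and the cleanup was incomplete.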

Also, sorry I haven’t posted much this week, I had a nasty flu.


No Internet after Virus Removal – Ndis.sys

I remove malware every day from PCs, and whenever I see a trend I'll usually write about it. This post is about infection of the Ndis.sys driver (a Windows file which is a component of the Windows networking software). As many of you know, I usually use bootable media to remove malware. Since I'm in a bootable environment I'm able to remove ANY infected file on the hard drive (filesystem). As you may have guessed, this can be really dangerous.

Why?

Infected system files in the Windows folder can be easily deleted, making the Windows OS unbootable or, in the case of this example, "un-networkable". So, if you've just removed malware with a bootable removal tool and all your network adapters show ! symbols (exclamation marks), then you're probably missing the ndis.sys file (or it's corrupted).

To replace your Ndis.sys with a non-infected one you have a few options:

  1. Copy one from a non-infected PC (make sure the OS versions match: run winver on both).
  2. Expand one from the OS disc.
  3. Type copy "C:\WINDOWS\ServicePackFiles\i386\ndis.sys" "C:\WINDOWS\system32\drivers\ndis.sys" (this puts the copy cached by the service pack back into place).

Reboot. After you reboot, your networking functionality should be restored.
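The check and the copy from option 3, written out as an added PowerShell example (not code from the original post): it compares the live ndis.sys against the service-pack cached copy by SHA-256, reports whether the driver is missing, intact or different, and restores it only when needed, keeping the suspect file for later analysis. Paths follow the post, with $env:SystemRoot in place of the hard-coded C:\WINDOWS; the function names are my own.

```powershell
# Added example, not part of the original post. Compares the live ndis.sys with the
# copy cached under ServicePackFiles (the post's option 3) and restores it if needed.
function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
    } finally {
        $stream.Close()
    }
}

$LiveNdis   = Join-Path $env:SystemRoot 'system32\drivers\ndis.sys'
$CachedNdis = Join-Path $env:SystemRoot 'ServicePackFiles\i386\ndis.sys'

function Test-NdisSys {
    # 'no-reference': nothing to compare against, fall back to option 1 or 2
    # 'missing'     : the removal tool deleted the driver
    # 'differs'     : the driver on disk is not the cached copy
    # 'intact'      : byte-for-byte the same as the cached copy
    if (-not (Test-Path $CachedNdis)) { return 'no-reference' }
    if (-not (Test-Path $LiveNdis))   { return 'missing' }
    if ((Get-FileSha256 $LiveNdis) -eq (Get-FileSha256 $CachedNdis)) { return 'intact' }
    return 'differs'
}

function Restore-NdisSys {
    $state = Test-NdisSys
    switch ($state) {
        'intact'       { Write-Host 'ndis.sys matches the cached copy; nothing to do'; return }
        'no-reference' { Write-Host 'No ServicePackFiles copy; use a matching PC or the OS disc'; return }
        'differs'      { Copy-Item $LiveNdis "$LiveNdis.suspect" -Force }   # keep the odd copy for analysis
    }
    Copy-Item $CachedNdis $LiveNdis -Force
    Write-Host "ndis.sys restored from ServicePackFiles (was: $state); reboot to reload the driver"
}

# Test-NdisSys
# Restore-NdisSys
```

A 'differs' result is not proof of infection: a hotfix released after the service pack can legitimately update ndis.sys, so compare the file version (Get-Item $LiveNdis).VersionInfo with the cached copy, or check the removal tool's log, before treating the mismatch as malicious. Run from an elevated prompt; the copy into system32\drivers fails otherwise.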


Remove-Malware Traffic Stats