Tonight I uploaded the Norton Bootable Removal Tool 2011 edition review. I tested the NBRT against a computer that was so infected it wouldn’t even boot. Thanks for watching and please leave those wonderful comments! Also, please share this post using the social buttons at the bottom of this post!
I remove malware every day from PCs, and whenever I see a trend I'll usually write about it. This post is about the infection of the ndis.sys driver (a Windows file that is a component of the Windows networking software). As many of you know, I usually use bootable media to remove malware. Since I'm in a bootable environment I'm able to remove ANY infected file on the hard drive (filesystem). As you may have guessed, this can be really dangerous.
Infected system files in the Windows folder can be easily deleted, thus making the Windows OS unbootable or, in the case of this example, "un-networkable". So, if you've just removed malware with a bootable removal tool and all your network adapters show ! symbols (exclamation marks), then you're probably missing the ndis.sys file (or it's corrupted).
To replace your Ndis.sys with a non-infected one you have a few options:
- Copy one from a non-infected PC (make sure the OS versions match – run winver on both).
- Copy one (expand) from the OS disc.
- Type copy “C:\WINDOWS\ServicePackFiles\i386\ndis.sys” “C:\WINDOWS\system32\drivers\ndis.sys”.
Reboot. After you reboot, your networking functionality should be restored.
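The third option above can be made safer by checking before copying. The script below is an added example (not part of the original post): it compares the live ndis.sys against the pristine copy under ServicePackFiles by SHA-256, keeps a copy of a mismatching file for analysis instead of overwriting it blindly, and only then restores. It assumes the XP-era paths from the post and that you are running it from inside the affected Windows installation (e.g. Safe Mode), since $env:SystemRoot would point at the boot media in a bootable environment.

```powershell
# Added example, not from the original post. Assumes the Windows XP layout the
# post describes; both paths and the use of SHA-256 are my assumptions.
param(
    [string]$Live     = "$env:SystemRoot\system32\drivers\ndis.sys",
    [string]$Pristine = "$env:SystemRoot\ServicePackFiles\i386\ndis.sys"
)

# Hash with .NET directly so this also works on old PowerShell without Get-FileHash.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $hash = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    ($hash | ForEach-Object { $_.ToString("x2") }) -join ""
}

if (-not (Test-Path $Pristine)) {
    Write-Host "No pristine copy at $Pristine; use the OS disc or a matching PC (check winver)."
    exit 1
}

$pristineHash = Get-Sha256Hex $Pristine
$needsRestore = $true

if (Test-Path $Live) {
    $liveHash = Get-Sha256Hex $Live
    if ($liveHash -eq $pristineHash) {
        Write-Host "ndis.sys matches the ServicePackFiles copy; nothing to do."
        $needsRestore = $false
    } else {
        Write-Host "ndis.sys differs from the ServicePackFiles copy."
        Write-Host "  live:     $liveHash"
        Write-Host "  pristine: $pristineHash"
        # Preserve the suspect file for later analysis rather than destroying evidence.
        Copy-Item $Live "$Live.suspect" -Force
    }
} else {
    Write-Host "ndis.sys is missing from system32\drivers."
}

if ($needsRestore) {
    Copy-Item $Pristine $Live -Force
    Write-Host "Restored ndis.sys from $Pristine; reboot to bring networking back."
}
```

Run it from an elevated PowerShell prompt; a hash that differs from the ServicePackFiles copy does not by itself prove infection (a later hotfix can legitimately update the driver), so keep the .suspect copy and check it before assuming the worst.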
Since I started reviewing Anti-Malware applications (I’ve reviewed OneCare, Kaspersky and NOD32) I’ve discovered one scary trend…Virtumonde is beating the pants off commercial anti-malware applications and not much is being done about it.
Here are some quick facts on Virtumonde:
- Virtumonde is adware, horribly pernicious adware that displays a stream of popunder advertising.
- It resides on your PC as a .dll (usually random letters and numbers like: yayVNDuT.dll)
- Virtumonde is often injected into winlogon.exe, making cleaning difficult. Winlogon.exe often runs at 20-40 percent CPU usage when Virtumonde is present.
Malware authors are being paid very well to change Virtumonde multiple times a day, sometimes dozens of times each day, to avoid detection. Commercial anti-malware applications can prevent and remove some of these Virtumonde variants; however, most are never caught, and removal has a very slim success rate.
Below is a quote from the NOD32 forum administrator:
Re: NOD can’t get rid of VirtuMonde!
I’d suggest removing the Virtumonde dlls using Undll.
So, the NOD32 forum admin tells us to manually remove Virtumonde using their manual dll removal tool (which is very good and does work)…but what about the 90% of users who don't know what a dll is, much less how to find the right dll to remove (NOD32 doesn't detect every variant)?
The basic PC user is left feeling they just got ripped off, because their commercial anti-malware application claimed it could remove adware. Anti-malware applications bought online or at the store should say that their products remove SOME of the adware on your PC.