
Thread: Log check and a couple of questions

  1. #21
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Honestly don't know what to tell you except reformat. By continuing to go to System Restore what you are really restoring are corrupted files. Unless you can actually boot to normal mode and do some updating then I have no other suggestions. If you had to manually update your Norton and have not updated drivers lately then the computer probably is not in very good shape anyway. A reformat may be really your best option...IF you have all of your required disks...do you?

  2. #22
    Join Date
    Oct 2006
    Posts
    19
    I don't have any of the hardware drivers, but I guess as it's quite an old laptop, if I reinstall the current version of XP it should have suitable drivers.

    I'll lose the Norton software, but that wasn't really working anymore anyway.

    I will probably have to use system restore just to get my files off the machine though. Everything important was backed up, but the sum total of all the unimportant stuff would be a pain to lose. The alternative would be to extract the hard drive and put it into a caddy to plug into my desktop machine - I'm assuming this would be a bad idea though, in case any of the viruses were to propagate to my 'clean' machine.

    It may just be coincidence, but Norton and spysweeper both stopped working properly since the problem began and I'm pretty sure that my version of windows isn't 64bit (the supposed reason why I can't install AVG anti-spyware). I also had to set up Spybot to do a proper scan as the default settings had been inversed (i.e. it was only looking for about 50 spybots and none of the other items). I wonder whether whatever is behind this had changed settings for all of these programs...

    Thanks for all the help anyway, it's really useful to get guidance through this and try and learn how to deal with these problems

  3. #23
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    "Everything important was backed up, but the sum total of all the unimportant stuff would be a pain to lose."
    If everything IMPORTANT is already backed up then what else is it that you feel you would need to save?
    The problem doing it the way you suggest, at least as I see it, others may disagree, is IF you again use System Restore and then remove or save some files from this infected machine you may also, unknowingly, also save with those items some of the infected items too as some of those "unimportant" items may also be infected. Then when you go to put them back onto a newly reformatted computer you could also be putting those infections onto the machine and end up right back where you are now. Plus some of those items may also be corrupted by the infections on the computer and you would be installing corrupted files to a computer with NO corrupted files.
    "I'm pretty sure that my version of windows isn't 64bit"
    Then why did you state that it was? Is this a message you received when trying to install AVG Anti-spy?
    "I don't have any of the hardware drivers, but I guess as it's quite an old laptop, If I reinstall the current version of XP it should have suitable drivers."
    No, this would not be the case. You must download the drivers, which must be XP compatible, from the manufacturer of each hardware item. If the only thing you have is the XP disk, it probably does not contain hardware drivers. My own computer came with XP installed, the XP disk itself contains...XP. My drivers are on another disk and these are the drivers provided by the manufacturers of my hardware...audio, video, modems, etc.
    "I guess as it's quite an old laptop"
    Did this computer come with XP installed or did it have another OS installed and this XP is an upgrade? If it is an upgrade on an old laptop are you absolutely certain that the computer itself could actually have XP installed? It may be, since this is an old laptop that the computer does not meet requirements to even run XP and just meeting the minimum requirements truly isn't enough.
    "I'll lose the Norton software, but that wasn't really working anymore anyway."
    Did this Norton program come pre-installed on the computer? If so, were annual renewals & upgrades purchased? If not then it probably was never working fully after the trial period. IF annual upgrades and renewals WERE purchased then all you would need are the activation codes and your proof of purchase to download the program again.
    You originally said your BSODs were all pointing to NDIS.sys file and were either DRIVER_IRQL_NOT_LESS_OR_EQUAL or Bad Pool Caller...these oftentimes happen due to incorrect drivers, bad ram or even overheating.

  4. #24
    Join Date
    May 2007
    Posts
    1
    First of all this is a brand new virus, I just got it last night and it downloads/installs itself through Internet Explorer and with NO user input. It overwrites your ndis.sys with a hacked copy (you will notice the file size is 200+kb when it is supposed to be 189 normally). First step is to remove the svchots.exe (with a svchoTS.exe not svchost.exe) from your startup (run msconfig and remove it). Because it's so new it is overlooked by all antivirus software that I've tried so far.

    Check exactly what time the file was modified (the imposter ndis.sys in C:/windows/system32/drivers) and then check in your windows/system32 directory for other files modified around this exact time. Take note of them. Next check in windows/system32/drivers for files modified around this time. Remove any non-windows files that were modified around this date, replace any windows files that were modified at that same date/time. See below:

    Find a proper copy of the ndis.sys file (you can extract it from a windows xp cdrom by typing "expand D:\i386\ndis.sy_ C:\redo\ndis.sys" replacing D: with your cdrom and C: with your OS) and any other files that were modified above. Now restart with a boot disk/hirens cd/winxp setup cd in repair mode/etc and copy the original versions over top of the modified ones.

    Restart and all should be well. I got this virus by surfing on www.torrentazos.com (bit-torrent site for music) with IE7. I got a request to install and without hitting anything the browser froze and my AV went wild. One restart later and it was pooched. I predict they are still running that malicious piece of code on their site if you go there now. Be forewarned.

    In the future if you don't get to see the BSOD before it restarts, on the next restart, hit F8 before you boot and select the option for "do not automatically reboot on system failure"; this will allow you to write down the error message.

    Hope this helps.
    Last edited by tg989; 05-16-2007 at 10:09 PM.
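
The timestamp pivot described in post #24 (take the modified ndis.sys's modification time, then list files in system32 and system32\drivers changed around the same moment), together with a hash comparison against a clean copy, as an added example that is not part of the original thread. The function names, the 10-minute default window and the sample directory tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256(path):
    """Hash a file so it can be compared with a known-good copy."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def modified_near(reference, directories, window_seconds=600):
    """Files whose mtime is within window_seconds of the reference file's mtime."""
    reference = Path(reference)
    pivot = reference.stat().st_mtime
    hits = []
    for directory in directories:
        for entry in Path(directory).iterdir():  # non-recursive, like the post
            if entry.is_file() and entry != reference:
                delta = abs(entry.stat().st_mtime - pivot)
                if delta <= window_seconds:
                    hits.append((entry.name, int(delta)))
    return sorted(hits, key=lambda hit: hit[1])  # closest in time first

def differs_from_known_good(suspect, known_good):
    """True when the suspect file is not byte-identical to the clean copy."""
    return sha256(suspect) != sha256(known_good)

def build_sample_tree(root):
    """Constructed stand-in for system32 and system32/drivers (not real data)."""
    drivers = Path(root, "system32", "drivers")
    drivers.mkdir(parents=True)
    clean = Path(root, "redo", "ndis.sys")  # copy expanded from install media
    clean.parent.mkdir()
    base = 1_179_300_000  # arbitrary constructed timestamp
    samples = {
        drivers / "ndis.sys": (b"replaced driver", base),
        drivers / "other.sys": (b"x", base + 120),
        drivers.parent / "dropped.dll": (b"y", base - 45),
        drivers.parent / "old.dll": (b"z", base - 86_400),
        clean: (b"original driver", base - 900_000),
    }
    for path, (data, mtime) in samples.items():
        path.write_bytes(data)
        os.utime(path, (mtime, mtime))
    return drivers / "ndis.sys", clean, [drivers.parent, drivers]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        suspect, clean, dirs = build_sample_tree(tmp)
        print(differs_from_known_good(suspect, clean), modified_near(suspect, dirs))
```

Modification times can be rewritten by whatever changed the files, so an empty result does not show that nothing else was touched; the hash comparison against a clean copy is the stronger check.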

  5. #25
    Join Date
    Jan 2007
    Location
    Edmonton,Alberta,Canada
    Posts
    78
    And this is yet another reason Judy warns against music download sites. In any case thank you for the information, as others will hopefully find it useful and avoid the same mistakes.

  6. #26
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Wow! tg989! Who are you and where did you get the info on this? I looked until my eyes crossed!

  7. #27
    Join Date
    Oct 2006
    Posts
    19
    The laptop is several years old, and did not have XP originally installed. It was an old laptop from a company I used to work for, hence XP pro and what looks like some kind of business style version of Norton, with what seems to be a lifetime licence, as I've always been able to update to the latest definitions without getting any prompts for registration info etc.

    As I don't work at the company any more (neither does the guy who set the computer up), there's no chance for me to get the original hardware driver disks, or the installation files/product key for Norton.

    The 64 bit was just a message I got when I tried to install AVG anti spy. I've got XP pro SP2, but as it was installed a couple of years ago I'm guessing it's more likely to be 32 bit.


    For the time being I've restarted with the system restore point to start from scratch. If I can somehow finally get it clean I can at least copy the files from it without worrying they may be infected.

    I can't find the ndis.sys file though!

    There's one in c:\windows\servicepack\i386\ which I assume is a backup copy, but nothing in system32\drivers

    I've turned off svchots.exe from the startup in msconfig for now as well.

  8. #28
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Locate i386
    There may be several but the one you need will contain close to 7,000 files, two of which will be winnt.exe and winnt32.exe.
    Hopefully, you can find this. If you do, write down the FULL Path to this file, which in your case may be c:\windows\servicepack\i386\
    Then you can try following the same advice given in this link about using System File Checker
    Since you don't have the original CD for XP then try these suggestions:

    To run the system file checker press Start, Run, and then type in SFC /scannow

    It validates the digital signatures of all of the Windows system files and restores any that it finds are incorrect. It will use the on-disk cache if possible, but SFC may require that you provide your original installation CD or a location with an image thereof.


    Typically the "Insert CD" message has only an OK and Cancel button. Press OK, allowing it to fail. The next dialog will typically ask you to provide the location of the CD-ROM; just type in the full path of the I386 directory you discovered above.
    Windows remembers. Now that you've told Windows where your installation CD image is it'll remember that. The next time you're in a situation that might require your installation CD Windows will look there first; if it finds what it needs then it won't bother to ask you for it.

  9. #29
    Join Date
    Oct 2006
    Posts
    19
    I ran the system file checker and it seemed to run ok, but just finished without any kind of dialog box to say what it had done. Does that mean that it didn't find any problems with the system files?

    I do have my own copy of XP on CD, but it's an early SP1 version - might there be issues restoring files from this onto an SP2 installation?

  10. #30
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    If it ran ok without any messages then I would guess that all is fine.
