cscadmin


How can I reinstall ndis.sys on a non-booting Windows 7 system?

I have a client's Acer laptop running Windows 7 (64-bit). I removed hundreds of infections (4 viruses, 261 malware, 23 spyware and 18 adware) from it and, once I got it cleaned up, it seemed to run well. I rebooted it a number of times, emptied its temp folders, etc.; all seemed to be going well.

I installed a firewall program (ZoneAlarm, free version) to lower the client's risk of future infection. At the conclusion of the installation process, the software requested a reboot. When I OK'd this and it started shutting down, the system said it was installing Windows updates (it was set to 'automatically download and install Windows updates').

From the moment it restarted, I started getting a BSOD at startup. The error is 0x000000D1 and points to ndis.sys as the crashing driver module. The system will not boot to desktop in any mode.

I have tried running the 'Startup Repair' and 'Use latest settings that worked'; neither of these has been effective. When I boot, the laptop boots to the Windows 7 splash screen with a 'Configuring Windows; please wait' message. This is followed by the BSOD (0xD1). The system does the same thing when trying to boot in 'Safe Mode' and 'Safe Mode with Networking'.

The system WILL, however, boot into 'Command Prompt Mode', presumably because the network drivers do not load in this mode.

It would seem that the proper thing to do would be to replace the ndis driver and/or remove and reinstall the Acer network drivers. I don't know how I can do this, though. No recovery discs came with the machine and the client has never made any. Is there a storage repository (like XP's cab files) from which I can extract the ndis.sys file and replace the existing one? Is there some other approach I should use?

It has occurred to me that ZoneAlarm may be a factor, since it clearly interacts with the networking software and this occurred immediately after installing ZoneAlarm. I considered removing it to see if that helps, but I don't know how to remove it from a machine that cannot boot to the desktop. I can't run the 'uninstaller'; any removal method would have to work in 'Command Prompt' mode.

Any help would be gratefully appreciated. If any of my questions/presumptions seem foolish, please pardon me; I'm still trying to internalize Windows 7's inner workings and hidden mechanisms.

Thanks for the time and energy you spent reading this. Have a Great Day!

Byron
Gary Dewrell

Try this:

Type copy "C:\WINDOWS\ServicePackFiles\i386\ndis.sys" "C:\WINDOWS\system32\drivers\ndis.sys".
Reboot.
lfrankow

Boot from the installation DVD, and go to repair console. FixBoot

If that doesn't work, boot from the DVD again, go to repair console, and FixMBR

At cmd prompt run "chkdsk /r" and "sfc /scannow"
Boot back into "repair your computer"
When it fails, launch system restore and restore back to before ZA was installed
cscadmin (ASKER)

Thank you all for your suggestions. We had a power outage here, yesterday, and I couldn't read or act on these suggestions until now.

gdewrell, I tried the file restoration first. I didn't know where to look for the backup driver files in Windows 7. I tried the command you suggested:

copy "C:\WINDOWS\ServicePackFiles\i386\ndis.sys" "C:\WINDOWS\system32\drivers\ndis.sys"

The system returned a 'directory not found' error. When I checked the "C:\Windows" directory, there was no 'ServicePackFiles' directory in it. Where else can I look for the backed-up 'ndis.sys' file? And will it be named 'ndis.sys' (as opposed to XP's 'filename.sy_' nomenclature)?

==========================

centery, When I tried to run sfc, it initially said that the utility had to be run in console mode (even though I was in Safe Mode with Command-Prompt). In looking around for the 'ServicePackFiles' directory, I changed the directory context to C:\Windows\system32 folder. When I noticed the sfc command in this directory, I attempted to run it again and this time it ran. It reported that it had found no violations of system file integrity. When I rebooted, it repeated the BSOD (0xD1) syndrome. Now, though, it is crashing even when attempting to boot into Safe Mode with Command Prompt. The only way I can get a command-prompt window is to boot into 'Repair' option at startup and then go to 'advanced options' and choose 'Command Prompt'

I had wanted to run the system file checker but decided to heed your suggestion and run chkdsk first. When I booted to Safe Mode and attempted to run chkdsk, the system denied me access (though I logged in to an administrator profile with no password status), saying that I needed to run the program in elevated mode. I rebooted and logged in as another user (administrator with password) and it ran. It did not display any obvious problems (like rebuilding indexes, etc.) but for a number of restarts after this, it kept attempting to run chkdsk each time it started up. It doesn't appear to be doing this now, but then I can't really boot into any mode without the BSOD (except for the repair option's command-prompt window, as explained above).

==========================

lfrankow, trying the disk/file system repairs had crossed my mind but I have no installation DVD, so cannot do this.

=========================

Optoma, I had tried using System Restore but the client had never set one; the only restore point there is is the one created by the Windows Update from hell.

=========================

Again, thanks for your help. If you can think of any other measures I might try, I'd be most grateful.


Have a Great Day!
Boot into "safe mode with command prompt"
Type "explorer"
Then go to programs and features and uninstall ZA
Optoma - I cannot now do that.

After running chkdsk and sfc, the system now BSOD's even in 'Safe Mode with Networking'. Further, in the wake of running chkdsk, the system has started running chkdsk each time it reboots, even though it completes each time and issues the 'done' message prior to rebooting. Weird.

In hindsight, I wish I HAD launched explorer and tried to uninstall ZA, first thing. Unfortunately, I didn't and now I can't. The 'Repair Computer' environment does provide a command prompt window but you can't run programs in the C: drive from there.

Thanks, though, for a great suggestion; it's one I shall not forget in future. Is there any other way I can remove ZA? I could remove the drive, connect it to another computer and at least gain access to the drive and its files, but I don't know if that would help (and there may be file permissions issues with this approach as well).

I'm tempted to try copying the ndis.sys file but I don't know where to copy it from and, since ZA might well be the culprit (or part of the problem, anyway) I'm not sure that a replacement of the ndis.sys file would work anyway.

Any ideas would be helpful and greatly appreciated.

Thanks!
Should have been more specific. Chkdsk will run till it completes the repair.
Use the install win7 dvd or repair disc to boot from. Choose repair option.
See what drive letter is assigned to win7. Use cmd to launch chkdsk and sfc.
You may need to specify the drive letter for windows installation. May not be the same as in windows. Run chkdsk to repair and retrieve lost files.
It will run for a long time depending on your drive size. About an hour for an 80 GB
Commands would be chkdsk /r /f /c: and sfc /scannow /c:
The problem has been that each time the system starts up, it runs chkdsk; at the conclusion, it says that it is done and will restart. When it does ... it runs chkdsk again. If I strike a key to abort it, the system continues, only to BSOD (0xD1).

Could I effectively run chkdsk and sfc from the 'System Recovery Options' panel? I CAN access that, by F8'ing and choosing 'Repair Computer' and then invoking the Command Prompt tool. The system drive is renamed 'D:' in this environment but I can access it.

I don't have a Windows 7 disk on-hand though I will in a day or two. If, however, the repair can be done properly from the 'System Recovery Options' panel I would, for the sake of expedience, do it.

Thanks Again!
I think you've exhausted that option.
Any win7 disc will do and any win7 machine can make a boot repair disc as well as iso downloaded if it's an option.
Thanks, centery and to all of you. I'll pick up a W7 disk and use it.

Best Wishes!
I can't remember if you can run programs.
Try this command in that mode to see if it launches Programs and features

appwiz.cpl

or

rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl

If that doesn't work, slave the drive and look for these ZA files but just rename them with .old at the end
http://www.wilderssecurity.com/showthread.php?t=44147
Thanks, Optoma; I'll try these this morning, in the order you've listed them.

Friends,

I apologize for letting this thread lie fallow for almost two weeks; several other problems and client emergencies and a new client (a real estate agency) that needed a network setup from scratch have taken up most of my time. I've been pecking away at this machine in the moments I could spare with the following results:

As of my last post, the system was in "cyclical chkdsk hell"; the system would fail during startup (with the BSOD of error: 0xD1) and reboot and perform a disk check. It would say it was done, then it would reboot and ... do it all over again. And again and again and again. At that time, I could not run the system file checker, since 'an event has been scheduled on this system. Please reboot and try running SFC again'. The cyclical disk check would not allow the sfc to be run.

Since I was gone from the office much of the time, I finally decided to let the system run in the hopes that it would eventually figure out that it had run chkdsk; after over 24 hours, it did, eventually, figure out that this was the case and stopped running each time. This allowed me to proceed with the exploration of other alternatives:

1) I could now run sfc, which I ran (from C:) but it did not report any violations or resolve the original problem.

2) I was now able to use optoma's advice and start the 'App Wizard'; I used it to remove ZoneAlarm; the program was successfully removed but this had no effect on the problem.

By this time I had the Windows 7 Professional install DVD and attempted to perform repairs with it:

3) I tried booting from the DVD and running the system file checker from DVD; it found no violations but this did not solve the problem

4) I ran the 'Startup Repair' tool from the DVD; this did not help either.

5) I booted into the Command console from the DVD with the idea of copying the 'ndis.sys' file from the DVD to the hard drive using the 'copy' command, as gdewrell suggested, but there is no ndis.sys file at the root level, neither is there any folder that I can find that has this file in it, nor is there the sort of 'ndis.sy_' file that one might find in the 'i386' folder of an XP install disk.

I performed a search of the install DVD, searching for any file with the string 'ndis' in its name; the search returned the following results (all on the D: drive, of course):

/sources/ndiscompl.dll
/sources/dlmanifests/ndis-dl
/sources/dlmanifests/microsoft-windows-ndis/ndismigplugin.dll
/sources/replacementmanifests/microsoft-windows-ndis/ndismigplugin.dll

These, of course, are dll's, not system driver files, and I don't see how these become '.sys' files unless they are, in some way, transformed or built upon installation. Is there some way that one of these can be used to replace the 'ndis.sys' file? If not, I can think of only one or two alternatives.

My own office machine had developed RAID problems which, when diagnosed, turned out to involve a defective mainboard (one of the problems mentioned above), and, after a two-week wait, I just got the warranty replacement (refurbished) mobo today.

It occurred to me that I might rebuild that machine, install Windows 7 on it, find the 'ndis.sys' in the installed system and copy it to the client system's drive to see if that would work. I performed the installation, but the replacement mobo is exhibiting some odd behaviours and if I could find some way that did not depend upon solving these other problems, I'd be a happier guy. My client is quite justifiably antsy and I'm beginning to think that the best path is to simply copy all user documents (which I've already done, just to be on the safe side), format the drive and reinstall.

I considered performing a repair install, but checking several articles on Windows 7 repair installation, it seems that "you can only do a repair install from within Windows 7, you cannot do a repair install at boot or in Safe Mode. You must be logged into Windows 7 in an administrator account to be able to do a repair install." (http://www.sevenforums.com/tutorials/3413-repair-install.html).

(Parenthetically, that is, in my opinion, a major step backward from Windows XP; the ability to perform repair installs at boot and from Safe Mode has saved many a client the trouble and expense of having the system completely reinstalled and the hassle of reinstalling all of their user-installed apps.)

But it seems that, since I cannot boot into ANY account, administrator or not, in any mode but 'Safe Mode with Command Prompt', I cannot use the 'Repair Install' option.

Can you think of any way out of the quandary I find myself in?  Any alternatives would, believe me, be greatly appreciated!

Thank you all for your help and a double thanks for the time and energy you spent reading all of this.


Byron
SOLUTION
optoma
Thanks, Optoma; I'll do it! Will report tomorrow.
Friends,

I removed the drive and connected it to my temporary office system (running XP; still haven't had a chance to rebuild my principal system). I performed a virus scan (AVG; latest version; fully updated) checking all files, including 'non-infectable' files. No infections were found.

Then I searched the drive for the 'ndis.sys' driver file. The search turned up two instances of it:

F:/Windows/System32/drivers/ndis.sys
F:/Windows/winsxs/amd64_microsoft-windows-ndis_31bf3856ad364e35_6.1.7600_none_03bc1d6e35c0b13f

This laptop has an Intel (Pentium) CPU, not an AMD. I carefully compared the two files' size, creation dates, modification dates, product versions and file versions; in every respect they are identical, right down to the number of bytes (947,776). Nonetheless I was concerned; the size might well be identical even though the data within the file varied.

So I attempted to rename the existing 'ndis.sys' file (the one in the drivers folder) to 'ndis.old' with the thought of then copying the one in the 'winsxs' folder and pasting it into the drivers folder and then testing to see if the system worked.

To my dismay, the system wouldn't allow either the rename OR the paste operation, telling me that 'Access denied: Make sure the disk is not full or write protected and that the file is not currently in use.'

Bear in mind that the drive upon which these files are located is currently connected to another computer using a USB interface, so the system is not running either of these files. I tried setting the 'Sharing & Security' privileges for the enclosing folders to share and allow users to edit files, but got the same message. This behaviour occurs in both occurrences of this file.

Is there something I am missing or is it time to format and reinstall?

Thanks again for your time, energy and assistance!


Byron
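
The post above compares the two ndis.sys copies by size, dates and version, and notes that equal size does not prove equal content. As an added example (not part of the original thread), this Python sketch hashes the driver in System32/drivers against every copy in the WinSxS store of a slaved drive; it assumes Python is available on the bench machine, and the sample tree and its folder names are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries never sit fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_with_store(windows_dir, name="ndis.sys"):
    """Compare System32/drivers/<name> with every WinSxS copy of it.

    Returns sorted (relative store path, same_size, same_content) tuples.
    """
    live = os.path.join(windows_dir, "System32", "drivers", name)
    live_size, live_hash = os.path.getsize(live), sha256_of(live)
    store = os.path.join(windows_dir, "winsxs")
    rows = []
    for root, _dirs, files in os.walk(store):
        for entry in files:
            if entry.lower() == name.lower():
                copy = os.path.join(root, entry)
                rows.append((os.path.relpath(copy, store),
                             os.path.getsize(copy) == live_size,
                             sha256_of(copy) == live_hash))
    return sorted(rows)


def build_sample_tree(base):
    """Constructed stand-in for the slaved drive's Windows folder (not real data)."""
    good = b"\x4d\x5a" + b"\x00" * 1022
    patched = good[:512] + b"\xff" + good[513:]  # same length, one byte changed
    layout = {
        ("System32", "drivers"): good,
        ("winsxs", "amd64_microsoft-windows-ndis_CONSTRUCTED-A"): good,
        ("winsxs", "amd64_microsoft-windows-ndis_CONSTRUCTED-B"): patched,
    }
    for parts, data in layout.items():
        folder = os.path.join(base, "Windows", *parts)
        os.makedirs(folder)
        with open(os.path.join(folder, "ndis.sys"), "wb") as fh:
            fh.write(data)
    return os.path.join(base, "Windows")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in compare_with_store(build_sample_tree(tmp)):
            print(row)
```

On the real drive, pass the mounted Windows folder (F:/Windows in the post above) to `compare_with_store`; a row with matching size but differing content is the case the size and date comparison cannot detect.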
ASKER CERTIFIED SOLUTION
Friends,

I wound up reformatting the drive and reinstalling programs, documents and settings.

I'd like to award points to those of you who helped me with this problem but I don't see any way to do this. There are no 'Award Points' or 'Multiple Points' buttons.

How do I do this?
You should have an option to split points but if in doubt, click on Request Attention to the right of Time Zone and ask for assistance.