subject: fix: XP: all network adapters unusable (code 39)
posted: Thu, 27 May 2010 23:01:12 +0100


Problem:

In Device Manager, all your network adapters are marked with a
yellow exclamation mark. If you double-click an adapter, you see
that Windows is reporting that the drivers are missing or corrupt
(Code 39). Reinstalling the driver does not help.

Cause:

Note: this problem may have multiple causes and solutions. The fix
presented here may not work in all circumstances.

This is caused by a missing/corrupted file, and/or registry key(s).
The file is:

%WINDIR%\system32\drivers\NDIS.SYS

The registry keys are noted below.

This file may be corrupted by a virus, and then deleted by anti-virus
software (the Microsoft Malicious Software Removal Tool is one such
program that, as of this writing, will delete this file, if it is
infected). The registry keys may also be deleted. However, this file
is critical to Windows' operation, and it should NOT be deleted. The
registry keys are also critical and should not be deleted.

Solution:

1. Replace NDIS.SYS with a known-good copy. This may come from
another machine, OR it may come from the %WINDIR%\system32\dllcache
directory, or some other location (ServicePackFiles etc). Make sure
you use the correct NDIS.SYS for your currently-installed Service
Pack. The date and size of the file indicate which version it is:

SP1 NDIS.SYS ... August 2002 ... 167552 bytes ... version 5.1.2600.1106

SP2 NDIS.SYS ... August 2004 ... 182912 bytes ... version 5.1.2600.2180

SP3 NDIS.SYS ... April 2008 ... 182656 bytes ... version 5.1.2600.5512

Note, a file called NDIS.SY_ may be on the system. This is a
compressed copy, and it should be extracted using the EXPAND command
before it is used. The file sizes given above are for the extracted
versions, NOT the compressed versions.

Copy NDIS.SYS to these two directories:

%WINDIR%\system32\dllcache\
%WINDIR%\system32\drivers\

Ensure that both copies of the file are identical.

Once the correct NDIS.SYS has been copied to the two directories
above, reboot - the exclamation marks should now be gone. If you now
get a blue screen (or a reboot) every time you try to start Windows
in Normal Mode, with an error something like STOP: 0x0000007E
(0xC0000005, 0x80599F19, 0xF7CC2690, 0xF7CC2380), proceed to step 2.
Note that NDIS.SYS may not be mentioned on the blue screen.
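As an added check for step 1 (not part of the original post; it assumes Python is installed, which XP does not ship with), the script below inspects the two NDIS.SYS copies Windows actually uses, classifies each by the extracted sizes listed above, and confirms the two are byte-identical via SHA-1 rather than merely the same size. Pass a directory to check_ndis() to check a tree other than %WINDIR%.

```python
import hashlib
import os

# Sizes of the extracted NDIS.SYS for each Service Pack, as listed in the post.
# Size is only a hint: a same-size corrupted file would still match here.
NDIS_SIZES = {
    167552: "SP1 (5.1.2600.1106)",
    182912: "SP2 (5.1.2600.2180)",
    182656: "SP3 (5.1.2600.5512)",
}


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_ndis(windir=None):
    """Describe the dllcache and drivers copies of NDIS.SYS under windir."""
    windir = windir or os.environ.get("WINDIR", r"C:\WINDOWS")
    report = {}
    for sub in ("dllcache", "drivers"):
        path = os.path.join(windir, "system32", sub, "NDIS.SYS")
        if not os.path.isfile(path):
            report[sub] = {"present": False}
            continue
        size = os.path.getsize(path)
        report[sub] = {
            "present": True,
            "size": size,
            "sha1": sha1_of(path),
            "service_pack": NDIS_SIZES.get(size, "unknown size"),
        }
    a, b = report["dllcache"], report["drivers"]
    # Step 1 requires the two copies to be identical, not merely the same size.
    report["identical"] = bool(a.get("present") and b.get("present")
                               and a["sha1"] == b["sha1"])
    return report


if __name__ == "__main__":
    for key, value in check_ndis().items():
        print(key, value)
```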

2. Replace the registry keys for NDIS.SYS with known-good keys.
These must come from another machine. Make sure you use the correct
keys for your currently-installed Service Pack, i.e. export them from
a computer running the same Service Pack.

The keys to export are:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NDIS

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NDIS

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS

Using REGEDIT, locate the keys in the registry of another machine,
then right-click the key and select Export. Save each key as a new
.REG file (eg. 1.reg, 2.reg, 3.reg etc).

Note that if, on the broken machine, you have more than one
ControlSetXXX key (where XXX is a number), you need a set of exported
keys for each of them. It is possible to simply copy the file
containing the key for ControlSet001 to a new file, then edit it to
read ControlSet002 instead.

Once you have three .REG files for each ControlSetXXX key (where XXX
is a number), log in to the broken machine in Safe Mode, and import
the keys into the registry. To import, on the broken machine, open
Windows Explorer, then double-click the .REG files. The
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NDIS and
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NDIS
keys will import without any extra steps. The
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NDIS keys,
however, will need permissions set first.

To add subkeys to the
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root key, you must first
give yourself permissions to edit the key:

1. Open REGEDIT
2. go to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\
3. in the left pane, right-click the "root" key
4. click permissions
5. click the Add button
6. type "Administrator" into the box, then click OK
7. click Administrator (once)
8. in the Permissions for Administrator panel, in the Allow column,
tick the box [ ] Full Control
9. click OK

Now, subkeys can be imported by Administrator to the
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root key. Double-click
a valid .REG file to import. REGEDIT should update the screen
automatically.

Once the import is successful, remove the permissions you just added:

1. Open REGEDIT (if not already open)
2. go to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\
3. in the left pane, right-click the "root" key
4. click permissions
5. click Administrator (once)
6. click the Remove button
7. click OK

Note, the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet key is a mirror
of one of the HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX keys (where XXX
is a number). There is no need to repair the "CurrentControlSet"
key; it is auto-updated when the relevant
HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX key is updated.

Note, the keys should also be added to ControlSet002, ControlSet003
etc if they exist.

Once all the keys have been added, and permissions reset back to
normal, reboot.

Assuming you were trying to fix a blue-screen/reboot following
replacing NDIS.SYS, and your system was otherwise OK, you should now
find that you can login in normal mode.

Other notes:

- if NDIS.SYS is missing or corrupted, the System File Checker (SFC)
does NOT fix it

- if NDIS.SYS is missing or corrupted, applying SP3 does NOT fix it

- NDIS.SYS may exist in the locations below:

%WINDIR%\$NtServicePackUninstall$
%WINDIR%\ServicePackFiles
%WINDIR%\SoftwareDistribution\Download\dd9a...
%WINDIR%\system32\dllcache
%WINDIR%\system32\drivers

However, all copies apart from those in %WINDIR%\system32\dllcache
and %WINDIR%\system32\drivers are not used by Windows; they were left
lying around by Microsoft as part of an upgrade or patch.

- Windows File Protection may interfere if you attempt to delete
NDIS.SYS - to get around this, delete the copy of NDIS.SYS from the
%WINDIR%\system32\dllcache directory, before deleting it from the
%WINDIR%\system32\drivers directory

- Windows File Protection may interfere if you attempt to place
NDIS.SYS - the test system rebooted when the file was placed into
the %WINDIR%\system32\drivers directory (this may have been a blue
screen with auto-restart); however, on the second or third attempt,
the file was written to disk before the reboot. Try XP's Recovery
Console if you can't place NDIS.SYS back into
the %WINDIR%\system32\drivers directory without Windows File
Protection interfering

- on XP, SFC doesn't have a logfile

- Microsoft's Malicious Software Removal Tool writes a log to:
%WINDIR%\debug\MRT.log

- starting approx April 2009, %WINDIR%\debug\MRT.log may contain the
text "WARNING: Security policy doesn't allow for all actions MSRT may
require." - this is apparently unrelated to the NDIS.SYS problem

- links:

http://en.kioskea.net/forum/affich-86872-code-39-error-on-network-cards-due-to-virus#29
http://en.kioskea.net/forum/affich-355465-ndis-sys-missing-legacy-ndis-registry-entry
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t243839.html
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/422916-help-hacktool-rootkit-4.html

- sample MRT log showing the deletion of NDIS.SYS and registry keys
(this toasted the machine, until the above fixes were applied):

Microsoft Windows Malicious Software Removal Tool v3.7, May 2010
Started On Tue May 18 HH:MM:SS 2010

Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
----------------
Threat detected: VirTool:WinNT/Cutwail.L
driver://NDIS
file://C:\WINDOWS\system32\drivers\NDIS.sys
SigSeq: 0x00008A78910FD971
SHA1: DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A

regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS

safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
service://NDIS

Quick Scan Removal Results
----------------
Start 'remove' for
regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for
safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !


Results Summary:
----------------
For cleaning VirTool:WinNT/Cutwail.L, the system needs to be
restarted.
Microsoft Windows Malicious Software Removal Tool Finished On Tue May
18 HH:MM:SS 2010


Return code: 10 (0xa)
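When triaging a machine after the fact, the question is what MSRT actually removed. The parser below is an added example (not from the post; it assumes Python is available on the box, or that MRT.log has been copied elsewhere) that pulls the detected threat names and each 'remove' operation with its outcome out of a log shaped like the excerpt above, including the case where MSRT wraps a long target onto the following line, and then filters for entries that touched NDIS. The embedded sample is constructed from that excerpt.

```python
import re

# Constructed sample in the shape of the MRT.log excerpt quoted above.
SAMPLE_MRT_LOG = r"""Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
----------------
Threat detected: VirTool:WinNT/Cutwail.L
file://C:\WINDOWS\system32\drivers\NDIS.sys

Quick Scan Removal Results
----------------
Start 'remove' for
regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !
"""

REMOVE_RE = re.compile(r"^Start 'remove' for\s*(\S*)$")


def parse_mrt_log(text):
    """Return detected threat names and (target, outcome) pairs for each removal."""
    threats, removals = [], []
    lines = [l.rstrip() for l in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Threat detected: "):
            threats.append(line[len("Threat detected: "):])
        m = REMOVE_RE.match(line)
        if m:
            target = m.group(1)
            if not target and i + 1 < len(lines):  # long targets wrap to the next line
                i += 1
                target = lines[i].strip()
            outcome = "unknown"
            for j in range(i + 1, min(i + 3, len(lines))):
                if lines[j].startswith("Operation"):
                    outcome = lines[j]
                    break
            removals.append((target, outcome))
        i += 1
    return {"threats": threats, "removals": removals}


def ndis_removals(parsed):
    # Removals that touched the NDIS driver, service, file or registry keys.
    return [(t, o) for t, o in parsed["removals"] if "NDIS" in t.upper()]
```

Run it against a real %WINDIR%\debug\MRT.log by reading the file and passing its text to parse_mrt_log(); a non-empty ndis_removals() result on a machine showing Code 39 points at the cause described in this post.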


---
* Origin: [adminz] tech, security, support -
http://cyberdelix.net/adminz/

generated by msg2page 0.06 on May 28, 2010 at 10:15:41
