If you’re using the Operating System called Windows, chances are that you might have already come across the ntdetec1.exevirus. Or you will, sooner or later.
Its official name is W32.Ceted and it is a worm that copies itself to all shared and removable drives and spreads when the user double clicks on it to open it. If a system is infected, it creates a folder called ntdetec1 in your System Drive which is NOT visible via Explorer or Command prompt.
Related files:
\ntdetec1\ntdetec1.exe
\ntdetec1\cmrss.exe
\ntdetec1\run.exe
\ntdetec1\shell32.exe
\ntdetec1\drivelist.txt
\ntdetec1\child\autorun.inf
\ntdetec1\child\ntdetec1.exe
\ntdetec1\ntdetec1.exe
\ntdetec1\cmrss.exe
\ntdetec1\run.exe
\ntdetec1\shell32.exe
\ntdetec1\drivelist.txt
\ntdetec1\child\autorun.inf
\ntdetec1\child\ntdetec1.exe
Symptoms:
1. Task Manager closes as soon as it launches.
2. RegEdit may be inaccesible
3. Folder Options may be inaccessible
1. Task Manager closes as soon as it launches.
2. RegEdit may be inaccesible
3. Folder Options may be inaccessible
When I scanned using some anti-virus software, Nod32, Symantec
AV Corporate, McAfee and AVG failed to detect the files, even in Safe Mode.
AV Corporate, McAfee and AVG failed to detect the files, even in Safe Mode.
To remove it, run the following commands at the command prompt:
taskkill /im cmrss.exe
taskkill /im ntdetec1.exe
taskkill /im shell32.exe
taskkill /im ntdetec1.exe
taskkill /im shell32.exe
Now, make sure you are in the root drive of your system. For example, if your Windows in installed in C:, make sure your prompt shows C:\>
Now, run the command..
Now, run the command..
attrib ntdetec1 -s -h -r /s /d
(s->system,h->hidden,r->read only)
This will make the folder visible in explorer. Now you can Shift+Delete the folder from explorer.
Also, you might need to delete the following registry key (if it is present)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\ Run\"winlogon" = "C:\ntdetec1\run.exe"
Congratulations, this will remove all known traces of the above worm.
And remember, next time you use someone’s PD, before you access it, goto your command prompt and delete the autorun.inf file if any
0 comments:
Post a Comment