Help, I've met my match NDT2.sys

fastco

I am infected with ndt2.sys. I turned off System Restore, started in Safe Mode, ran ATF Cleaner, then ran AVG Anti-Spyware, which didn't even find it. Then I ran SuperAntiSpyware, which found the infection and removed it on reboot.
Now every time I reboot it comes back! Normally I can remove infections easily, but this one is beating me mentally. I try to help as many people as I can on this forum, and now I need some help removing ntd2.sys. I need to know where this thing is buried so I can remove the source, and I can't find it. I go into C:/Windows/prefetch and remove ndt2.sys.pf, then I go to Windows/system32 and remove the ndt2.sys and .txt, and it comes back. Very persistent. Any help appreciated, and thank you in advance.
 
Run SuperAntiSpyware in regular mode, then immediately reboot to Safe Mode (by repeatedly pressing the F8 key as soon as you press the ON button), then run SuperAntiSpyware again in Safe Mode.
You might also want to try Spyware Doctor, SpySweeper, Norton, and other free scans to see if they detect it... Then you can decide if you wish to put out the money.
We have found that AVG Antivirus removes ndt2.sys for us, when used again in Safe Mode, after the latest download.
 
Thanks, I did exactly that and it removes it, but it comes right back. I tried SpySweeper and Ad-Aware and they didn't even detect it. I will pay for whatever will remove it, but I don't want to pay for something that won't work. If I could find the source in the registry I could remove it, but I get nothing when I search for ndt2 in the registry. I'll try it again. Thanks again.
 
Be sure to try AVG's Root Kit (free), as we have had luck with that. Then do searches for Trojan removers and try a few of their scans.

The problem named NDT2.SYS refers to many versions of an executable program. You will usually find the most common file size is 250,880 bytes, but these file sizes have also been reported: 257,536 bytes, 256,512 bytes, and 249,856 bytes.
Ndt2.sys.html is associated with the malware group Win32.Rootkit. Look also under Trojan.Downloader.
We have also been able to remove it using AVG Rootkit, but there are now too many versions. They can show some of this Vendor - Product - Version - Info in a file header: 1.0.0.0, 2.0.1.38, 2.0.1.66, and 2.0.1.88.
Among the problems Ndt2.sys causes are communicating with other computer systems via HTTP protocols. It may execute a process, remove other processes from your drive, or change your Windows hosts file, thus blocking you from visiting certain web sites while transferring you to alternate sites without your awareness. It may add a registry key to autostart programs on system startup, or go outside using NetBiosOut protocols. It will terminate processes which it determines are threatening it. It sometimes registers a Dynamic Link Library file. It gets into process hijacking by writing to another process's virtual memory, or creates other processes on your hard drive.

You might want to expand your searches and look for these, as they are sometimes how it identifies itself... and that is why the removal tool software has continual trouble with it.
1.0.0.0
2.0.1.38
2.0.1.66
2.0.1.88
31072677.SYS
33201795.SVD
59493876.SVD
21338204.SYS
11446168.SYS
88181595.SVD
84733211.SYS
79840294.SYS
NDT.SYS
WMIPRVES[1].EXE
WMIPRVES[2].EXE
NDT2
SUSPECT.SYS
SAMPLE.SYS

The reason everyone has trouble is because it has so many ways to re-identify itself, and by hiding numerically so as to appear to be networking information. All the spyware and trojan software companies copy each other, so within three days they all have the same information... they just have been unable to stay ahead of this one. It was not released until October 31 (perhaps a Halloween trick or treat), then rapidly spread all over the world.
 
Usually there is another file or process that continually regenerates the .exe every time it is removed or deleted; in some cases, a rootkit.

I advise you to go through the 15 step removal to provide us with logs so we can see if there are other nasties residing in your system.

Regards,
momok =)
 
Thank you very much guys I will do everything you suggest and get back to you.

OK, I did everything and that damned thing keeps coming back. It's killing me. I tried the AVG Root Kit remover and it didn't even find ndt2.sys. I really don't want to do a clean install of Windows. Here is the HJT log. Thanks for all the help.

(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
 
This line looks suspicious:

O4 - HKLM\..\Run: [iProtectYou] "C:\WINDOWS\system32\ip.exe" -h

You should also rename HijackThis to something else and run it.

Have you deleted any files in the Temp folders?

C:\WINDOWS\Temp

C:\Documents and Settings\XXX\Local Settings\Temp

C:\Documents and Settings\XXX\Local Settings\Temporary Internet Files

and look into the Startup folders at

C:\Documents and Settings\XXX\Start Menu\Programs\Startup

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

and look for suspicious files under

C:\Program Files\Common Files

Some other places in the registry to look..... I hope it can help....

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
 
fastco said:
OK, I did everything and that damned thing keeps coming back. It's killing me. I tried the AVG Root Kit remover and it didn't even find ndt2.sys. I really don't want to do a clean install of Windows. Here is the HJT log. Thanks for all the help.

Where are the other logs?
 
Quick reply: this line
O4 - HKLM\..\Run: [iProtectYou] "C:\WINDOWS\system32\ip.exe" -h

is safe; it's a parental website control program.... I Protect

evilfantasy said:
Where are the other logs?
What logs do you want? The only programs that found anything were HJT and SuperAntispyware.

HD_START said:
This line looks suspicious .....
...
and look for suspicious files under
C:\Program Files\Common Files

I did clean the temp folders, both manually in normal mode and in Safe Mode with ATF Cleaner. I also checked the startup folders and nothing looks suspicious. Man, this thing is tough to remove...
 
You have at least 3 very nasty entries in the HijackThis log.

Let's do this. First uninstall HijackThis and download the new version.
https://www.techspot.com/downloads/4067-trend-micro-hijackthis.html

--------------------

Next:

Download ViewpointKiller

* Unzip the program and all of the contents of ViewpointKiller.zip to a location such as your desktop.
* Double click the ViewpointKiller icon to run ViewpointKiller.exe. Select the "File" menu, and select "Check to see if you have Viewpoint installed".
* If ViewpointKiller indicates that any of the Viewpoint variants are installed, select the proper "Kill" option in the File menu.

Follow the prompts and instructions very carefully, answering "Yes" or "No" depending on which option you are most comfortable with. The MsConfig instructions are very important, so be sure to read them carefully.

Note: When done with ViewpointKiller, simply right click and delete all files that were unzipped.

--------------------

Please download Combofix by sUBs from either here or here

Save Combofix.exe to your Desktop.

1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
2. When finished, it will produce a log for you.
3. Attach that log in your next reply.

Note:
Do not mouse-click Combofix's window while it's running. That may cause your computer to stall.


-----

Run a new scan with HijackThis and save the log.

-----

Next post please attach:
combofix log
New HijackThis log
 
Combo and HJT logs

Mr. Evil, thank you, here are the logs. Please let me know what you find. Thanks again!
 
-
Open HijackThis and select Do a system scan only and place a check mark next to:

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfmonss.exe

Close all windows except for HijackThis and click Fix checked

--------------------

* Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Double click OTMoveIt.exe to launch it.
Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.

C:\WINDOWS\system32\perfmonss.exe
C:\WINDOWS\system32\ip.exe

Then click the MoveIt button below.
* The list will be processed and the results will appear in the right hand pane.
* If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
* When finished click Exit to exit the program.
* A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

Please attach the log back here.

--------------------

Next post please attach:
OTMoveIt log
New HijackThis log
 
They are still there.

Boot to safe mode and try to delete them manually. You will have to enable viewing of hidden files/folders first.

C:\WINDOWS\system32\perfmonss.exe
C:\WINDOWS\system32\ip.exe
 
EvilFantasy, you are the man!! It's been about 5 minutes after a reboot, and no ndt2 and a clean HJT log. Awesome job! How did you narrow it down, and can I ask what your experience is and whether you do this stuff for a living? I'm always curious to find out how people learned what they know. Thank you also to Raybay, Momok and HD_Start for your help.

evilfantasy said:
They are still there.

Boot to safe mode and try to delete them manually. You will have to enable viewing of hidden files/folders first.

C:\WINDOWS\system32\perfmonss.exe
C:\WINDOWS\system32\ip.exe

Thank you but I checked Windows\system32 and both the files are gone!!
 
They were in the last HijackThis log. Did you attach the wrong one?

Try running a fresh scan and attaching the log.
 
Sorry

I did attach the wrong one, sorry. I checked the new one at the HJT site and it looked clean.
 
Have HijackThis fix this entry

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfmonss.exe (file missing)

Then locate and delete C:\WINDOWS\system32\perfmonss.exe (if there).

It would be a good idea to run a good scan to see if anything else is hiding in there.

Download Superantispyware (SAS) SUPERAntispyware Free Edition

Install it and double-click the icon on your desktop to run it.
* It will ask if you want to Update the program definitions, click Yes.
* Under Configuration and Preferences, click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
* On the main screen, under Scan for Harmful Software click Scan your computer.
* On the left check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found and if it asks if you want to reboot, click Yes.
* To retrieve the removal information please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Please add the log as an attachment along with a new HijackThis log in the next post.
 
evilfantasy said:
Have HijackThis fix this entry

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfmonss.exe (file missing)

Then locate and delete C:\WINDOWS\system32\perfmonss.exe (if there).

Usually O23 entries indicate a running service. Here's a simple remedial step I used to provide:
Go to Start > Run, type services.msc and press the Enter key.
Search for the following services. Double-click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

perfmons Service

Then after that attempt to navigate manually in Windows explorer to delete the file. Usually that does the trick.

Regards,
momok =)
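As an added illustration of the O4 (Run-key autostart) and O23 (service) HijackThis entries discussed in this thread, here is a small Python parser that pulls the autostart path out of each line and raises the defender-side flags a reviewer would look for: an "Unknown owner" service, a "(file missing)" binary, a name that only extends a genuine Windows binary name (perfmon vs. perfmonss), and third-party code launching from system32. This is example code, not from anyone in this thread; the allowlist of Windows binary names and the sample log are constructed.

```python
import re
from pathlib import PureWindowsPath

# Added example, not from the thread: parse the HijackThis O4 (Run-key autostart)
# and O23 (service) lines that carried the persistence here, and flag each entry.
O4_RE = re.compile(r'^O4 - (?P<hive>[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?)'
                    r' - (?P<path>.+?)(?: \((?P<note>file missing)\))?$')
# Constructed allowlist of genuine Windows binary names (perfmon -> perfmonss is a lookalike)
KNOWN_NAMES = {'perfmon', 'svchost', 'lsass', 'csrss', 'winlogon', 'services'}

def path_flags(path):
    p = PureWindowsPath(path)
    base, flags = p.stem.lower(), []
    if any(base != k and base.startswith(k) for k in KNOWN_NAMES):
        flags.append('lookalike_name')
    if p.parent.name.lower() == 'system32' and base not in KNOWN_NAMES:
        flags.append('unfamiliar_in_system32')  # third-party code rarely autostarts from here
    return flags

def parse_hjt_line(line):
    # Returns a dict with a 'flags' list for an O4/O23 line, None for anything else
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        q = re.match(r'"([^"]+)"', m.group('cmd'))  # quoted path, else first token
        entry = {'type': 'O4', 'key': m.group('hive') + '\\..\\' + m.group('key'),
                 'name': m.group('name'), 'flags': [],
                 'path': q.group(1) if q else (m.group('cmd').split() or [''])[0]}
    else:
        m = O23_RE.match(line)
        if not m:
            return None
        entry = {'type': 'O23', 'name': m.group('short'), 'owner': m.group('owner'),
                 'path': m.group('path'), 'flags': []}
        if m.group('owner') == 'Unknown owner':
            entry['flags'].append('unknown_owner')
        if m.group('note'):
            entry['flags'].append('file_missing')
    entry['flags'] += path_flags(entry['path'])
    return entry

def suspicious_entries(log_text):
    # Every O4/O23 entry in a HijackThis log that raised at least one flag
    found = (parse_hjt_line(l) for l in log_text.splitlines())
    return [e for e in found if e and e['flags']]

# Constructed sample log assembled from the lines quoted in this thread
SAMPLE_LOG = """O4 - HKLM\\..\\Run: [iProtectYou] "C:\\WINDOWS\\system32\\ip.exe" -h
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\\WINDOWS\\system32\\perfmonss.exe (file missing)
"""
```

Running `suspicious_entries(SAMPLE_LOG)` returns both quoted entries, each with the flags that explain why it deserved a closer look.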
 
Quick question: is perfmon without the ss a valid service, because it is in the Services window?! I disabled it in the Services window, but it is not listed in the windows\system32 folder. I think it is all clean. The HJT log is clean and SuperAntiSpyware finds nothing. Thank you for all your help!!

Disregard the question I found out that it is a valid service, just not a necessary one.

Thanks again

Just an update.... That IProtect you spyware is more evil than I thought, and the ip.exe -h still restarts on every reboot. I finally found this on Symantec's website, which shows how deep and evil it can be: http://tinyurl.com/2gzrxe
 