Help, I've met my match NDT2.sys

By fastco ยท 20 replies
Dec 6, 2007
  1. I am infected with ndt2.sys. I turned off System Restore, Started in safe mode, ran ATF cleaner then ran AVG AntiSpyware which didn't even find it. Then ran SuperAntispyware which found the infection and removed it on reboot.
    Now everytime I reboot it comes back! Normally I can remove infections easily but this one is beating me mentally. I try to help as many people as I can on this forum and now I need some help removing ntd2.sys. I need to know where this thing is buried so I can remove the source and I can't find it. I go into C:/Windows/prefetch and remove then I go to Windows/system32 and remove the ndt2.sys and .txt and it comes back. Very persistent. Any help appreciated and thank you in advance.
  2. raybay

    raybay TS Evangelist Posts: 7,241   +10

    Run SuperAntispyware in regular mode, then immediately reboot to Safe Mode (by repeatedly pressing the F8 key as soon as you press the ON button) then run SuperAntispyware again in Safe Mode.
    You might also want to try Spyware Doctor, SpySweeper, Norton, and other free scans to see if they detect it... Then you can decide if you wish to put out the money.
    We have found that AVG Antivirus removes ndt2.sys for us, when used again in Safe Mode, after the latest download.
  3. fastco

    fastco TS Booster Topic Starter Posts: 1,123

    Thanks I did exactly that and it removes it but it comes right back. I tried SpySweeper, Adaware and they didn't even detect it. I will pay for whatever will remove it but I don't want to pay for something that won't work. If I could find the source in the registry I can remove it but I get nothing when I search for ndt2 in the registry. I'll try it again.. Thanks again
  4. raybay

    raybay TS Evangelist Posts: 7,241   +10

    Be sure to try AVG's Root Kit (free) as we have had luck with that. Then do searches for Trojan removers, and try a few of their scans.

    The problem named NDT2.SYS refers to many versions of an executable program. You will usually find the most common file size is 250,880 bytes. But these file sizes have been reported: 257,536 bytes, 256,512 bytes, and 249,856 bytes.
    Ndt2.sys.html is associated with the malware group Win32.Rootkit. Look also under Trojan.Downloader
    We have also been able to remove it using AVG Rootkit, but there are now too many versions. They can show some of this Vendor - Product - Version - Info in a file header:,,, and
    Among the problems Ndt2.sys causes are communicatin with other computer systems via HTTP protocols. It may execute a process, remove other processes from your drive, change the you Windows host file thjus block you from visiting certain web sites, while tranferring you to alternate sites without your awareness. It may add a registry key to autostart programs on system startup, or go outside using NetBiosOut protocols. It will terminate processes which it determines are threatening it. It sometimes registers a dynamic Link library file. It gets into process hijacking by writing to another process's virtual memory, or creates other processes on your hard drive.

    You might want to expand your searches, look for these, as they are sometimes how it identifies itself... and is why the removal tools software have continual trouble with it.

    The reason everyone has trouble is because it has so many ways to reidentify itself, and by hiding numerically so as to appear to be networking information. All the spyware and trojan software companies copy each other, so within three days, they all have the same information... they just have been unable to stay ahead of this one. It was not released until October 31 (perhaps a Halloween trick or trick), then has rapidly spread all over the world.
  5. momok

    momok TS Rookie Posts: 2,265

    Usually there is another file or process that continually generates the .exe everytime it is removed or deleted; in some cases, a rootkit.

    I advise you to go through the 15 step removal to provide us with logs so we can see if there are other nasties residing in your system.

    momok =)
  6. fastco

    fastco TS Booster Topic Starter Posts: 1,123

    Thank you very much guys I will do everything you suggest and get back to you.

    OK I did everything and that damned thing keeps coming back.. It's killing me. I tried the AVG Root Kit remover and it didn't even find ndt2.sys I really don't want to do a clean install of Windows. Here is the HJT log. thanks for all the help.

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.

    HD_START TS Rookie

    This line look suspicious

    O4 - HKLM\..\Run: [iProtectYou] "C:\WINDOWS\system32\ip.exe" -h

    you should also rename HijackThis to something else and run it.

    Have you delete any file at Temp folders?


    C:\Documents and Settings\XXX\Local Settings\Temp

    C:\Documents and Settings\XXX\Local Settings\Temporary Internet Files

    and look into Start up folder at

    C:\Documents and Settings\XXX\Start Menu\Programs\Startup

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup

    and look for suspicious files under

    C:\Program Files\Common Files

    some other place in registry to look for.....I hope it can help....

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.




    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    HKLM\Software\Microsoft\Windows NT\Current Version\Image File Execution Options



  8. evilfantasy

    evilfantasy Banned Posts: 428

    Where are the other logs?
  9. fastco

    fastco TS Booster Topic Starter Posts: 1,123

    Quick reply, this line
    O4 - HKLM\..\Run: [iProtectYou] "C:\WINDOWS\system32\ip.exe" -h

    Is safe, it's a parental website control program....I Protect

    What logs do you want? The only programs that found anything were HJT and SuperAntispyware.

    I did clean the temp folders both manually in normal mode and in safe mode with ATF cleaner. I also checked the startup folder and nothing looks suspicious. Man this thing is tough to remove...

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.
  10. evilfantasy

    evilfantasy Banned Posts: 428

    You have at least 3 very nasty entries in the HijackThis log.

    Lets do this. First uninstall HijackThis and download the new version.



    Download ViewpointKiller

    * Unzip the program and all of the contents of to a location such as your desktop.
    * Double click the ViewpointKiller icon to run ViewpointKiller.exe. Select the "File" menu, and select "Check to see if you have Viewpoint installed".
    * If ViewpointKiller indicates that any of the Viewpoint variants are installed, select the proper "Kill" option in the File menu.

    Follow the prompts and instructions very carefully, answering "Yes" or "No" depending on which option you are most comfortable with. The MsConfig instructions are very important, so be sure to read them carefully.

    Note: When done with ViewpointKiller, simply right click and delete all files that were unzipped.


    Please download Combofix by sUBs from either here or here

    Save Combofix.exe to your your Desktop.

    1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
    2. When finished, it will produce a log for you.
    3. Attach that log in your next reply.

    Do not mouseclick combofix's window while it's running. That may cause your computer to stall


    Run a new scan with HijackThis and save the log.


    Next post please attach:
    combofix log
    New HijackThis log
  11. fastco

    fastco TS Booster Topic Starter Posts: 1,123

    Combo and HJT logs

    Mr. Evil thank you here are the logs. Please let me know what you find? Thanks again!
  12. evilfantasy

    evilfantasy Banned Posts: 428

    Open HijackThis and select Do a system scan only and place a check mark next to:

    O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfmonss.exe

    Close all windows except for HijackThis and click Fix checked


    * Download OTMoveIt.exe from here and place it on your desktop:

    Double click OTMoveIt.exe to launch it.
    Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.

    Then click the MoveIt button below.
    * The list will be processed and the results will appear in the right hand pane.
    * If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    * When finished click Exit to exit the program.
    * A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

    Please attach the log back here please.


    Next post please attach:
    OTMoveIt log
    New HijackThis log
  13. fastco

    fastco TS Booster Topic Starter Posts: 1,123

    Here they go

    Thanks again. I will reboot anyway to see if ndt2 comes back.
  14. evilfantasy

    evilfantasy Banned Posts: 428

    They are still there.

    Boot to safe mode and try to delete them manually. You will have to enable viewing of hidden files/folders first.

  15. fastco

    fastco TS Booster Topic Starter Posts: 1,123

    EvilFantasy, you are the man!! It's been about 5 minutes after a reboot and no ndt2 and a clean HJT log. Awesome job! How did you narrow it down and can I ask what your experience is and do you do this stuff for a living? Always curious to find out how people learned what they know. Thank you also to Raybay, Momok and HD_Start for your help.

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.

    Thank you but I checked Windows\system32 and both the files are gone!!
  16. evilfantasy

    evilfantasy Banned Posts: 428

    They were in the last HijackThis log. Did you attach the wrong one?

    Try running a fresh scan and attaching the log.
  17. fastco

    fastco TS Booster Topic Starter Posts: 1,123


    I did attach the wrong one, sorry. I checked the new one at the HJT site and it looked clean.
  18. evilfantasy

    evilfantasy Banned Posts: 428

    Have HijackThis fix this entry

    O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfmonss.exe (file missing)

    The locate and delete C:\WINDOWS\system32\perfmonss.exe (if there)

    It would be a good idea to run a good scan to see if anything else is hiding in there.

    Download Superantispyware (SAS) SUPERAntispyware Free Edition

    Install it and double-click the icon on your desktop to run it.
    * It will ask if you want to Update the program definitions, click Yes.
    * Under Configuration and Preferences, click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
    * On the main screen, under Scan for Harmful Software click Scan your computer.
    * On the left check C:\Fixed Drive.
    * On the right, under Complete Scan, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK.
    * Make sure everything in the white box has a check next to it, then click Next.
    * It will quarantine what it found and if it asks if you want to reboot, click Yes.
    * To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Please add the log as an attachment along with a new HijackThis log in the next post.
  19. momok

    momok TS Rookie Posts: 2,265

    Usually O23 entries indicate a running service. Here's a simple remedial step I used to provide:
    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    perfmons Service

    Then after that attempt to navigate manually in Windows explorer to delete the file. Usually that does the trick.

    momok =)
  20. fastco

    fastco TS Booster Topic Starter Posts: 1,123

    Quick question, is perfmon without the ss a valid service because it is in the services window?! I disabled it in the services window but it is not listed in the windows\sytem32 folder. I think it is all clean. HJT log is clean and Superantispyware finds nothing. Thank you for all your help!!

    Disregard the question I found out that it is a valid service, just not a necessary one.

    Thanks again

    Just an update....That IProtect you spyware is more evil than I thought and the ip.exe -h still restarts on every reboot. I finally found this on Symantec's website which shows how deep and evil it can be:
  21. evilfantasy

    evilfantasy Banned Posts: 428

    Adding the ss to the end is how the malware attempts to disguise itself.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...