[How to] Removing the ntdetec1.exe virus
Today is the world of flash drives. Everyone you know now has a PD (pen drive) and wants you to copy some files off your PC / Mac.
Now, unlike me, if you’re using the oh-so-prone-to-viruses Operating System called Windows, chances are that you might have already come across the ntdetec1.exe virus. Or you will, sooner or later.
Its official name is W32.Ceted and it is a worm that copies itself to all shared and removable drives and spreads when the user double clicks on it to open it. If a system is infected, it creates a folder called ntdetec1 in your System Drive which is NOT visible via Explorer or Command prompt.
Related files:
\ntdetec1\ntdetec1.exe
\ntdetec1\cmrss.exe
\ntdetec1\run.exe
\ntdetec1\shell32.exe
\ntdetec1\drivelist.txt
\ntdetec1\child\autorun.inf
\ntdetec1\child\ntdetec1.exe
Symptoms:
1. Task Manager closes as soon as it launches.
2. RegEdit may be inaccessible
3. Folder Options may be inaccessible
When I scanned using some anti-virus software, Nod32, Symantec AV Corporate, McAfee and AVG failed to detect the files, even in Safe Mode.
To remove it, run the following commands at the command prompt:
taskkill /im cmrss.exe
taskkill /im ntdetec1.exe
taskkill /im shell32.exe
Now, make sure you are in the root of your system drive. For example, if your Windows is installed in C:, make sure your prompt shows C:\>
Now, run the command:
attrib ntdetec1 -s -h /s /d
This will make the folder visible in explorer. Now you can Shift+Delete the folder from explorer.
Also, you might need to delete the following registry value (if it is present):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"winlogon" = "C:\ntdetec1\run.exe"
Congratulations, this will remove all known traces of the above worm.
And remember, next time you use someone’s PD, before you access it, go to your command prompt and delete the autorun.inf file, if any.
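To confirm whether a machine still shows the traces listed above, here is an added read-only check (not part of the original post). It assumes PowerShell 3.0 or later; the variable names and the output layout are my own, and the paths, process names and registry value are the ones given in the post.

```powershell
# Added example: read-only check for the indicators named in this post.
# It changes nothing on disk or in the registry.
# Assumption: the folder sits in the root of the system drive, as the post describes.
$root = Join-Path "$env:SystemDrive\" 'ntdetec1'
$relatedFiles = 'ntdetec1.exe', 'cmrss.exe', 'run.exe', 'shell32.exe',
                'drivelist.txt', 'child\autorun.inf', 'child\ntdetec1.exe'
$findings = @()

# 1. Files. -Force is needed because the folder is marked System + Hidden.
foreach ($rel in $relatedFiles) {
    $item = Get-Item -LiteralPath (Join-Path $root $rel) -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += [pscustomobject]@{ Kind = 'File'; Location = $item.FullName; Detail = "$($item.Attributes)" }
    }
}

# 2. The Run policy value that starts run.exe at logon.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$run = Get-ItemProperty -LiteralPath $runKey -Name 'winlogon' -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{ Kind = 'Registry'; Location = "$runKey\winlogon"; Detail = $run.winlogon }
}

# 3. Running processes named in the taskkill step.
#    (The genuine shell32 is a DLL, so a process called shell32.exe is itself a red flag.)
foreach ($p in Get-Process -Name 'cmrss', 'ntdetec1', 'shell32' -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Kind = 'Process'; Location = "PID $($p.Id)"; Detail = "$($p.Name) $($p.Path)" }
}

# 4. autorun.inf in the root of each removable drive (DriveType 2), read as text only.
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
    $inf = Join-Path "$($d.DeviceID)\" 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $text = (Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue) -join ' | '
        $findings += [pscustomobject]@{ Kind = 'Autorun'; Location = $inf; Detail = $text }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'None of the indicators from this post were found.' }
```

Run it once before the removal steps and once after; an empty result on the second run means the folder, the Run value and the processes are gone.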

A 21-year-old Blogger, Webmaster, Content-manager, Apple-lover, Mac-user, iPod-listener, Twitter-boy, IT student who loves travelling, photography and adventure sports.






Very helpful removal info……
Excellent info!!
But I guess the taskkill cmd won’t work if we start the system in safe mode, since the processes cmrss.exe, ntdetec1.exe and shell32.exe won’t load anyway.
It’s better to start with the step where the folder ntdetec1 is made unhidden. Then we can successfully delete the folder and proceed to remove the registry
but this solution still doesn’t touch upon one other associated problem: once the system is affected by this problem one cannot go to tools–>folder options–>view and check the bubble Show hidden files and folders. How to do that?
Hi Rushir,
Thanks for leaving your comment.
AFAIK, I did not have to start the system in Safe Mode. Sure, I did boot into safe mode to scan with my AV, but that did not work as I’ve mentioned.
The above steps work very well in normal functioning, as I’ve done it over and over again.
Thanks for this tip. Now that Windows has become my primary OS (no thanks to that stupid proprietary crap EDGE modem) I’m sure I’ll need this tip
Hey, for each pen drive or every other pen drive that we connect, is it necessary to stop that autorun feature? Won’t it work by just pressing the shift key when attaching it?
Aashish,
Someone just emailed me saying that ntdetec1.exe file is capable of self replication and copying. So pressing the shift-key won’t help, neither will deleting the autorun file.
thanks man… you are doing a good job… I’ve just been scared of that virus for the whole last month…
thanks
hey thanks for the help
was really effective
thanks a tonn
hi preshit,
nice tip.. thanx
except for the following problem.
I did all the steps you mentioned. Now I can see the processXP but still (even after attribute changes) I can’t delete that ntdetec1 folder from C drive. I can see it in explorer.
Also folder option not working (the hidden view)
I changed the README option from properties of that folder.. doesn’t work.. the readme gets ticked again.
What to do??
hello everybody
i got the solution for my problem..
as I wasn’t able to delete that folder I downloaded a software for deleting files and folders effectively
its called “AEVITA Wipe and Delete”
download it here.. (trial would work ;)
http://www.aevita.com/file/delete/
after installing run the wizard
then select the DELETE FOLDER option
browse and select the ntdetec1 folder from C drive
then AEVITA will delete all files inside.. there is a CHILD folder inside for recurring duplication of ntdetec1.exe
AEVITA deletes all.. and it won’t bother you again
but still the folder menu (show hidden files) is NOT working..
I guess it’s affected once..
maybe preshit can help us!
Thanks,
Solution given by you was really effective
I followed above steps
but still I am unable to open Task Manager & folder options
excellent idea