
Deleted NTDETECT.COM - killed WinXP


Press any key


I ran across some spyware and may have panicked. Hey, I'm only human, and Windows is OK when it works, BUT A PRICK when things go wrong!

Especially if you have OEM disks; most particularly from a NAME company. In my case, ACER Extensa Series Notebook. It appears to only allow you to delete the first partition and re-install.

It is so arranged that you cannot run REPAIR or extract any of the files ..

* Alright I deleted NTDETECT.COM. One stinking little 47K DOS file, mind you - AND THE WHOLE BLOODY THING WOULD NOT BOOT.

I may also have deleted: [from Root C:]

sw.bat

is.bat

tb.exe

xe.exe

low.exe

mmxateam.exe

IELower.exe

* ARE ANY OF THESE IMPORTANT? Everybody in this forum would know a whole lot more than me. Any of them spyware? Only deleted them to the Recycle Bin (named TRASH) just in case.

Something has turned off my Windows firewall and all options are grayed out. I have WinsockxpFix-restart xp firewall but that's not working this time. Windows puts up a message also, something along the lines of: 'Firewall has been turned off, because associated services have been turned off, do you want to turn them back on. YES.' This does not work either.

Also, my automatic updates have been turned off. Although I can change that back to ON, it keeps switching to OFF.

Spybot - Search & Destroy seems to have picked up some Reg keys..

** Microsoft AntiSpyware Beta 1 **

______________________________

Spyware Scan Details

Start Date: 26/10/2005 10:50:15 PM

End Date: 26/10/2005 11:05:20 PM

Total Time: 15 mins 5 secs

Detected Threats

IST.ISTbar Browser Modifier more information...

Details: ISTbar is an Internet Explorer redirector that modifies your homepage and searches without your consent using an Internet Explorer toolbar.

Status: Removed

Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

Infected registry keys/values detected

HKEY_CURRENT_USER\software\ist

HKEY_CURRENT_USER\software\ist exe_start 5

Detected Spyware Cookies

No spyware cookies were found during this scan.

-----------------------

** Ad-aware **

_______________

Name:DyFuCA

Category:Malware

Object Type:Regkey

Size:4 Bytes

http://liveupdate.openwares.org/index.html

Location:S-1-5-21-3469509842-254541981-1596856438-1005\software\ist\

Last Activity:26-10-2005

Relevance:Low

TAC index:3

Comment:

Description:Also known as InternetOptimizer. Error page hijacker, malware. Installs unsolicited (Bundled with third party applications) runs stealth.

------

** Spybot s&d **

______________________

ISearchTech.PowerScan: Settings (Registry key, nothing done)

HKEY_USERS\S-1-5-21-3469509842-254541981-1596856438-1005\Software\IST

Windows Security Center.SP2Update: Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0

Windows Security Center.AntiVirusOverride: Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Windows Security Center.FirewallOverride: Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-07-21 unins000.exe (51.41.0.0)

2005-05-31 blindman.exe (1.0.0.1)

2005-05-31 SpybotSD.exe (1.4.0.3)

2005-05-31 TeaTimer.exe (1.4.0.2)

2005-05-31 Update.exe (1.4.0.0)

2005-05-31 advcheck.dll (1.0.2.0)

2005-05-31 aports.dll (2.1.0.0)

2005-05-31 borlndmm.dll (7.0.4.453)

2005-05-31 delphimm.dll (7.0.4.453)

2005-05-31 SDHelper.dll (1.4.0.0)

2005-05-31 Tools.dll (2.0.0.2)

2005-05-31 UnzDll.dll (1.73.1.1)

2005-05-31 ZipDll.dll (1.73.2.0)

2005-09-30 Includes\Dialer.sbi (*)

2005-09-30 Includes\Hijackers.sbi (*)

2005-09-30 Includes\Keyloggers.sbi (*)

2005-09-30 Includes\Malware.sbi (*)

2005-09-30 Includes\Revision.sbi (*)

2005-09-30 Includes\Security.sbi (*)

2005-09-30 Includes\Spybots.sbi (*)

2005-09-30 Includes\Trojans.sbi (*)

2005-02-17 Includes\Tracks.uti

2005-09-30 Includes\PUPS.sbi (*)

2004-11-29 Includes\LSP.sbi (*)

2005-09-30 Includes\Cookies.sbi (*)

----------------------------------------------

I have my OLD computer, so can use that to search the Net. Except my ISP changed phone numbers recently and the old PC had the wrong dial-up number. Rooter Skunk.

Anyway, finally got going and downloaded every piece of junk I could find, including from Microsoft. Who apparently only think NTDETECT.COM is in Windows 2000. Well, why would it be in XP, XP is not NT, is it?

THE SIMPLE SOLUTION:::

Boot with Acer Disk 1 while holding the Shift Key down. That will get you at a DOS prompt.

A:> [ For some reason it says drive a:, even though I don't have a floppy.]

CD C:

Copy C:\i386\NTDETECT.COM C:\

[ 1 file copied .. ]

Well, bugger me. Been a long time since I really used DOS. I might add that the [Copy] bit came from a Net site named : computerhope.com

So, there's a copy of this on my Hard Drive. [in the i386 folder - which used to be in Win]

Now, you can't re-boot Acer, so push the OFF button and wait a while so as not to shock the electrical parts, then turn on again..

AND IT BOOTS INTO WINDOWS ......

So, a 47K file can stop WinXP from running. That's just perfect, isn't it!

Thousands of man (and woman) hours, millions of dollars spent, and one missing little 47K DOS program stops it from working.

___________________________________________________________

_______________________________________________________

Do you think it would help if WINDOWS was in a partition by itself, and the REGISTRY, program files, documents, etc, were kept separate?

Then, if you had to re-install Windows, it could pick up the previous REG. To save you having to re-install all your programs.

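The Spybot entries in the post above record Windows Security Center and Windows Update values whose data differs from what Spybot expects (its `key!=dword:0` notation). As an added example, not Spybot's own code, here is a small Python parser for that notation that explains what each changed value does. The sample lines are the ones quoted in the post; the table describing each value's effect is an assumption added here.

```python
"""Parse Spybot S&D 'Registry change' lines of the form
<hive>\\<key>\\<value>!=dword:<expected> and explain which Windows XP
Security Center and Windows Update settings have been changed from their
expected value. Added example for this thread, not Spybot's own code."""
import re
from typing import List, NamedTuple, Optional


class RegDeviation(NamedTuple):
    hive: str        # e.g. HKEY_LOCAL_MACHINE
    key: str         # e.g. SOFTWARE\Microsoft\Security Center
    value_name: str  # e.g. FirewallOverride
    expected: str    # data Spybot expected, e.g. dword:0


# Effect of each value when it is set to anything other than 0 (assumed table).
WEAKENING_VALUES = {
    "FirewallDisableNotify": "Security Center no longer warns that the firewall is off",
    "AntiVirusDisableNotify": "Security Center no longer warns about antivirus status",
    "UpdatesDisableNotify": "Security Center no longer warns that Automatic Updates is off",
    "FirewallOverride": "Security Center treats the firewall as handled by third-party software",
    "AntiVirusOverride": "Security Center treats antivirus as handled by third-party software",
    "DoNotAllowXPSP2": "Windows Update policy blocks the Service Pack 2 offer",
}

# Spybot writes '<full value path>!=<expected data>' for a changed setting.
LINE_RE = re.compile(r"^(?P<path>HKEY_[A-Z_]+\\.+?)!=(?P<expected>[a-z]+:\S+)$")


def parse_line(line: str) -> Optional[RegDeviation]:
    """Split one Spybot registry line into hive, key, value name and expected data."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    hive, _, rest = match.group("path").partition("\\")
    key, _, value_name = rest.rpartition("\\")
    return RegDeviation(hive, key, value_name, match.group("expected"))


def audit(lines: List[str]) -> List[str]:
    """Return one explanation per known Security Center / Windows Update deviation."""
    report: List[str] = []
    for line in lines:
        dev = parse_line(line)
        if dev is not None and dev.value_name in WEAKENING_VALUES:
            report.append(f"{dev.value_name} differs from {dev.expected}: "
                          f"{WEAKENING_VALUES[dev.value_name]}")
    return report


# Constructed sample: the registry lines from the Spybot output in this thread,
# plus a header line and a plain key line that the parser must ignore.
SAMPLE_LINES = [
    "Windows Security Center.SP2Update: Settings (Registry change, nothing done)",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0",
    r"HKEY_USERS\S-1-5-21-3469509842-254541981-1596856438-1005\Software\IST",
]

if __name__ == "__main__":
    for note in audit(SAMPLE_LINES):
        print(note)
```

All six values sit under HKEY_LOCAL_MACHINE, so whatever rewrites them runs with administrator rights. As later posts in the thread observe, resetting the values is pointless while the process that rewrites them is still running; the process has to go first, after which the values can be set back to 0 and Security Center will start warning again.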


These are not important, they are definitely spyware or some random app you don't need:

sw.bat, is.bat, tb.exe, xe.exe, low.exe, mmxateam.exe, IELower.exe

Deleting NTDETECT.COM was a bad move, it's a critical file

As far as getting spyware, you need to run either MS AntiSpyware or Panda AV, iirc no other apps out there will give you full spyware protection.

Of course the best thing is to not run Windows as an administrator, run as a user and use RunAs to run installs as an admin. If you don't want to be hassled not being an admin, then use this guide I wrote to run as admin but to protect IE or any other internet app (FireFox, IM, etc) from installing spyware/viruses.

Do you think it would help if WINDOWS was in a partition by itself, and the REGISTRY, program files, documents, etc, were kept separate?

Then, if you had to re-install Windows, it could pick up the previous REG. To save you having to re-install all your programs.

No, this won't help you at all, no matter where you put the registry, if it gets corrupt/infected, it's infected no matter where it is. And honestly, you don't want to restore a registry from a separate install because it will only cause problems.

Putting your Program Files in an alternate location won't help you either.

Just run a good anti virus and anti spyware app, I've looked at all of them and imho Panda Titanium AV is the best on the market, although it's the most expensive and uses a whopping ~50megs of ram, but you get what you pay for (in $ and in hardware requirements).

Edited by Rhelic

NTDETECT.COM is not a DOS file strictly speaking. Win2K (and perhaps NT) uses it too (but older versions).

There are excellent chapters in the MS Windows XP Resource Kit which tell you in detail about the XP boot process and what files it uses. Then you'll know how XP boots.

Also this KB:

http://support.microsoft.com/default.aspx?...kb;en-us;314079

The i386 folder is not part of the working Win XP any more; it was used in the factory for unattended installation (but often left behind afterwards).

Edited by Takeshi

If you have a Windows XP CD, boot into the recovery console. Copy ntdetect.com from the CD.

If you can't boot into the recovery console or copy the file, ask a friend if they're willing to help you out by setting up your hard disk in their PC. From their Windows, copy the file to your drive.


I got the firewall, auto updates and virus protection turned back on by using >> Control Panel >> Performance and Maintenance >> Administrative Tools >> Computer Management >> Services ..

..and finding Windows Firewall/Internet Connection << and double clicking on it - this provides options to apply.

*Must have hit a bad web page or something that infected me. Seems to be blocking my downloads >web pages< while uploading data from my computer. Maybe I've been turned into a zombie spam computer. Don't have any Torrent, etc, software presently installed.

Deleted::

sw.bat

is.bat

tb.exe

xe.exe

low.exe

mmxateam.exe

IELower.exe

xe.exe looks like an unloader and then sw.bat starts everything else..

I also deleted lsass.exe from Windows as MS Anti-spyware reports it may be bad. Doesn't say what it is .. but the one in System32 says it's Microsoft and is different size and date.

I have a lot of protection --- but only Spybot S&D picks up the Reg Keys. However it does not remove them on 'fix problems.'

Microsoft Anti-spyware (Beta) +on guard

Ad-aware SE

Spybot - Search & Destroy +on guard

SpywareBlaster +on guard

WinPatrol +on guard

---------

:no: Ooops, now that I have rebooted and dialed-up the firewall and auto-updates are off again. But at least I am surfing OK, lost my zombie uploading status.

So, I'm going OK now, except can't turn the firewall on.. :wacko:

WinXP Home dial-up 56K.


Important Information ..

I found this at LOCKERGNOME

-----------------------------------------------------

http://help.lockergnome.com/lofiversion/in...php/t40349.html

salarymanjam

Oct 23 2005, 02:15 AM

I have been attacked by this Trojan which AVG is calling Mytob.ABR and i cannot seem to find any programs that remove it, it is that new! Can someone please help me out here. It seems to dump 5 files on to C:/ -

is.exe

low.exe

mmxateam.exe

sw.bat

xe.exe

zxvcc73x.exe

and they also crop up in the temporary internet file folders. It is blocking me from using the internet and my home network.

Can anyone help me?

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

Locate and delete the following:

C:\WINDOWS\lsass.exe

----------------------------------------------

I had all of these, except zxvcc73x.exe, mine was named IELower.exe. And AVG7 Free with current definitions did not detect anything. Nor did all the active AntiSpyware scanners.

So, it may have been updated to be a better scumware...

Turn off auto backups, until problem fixed.

Delete all offline content (temp Internet files) from all your installed browsers.

Delete all temp files. ( Windows will want to keep 3 or 4 and this is OK.)

[if you have CCleaner, set the delete temp files on Re-boot, and not after 48 hours, which is the default.]

Delete all files mentioned above.

*This seems to disable it, but may not be all the files. Internet connection speed returns to normal.

I still have the Win Firewall turned off, and grayed out, plus auto-updates off. Any attempt to turn them back on is ineffective.

firewall.jpg

Does not work!

This is suppose to be the path to the Firewall:: C:\WINDOWS\system32\svchost.exe -k netsvcs

Plus, The Reg entries that only Spybot S&D picked up, but cannot clean. They get replaced.

I also get some USB 16 bit error notice popping up and I suspect this file in C:\ usbupdatesx.exe as it has the same date as the other Malware.

usbupd.jpg

Hiding Windows protected files, I am left with the following in my Root folder::

usbupdatesx.exe

first.sav

AVG7QT.DAT

acecpl.sav

PDOXUSRS.NET

ascserv.log

data (6K)

ISACER.ID

I have an Acer notebook and AVG7 Antivirus.

------------------

Thanks for your reply Rhelic (That's the biggest Margarita I have ever seen [my preferred drink] and I'm a recovering alcoholic. [Ten years without a drink, ****. Luckily the cigarettes will kill me.]) :)

Thanks for your reply Takeshi (The i386 folder saved my life, as I have Acer recover disk and can't extract anything, just reinstall as purchased.) And I've lost count of the Windows updates applied that would be lost.. And I've only had the Notebook a year with XP SP2 Home.)

I'm still in shock that ONE small file can stop WindowsXP from booting.

Thanks for your reply shix (copy ntdetect.com from the CD not available to me because of BRAND NAME computer recovery disk only. won't be buying another brand name.)

*You know, Microsoft keep sending me newsletters that say:_ "START SOMETHING.."

I don't have time to start anything except try to keep the operating system going .. :)


I should have also added the best way to run a SpyBot scan is while you are in Safe Mode (no network support).

In fact if you know a machine is infected with something nasty, I insist on Safe Mode.

It's often faster and since less things are loaded, it can remove more things. Although I've noticed with SpyBot 1.4 they do a much better job of unloading & unlocking files, so maybe this doesn't matter as much anymore.


I'm pretty sure this is a pretty recent thing, there isn't much information about it, I'm just trying to help out as much as I can since I got it too. Virus scans and spyware scans come up clean (except for lsass.exe running from C:\Windows AND C:\windows\system 32 where it is supposed to run from).

Nothing in the registry telling it to run, I emptied out the prefetch folder, if I'm not connected to the internet, I can delete the files I mention later and it works fine, until about a minute after I plug in the cat5 cable, a DOS window pops up and those files come back. Even after a full format and reinstall of XP on my C:\ drive.

I don't know how I got this or where it came from but it's pretty bad, I've had viruses before and I've managed to fix them pretty easily...this is different, I've been working on it for about 4 days now, and I see that others have the same problems and no one seems to know a solution...hopefully we will be able to solve this soon.

Logfile of HijackThis v1.97.7

Scan saved at 12:35:48 PM, on 11/1/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\lsass.exe---------------------Not Suposed to be here!!!!

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\WinBar\WinBar.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

G:\Mikes stuff\HijackThis.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: WinBar.lnk = C:\Program Files\WinBar\WinBar.exe

O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

I also have

IELower.exe (2kb)

is.exe (34kb)

low.exe (2kb)

mc-110-12-000169.exe(165kb)

mmxateam.exe (18kb)

sw.bat (1kb)

tb.exe (204kb)

usbupdatesx.exe (461kb)

xe.exe (24kb)

in my root directory C:\

I hope this will help figure out something.


Ok..I'm back on my computer for now...I think I have a solution

This is what I did

Disconnect from the Internet

Download Process Explorer here http://www.sysinternals.com/Utilities/ProcessExplorer.html from another computer and save it to a disk (if you can get it with the infected computer it will still work, disconnect after you get it though).

Run that and look for lsass.exe (if you have the same thing I did it will be running twice).

Click View>Select Columns, Check "Command Line"

One of the lsass.exe will be running from C:\WINDOWS..this is the bad one, the other will be running in C:\WINDOWS\System32

Minimize Process Explorer, and browse to C:\WINDOWS. Use the folder options to show hidden and system files

Find lsass.exe, be sure you are not in the System32 folder

It won't let you delete the file because it is in use by Windows so you have to select it in Process Explorer and push delete, it will ask you if you want to kill the process, say yes.

You have to work quickly because lsass.exe will start itself after a few seconds, so what you do is have both windows open, Process Explorer and C:\windows, have lsass.exe selected

Go to the Process Explorer and kill lsass.exe that is running from C:\WINDOWS, then move over to the C:\WINDOWS folder and delete lsass.exe before it has a chance to start again.

Then delete

sw.bat

is.bat

tb.exe

xe.exe

low.exe

mmxateam.exe

IELower.exe

uspupdatesx.exe

mc-110-12-000169.exe

from C:\

I've seen different sets of files so there may be files here you don't have, and you may have others.

After I did that I restarted and the files didn't come back, I connected to the internet again and waited.....No files, it's been about an hour and no problems yet, I hope that is all it was, but there may be more of this...I'll post if I find out any more

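The HijackThis listing and the Process Explorer procedure in the two posts above both come down to one comparison: a process named like a core Windows component is only legitimate if it runs from system32. As an added example that is not part of this thread and not HijackThis or Process Explorer code, here is a Python check over a HijackThis-style "Running processes" section. It flags core processes running from anywhere other than system32 (the second lsass.exe the posts describe) and, more generally than the thread, names that only look like a system process once easily confused characters such as 'i' or '1' are folded to 'l'. The sample log is constructed from the listing above; the set of core system32 processes and the lookalike table are assumptions.

```python
"""Scan the 'Running processes' section of a HijackThis-style log for core
Windows processes that run from the wrong directory or under a lookalike name.
Added example for this thread; the sample log is constructed, modelled on the
listing posted in the thread, and is not HijackThis or Process Explorer output."""
import ntpath
import re
from typing import List, NamedTuple

# On Windows XP these run only from %SystemRoot%\system32 (assumption used by the check).
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Characters that are easily confused with letters in a system process name (assumed table).
LOOKALIKES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


class Finding(NamedTuple):
    path: str
    reason: str


def canonical(name: str) -> str:
    """Lower-case a file name and fold lookalike characters, so 'isass.exe' -> 'lsass.exe'."""
    return name.lower().translate(LOOKALIKES)


def running_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:' up to the first O/R/F/N item."""
    paths: List[str] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_section = True
            continue
        if in_section:
            if re.match(r"^[ORFN]\d+ - ", line):  # first HijackThis item ends the section
                break
            if line:
                paths.append(line)
    return paths


def check_process(path: str) -> List[Finding]:
    """Flag a process path that imitates a core system32 process."""
    findings: List[Finding] = []
    directory, name = ntpath.split(path)
    lower_name = name.lower()
    # Exact name first; only fold lookalikes when the exact name is not a core process.
    folded = lower_name if lower_name in CORE_SYSTEM32 else canonical(name)
    if folded not in CORE_SYSTEM32:
        return findings
    if lower_name != folded:
        findings.append(Finding(path, f"lookalike name for {folded}"))
    # Windows paths are case-insensitive, so compare the lower-cased directory.
    if not re.fullmatch(r"[a-z]:\\windows\\system32", directory.lower()):
        findings.append(Finding(path, f"{folded} running outside system32"))
    return findings


def audit_log(log: str) -> List[Finding]:
    """Run check_process over every running process in the log."""
    findings: List[Finding] = []
    for path in running_processes(log):
        findings.extend(check_process(path))
    return findings


# Constructed sample log. The two C:\WINDOWS\ entries stand in for the second
# lsass.exe the thread describes and for a lookalike-named copy.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\isass.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinBar\WinBar.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
"""

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(f"{finding.path}: {finding.reason}")
```

Process Explorer's Command Line column, as used in the procedure above, gives the same information live; the point of the script is the rule itself: a matching name is never enough on its own, both the directory and the exact spelling have to match before a process is treated as the real system component.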

Please help, this has been driving me mad! I have a lot of work to do but have spent the past two hours messing with this and still no progress.

I tried what mcl768 suggested above, and it seemed to work, however I ran into a problem. I cannot, for the life of me, find lsass.exe in my C:\WINDOWS folder.

Yes, I made sure to select the Folder Options thing to view all hidden files, I can see ALL other hidden and weird looking files, but I cannot find lsass.exe.

Furthermore, when I look in process explorer I see the **** file and it says that it IS in C:\WINDOWS however when I search for it and look for it manually I don't see it. So what's going on here, all signs point to it being there, yet I cannot find it to delete it.

Any help would be GREATLY appreciated. Thanks!


The Virus/Malware, whatever it is classified as, probably comes from a ųTORRENT download.

Viruses and Malware come from Kazaa and LimeWire. Torrents rarely contain viruses.

And if you're going to use alternate characters, it's μ, not ų. ;)


And if you're going to use alternate characters, it's µ, not u.

I couldn't find µ, :( but have u, which it is not, so used Character Map Arial ų. But now I have yours, I'll copy it. µ :P

AVG7 has just updated itself to 7.1.362, and finally picked up Trojan horse Dropper.Agent.VC. So, I know this came in on a µTORRENT download. I have never used these type of programs before, and as this is a very small one, decided I'd give it a go. The TORRENT is rogue of course, not the program's fault. No, I'm not going to say. These type of programs seem to be for copyrighted material.

*But I would check your Outlook Express Address Book for entries that look a little strange, and you have never seen before! Just a thought. sndmail.gif



Hi Peeps, I've been trying to sort out a booting up issue on my girlfriend's laptop and while doing the head scratching, chin stroking research came through here. With concern to your lsass.exe being in two places, they are actually two different file names: one is LSASS.exe, this is the one you need, and the other is isass.exe. The clever thing is that a capital (i) looks a lot like a lower case (L). Hope this helps

