Windows cannot find NTDETECT.exe

[Michael]

Last night, when I was in the middle of doing my work, this weird thing happened.
When I go to My Computer and want to access the Local Disks (C: ) & (D: ), this error message came up:

   Windows cannot find NTDETECT.exe.
  
   This program is needed for opening files
   of type 'File'.
  
    Type in the executable file to be used instead:
    C:\
    
I could still access the drives through Windows Explorer or any Open/Browse dialogue box.

System: WinXP SP2

No file was deleted prior to that error.
I was just surfing the internet.

Any idea?
Thanks.

[GX1_Man]

A quick google search would have told you that ntdetect.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Whatever you are using for security is not working. I would be interested in what it was and what sites you were on.

Have a read:

http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1149948530

It may be Ewido time for you at the minimum. TAKE YOUR TIME AND READ IT ALL

[Michael]

I did googled for it...but I was googled for the error message and not "ntdetect" only...seems that was why i got nonsense results that day...
I am using Norton...and it couldn't detect anything about it....and the Symantec website also has no information about this ntdetect.exe....
My internet connection was on whole day so I couldn't really recall any possible
candidate of website resulting in the situation.

[pcdoc4christ]

These might help:

http://www.processlibrary.com/directory/files/ntdetect/
http://www.liutilities.com/products/wintaskspro/processlibrary/ntdetect/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SMALL.AYZ&VSect=T

[Michael]

I installed Ewido but it stop responding in the middle of scanning.
I notice that when I right-click on the disk drives, the first option has been modified to be some weird characters, follow by AutoPlay, Search, Open, Explore, System Information.
How can I fix the issue?
The WinTask software is not a freeware...
I guess there must be a way to fix it manually?

[GX1_Man]

Try booting in safe mode with system restore turned off and run Ewido from there.

[patio]

And with those wierd characters showing in the context menu i would also highly recommend running chkdsk as well, also in Safemode...

[Michael]

Running in Safe Mode (System Restore OFF):

ChkDsk detected nothing wrong and fix nothing.
AVG Anti-Spyware 7.5 (Ewido) detected some medium risk threats but that doesn't fix the issue.
SpyBot S&D detected some threats but that doesn't fix the issue.
Norton AV detected some threats but that doesn't fix the issue.

So, what else can I do?

[GX1_Man]

You can try running Hijack This and post a log file here for analysis by one of the resident experts. It will take several posts to get the whole report.

Do you have a real Windows CD to reinstall, if that becomes necessary to solve this?

[Michael]

Here is the zipped log file.

I do have the installation CD to reinstall Windows if necessary.

Thanks.

[Michael]

Anyone can help?

[Michael]

You can try running Hijack This and post a log file here for analysis by one of the resident experts.

So, is there any expert around?

[JPH]

Hi Michael, I'll try to help until an expert is available.
First and foremost, let's try to get rid of the nasty Chinese malware infection your PC has.

You might want to print this out or save it to a text file for reference from within safe mode.

Download the attached URLSearchHookFix zip file.

Boot into safe mode again and turn system restore off if you haven't already.

Click Start > Control Panel > Add or Remove Programs and remove WinPcap. Also remove any entries related to CNNIC (might be written in Chinese characters)

Run another HJT scan and put a check next to the following entries if still present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html

O2 - BHO: CNNIC ÍøÂ繤¾ßDrag - {352E3B3A-CAB5-4DBC-B940-C7F84D0447D8} - C:\PROGRA~1\CNNIC\Cdn\cdndrag.dll

O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll

O2 - BHO: BHOImp Class - {70AFF2CB-9DA2-499C-8D15-900729FCE83D} - (no file)

O2 - BHO: (no name) - {79B8A2B5-CCAB-40CD-B939-A18B916FAD95} - (no file)

O2 - BHO: (no name) - {B10343BD-1DC6-442F-9BA2-D44C708CEE83} - (no file)

O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll (file missing)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe

O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll

O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll

O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing

O11 - Options group: [CDNCLIENT] Chinese Navigation

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Click "Fix checked"
Close HiJackThis

Remove the following folder (including all files and sub-directories):

C:\Program Files\CNNIC

Unzip the URLSearchHookFix.reg from the attached file and right-click the .reg file and choose Merge

Rename HiJackThis.exe to something else (e.g. HJT2K6.exe)

Run another HJT scan and save the logfile, rename the logfile to HJTnewSafe.log

Reboot back into normal mode, run another HJT scan from normal mode.

Zip up both new HJT logfiles and attach them to your next post.

- JPH

[GX1_Man]

A quick google search would have told you that ntdetect.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

[highlight]Whatever you are using for security is not working. I would be interested in what it was and what sites you were on.[/highlight]
Have a read:

http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1149948530

It may be Ewido time for you at the minimum. TAKE YOUR TIME AND READ IT ALL

[Michael]

Hi JPH, thanks for your guidance.
Attached are the two HJT log file before and after the fix.
Anyway, fyi, the issue still persist...when I click on any local drive, instead of entering the drive, still a blank command prompt window entitled C:\NTDETECT.COM flashes up and close immediately.....and if I right click on the drive, the first option is still some weird characters instead of what it should be.


GX1_Man, I've actually gone through the page before, and I'm wondering whether I've missed out something since you highlighted it again?


Thanks.