W32.Ceted
W32.Ceted is a worm that spreads by copying itself to removable drives and shared network folders. It drops numerous files on the compromised computer and sets their system, hidden and read-only attributes to avoid detection.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
How to Remove W32.Ceted:
FIRST AID TO STOP W32.Ceted:
When the W32.Ceted virus infects a computer, it modifies system settings and injects itself into legitimate Windows files. System Restore is the go-to tool for bringing back clean files and restoring an earlier configuration. If you have a previously saved restore point, restore Windows to an earlier date.
MANUAL REMOVAL OF W32.Ceted:
1. If an anti-virus program is present, update the definition file.
2. Reboot Windows in Safe Mode.
- After turning on the power, press F8 on the keyboard.
- From the menu, select Safe Mode.
3. Run a full system scan and clean/delete all infected file(s).
4. Delete/Modify any values added to the registry if present.
- To edit the registry, click Start, then search for or run regedit.exe.
Note: For a complete guide on Safe Mode and Registry Editor, please see tutorial links on the sidebar.
5. Exit registry editor and restart Windows.
ADDITIONAL TOOLS AND PROGRAMS:
Scan with Norton Power Eraser:
Norton Power Eraser is a free removal tool from Norton Antivirus, developed to remove viruses and unfamiliar threats without relying on traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.
Online Virus Scanner:
Another way to remove a virus from a computer without installing an additional anti-virus application is to perform a thorough scan with a free Online Virus Scanner, which can be found on the websites of legitimate computer security providers.
Technical Details and Additional Information:
Other functionalities of this Virus:
- This worm monitors newly opened processes and closes any that contain strings such as Task Manager and Process Explorer.
- W32.Ceted can restart the infected computer on its own.
- It can redirect Google search to a predefined or false result with its own URL.
Malicious Files Added by W32.Ceted:
%SystemDrive%\ntdetec1\ntdetec1.exe
%SystemDrive%\ntdetec1\cmrss.exe
%SystemDrive%\ntdetec1\run.exe
%SystemDrive%\ntdetec1\shell32.exe
%SystemDrive%\ntdetec1\drivelist.txt
%SystemDrive%\ntdetec1\child\autorun.inf
%SystemDrive%\ntdetec1\child\ntdetec1.exe
File Location for Windows Versions:
- %SystemDrive% refers to any drive including external removable devices.
Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"winlogon" = "C:\ntdetec1\run.exe"
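Checking for these indicators from PowerShell: the script below is an added example, not part of the original guide or of any vendor tool. It looks for the files and the registry value listed above on every mounted drive and only reports what it finds. The function names Find-CetedFiles and Get-CetedRunValue are names chosen for this example.

```powershell
# Added example: read-only check for the W32.Ceted indicators listed on this page.
# Requires PowerShell 3.0 or later. It reports findings only and deletes nothing.

# Relative paths taken from the "Malicious Files Added" list above.
$CetedPaths = @(
    'ntdetec1\ntdetec1.exe',
    'ntdetec1\cmrss.exe',
    'ntdetec1\run.exe',
    'ntdetec1\shell32.exe',
    'ntdetec1\drivelist.txt',
    'ntdetec1\child\autorun.inf',
    'ntdetec1\child\ntdetec1.exe'
)

function Find-CetedFiles {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        foreach ($rel in $CetedPaths) {
            # -Force is needed because the worm marks its files hidden and system.
            $item = Get-Item -LiteralPath (Join-Path $root $rel) -Force -ErrorAction SilentlyContinue
            if ($item) {
                [pscustomobject]@{
                    Path       = $item.FullName
                    Attributes = $item.Attributes
                    Modified   = $item.LastWriteTime
                }
            }
        }
    }
}

function Get-CetedRunValue {
    # Key and value name taken from the registry entry above.
    $key   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['winlogon']) {
        [pscustomobject]@{ Key = $key; Name = 'winlogon'; Data = $props.winlogon }
    }
}

# Check every mounted drive, since the page says removable drives are affected too.
$roots = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.IsReady } |
    ForEach-Object { $_.RootDirectory.FullName }

$files = @(Find-CetedFiles -Roots $roots)
$run   = Get-CetedRunValue
$files | Format-Table -AutoSize
if ($run) { $run | Format-List }
"Files found: $($files.Count); Run value present: $([bool]$run)"
```

Run it from an elevated prompt in Safe Mode, before and after the cleanup steps, to confirm that nothing from the list remains.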
Anup
Feb 25, 2008 @ 09:35:48
I removed W32.ceted this way, but the computer has become slow. I think it troubled some DLL files because of which my computer makes a slow start and has become lazy. I have removed other related files like ntdetec1, cmrss, shell32, autorun.inf etc… help!