
ndt2.sys and andt.sys [Malware Problem] (HJT Log included)

Discussion in 'Malware and Virus Removal Archive' started by iakona724, 2008/02/18.

  1. 2008/02/24
    noahdfear (Inactive), Joined: 2003/04/06, Messages: 12,178, Likes Received: 15

    As I said, eTrust gets my vote, over anything. As for getting rid of other stuff:

    Ad-aware = keep
    Spybot = keep
    McAfee = you will never see me recommend using it
    System Mechanic = I wouldn't use it
    SpywareBlaster = keep
    HJT = not applicable
    AVG = no need for it if you have something else

    No matter what you use for protection, it will do you no good without using good sense and safe surfing habits. As I indicated previously, running a wide open Administrator account coupled with P2P apps is just asking for trouble.
     
  2. 2008/02/24
    noahdfear (Inactive), Joined: 2003/04/06, Messages: 12,178, Likes Received: 15

    Delete the following files.

    C:\Windows\System32\andt.sys
    C:\Windows\System32\msspa.exe

    Cracked software and keygens are yet another avenue for infection, not to mention unfair to the software developer(s). Recommend you dump this one too.

    C:\Users\Administrator\Downloads\Nero 8 Ultra Edition 8.2.8.0+Keymaker\Nero-8.2.8.0_eng_trial.exe


    Did you install TightVNC and UltraVNC?
     


  4. 2008/02/24
    iakona724 (Inactive, Thread Starter), Joined: 2008/02/18, Messages: 14, Likes Received: 0

    I only have a pirated copy of Nero 8 because I've already purchased 2 copies. Both of their serials had been pirated (I'm guessing) and Nero left me out in the cold. They said the only thing I could do is to purchase another copy to get a legitimate serial.

    I completely agree it's unfair for the developers, but I feel I have paid my dues and I was tired of paying.

    I deleted all three of those files.

    Yes, I installed TightVNC and Ultra VNC, but I already uninstalled TightVNC.
     
  5. 2008/02/24
    noahdfear (Inactive), Joined: 2003/04/06, Messages: 12,178, Likes Received: 15

    I would certainly be questioning the sources from which you purchased pirated software.

    You have some remnants of TightVNC. Let's get rid of those. Scan again with HijackThis and place a check next to the following entry, then click Fix Checked.

    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper

    Note: If Spybot's TeaTimer is active, it may interfere with HijackThis, so best disable it first.

    Now click Start>Run and type cmd then hit Enter to open a command window. Copy and paste the following commands, 1 at a time, hitting Enter after each.

    sc stop winvnc
    sc delete winvnc


    Close the command window, then run a new scan with HijackThis and verify both the above O4 - HKLM\..\Run: [WinVNC] entry and the O23 Service VNC Server (winvnc) entry are gone.

    If all is well, I'd say we're done.
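
The final check in the post above (rescan and confirm that both the O4 Run entry and the O23 service entry for WinVNC are gone) can be run against a saved HijackThis log. This is an added example, not part of the original thread; the O23 line layout, the `ExampleApp` and `exupd` names, and both sample logs are constructed assumptions.

```python
import re

# Line layouts assumed from typical HijackThis logs:
#   O4 - <registry key>: [<value name>] <command line>
#   O23 - Service: <display name> (<service name>) - <owner> - <path>
O4_RUN = re.compile(r"^O4 - (?P<key>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<detail>.+)$")
O23_SVC = re.compile(r"^O23 - Service: .+? \((?P<name>[^()]+)\) - (?P<detail>.+)$")

def parse_hjt(log_text):
    """Return the O4 (Run value) and O23 (service) autostart entries in a log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, pattern in (("O4", O4_RUN), ("O23", O23_SVC)):
            m = pattern.match(line)
            if m:
                entries.append({"section": section,
                                "name": m.group("name"),
                                "detail": m.group("detail")})
                break
    return entries

def remnants(log_text, name):
    """Entries whose Run value name or service name equals `name`.

    The comparison is case-insensitive because Windows treats registry
    value names and service names that way (WinVNC vs winvnc).
    """
    wanted = name.lower()
    return [e for e in parse_hjt(log_text) if e["name"].lower() == wanted]

# Constructed sample logs: one scan before the cleanup, one after it.
BEFORE = r"""
Running processes:
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\example.exe"
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: Example Updater (exupd) - Example Corp - C:\Program Files\ExampleApp\upd.exe
"""
AFTER = r"""
Running processes:
O4 - HKCU\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\example.exe"
O23 - Service: Example Updater (exupd) - Example Corp - C:\Program Files\ExampleApp\upd.exe
"""

if __name__ == "__main__":
    for label, log in (("before", BEFORE), ("after", AFTER)):
        left = remnants(log, "winvnc")
        print(label, "->", [(e["section"], e["name"]) for e in left] or "clean")
```
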
     
  6. 2008/02/24
    iakona724 (Inactive, Thread Starter), Joined: 2008/02/18, Messages: 14, Likes Received: 0

    Wow, thanks for all of your help. No more annoying error messages :D and I am definitely noticing a huge increase in the response time of my computer and logging in is twice as fast. Also, my CPU usage has dropped to around 2% under normal usage; it used to hang around 15% all the time. I simply cannot thank you enough for your help. Is there any way I can give back to you for all the help you have provided me? (paypal?)

    ...Now I have to work on getting rid of this stupid net user Administrator account and transferring everything over to a regular admin account...
     
  7. 2008/02/24
    noahdfear (Inactive), Joined: 2003/04/06, Messages: 12,178, Likes Received: 15

    Happy to hear things are working good again. You're most welcome! :) Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe!


    I do have a paypal account and accept donations if you're inclined, and appreciate any and all. noahdfear @ msn . com without the spaces. Also appreciated if you prefer, is to contribute to WindowsBBS instead. In addition to helping fund the upkeep of this site, you will notice a few other benefits to becoming a contributing member.
     
