ndrives32.exe - Dangerous
ndrives32.exe
Manual removal instructions:
Antivirus Report of ndrives32.exe:
ndrives32.exe
W32/Rbot-DK is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.
It spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element.
Copies itself to the Windows system folder as NDRIVES32.EXE.
Creates entries at the following locations in the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-DK may set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
Also, may try to delete the C$, D$, E$, IPC$ and ADMIN$ network shares on the host computer.
Drops 3 files to the current folder called EXPIORER.EXE, ADMDLL.DLL and RADDRV.DLL, all of which appear to be legitimate remote server applications.
Use RegRun Startup Optimizer to remove this worm from startup.
| ndrives32.exe | Malware |
| ndrives32.exe | Dangerous |
| ndrives32.exe | High Risk |
It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.
It spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element.
Copies itself to the Windows system folder as NDRIVES32.EXE.
Creates entries at the following locations in the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Rbot-DK may set the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
Also, may try to delete the C$, D$, E$, IPC$ and ADMIN$ network shares on the host computer.
Drops 3 files to the current folder called EXPIORER.EXE, ADMDLL.DLL and RADDRV.DLL, all of which appear to be legitimate remote server applications.
Use RegRun Startup Optimizer to remove this worm from startup.
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.