Search:  

 
theme to black backgroundlet page decide theme
HomeFind ServiceReviewsISP NewsFAQsForumsToolsDatabaseAbout 
 
   All ForumsHot TopicsGallery






how-to block ads


 
Forums » Up and Running » Security » Security Cleanup » [Spyware] ntdll64
Search Topic:
 Share Topic:
RSS topic:
toggle:
flat / full
normal / watch
Posting:
Post a:
Post a:
Links: ·SCU FAQ ·Pre-Clean Rules ·Site IMs ·VundoFix ·Zlob/Smitfraud ·MonaRonaDona
« Cant run SYSTEM RESTORE, NO SOUND, no ADMIN PRIVILEGES, etc.  
AuthorAll Replies


TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA

reply to flighty
Re: [Spyware] ntdll64

Are you not running an antivirus, or is it being prevented from running?

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. You will also need the printed copy as you will be in Safe mode for several instructions. Please follow the directions in the order listed (Important).

Reboot to Safe Mode - Restart your computer and begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes if found:
C:\WINDOWS\system32\init32.exe
C:\WINDOWS\system32\SYS32DLL.exe
Exit the Task Manager when finished.

Using Windows Explorer, delete the following files:
C:\WINDOWS\system32\init32.exe
C:\WINDOWS\system32\SYS32DLL.exe
C:\Windows\fmark2.dat

Also delete the following folders if found:
C:\Windows\Program Files\TinyProxy folder
C:\Windows\Program Files\ProtectService

also in the Windows folder delete any .exe files starting with kenny in the file name:
C:\Windows\kenny*.exe

Restart your system.

Go to Start -> Settings -> Control Panel -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server if you have set it previously.
If you use FireFox, do the same thing: Go to Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SYS32DLL] SYS32DLL (User 'Default user')
O20 - AppInit_DLLs: C:\WINDOWS\system32\vedilune.dll

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Using Windows Explorer, locate the following files, and delete them (if found):
C:\WINDOWS\system32\vedilune.dll
C:\WINDOWS\system32\init32.exe
C:\WINDOWS\system32\SYS32DLL.exe

Download the latest version of Kaspersky Virus Removal Tool
- Disconnect from the Internet (pull your connection cable).
- Reboot to Safe mode.
- Close all other applications and double-click and run the installer.
- When AVPTool starts, select all the scanable items except for CD-ROM drives and click the Scan button.
- If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
- After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
- In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
- If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
- In the Scan window click the Reports button and select Save to file.
- Name the report AVPT.txt, and save it to the Desktop.
- Close AVPTool.
- You will be prompted if you want to uninstall the program; click Yes.
- You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
- After the system restarts, reconnect to the Internet
- Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.

Download ComboFix© by sUBs from one of these locations:


* IMPORTANT !!! Save ComboFix.exe to your Desktop

Familiarize yourself with ComboFix before running it:
»www.bleepingcomputer.com/combofi···combofix

- Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.

- Double click on ComboFix.exe & follow the prompts.

- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.

Download Security Check by screen317 and save it to your Desktop:
- Unzip SecurityCheck.zip and a folder named Security Check should appear.
Open the Security Check folder and double-click Security Check.bat
Follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please post a new HijackThis log, the log from MBAM, the contents of the log from Security Check (checkup.txt), and in a second reply the requested portion of the log from Kaspersky Virus Removal Tool, the contents of ComboFix (combofix.txt), and note any errors encountered.

--
Proud ASAP member since 2005
to forum · permalink · · 2009-05-17 09:58:42 · Reply to this
-
Forums » Up and Running » Security » Security Cleanup« Cant run SYSTEM RESTORE, NO SOUND, no ADMIN PRIVILEGES, etc.  

Thursday, 10-Dec 01:29:52 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.
page compression OFF
Most commented news this week
· [200] Sprint Sued For Distracted Driving Death
· [109] AT&T Launching New 24 Mbps U-Verse Tier
· [82] 3G Network Test Says AT&T Is Tops
· [72] Mediacom Unveils 105 Mbps Pricing
· [66] Sprint Poised For A Turnaround?
· [66] WPA Cracker: Test WPA-PSK Networks In 20 Minutes
· [66] AT&T Hints At Usage-Based iPhone Data Pricing
· [51] The Future Of Wi-Fi Is Bright
· [47] Site Leaks Yahoo, Verizon Fed Data Share Pricing
· [44] Microwaving Your Innards Is Not 'Extreme'
Most people now reading
· Hot Girl falls face first down stairs [56k Lookout (Broadband Heavy)]
· Windows 7 boot manager editing questions [Microsoft Help]
· Official "Invite" thread Part 3 - ALL INVITES GO HERE ! [Filesharing Software]
· [ Classes] Druid tanking: rotation and glyphs [World of Warcraft]
· ToC 4th boss - Preliminary Strategy for Twin Valkyr [World of Warcraft]
· Need some electrical advice - one circuit on two fuses? [Home Repair & Improvement]
· ICC Strats??? [World of Warcraft]
· 3.x Feral Druid - Bear Tanking Guide [World of Warcraft]
· ICC strats [World of Warcraft]
· RG Firmware update to VDSL2 this morning [AT&T U-verse]