 TheJokerPremium,VIP,MVM
join:2001-04-26
Alexandria, VA
kudos:5 | reply to flighty
Re: [Spyware] ntdll64Are you not running an antivirus, or is it being prevented from running?
I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. You will also need the printed copy as you will be in Safe mode for several instructions. Please follow the directions in the order listed (Important).
Reboot to Safe Mode - Restart your computer and begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes if found:
C:\WINDOWS\system32\init32.exe
C:\WINDOWS\system32\SYS32DLL.exe
Exit the Task Manager when finished.
Using Windows Explorer, delete the following files:
C:\WINDOWS\system32\init32.exe
C:\WINDOWS\system32\SYS32DLL.exe
C:\Windows\fmark2.dat
Also delete the following folders if found:
C:\Windows\Program Files\TinyProxy folder
C:\Windows\Program Files\ProtectService
also in the Windows folder delete any .exe files starting with kenny in the file name:
C:\Windows\kenny*.exe
Restart your system.
Go to Start -> Settings -> Control Panel -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server if you have set it previously.
If you use FireFox, do the same thing: Go to Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.
Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SYS32DLL] SYS32DLL (User 'Default user')
O20 - AppInit_DLLs: C:\WINDOWS\system32\vedilune.dll
Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.
Using Windows Explorer, locate the following files, and delete them (if found):
C:\WINDOWS\system32\vedilune.dll
C:\WINDOWS\system32\init32.exe
C:\WINDOWS\system32\SYS32DLL.exe
Download the latest version of Kaspersky Virus Removal Tool
ftp://downloads2.kaspersky-labs.com/devbuilds/AVPTool/index.html
- Disconnect from the Internet (pull your connection cable).
- Reboot to Safe mode.
- Close all other applications and double-click and run the installer.
- When AVPTool starts, select all the scanable items except for CD-ROM drives and click the Scan button.
- If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
- After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
- In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
- If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
- In the Scan window click the Reports button and select Save to file.
- Name the report AVPT.txt, and save it to the Desktop.
- Close AVPTool.
- You will be prompted if you want to uninstall the program; click Yes.
- You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
- After the system restarts, reconnect to the Internet
- Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
Download ComboFix© by sUBs from one of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Familiarize yourself with ComboFix before running it:
»www.bleepingcomputer.com/combofi···combofix
- Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.
Download Security Check by screen317 and save it to your Desktop:
http://screen317.spywareinfoforum.org/SecurityCheck.zip
http://screen317.changelog.fr/SecurityCheck.zip
- Unzip SecurityCheck.zip and a folder named Security Check should appear.
Open the Security Check folder and double-click Security Check.bat
Follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Please post a new HijackThis log, the log from MBAM, the contents of the log from Security Check (checkup.txt), and in a second reply the requested portion of the log from Kaspersky Virus Removal Tool, the contents of ComboFix (combofix.txt), and note any errors encountered.
--
Proud ASAP member since 2005 |
