<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: What is ntuser.dll, How to remove ntuser.dll</title>
	<atom:link href="http://htlogs.com/what-is-ntuser-dll-how-to-remove-ntuser-dll/feed/" rel="self" type="application/rss+xml" />
	<link>http://htlogs.com/what-is-ntuser-dll-how-to-remove-ntuser-dll/</link>
	<description>HIJACKTHIS ITEMS/REGISTRY ITEMS/HOW TO REMOVE</description>
	<lastBuildDate>Mon, 14 Feb 2011 12:06:24 -0600</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
	<item>
		<title>By: Ben</title>
		<link>http://htlogs.com/what-is-ntuser-dll-how-to-remove-ntuser-dll/#comment-3420</link>
		<dc:creator>Ben</dc:creator>
		<pubDate>Mon, 07 Dec 2009 13:55:30 +0000</pubDate>
		<guid isPermaLink="false">http://htlogs.com/?p=918#comment-3420</guid>
		<description>Please look for file name &#039;Nsrbgxod.bak&#039; in your Windows/internet temp directories or the registry key you mentioned. You will be unable to delete it due to it opening processes on your machine. It will recreate the registry key under your Windows run directory so even if you shut down and reboot it will reinfect your machine.

If you find it there are a couple of steps, otherwise you will just need a good spyware remover and an antivirus software that is up to date.

If you find either the registry key (as above) or the file then first:

Download a spyware remover and run a full scan; when it finishes, fix everything. (this may be an issue if your machine&#039;s web browser keeps redirecting you to another site and not letting you download the software, you may have to use a different machine and download and burn the spyware software to CD or persist and try downloads.com to get a clean download without redirection)

Spyware doctor (this is the best for this kind)
Spybot - Search &amp; Destroy (this is free and had a great ability to plug exploits in IE) &lt;--did not actually find this picked up the problem. (however once I fix the issue this can plug the exploits in your IE or Firefox that allow these things to slip through)
Trend Microsystems &lt;- did not use but is recommended on a lot of the forums.

This will remove the spyware/Trojan that will keep putting in the registry edit to run a script that re infects your machine every time the antivirus removes the problem.

You will need to also make sure you have an antivirus like Symantec, make sure the definitions are up to date and run a full scan. It may report a Bloodhound.Exploit so have the antivirus fix/Quarantine the files.

Delete everything in your personal temp directory (run/%temp%) and windows temp directory (run/temp)

Next, run regedit and make sure the key you found in the ‘Run’ directory with the ‘Rundel32.exe’ in it is deleted; if not, delete it.

This particular spyware/trojan is combining a couple of different known 

*Bloodhound.Exploit - capitalises on a couple of weaknesses in Adobe Acrobat and IE
*Trojan:Win32/Opachki.A - is a trojan that runs at Windows start and redirects search queries while monitoring user Internet traffic
*Nsrbgxod.bak - trojan.agent (above) which seems to be a rootkit infection

Please note that most antivirus will not pick up malware or spyware very well, but I find if you have a combination of at least two different spyware scanners and a good antivirus program that is regularly updated you should be pretty safe.

As always check your patch level; I suggest you download the latest &#039;Microsoft Baseline Security Analyzer&#039; from the Microsoft website.</description>
		<content:encoded><![CDATA[<p>Please look for file name &#8216;Nsrbgxod.bak&#8217; in your Windows/internet temp directories or the registry key you mentioned. You will be unable to delete it due to it opening processes on your machine. It will recreate the registry key under your Windows run directory so even if you shut down and reboot it will reinfect your machine.</p>
<p>If you find it there are a couple of steps, otherwise you will just need a good spyware remover and an antivirus software that is up to date.</p>
<p>If you find either the registry key (as above) or the file then first:</p>
<p>Download a spyware remover and run a full scan; when it finishes, fix everything. (this may be an issue if your machine&#039;s web browser keeps redirecting you to another site and not letting you download the software, you may have to use a different machine and download and burn the spyware software to CD or persist and try downloads.com to get a clean download without redirection)</p>
<p>Spyware doctor (this is the best for this kind)<br />
Spybot &#8211; Search &amp; Destroy (this is free and had a great ability to plug exploits in IE) &lt;&#8211;did not actually find this picked up the problem. (however once I fix the issue this can plug the exploits in your IE or Firefox that allow these things to slip through)<br />
Trend Microsystems &lt;- did not use but is recommended on a lot of the forums.</p>
<p>This will remove the spyware/Trojan that will keep putting in the registry edit to run a script that re infects your machine every time the antivirus removes the problem.</p>
<p>You will need to also make sure you have an antivirus like Symantec, make sure the definitions are up to date and run a full scan. It may report a Bloodhound.Exploit so have the antivirus fix/Quarantine the files.</p>
<p>Delete everything in your personal temp directory (run/%temp%) and windows temp directory (run/temp)</p>
<p>Next, run regedit and make sure the key you found in the ‘Run’ directory with the ‘Rundel32.exe’ in it is deleted; if not, delete it.</p>
<p>This particular spyware/trojan is combining a couple of different known </p>
<p>*Bloodhound.Exploit &#8211; capitalises on a couple of weaknesses in Adobe Acrobat and IE<br />
*Trojan:Win32/Opachki.A &#8211; is a trojan that runs at Windows start and redirects search queries while monitoring user Internet traffic<br />
*Nsrbgxod.bak &#8211; trojan.agent (above) which seems to be a rootkit infection</p>
<p>Please note that most antivirus will not pick up malware or spyware very well, but I find if you have a combination of at least two different spyware scanners and a good antivirus program that is regularly updated you should be pretty safe.</p>
<p>As always check your patch level; I suggest you download the latest &#039;Microsoft Baseline Security Analyzer&#039; from the Microsoft website.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: admin</title>
		<link>http://htlogs.com/what-is-ntuser-dll-how-to-remove-ntuser-dll/#comment-1893</link>
		<dc:creator>admin</dc:creator>
		<pubDate>Sun, 22 Nov 2009 05:00:51 +0000</pubDate>
		<guid isPermaLink="false">http://htlogs.com/?p=918#comment-1893</guid>
		<description>John, you mean ntuser.dat ?
ntuser.dll is not ntuser.dat</description>
		<content:encoded><![CDATA[<p>John, you mean ntuser.dat ?<br />
ntuser.dll is not ntuser.dat</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: John</title>
		<link>http://htlogs.com/what-is-ntuser-dll-how-to-remove-ntuser-dll/#comment-1857</link>
		<dc:creator>John</dc:creator>
		<pubDate>Sat, 21 Nov 2009 22:22:45 +0000</pubDate>
		<guid isPermaLink="false">http://htlogs.com/?p=918#comment-1857</guid>
		<description>ntuser.dll is related to the user accounts</description>
		<content:encoded><![CDATA[<p>ntuser.dll is related to the user accounts</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: admin</title>
		<link>http://htlogs.com/what-is-ntuser-dll-how-to-remove-ntuser-dll/#comment-1455</link>
		<dc:creator>admin</dc:creator>
		<pubDate>Mon, 09 Nov 2009 04:47:20 +0000</pubDate>
		<guid isPermaLink="false">http://htlogs.com/?p=918#comment-1455</guid>
		<description>Boot your computer in the Safe mode with networking by:
    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    * Instead of Windows loading as normal, a menu should appear
    * Select the second option, to run Windows in Safe Mode with networking

In that mode, try to open the links above.</description>
		<content:encoded><![CDATA[<p>Boot your computer in the Safe mode with networking by:<br />
    * Restart your computer<br />
    * After hearing your computer beep once during startup, but before the Windows icon appears, press F8.<br />
    * Instead of Windows loading as normal, a menu should appear<br />
    * Select the second option, to run Windows in Safe Mode with networking</p>
<p>In that mode, try to open the links above.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Juergen</title>
		<link>http://htlogs.com/what-is-ntuser-dll-how-to-remove-ntuser-dll/#comment-1454</link>
		<dc:creator>Juergen</dc:creator>
		<pubDate>Mon, 09 Nov 2009 03:51:23 +0000</pubDate>
		<guid isPermaLink="false">http://htlogs.com/?p=918#comment-1454</guid>
		<description>Cannot link to those hotlinks because it will reroute me to thefeedwater.com/... or providefeed.com...</description>
		<content:encoded><![CDATA[<p>Cannot link to those hotlinks because it will reroute me to thefeedwater.com/&#8230; or providefeed.com&#8230;</p>
]]></content:encoded>
	</item>
</channel>
</rss>

