What is ntuser.dll, How to remove ntuser.dll
ntuser.dll is a harmful program.
It is a component of malware or spyware; remove it immediately using an antivirus and antispyware program. If that does not help, ask for help in the Spyware removal forum.
Name: ntuser
Filename: ntuser.dll
Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name: calc
Command: %UserProfile%\ntuser.dll
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\username\ntuser.dll,_IWMPEvents@0
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"calc"=rundll32.exe C:\DOCUME~1\username\ntuser.dll,_IWMPEvents@0
Description: a trojan installed together with the scandisk.dll trojan
How to remove: use HijackThis together with Malwarebytes' Anti-Malware, or use the Kaspersky Virus Removal Tool
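The entry documented above has a recognisable shape: a value under HKCU\...\Run that runs rundll32.exe against a DLL sitting in the user's profile. The following PowerShell function is an added example (it is not code from this page or from any of the tools it names) that audits the Run and RunOnce keys for exactly that pattern. The function name, the list of "user-writable" directories and the flagging heuristic are assumptions of this example; the rundll32 DLL,export form it parses is the one shown in the HijackThis and ComboFix lines above.

```powershell
# Added example (not from the original page): audit the Run/RunOnce autostart keys
# for entries of the shape the page documents, i.e. rundll32.exe loading a DLL from
# a user-writable location such as %UserProfile% or a temp directory.
# Function name and the "suspicious" heuristic are this example's own assumptions.

function Get-SuspiciousRunEntry {
    [CmdletBinding()]
    param()

    # Autostart locations; the page's entry lives in HKCU\...\Run.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    # Metadata properties Get-ItemProperty adds to every result; they are not registry values.
    $metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # Directories an ordinary user can write to; a DLL auto-started from here deserves a look.
    $userWritable = @(
        [Environment]::GetFolderPath('UserProfile'),
        $env:TEMP,
        $env:APPDATA,
        $env:LOCALAPPDATA
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $command = [string]$p.Value
            $entry = [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Command    = $command
                DllPath    = $null
                Export     = $null
                Suspicious = $false
                Reason     = ''
            }
            # "rundll32.exe <path>,<export>" is the shape the page shows for ntuser.dll.
            if ($command -match '(?i)rundll32(\.exe)?\s+"?([^",]+?)"?\s*,\s*(\S+)') {
                $entry.DllPath = $Matches[2].Trim()
                $entry.Export  = $Matches[3]
                # Expand %UserProfile%-style variables and 8.3 names (C:\DOCUME~1\...) before comparing.
                $expanded = [Environment]::ExpandEnvironmentVariables($entry.DllPath)
                try { $expanded = (Get-Item -LiteralPath $expanded -ErrorAction Stop).FullName } catch {}
                $lower = $expanded.ToLowerInvariant()
                $hit = $userWritable | Where-Object { $lower.StartsWith($_) } | Select-Object -First 1
                if ($hit) {
                    $entry.Suspicious = $true
                    $entry.Reason = "rundll32 loads a DLL from user-writable path $hit"
                }
                elseif (-not (Test-Path -LiteralPath $expanded)) {
                    $entry.Suspicious = $true
                    $entry.Reason = 'rundll32 target DLL does not exist (removed or hidden file)'
                }
            }
            $entry
        }
    }
}

# Usage: show only the flagged entries. The page's example would appear as
# ValueName "calc", DllPath "C:\DOCUME~1\username\ntuser.dll", Export "_IWMPEvents@0".
Get-SuspiciousRunEntry | Where-Object Suspicious | Format-List Key, ValueName, Command, DllPath, Export, Reason
```

Run it from an elevated prompt so the HKLM keys are readable as well; the output is a list of objects, so it can equally be exported with Export-Csv for a ticket or compared against a clean baseline machine. The check is deliberately narrow: it only reports rundll32 entries whose DLL lives under the profile, AppData or temp, or no longer exists, which is the pattern this page describes, not a general autostart audit.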
November 8th, 2009 at 9:51 pm
Cannot open those hotlinks because they reroute me to thefeedwater.com/… or providefeed.com…
November 8th, 2009 at 10:47 pm
Boot your computer into Safe Mode with Networking:
* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
* Instead of Windows loading as normal, a menu should appear.
* Select the second option, to run Windows in Safe Mode with Networking.
In that mode, try to open the links above.
November 21st, 2009 at 4:22 pm
ntuser.dll is related to the user accounts
November 21st, 2009 at 11:00 pm
John, you mean ntuser.dat?
ntuser.dll is not ntuser.dat
December 7th, 2009 at 7:55 am
Please look for the file name ‘Nsrbgxod.bak’ in your Windows/Internet temp directories or the registry key you mentioned. You will be unable to delete it due to it opening processes on your machine. It will recreate the registry key under your Windows Run directory, so even if you shut down and reboot it will reinfect your machine.
If you find it there are a couple of steps; otherwise you will just need a good spyware remover and antivirus software that is up to date.
If you find either the registry key (as above) or the file, then first:
Download a spyware remover and run a full scan; when it finishes, fix everything. (This may be an issue if your machine's web browser keeps redirecting you to another site and not letting you download the software; you may have to use a different machine and download and burn the spyware software to CD, or persist and try downloads.com to get a clean download without redirection.)
Spyware Doctor (this is the best for this kind)
Spybot – Search & Destroy (this is free and has a great ability to plug exploits in IE) <- did not actually find this picked up the problem. (However, once I fixed the issue this can plug the exploits in your IE or Firefox that allow these things to slip through.)
Trend Micro <- did not use but is recommended on a lot of the forums.
This will remove the spyware/Trojan that keeps putting the registry entry back to run a script that reinfects your machine every time the antivirus removes the problem.
You will also need to make sure you have an antivirus like Symantec; make sure the definitions are up to date and run a full scan. It may report a Bloodhound.Exploit, so have the antivirus fix/quarantine the files.
Delete everything in your personal temp directory (Run: %temp%) and the Windows temp directory (Run: temp).
Next run regedit and make sure the key you found in the ‘Run’ directory with ‘rundll32.exe’ in it is deleted; if not, delete it.
This particular spyware/trojan is combining a couple of different known
*Bloodhound.Exploit – capitalises on a couple of weaknesses in Adobe Acrobat and IE
*Trojan:Win32/Opachki.A – a trojan that runs at Windows start and redirects search queries while monitoring user Internet traffic
*Nsrbgxod.bak – trojan.agent (above), which seems to be a rootkit infection
Please note that most antivirus programs will not pick up malware or spyware very well, but I find that if you have a combination of at least two different spyware scanners and a good antivirus program that is regularly updated, you should be pretty safe.
As always, check your patch level; I suggest you download the latest 'Microsoft Baseline Security Analyzer' from the Microsoft website.
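The manual cleanup in the post above (delete the Run value that launches rundll32.exe, remove the DLL it points at, and clear the dropper file from the temp directories) can be done from one script that previews every action before touching anything. The following PowerShell function is an added example, not code from the post, the page, or any tool it mentions. The value name "calc" and the file name "Nsrbgxod.bak" come from this page; the function name, the decision to remove only the named files rather than emptying the temp directories, and the Safe Mode fallback message are assumptions of this example.

```powershell
# Added example (not part of the post above): the post's cleanup steps as a script.
# Supports -WhatIf so each removal is shown before it happens.
# Value name "calc" and file name "Nsrbgxod.bak" are from the page; the rest is assumed.

function Remove-RundllRunEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Name of the HKCU Run value to remove (the page's entry is called "calc").
        [Parameter(Mandatory = $true)] [string] $ValueName,
        # Dropper file names to look for in the temp directories, as the post suggests.
        [string[]] $ExtraFiles = @('Nsrbgxod.bak')
    )

    $runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $command = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).$ValueName

    if (-not $command) {
        Write-Warning "No value '$ValueName' under $runKey"
    }
    else {
        Write-Host "Found: $ValueName = $command"
        # Pull the DLL path out of "rundll32.exe <path>,<export>" so the file can go too.
        if ($command -match '(?i)rundll32(\.exe)?\s+"?([^",]+?)"?\s*,') {
            $dll = [Environment]::ExpandEnvironmentVariables($Matches[2].Trim())
            if ((Test-Path -LiteralPath $dll) -and $PSCmdlet.ShouldProcess($dll, 'Remove-Item')) {
                try {
                    Remove-Item -LiteralPath $dll -Force -ErrorAction Stop
                }
                catch {
                    # The post notes the file stays locked while its process runs;
                    # the earlier comment's Safe Mode boot is the way around that.
                    Write-Warning "Could not delete $dll ($($_.Exception.Message)); reboot into Safe Mode and run again."
                }
            }
        }
        # Remove the autostart value itself so the DLL is not relaunched at logon.
        if ($PSCmdlet.ShouldProcess("$runKey\$ValueName", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $runKey -Name $ValueName
        }
    }

    # Temp directories the post tells the reader to empty; only the named files are touched here.
    $tempDirs = @($env:TEMP, "$env:SystemRoot\Temp") | Where-Object { $_ -and (Test-Path -Path $_) }
    foreach ($dir in $tempDirs) {
        foreach ($name in $ExtraFiles) {
            Get-ChildItem -Path $dir -Filter $name -Recurse -Force -ErrorAction SilentlyContinue |
                ForEach-Object {
                    if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove-Item')) {
                        Remove-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue
                    }
                }
        }
    }
}

# Dry run first to see what would be removed, then run for real.
Remove-RundllRunEntry -ValueName calc -WhatIf
# Remove-RundllRunEntry -ValueName calc
```

The -WhatIf pass prints one "What if:" line per file and registry value, which is the safest way to confirm the script is looking at the right entry before anything is deleted. Because the post says the infection re-creates the Run value, run the function again after the reboot and confirm it reports no value; if the value comes back, the dropper is still resident and the scanner steps above have to be completed first.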