Hi all. I've spent the last week removing somewhere around 1000 viruses off of the receptionist's computer at my job, which was incredibly difficult--the malware disabled any internet access, task manager, registry editing, virus/malware removal software, etc.

So.. I was eventually able to get all of them off but one... "ntdll64.dll"

When I got to the point where I had to remove that one, I had managed to fix everything else--internet worked again, registry was fine, etc.--and about 5 minutes after I deleted that virus, the computer froze. I restarted, and after about 30 minutes, you get to the network login screen, the keyboard stops working, and that's it.

I've tried going in through safe mode and command prompt, but that's not an option. Those just freeze. I do not have any Hijackthis logs or anything of the sort because I cannot access that computer.

I've thought of removing the hard drive and scanning it from another computer, but my boss has expressed his disinterest in me doing that...

So ANY help, thoughts, ideas, or anything would be greatly appreciated! Thanks in advance!

3 contributors, 11 replies, 12 views, discussion span 8 years, last post by acthrellis

When you 'repaired' ntdll64 did you delete it altogether? Or did you actually heal it? Because ntdll is vital for the operation of the operating system since it contains information on the NT kernel, which communicates between NT-based OSes (like XP) and the hardware. There is hope, potentially. Get a clean copy of the file from a working computer, boot up Windows Live (google windows live boot disk). You can boot into Windows Live, then copy the file from some form of media (USB, floppy, CD) to C:\windows\system32.
If this is the only file causing the problem this should solve your issues.

I thought that was a valid file, but everywhere I went said that it was a virus, remove it immediately or the world's coming to an end. Also, if it matters, it was in a directory that to me seemed strange.

C:\Documents and Settings\USERNAME\Local Settings\Temp

also, my firm has conveniently lost all of our xp installation discs, so BartPE isn't gonna work...

> I thought that was a valid file, but everywhere I went said that it was a virus, remove it immediately or the world's coming to an end. Also, if it matters, it was in a directory that to me seemed strange.
>
> C:\Documents and Settings\USERNAME\Local Settings\Temp
>
> also, my firm has conveniently lost all of our xp installation discs, so BartPE isn't gonna work...

lol. That is a bit suspicious of a place to find any dll. Just steal it off a computer at home. It should be in c:\windows\system32. DLL files are common to all machines, so there shouldn't be an issue with bringing in a 'foreign' dll.

I'm looking in the system32 folder, and the closest thing I see to that file is "ntdll.dll", not "ntdll64.dll".

to think I took 3 years of classes and spent tons of money on certifications...

Lol. Is the system in question a 64-bit OS? Because that could be a problem... If not then the ntdll.dll will work. If it is then you will have to find a healthy 64 bit version of the DLL.
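Before copying a DLL from another machine, as suggested above, a practitioner would want two checks: that the file is built for the same architecture as the broken host (the 32-bit/64-bit question raised in this reply) and that it is byte-identical to a copy taken from a known-clean machine. The following is an added example, not code from this thread; it reads the architecture straight from the PE header and compares SHA-256 hashes. The `make_fake_pe` helper builds a minimal, non-loadable header purely so the example runs without real system files; the function names and the allowlist of machine types are this example's own.

```python
import hashlib
import struct

# COFF "Machine" values from the PE file format specification.
IMAGE_FILE_MACHINE = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x0200: "Itanium",
}
IMAGE_FILE_DLL = 0x2000  # Characteristics bit that is set on DLL images


def pe_machine(data: bytes) -> str:
    """Return the architecture a PE image (EXE or DLL) was built for.

    Follows the DOS header's e_lfanew pointer, checks the "PE\\0\\0"
    signature and decodes the COFF Machine field that comes right after it.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return IMAGE_FILE_MACHINE.get(machine, f"unknown (0x{machine:04X})")


def is_dll(data: bytes) -> bool:
    """True if the COFF Characteristics field marks the image as a DLL."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def check_replacement(candidate: bytes, trusted: bytes, host_arch: str) -> tuple[bool, str]:
    """Decide whether `candidate` may be copied onto the broken machine.

    `trusted` is the same DLL read from a known-clean machine running the same
    Windows build; the candidate must target `host_arch` and hash identically.
    """
    try:
        arch = pe_machine(candidate)
    except ValueError as exc:
        return False, str(exc)
    if arch != host_arch:
        return False, f"built for {arch}, host needs {host_arch}"
    if hashlib.sha256(candidate).digest() != hashlib.sha256(trusted).digest():
        return False, "SHA-256 differs from the trusted copy"
    return True, f"ok: {arch}, sha256 {hashlib.sha256(candidate).hexdigest()[:16]}..."


def make_fake_pe(machine: int, characteristics: int = IMAGE_FILE_DLL) -> bytes:
    """Constructed test input: a DOS header pointing at a bare COFF header.

    Not a loadable image; it exists only so the checks above can run offline.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: COFF header follows the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + coff


if __name__ == "__main__":
    trusted_x86 = make_fake_pe(0x014C)
    print(check_replacement(trusted_x86, trusted_x86, "x86 (32-bit)"))
    print(check_replacement(make_fake_pe(0x8664), trusted_x86, "x86 (32-bit)"))
    # Real files: check_replacement(open(a, "rb").read(), open(b, "rb").read(), "x86 (32-bit)")
```

For real files the trusted copy should come from a machine with the same Windows version and service pack, since ntdll.dll differs between builds. As a side note, the HijackThis log posted later in this thread reports WinNT 5.01, which is the 32-bit XP code base (XP x64 reports 5.2), so on this particular machine the 32-bit ntdll.dll is the right one.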

I'm not sure. I found an xp sp2 repair installation cd, so I ran that... and it froze ... over and over... BUT, on a hunch I left the cd in the drive, and windows booted up nicely, and I promptly got more alerts of more viruses. So I'm going to clear those out. Here is the HijackThis log of right now:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:54 AM, on 3/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Neon Software\Neon Responder\Neon Responder Service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\init32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://huronapp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0a94b111-4504-4e26-ab05-e61e474aa38b} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe" /d=60
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [svschost.exe] C:\WINDOWS\system32\svschost.exe -check (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://huronapp
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = huronlaw.local
O17 - HKLM\Software\..\Telephony: DomainName = huronlaw.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = huronlaw.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = huronlaw.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = huronlaw.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = huronlaw.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: migloe - C:\WINDOWS\Microsoft.NET\migloe.dll (file missing)
O20 - Winlogon Notify: mljgh - mljgh.dll (file missing)
O20 - Winlogon Notify: oqenbmsl - oqenbmsl.dll (file missing)
O20 - Winlogon Notify: rtmyncgi - rtmyncgi.dll (file missing)
O23 - Service: a-squared Anti-Malware Service (a2antimalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (googledesktopmanager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Neon Responder - Neon Software, Inc. - C:\Program Files\Neon Software\Neon Responder\Neon Responder Service.exe
O23 - Service: Remote Desktop Help Session Manager RDSessMgrALG (RDSessMgrALG) - Unknown owner - C:\WINDOWS\system32\APPENDr.exe
O23 - Service: QoS RSVP RSVPLmHosts (rsvplmhosts) - Unknown owner - C:\WINDOWS\system32\APPENDry.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VolDir - Unknown owner - C:\Program Files\FireDaemon\FireDaemon.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8051 bytes


I'm gonna try replacing that dll file too. Just in case.

System restore can be your friend :).

==

PC is still infected, judging from your log.

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

A lot of viruses can hide themselves from HJT, such as many bootstraps. It seems, from your log, that several DLLs are in fact missing. It's looking like you're in for a painstaking file recovery, or just a total OS reinstall.
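The two replies above read the posted HijackThis log by eye ("PC is still infected, judging from your log"; "several DLLs are in fact missing"). The script below is an added example, not code from this thread, that applies the same reasoning mechanically to a handful of lines copied from that log: dangling "(file missing)" registry references, file names within two edits of a core Windows binary (svschost.exe vs svchost.exe, ntdll64.dll vs ntdll.dll), unknown-owner services running out of system32, and anything loaded from a Temp directory. The sample input is constructed: it is a subset of the posted log plus one hypothetical "Running processes" line for the ntdll64.dll the original poster found under Local Settings\Temp (that line is not in the posted log). The allowlist of system binaries is this example's own abbreviation.

```python
import re
from pathlib import PureWindowsPath

# Short allowlist of core Windows binaries, an assumption for this example; real
# triage would compare against a full inventory of the exact OS build.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "alg.exe",
    "wmiprvse.exe", "ntdll.dll", "kernel32.dll",
}

# A full Windows path ending in .exe/.dll (paths may contain spaces, so the match
# stops at the first such extension), and a bare file name for path-less entries.
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
BARE_NAME = re.compile(r"[\w~-]+\.(?:exe|dll)\b", re.IGNORECASE)

# Constructed sample: lines from the HijackThis log posted above, plus one
# hypothetical line (the Temp-directory ntdll64.dll) based on the thread's description.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\init32.exe
C:\Documents and Settings\USERNAME\Local Settings\Temp\ntdll64.dll
C:\Program Files\Bonjour\mDNSResponder.exe

O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe" /d=60
O4 - HKUS\.DEFAULT\..\Run: [svschost.exe] C:\WINDOWS\system32\svschost.exe -check (User 'Default user')
O20 - Winlogon Notify: migloe - C:\WINDOWS\Microsoft.NET\migloe.dll (file missing)
O20 - Winlogon Notify: mljgh - mljgh.dll (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Remote Desktop Help Session Manager RDSessMgrALG (RDSessMgrALG) - Unknown owner - C:\WINDOWS\system32\APPENDr.exe
O23 - Service: VolDir - Unknown owner - C:\Program Files\FireDaemon\FireDaemon.exe (file missing)
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot names that imitate system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (file name, reason, log line) for every entry that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WIN_PATH.search(line)
        path = PureWindowsPath(m.group(0)) if m else None
        if path is not None:
            name = path.name.lower()
        else:
            bare = BARE_NAME.findall(line)
            name = bare[-1].lower() if bare else ""
        parts = [p.lower() for p in path.parts] if path else []

        # 1. Registry still points at a file that is gone: leftover of a removed
        #    component, or of a removal that was only half done.
        if line.startswith(("O20", "O23")) and "(file missing)" in line:
            findings.append((name, "dangling registry reference, file missing", line))

        # 2. Name within two edits of a core binary but not identical to it.
        if name and name not in KNOWN_SYSTEM_BINARIES:
            for known in KNOWN_SYSTEM_BINARIES:
                if edit_distance(name, known) <= 2:
                    findings.append((name, f"name imitates system binary {known}", line))
                    break

        # 3. Service with no recognised publisher whose binary sits in system32
        #    under a name that is not a known Windows component.
        if (line.startswith("O23") and "Unknown owner" in line
                and "system32" in parts and name not in KNOWN_SYSTEM_BINARIES):
            findings.append((name, "unknown-owner service running from system32", line))

        # 4. Executable code loaded from a Temp directory.
        if "temp" in parts:
            findings.append((name, "executable code in a Temp directory", line))
    return findings


if __name__ == "__main__":
    for name, reason, line in triage(SAMPLE_LOG):
        print(f"{name:18} {reason:45} {line[:60]}")
```

A line that produces no finding is not a clean bill of health: the script only scores what HijackThis chose to list, and, as the reply above says, plenty of malware never appears in that list at all. Treat the output as a prioritised reading order for the log, not as a verdict.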

> System restore can be your friend :).

Unless you're like me and turn it off to save resources, then kick yourself when you run into a problem like this ;)

I did have the Malwarebytes software, but it freezes every time I open it. I've been trying system restore, but that freezes too. *sigh*

head::desk

Update:

Viruses have wiped all previous restore points... yay.

Gonna try again to fix the OS installation...
