Wednesday, June 19, 2013

How to Remove Notify DLL Hijacker


1. If the operating system of the infected computer is Windows Me or Windows XP, turn off System Restore while this fix is being implemented.
To turn off System Restore in Windows Me, click 'Start,' 'Settings' and 'Control Panel.' Double-click on the 'System' icon and select 'File System' from the 'Performance' tab. Left-click on the 'Troubleshooting' tab and check the 'Disable System Restore' box. Click 'OK.'
To turn off System Restore in Windows XP, log in as an administrator and click 'Start.' Right-click on 'My Computer,' and select 'Properties' from the shortcut menu. Check the 'Turn off System Restore' option for each drive on the 'System Restore' tab. Left-click 'Apply' and 'Yes' to confirm when prompted. Click 'OK.'
2. Restart your computer in safe mode. Press 'F8' after the first beep occurs during start-up, before the display of the Microsoft Windows logo. Select the first option to run Windows in Safe Mode from the selection menu.
3. Remove the program files from the computer. Go to 'Start,' 'Control Panel,' 'Add/Remove Programs' and 'Remove Timbuktu Pro.' If it is not listed, continue to step 4.
4. Use the Windows Search tool to determine if the notify.dll file was removed with the program files. Go to 'Start,' 'Search' and 'All Files and Folders.' Type 'notify.dll' in the 'All or Part of the File Name' section. Select 'All Local Hard Drives' from the 'Look in:' drop-down list for the best results. Click 'Search.' Remember or write down the specific path where the file is located, typically a subdirectory within C:\Program Files. This information will be necessary later in the removal process.
5. Repeat step 4 for the following files:
cbkhdlr.exe
chat.dll
copyhelp.exe
ctpwim.dll
dinstall.exe
exchange.dll
filemap.ini
hook32.dll
license.txt
minitb2.exe
munger.dll
netinstaller.exe
netinstnt.dll
note.dll
nsldapssl32v30.dll
ntlog.dll
ntsecurity.dll
personal.tbk
playback.dll
plughnt.dll
qiao.dll
readme.htm
regman.exe
schmacka.exe
shellext.dll
sndhlp.dll
tb2.plu
tb2addr.exe
tb2clean.exe
tb2cob.dll
tb2desk.exe
tb2ewx.exe
tb2ftp.dll
tb2init.exe
tb2inst.inf
tb2launch.exe
tb2phone.dll
tb2plugh.dll
tb2pro.exe
tb2rcinst.dll
tb2start.exe
tb2tools.dll
tb2xpres.exe
tmarina.dll
tnapi.dll
tnotify.exe
ttcp.dll
vofile32.dll
voolesvr.exe
wininet.dll
6. Use the Windows Task Manager to end any Timbuktu Pro processes that are running. Press 'Ctrl,' 'Alt' and 'Del' to open Task Manager. Click 'tb2pro.exe' within the Applications tab and click 'End Task.' Click on the Processes tab to search for individual processes that the hijacker may be running. Click on the 'Image Name' column to search for the following files. Highlight each of the listed names and click 'End Process' to kill it:
cbkhdlr.exe
copyhelp.exe
dinstall.exe
minitb2.exe
netinstaller.exe
regman.exe
schmacka.exe
tb2addr.exe
tb2clean.exe
tb2desk.exe
tb2ewx.exe
tb2init.exe
tb2launch.exe
tb2start.exe
tb2xpres.exe
tnotify.exe
voolesvr.exe
7. Access the command prompt to unprotect the files to enable deletion. Click 'Start' and 'Run.' Type 'cmd' and click 'OK.'
Type 'cd' (change directory) from the command prompt, press the 'space bar' and type the name of the full directory path of the file, usually C:\Program Files\Timbuktu Pro.
From the command prompt, type 'attrib -a -s -h notify.dll.'
8. Repeat Step 7 for each of the following files:
cbkhdlr.exe
chat.dll
copyhelp.exe
ctpwim.dll
dinstall.exe
exchange.dll
filemap.ini
hook32.dll
license.txt
minitb2.exe
munger.dll
netinstaller.exe
netinstnt.dll
note.dll
nsldapssl32v30.dll
ntlog.dll
ntsecurity.dll
personal.tbk
playback.dll
plughnt.dll
qiao.dll
readme.htm
regman.exe
schmacka.exe
shellext.dll
sndhlp.dll
tb2.plu
tb2addr.exe
tb2clean.exe
tb2cob.dll
tb2desk.exe
tb2ewx.exe
tb2ftp.dll
tb2init.exe
tb2inst.inf
tb2launch.exe
tb2phone.dll
tb2plugh.dll
tb2pro.exe
tb2rcinst.dll
tb2start.exe
tb2tools.dll
tb2xpres.exe
tmarina.dll
tnapi.dll
tnotify.exe
ttcp.dll
vofile32.dll
voolesvr.exe
wininet.dll
9. Unregister all instances of the malware's dll files from the command prompt. Type 'cd' (change directory) from the command prompt, press the 'space bar' and type the name of the full directory path of the dll files. This should be the path that was determined in step 3, typically C:\Windows\system. Press 'Enter.' The file must be unregistered before removal by typing the exact directory path, 'regsvr32 /u' and [DLL_NAME]: notify.dll.
10. Repeat Step 10 for the following files:
chat.dll
ctpwim.dll
exchange.dll
hook32.dll
munger.dll
netinstnt.dll
note.dll
nsldapssl32v30.dll
ntlog.dll
ntsecurity.dll
playback.dll
plughnt.dll
qiao.dll
shellext.dll
sndhlp.dll
tb2cob.dll
tb2ftp.dll
tb2phone.dll
tb2plugh.dll
tb2rcinst.dll
tb2tools.dll
tmarina.dll
tnapi.dll
ttcp.dll
vofile32.dll
wininet.dll
Exit the command prompt and return to the operating system by typing 'exit' and pressing 'Enter.'
11. Left-click on 'Start,' choose 'Search' then 'All Files and Folders.' Type 'notify.dll' in the 'All or Part of the File Name' field. Select 'All Local Hard Drives' from the 'Look in:' drop-down list. Left-click on 'Search.' Right-click on the file name and select 'Delete' from the shortcut menu.
12. Repeat step 11 for the following files:
cbkhdlr.exe
chat.dll
copyhelp.exe
ctpwim.dll
dinstall.exe
exchange.dll
filemap.ini
hook32.dll
license.txt
minitb2.exe
munger.dll
netinstaller.exe
netinstnt.dll
note.dll
nsldapssl32v30.dll
ntlog.dll
ntsecurity.dll
personal.tbk
playback.dll
plughnt.dll
qiao.dll
readme.htm
regman.exe
schmacka.exe
shellext.dll
sndhlp.dll
tb2.plu
tb2addr.exe
tb2clean.exe
tb2cob.dll
tb2desk.exe
tb2ewx.exe
tb2ftp.dll
tb2init.exe
tb2inst.inf
tb2launch.exe
tb2phone.dll
tb2plugh.dll
tb2pro.exe
tb2rcinst.dll
tb2start.exe
tb2tools.dll
tb2xpres.exe
tmarina.dll
tnapi.dll
tnotify.exe
ttcp.dll
vofile32.dll
voolesvr.exe
wininet.dll
13. Reboot the PC.
14. If notify.dll still resides on the computer, repeat the above steps or try using an automatic removal program from Trend Micro listed in References.
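
Steps 4, 5, 11 and 12 match files by name across all local drives, and some of the listed names are not unique to this program: wininet.dll, for example, is also a Windows component that lives in the Windows system directory. The following Python script is an added example, not part of the original guide; it lists every name match and separates copies inside the program folder from copies found elsewhere so the latter can be reviewed before anything is deleted. The function names and the sample folder layout are constructed for illustration.

```python
import os
from pathlib import Path

# Names from steps 4 and 5 of the guide.
GUIDE_FILES = set("""
notify.dll cbkhdlr.exe chat.dll copyhelp.exe ctpwim.dll dinstall.exe exchange.dll
filemap.ini hook32.dll license.txt minitb2.exe munger.dll netinstaller.exe
netinstnt.dll note.dll nsldapssl32v30.dll ntlog.dll ntsecurity.dll personal.tbk
playback.dll plughnt.dll qiao.dll readme.htm regman.exe schmacka.exe shellext.dll
sndhlp.dll tb2.plu tb2addr.exe tb2clean.exe tb2cob.dll tb2desk.exe tb2ewx.exe
tb2ftp.dll tb2init.exe tb2inst.inf tb2launch.exe tb2phone.dll tb2plugh.dll tb2pro.exe
tb2rcinst.dll tb2start.exe tb2tools.dll tb2xpres.exe tmarina.dll tnapi.dll
tnotify.exe ttcp.dll vofile32.dll voolesvr.exe wininet.dll
""".split())

def inventory(search_root, product_dir):
    """Walk search_root and split name matches into hits inside product_dir
    (removal candidates) and hits elsewhere (review before touching)."""
    product = Path(product_dir).resolve()
    inside, outside = [], []
    for dirpath, _dirs, files in os.walk(search_root):
        for name in files:
            if name.lower() not in GUIDE_FILES:
                continue
            path = Path(dirpath, name).resolve()
            (inside if product in path.parents else outside).append(path)
    return sorted(inside), sorted(outside)

def build_sample_tree(base):
    """Constructed sample layout: a program folder plus a system folder."""
    base = Path(base)
    product = base / "Program Files" / "Timbuktu Pro"
    system = base / "Windows" / "system32"
    for folder, names in ((product, ["notify.dll", "tb2pro.exe", "WININET.DLL"]),
                          (system, ["wininet.dll", "kernel32.dll"])):
        folder.mkdir(parents=True)
        for n in names:
            (folder / n).write_bytes(b"")
    return product

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        product = build_sample_tree(tmp)
        inside, outside = inventory(tmp, product)
        for p in inside:
            print("candidate:", p)
        for p in outside:
            print("review   :", p)
```

On a real machine, call inventory() with the drive root and the path noted in step 4, for example C:\Program Files\Timbuktu Pro.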