 Registry Key for Virus Rundll32.exe Call Regenerates |
Welcome Guest ( Log In | Click here to Register a free account now! )
Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.
To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.
  |
 Oct 12 2008, 09:15 PM
Post
#1
|
|
|
New Member  Group: Members Posts: 1 Joined: 12-October 08 Member No.: 245,762  |
CCleaner Spybot - Search and Destroy SUPERAntiSpyware Vundo Fix VirtumundoBegone It appears that I got rid of most of the virus but something still remains because I now get the following error message at startup: RunDLL Error loading C:\WINDOWS\system32\dgeknntu.dll The specified module could not be found. Here is the sequence of steps I have taken to try to fix this: 1. Using CCleaner, I found the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Name: BM3fad8bb3 Type: REG_SZ Data: Rundll32.exe "C:\WINDOWS\system32\dgeknntu.dll",s I tried to delete the key manually through CCleaner. However, when I checked the registry the key was still there. 2. Using regedit, I again tried to delete the registry key. But, when I ran regedit a second time, the key was still there. 3. I rebooted in Safe Mode and deleted the registry key using regedit. When I ran regedit a second time the key was deleted. 4. I rebooted in Safe Mode and ran regedit to verify that the key was still gone. It was still deleted! 5. I rebooted in Normal Mode and the error message did not appear. 6. I rebooted in Normal Mode and the error message did appear. 7. I checked the registry and the "BM3fad8bb3" key had been added back. So, it appears that a startup program that loads after the registry startup programs is reloading the "BM3fad8bb3" registry key. How do I find the program that is doing this? Using msconfig, I've generated boot logs and reviewed them but that didn't provide me with enough information to identify the program. Also, I've use the Autoruns tool to look at the files that load at startup but I can't identify the program that way either. My computer is running Windows XP SP2 and is updated with the latest security patches. Can you please provide some suggestions as to how to proceed? This post has been edited by jimr0707: Oct 12 2008, 09:24 PM |
 |
 
|
|
Jan 7 2009, 09:02 AM
Post
#2
|
|
|
New Member Group: Members Posts: 2 Joined: 7-January 09 Member No.: 279,454 |
QUOTE(jimr0707 @ Oct 12 2008, 09:15 PM)  I want to thank the forum very much for recently helping me. By following previously posted instructions I was able to remove most of the virtumond.dll virus from my computer. To do this I ran multiple passed of the following programs: CCleaner Spybot - Search and Destroy SUPERAntiSpyware Vundo Fix VirtumundoBegone It appears that I got rid of most of the virus but something still remains because I now get the following error message at startup: RunDLL Error loading C:\WINDOWS\system32\dgeknntu.dll The specified module could not be found. Here is the sequence of steps I have taken to try to fix this: 1. Using CCleaner, I found the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Name: BM3fad8bb3 Type: REG_SZ Data: Rundll32.exe "C:\WINDOWS\system32\dgeknntu.dll",s I tried to delete the key manually through CCleaner. However, when I checked the registry the key was still there. 2. Using regedit, I again tried to delete the registry key. But, when I ran regedit a second time, the key was still there. 3. I rebooted in Safe Mode and deleted the registry key using regedit. When I ran regedit a second time the key was deleted. 4. I rebooted in Safe Mode and ran regedit to verify that the key was still gone. It was still deleted! 5. I rebooted in Normal Mode and the error message did not appear. 6. I rebooted in Normal Mode and the error message did appear. 7. I checked the registry and the "BM3fad8bb3" key had been added back. So, it appears that a startup program that loads after the registry startup programs is reloading the "BM3fad8bb3" registry key. How do I find the program that is doing this? Using msconfig, I've generated boot logs and reviewed them but that didn't provide me with enough information to identify the program. Also, I've use the Autoruns tool to look at the files that load at startup but I can't identify the program that way either. My computer is running Windows XP SP2 and is updated with the latest security patches. Can you please provide some suggestions as to how to proceed? I am having the same problem. different details, The reg key and dll names are different, the dll name seems to be randomly generated. I downloaded regmon from systeminternals to watch who was writing the reg key and the the scary thing is that it appears to be many different programs writing this key, including firefox, spybot and other normally safe programs. I am not an expert, but that would make me guess that a system dll has been compromised or a virus has attached itself to all these apps. I used trend mirco's online search, AVG8, spybot, windows defender, adaware and had norton resident on the machine when then infection happened. I don;t know how to clean this off. Any help would be good. |
|
|
|
|
Jan 7 2009, 09:05 AM
Post
#3
|
|
|
Member Group: Members Posts: 120 Joined: 31-December 08 From: Near London Member No.: 276,454 |
Please use malwarebytes using the instructions below and i will continue to assist you.
Please download MalwareBytes Anti-Malware to your desktop. 1.Ensure that your computer is connected to the internet and your software firewall is disabled until instructed to re-enable it. 2.Double click on the mbam-setup.exe to begin the installation process. 3.When the installation begins, please do not change any of the settings and follow the prompts. 4.Please make sure that when you finish the installation, these options remain checked; 5. *Update MalwareBytes' Anti-Malware 6. *Launch MalwareBytes' Anti-Malware 7.You may now click finish... 8.When MBAM launches, you will be prompted to update before running a scan. If an update is found, MBAM will automatically download and apply the updates and you can then click 'OK' button to close the box and continue. You may now re-enable your firewall 9.Please ensure that while you are on the scanner tab the 'Perform Quick Scan' option is selected, then click the 'Scan' button. 10.If you are asked which drives to scan, please leave all of them ticked, and click 'Start Scan'. 11.The scan will now begin and you will see “Scan in progress” at the top; It may take a while to complete so please be patient. 12.When the scan completes, you will see “The scan completed successfully. Click 'Show Results' to display all objects found” 13.Click the 'OK' button to close the box and continue with the removal process. 14.Back on the main scanner screen, click 'Show Results' to see a list of any found Malware. 15.Ensure that all items are checked and then click the 'Remove Selected' button. 16.When the removal process is complete, a log will open in notepad; this log will be automatically saved and you can view it in the logs section of the program. 17.Copy and paste the contents of the log file that is open into your next reply and exit MBAM. Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the Malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes. -------------------- Please PM me if i have been assisting you and do not reply for 24 hours!
|
|
|
|
|
Jan 7 2009, 11:16 AM
Post
#4
|
|
|
New Member Group: Members Posts: 2 Joined: 7-January 09 Member No.: 279,454 |
QUOTE(Tehsplink @ Jan 7 2009, 09:05 AM) Please use malwarebytes using the instructions below and i will continue to assist you. I discovered malaware and was running it about the same time as your post, and yup it solved it. The trojan I had (Trojan.Vundo) was listed as "easy" on the norton site, and yet I had norton running when I got infected. thanks for your help. |
|
|
|
|
Jan 7 2009, 11:23 AM
Post
#5
|
|
|
Member Group: Members Posts: 120 Joined: 31-December 08 From: Near London Member No.: 276,454 |
That may not have solved it, please can you give us a log of the scan you did with MBAM.
We can then continue to ensure your infection is completely gone  There may still be traces left. -------------------- Please PM me if i have been assisting you and do not reply for 24 hours!
|
|
|
|
|
Jan 7 2009, 12:22 PM
Post
#6
|
|
 Bleepin' Janitor Group: Global Moderator Posts: 20,204 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513 |
Welcome to BC yabsie
If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette. Thanks for your cooperation. The BC Staff -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?"
Microsoft MVP - Windows Security 2007-2010  Member of UNITE, Unified Network of Instructors and Trusted Eliminators |
|
|
|
|
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:
| Lo-Fi Version | Time is now: 29th July 2010 - 09:29 AM |
© 2003-2010 All Rights Reserved Bleeping Computer LLC.