Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Registry Key for Virus Rundll32.exe Call Regenerates


  • Please log in to reply
5 replies to this topic

#1 jimr0707

jimr0707

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:14 PM

Posted 12 October 2008 - 09:15 PM

I want to thank the forum very much for recently helping me. By following previously posted instructions I was able to remove most of the virtumond.dll virus from my computer. To do this I ran multiple passed of the following programs:

CCleaner
Spybot - Search and Destroy
SUPERAntiSpyware
Vundo Fix
VirtumundoBegone

It appears that I got rid of most of the virus but something still remains because I now get the following error message at startup:

RunDLL
Error loading C:\WINDOWS\system32\dgeknntu.dll
The specified module could not be found.

Here is the sequence of steps I have taken to try to fix this:

1. Using CCleaner, I found the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Name: BM3fad8bb3
Type: REG_SZ
Data: Rundll32.exe "C:\WINDOWS\system32\dgeknntu.dll",s

I tried to delete the key manually through CCleaner. However, when I checked the registry the key was still there.

2. Using regedit, I again tried to delete the registry key. But, when I ran regedit a second time, the key was still there.
3. I rebooted in Safe Mode and deleted the registry key using regedit. When I ran regedit a second time the key was deleted.
4. I rebooted in Safe Mode and ran regedit to verify that the key was still gone. It was still deleted!
5. I rebooted in Normal Mode and the error message did not appear.
6. I rebooted in Normal Mode and the error message did appear.
7. I checked the registry and the "BM3fad8bb3" key had been added back.

So, it appears that a startup program that loads after the registry startup programs is reloading the "BM3fad8bb3" registry key.

How do I find the program that is doing this?

Using msconfig, I've generated boot logs and reviewed them but that didn't provide me with enough information to identify the program.
Also, I've use the Autoruns tool to look at the files that load at startup but I can't identify the program that way either.

My computer is running Windows XP SP2 and is updated with the latest security patches.

Can you please provide some suggestions as to how to proceed?

Edited by jimr0707, 12 October 2008 - 09:24 PM.


BC AdBot (Login to Remove)

 


m

#2 yabsie

yabsie

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:14 PM

Posted 07 January 2009 - 09:02 AM

I want to thank the forum very much for recently helping me. By following previously posted instructions I was able to remove most of the virtumond.dll virus from my computer. To do this I ran multiple passed of the following programs:

CCleaner
Spybot - Search and Destroy
SUPERAntiSpyware
Vundo Fix
VirtumundoBegone

It appears that I got rid of most of the virus but something still remains because I now get the following error message at startup:

RunDLL
Error loading C:\WINDOWS\system32\dgeknntu.dll
The specified module could not be found.

Here is the sequence of steps I have taken to try to fix this:

1. Using CCleaner, I found the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Name: BM3fad8bb3
Type: REG_SZ
Data: Rundll32.exe "C:\WINDOWS\system32\dgeknntu.dll",s

I tried to delete the key manually through CCleaner. However, when I checked the registry the key was still there.

2. Using regedit, I again tried to delete the registry key. But, when I ran regedit a second time, the key was still there.
3. I rebooted in Safe Mode and deleted the registry key using regedit. When I ran regedit a second time the key was deleted.
4. I rebooted in Safe Mode and ran regedit to verify that the key was still gone. It was still deleted!
5. I rebooted in Normal Mode and the error message did not appear.
6. I rebooted in Normal Mode and the error message did appear.
7. I checked the registry and the "BM3fad8bb3" key had been added back.

So, it appears that a startup program that loads after the registry startup programs is reloading the "BM3fad8bb3" registry key.

How do I find the program that is doing this?

Using msconfig, I've generated boot logs and reviewed them but that didn't provide me with enough information to identify the program.
Also, I've use the Autoruns tool to look at the files that load at startup but I can't identify the program that way either.

My computer is running Windows XP SP2 and is updated with the latest security patches.

Can you please provide some suggestions as to how to proceed?


I am having the same problem. different details, The reg key and dll names are different, the dll name seems to be randomly generated.
I downloaded regmon from systeminternals to watch who was writing the reg key and the the scary thing is that it appears to be many different programs writing this key, including firefox, spybot and other normally safe programs.

I am not an expert, but that would make me guess that a system dll has been compromised or a virus has attached itself to all these apps. I used trend mirco's online search, AVG8, spybot, windows defender, adaware and had norton resident on the machine when then infection happened. I don;t know how to clean this off.

Any help would be good.

#3 Tehsplink

Tehsplink

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Near London
  • Local time:03:14 AM

Posted 07 January 2009 - 09:05 AM

Please use malwarebytes using the instructions below and i will continue to assist you.


Please download MalwareBytes Anti-Malware to your desktop.


1.Ensure that your computer is connected to the internet and your software firewall is disabled until instructed to re-enable it.
2.Double click on the mbam-setup.exe to begin the installation process.
3.When the installation begins, please do not change any of the settings and follow the prompts.
4.Please make sure that when you finish the installation, these options remain checked;
5. *Update MalwareBytes' Anti-Malware
6. *Launch MalwareBytes' Anti-Malware
7.You may now click finish...
8.When MBAM launches, you will be prompted to update before running a scan. If an update is found, MBAM will automatically download and apply the updates and you can then click 'OK' button to close the box and continue. You may now re-enable your firewall
9.Please ensure that while you are on the scanner tab the 'Perform Quick Scan' option is selected, then click the 'Scan' button.
10.If you are asked which drives to scan, please leave all of them ticked, and click 'Start Scan'.
11.The scan will now begin and you will see “Scan in progress” at the top; It may take a while to complete so please be patient.
12.When the scan completes, you will see “The scan completed successfully. Click 'Show Results' to display all objects found”
13.Click the 'OK' button to close the box and continue with the removal process.
14.Back on the main scanner screen, click 'Show Results' to see a list of any found Malware.
15.Ensure that all items are checked and then click the 'Remove Selected' button.
16.When the removal process is complete, a log will open in notepad; this log will be automatically saved and you can view it in the logs section of the program.
17.Copy and paste the contents of the log file that is open into your next reply and exit MBAM.


Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the Malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Please PM me if i have been assisting you and do not reply for 24 hours!

#4 yabsie

yabsie

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:14 PM

Posted 07 January 2009 - 11:16 AM

Please use malwarebytes using the instructions below and i will continue to assist you.


I discovered malaware and was running it about the same time as your post, and yup it solved it. The trojan I had (Trojan.Vundo) was listed as "easy" on the norton site, and yet I had norton running when I got infected.


thanks for your help.

#5 Tehsplink

Tehsplink

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Near London
  • Local time:03:14 AM

Posted 07 January 2009 - 11:23 AM

That may not have solved it, please can you give us a log of the scan you did with MBAM.
We can then continue to ensure your infection is completely gone :thumbsup:
There may still be traces left.
Please PM me if i have been assisting you and do not reply for 24 hours!

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,574 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:14 PM

Posted 07 January 2009 - 12:22 PM

Welcome to BC yabsie

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users