
likagulina / narudoku.dll


3 replies to this topic

#1 Kevin Christo

Kevin Christo

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 28 November 2008 - 01:56 PM

There's one registry entry that keeps repopulating even when removed. I don't/didn't see any suspicious processes running except for rundll32.exe which I killed. But, the "SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUN" keeps on repopulating with the following entry:

likagulina : rundll32.exe "c:\windows\system32\narudoku.dll", s

There's no such file named narudoku.dll. But, I don't know how and where this registry repopulation is coming from.
I've already scanned the system with Spybot and Malwarebytes Anti-malware. Both removed a bunch but I can't figure
out where this is coming from.

I've scanned with Vundofix as well and it finds nothing.

Google search turns up 0 results on either of those search terms!

Edited by Orange Blossom, 28 November 2008 - 02:31 PM.
Move from HiJack This forum to Am I Infected as there are no logs. ~ OB




#2 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:07:29 AM

Posted 28 November 2008 - 02:44 PM

Welcome :thumbsup: Maybe fully update the Malwarebytes program you have, reboot the computer and run a scan and let us see its report plus the previous one for checking?

#3 Kevin Christo

Kevin Christo
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:29 AM

Posted 28 November 2008 - 03:22 PM

This is my log ... The narudoku.dll file was originally deleted by MBAM but the system still kept looking for it at the RUN in the registry. Deleted the RUN -- it would keep re-adding itself after rebooting or within 5 minutes.


Malwarebytes' Anti-Malware 1.30
Database version: 1431
Windows 5.1.2600 Service Pack 2

11/28/2008 3:21:07 PM
mbam-log-2008-11-28 (15-21-05).txt

Scan type: Quick Scan
Objects scanned: 77118
Time elapsed: 9 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\likagulina (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\narudoku.dll (Trojan.Agent) -> No action taken.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:01:29 AM

Posted 28 November 2008 - 04:41 PM

The "No Action Taken" response in your log generally means you did not click the Remove All button. You should rescan and do so. Then see what the log shows.

RunDLL32.exe is a legit Windows file that loads .dll files, which too can be legit or malware related. The "Cannot find" or "Error loading" error message usually occurs when the associated .dll has been removed. The file may have been removed during an anti-virus scan, the uninstall of a program or use of a specialized fix tool. However, an associated registry entry remains and is telling Windows to load the file when you boot up.

If the file was removed but not the entry, Windows will display an error message indicating that the file was not found or there was an error loading. You need to remove this orphaned registry entry so Windows stops searching for the program when it loads.

To resolve this download and run Autoruns, search for the related entry and then delete it.
Create a new folder on your hard drive called AutoRuns and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file with the error message.
Right-click on the file and choose delete.
Reboot your computer and see if the startup error returns.

THANKS to quietman7 for this fix!!
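The orphaned-entry condition described in post #4 (a Run value that still tells rundll32.exe to load a DLL that is no longer on disk), as an added example that is not part of the original thread or any tool named in it. The function names and the two "Example" values are made up for illustration; only the `likagulina` value comes from the thread.

```python
import ntpath
import re

# Constructed sample of Run-key values. The first is the entry quoted in this
# thread; the other two are made up for contrast.
SAMPLE_RUN_VALUES = {
    "likagulina": r'rundll32.exe "c:\windows\system32\narudoku.dll", s',
    "ExampleTray": r'"C:\Program Files\Example\tray.exe" /min',
    "ExampleHelper": r"rundll32.exe C:\Example\helper.dll,Start",
}
# Constructed stand-in for the disk: files that exist on the sample host.
SAMPLE_EXISTING = {r"c:\program files\example\tray.exe", r"c:\example\helper.dll"}

_RUNDLL = re.compile(r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.I)

def rundll32_target(command):
    """Return the DLL a rundll32 command line loads, or None if not rundll32."""
    m = _RUNDLL.match(command)
    if not m:
        return None
    args = m.group(1).strip()
    if args.startswith('"'):                      # quoted path: up to closing quote
        end = args.find('"', 1)
        return args[1:end] if end > 0 else None
    return args.split(",", 1)[0].strip() or None  # unquoted: up to the first comma

def orphaned_run_entries(run_values, exists):
    """(name, dll) for rundll32 values whose absolute DLL path is not on disk."""
    orphans = []
    for name, command in sorted(run_values.items()):
        dll = rundll32_target(command)
        # Bare names and %VAR% paths are skipped: resolving them needs the
        # loader's search order and environment, which this sketch does not model.
        if dll and ntpath.isabs(dll) and not exists(dll):
            orphans.append((name, dll))
    return orphans

def sample_exists(path):
    return path.lower() in SAMPLE_EXISTING

def read_hklm_run():
    """Windows only: read the live HKLM Run values with the stdlib winreg module."""
    import winreg
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        count = winreg.QueryInfoKey(key)[1]
        return {n: str(d) for n, d, _ in (winreg.EnumValue(key, i) for i in range(count))}

if __name__ == "__main__":
    for name, dll in orphaned_run_entries(SAMPLE_RUN_VALUES, sample_exists):
        print(f"orphaned Run value {name!r}: {dll} not found")
```

On a Windows host, `orphaned_run_entries(read_hklm_run(), os.path.exists)` runs the same check against the live key. A value that reappears after deletion, as reported in post #3, means something is still writing it, so a clean result from this check is not by itself evidence that the machine is clean.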



