Guest Alex Levi
Posted August 24, 2008

Can anyone tell me what the following line, which I found in my registry, is?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Key: BM3b6d974d
Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s

When using Registry monitor I found that my Explorer.exe is writing this key (almost every second). Is this normal?

I tried to scan my PC with NAV, Spybot, online scanners and found nothing.

Thanks.
Guest Elmo
Posted August 24, 2008

Re: Registry Startup folder

Alex Levi wrote:
> Can anyone tell me what the following line, which I found in my registry, is?
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> Key: BM3b6d974d
> Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s
>
> When using Registry monitor I found that my Explorer.exe is writing this key
> (almost every second)
> Is this normal?
>
> I tried to scan my PC with NAV, Spybot, online scanners and found nothing.
>
> Thanks.

Restart in Safe Mode, and delete the file xqfulqgt.dll. Also run Regedit and remove any entries that mention the file, but I suspect some other process is doing the writing.

In "Safe Mode with Networking", try running an online scan to see if malware that disables your protection is running.

Try one of these free online virus scans:

This one has a choice of a Quick or a Complete check: http://www.pcpitstop.com/

Symantec: http://security.symantec.com/default.asp?productid=ssr&langid=ie&venid=sym
<url:http://security2.norton.com/us/home.asp?j=1&venid=sym&langid=us&plfid=20&pkj=IHBEXIBVEMBQAUWZKTK> then click the Security check link.

http://housecall.antivirus.com/ free online virus scan
http://www.ewido.net/en/
http://www.pandasoftware.com/products/activescan.htm

Also try a virus discussion group for better solutions.

--
Joe =o)
Guest Daniel Martín [MVP]
Posted August 24, 2008

Re: Registry Startup folder

Hi, Alex:

When I see a DLL with a random name, I think of malware. Why is Explorer.exe constantly writing that key? Maybe some kind of malicious shell extension running in the context of Explorer.exe. It is even possible that it is a "fake" Explorer.exe process, not the legit one.

Use Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) booting from Safe Mode and disable all suspicious startup items.

--
Regards,
Daniel Martín
Microsoft MVP Windows Desktop Experience

"Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message news:D576E846-7D9E-478B-93A3-98B233D99B89@microsoft.com...
> Can anyone tell me what the following line, which I found in my registry, is?
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> Key: BM3b6d974d
> Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s
>
> When using Registry monitor I found that my Explorer.exe is writing this
> key
> (almost every second)
> Is this normal?
>
> I tried to scan my PC with NAV, Spybot, online scanners and found nothing.
>
> Thanks.
Guest nass
Posted August 24, 2008

RE: Registry Startup folder

"Alex Levi" wrote:
> Can anyone tell me what the following line, which I found in my registry, is?
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> Key: BM3b6d974d
> Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s
>
> When using Registry monitor I found that my Explorer.exe is writing this key
> (almost every second)
> Is this normal?
>
> I tried to scan my PC with NAV, Spybot, online scanners and found nothing.
>
> Thanks.

Your anti-virus removed the viral infection, but it is still in the root system and in the Registry, so please perform the cleaning steps to make sure nothing is lurking in the background to revive the infestation back into action!

Unexplained computer behaviour may be caused by deceptive software
http://support.microsoft.com/kb/827315

Go through these cleaning steps:

1. First, try to clean up your caches, Internet files and delete cookies by doing this:
Click Start >> Control Panel >> Double click Network and Internet Connections >> Double click Internet Options.
On the IE properties window you will see these tabs: General | Security | Privacy | Content | Connections | Programs | Advanced
Under the General tab clear your History, Internet Files and Cookies.
Then click on the Advanced tab and scroll down to the Browsing option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest)
Uncheck this box.
Then click on the Programs tab, click Manage Add-Ons and disable all non-verified add-ons (you should re-enable them later one by one to find the culprit, and update it or remove it).

How to manage Add-Ons: http://support.microsoft.com/kb/883256

Scan for malware from here:

SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html

RootkitRevealer v1.71 by Bryce Cogswell and Mark Russinovich
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

Run a scan from here online:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html

You can download this tool, "AutoRuns for Windows":
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

And remove the entry from here. Locate this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Look in the right pane/window and remove the entry for "C:\Windows\System32\xqfulqgt.dll".

Run disk cleanup and defrag in Safe Mode.

Then run this command:
sfc /scannow

HTH.
nass
---
http://www.nasstec.co.uk
Guest Alex Levi
Posted August 26, 2008

RE: Registry Startup folder

I tried everything you suggested: tried to remove suspicious programs from startup and with Task Manager, in my account and in Safe Mode. In Safe Mode my Spybot v1.6 found the virtumonde.dll and deleted it. After each restart it found it again and again. All online scanners didn't find anything.

Also I found some interesting file in my Windows folder called BM3b6d974d.txt with the following content:

< .... Date ... > Process attached explorer - 0 - 0
< .... Date ... > Start thread connector, thread id: - 2588 - 0
< .... Date ... > Start thread protector, thread id: - 2132 - 0
*** BEGIN EXEPTION REPORT ***
EXE C:\WINDOWS\EXPLORER.EXE
Module C:\WINDOWS\System32\fwfltkxd.dll
....
....

I deleted this file...

Also found wininit.ini in my Windows folder (also deleted it):

[rename]
C:\tempjunk3267.tmp = C:\WINDOWS\system32\rqRIaAqn.dll
nul=C:\tempjunk3267.tmp

The file rqRIaAqn.dll is reported by Spybot as the virtumonde.dll virus but I'm unable to delete it. The DLL attached itself to explorer.exe and winlogon.exe. If I try to remove it from memory (with unlocker.exe), Windows automatically crashes (in Safe Mode too) and the standard delete does not work (file in use error).

I don't see any other option than formatting my PC.

Thanks.

"Alex Levi" wrote:
> Can anyone tell me what the following line, which I found in my registry, is?
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> Key: BM3b6d974d
> Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s
>
> When using Registry monitor I found that my Explorer.exe is writing this key
> (almost every second)
> Is this normal?
>
> I tried to scan my PC with NAV, Spybot, online scanners and found nothing.
>
> Thanks.
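One way to check a machine for the two persistence artifacts this thread describes, the Run-key value from the first post (rundll32 loading a DLL from system32) and the wininit.ini [rename] section from the post above, as an added example that is not code from the thread or from any tool named in it. It works on a text dump of the Run key (what `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` writes) and on the .ini file, so it runs offline and never touches the live registry. The sample inputs are constructed from the values quoted in the thread plus one made-up benign entry; the random-name heuristic and the severity levels are this example's own assumptions, not anything the thread states.

```python
"""Triage helper for two persistence artifacts: a Run-key value that launches
rundll32 with a DLL from system32, and a wininit.ini [rename] section.
Added example; not from the thread or from any tool named in it."""
import re
from typing import Dict, List

# Constructed sample: the Run key as `reg export` would write it. The BM3b6d974d
# value is the one from the thread; ExampleTrayApp is a made-up benign entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTrayApp"="\"C:\\Program Files\\Example\\tray.exe\" /autorun"
"BM3b6d974d"="Rundll32.exe \"C:\\WINDOWS\\system32\\xqfulqgt.dll\",s"
'''

# The wininit.ini content quoted in the thread, verbatim.
SAMPLE_WININIT = r'''[rename]
C:\tempjunk3267.tmp = C:\WINDOWS\system32\rqRIaAqn.dll
nul=C:\tempjunk3267.tmp
'''

# rundll32 (optionally with a path and quotes) followed by "<dll>,<entry>".
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*,',
    re.IGNORECASE,
)
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)
VOWELS = set("aeiou")


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a `reg export` dump into {key: {name: data}}.
    Only REG_SZ lines of the form "name"="data" are kept."""
    values: Dict[str, Dict[str, str]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            values.setdefault(key, {})
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                values[key][_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def looks_random(filename: str) -> bool:
    """Heuristic (an assumption of this example): an 8-letter stem with three
    or fewer vowels. It matches the DLL names in the thread but will also hit
    some legitimate files, so a hit is a reason to look closer, not a verdict."""
    stem = filename.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return len(stem) == 8 and stem.isalpha() and sum(c in VOWELS for c in stem) <= 3


def classify_run_values(values: Dict[str, Dict[str, str]]) -> List[dict]:
    """Report every Run-key value that starts rundll32. Loading the DLL from
    system32 is unusual enough to be 'medium'; a random-looking name is 'high'."""
    findings = []
    for key, entries in values.items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, cmd in entries.items():
            m = RUNDLL32_RE.match(cmd)
            if not m:
                continue
            dll = m.group(1)
            severity = "low"
            if SYSTEM32_RE.search(dll):
                severity = "high" if looks_random(dll) else "medium"
            findings.append({"key": key, "name": name, "dll": dll, "severity": severity})
    return findings


def parse_wininit_rename(text: str) -> List[dict]:
    """Read the [rename] section. Each line is destination=source, applied at
    the next boot; a destination of NUL deletes the source. Entries whose
    source is a DLL under system32 are flagged for review."""
    ops = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
        elif in_rename and "=" in line:
            dst, src = (p.strip() for p in line.split("=", 1))
            ops.append({
                "action": "delete" if dst.lower() == "nul" else "move",
                "source": src,
                "destination": dst,
                "system32_dll": bool(SYSTEM32_RE.search(src) and src.lower().endswith(".dll")),
            })
    return ops


def triage(reg_text: str, wininit_text: str) -> dict:
    """Run both checks over text inputs and return the findings as plain dicts."""
    return {
        "run_findings": classify_run_values(parse_reg_export(reg_text)),
        "rename_ops": parse_wininit_rename(wininit_text),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_REG_EXPORT, SAMPLE_WININIT).items():
        print(section)
        for item in items:
            print("  ", item)
```

On the sample input the Run-key check reports only the BM3b6d974d value, at severity "high", and the [rename] check reports a move of the system32 DLL to a temp file followed by a delete of that temp file. Read literally, those two lines move the DLL out of system32 and then delete it at the next boot, which is how a locked file gets removed without the running process ever releasing it; the report shows the net effect so that whoever is triaging can decide whether the entry belongs to a cleanup tool or to something else.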
Guest Kelly
Posted August 26, 2008

Re: Registry Startup folder

Spyware Cleaners that WORK!
Line 393 - Right Hand Side: http://www.kellys-korner-xp.com/xp_tweaks.htm
Or see: http://www.kellys-korner-xp.com/xp_s.htm#spy

*Note: Update all (except HijackThis) before using. Once the software is updated, go offline to run the scans.

--
All the Best,
Kelly (MS-MVP/DTS&XP)

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm

SupportSpace
http://www.supportspace.com/pages?aiu=kellyskorner

"Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message news:72848419-610A-4836-BE62-4AB02006BBF4@microsoft.com...
> I tried everything you suggested,
> tried to remove suspicious programs from startup and with Task Manager in
> my
> account and in Safe Mode,
> In Safe Mode my Spybot v1.6 found the virtumonde.dll and deleted it. After
> each restart it found it again and again. All online scanners didn't find
> anything.
>
> Also I found some interesting file in my Windows folder called
> BM3b6d974d.txt with the following content:
>
> < .... Date ... > Process attached explorer - 0 - 0
> < .... Date ... > Start thread connector, thread id: - 2588 - 0
> < .... Date ... > Start thread protector, thread id: - 2132 - 0
> *** BEGIN EXEPTION REPORT ***
> EXE C:\WINDOWS\EXPLORER.EXE
> Module C:\WINDOWS\System32\fwfltkxd.dll
> ...
> ...
>
> I deleted this file...
>
> Also found wininit.ini in my Windows folder (also deleted it):
>
> [rename]
> C:\tempjunk3267.tmp = C:\WINDOWS\system32\rqRIaAqn.dll
> nul=C:\tempjunk3267.tmp
>
> The file rqRIaAqn.dll is reported by Spybot as the virtumonde.dll virus
> but
> I'm unable to delete it. The DLL attached itself to explorer.exe and
> winlogon.exe,
> If I try to remove it from memory (with unlocker.exe), Windows
> automatically
> crashes (in Safe Mode too) and the standard delete does not work (file in
> use
> error).
>
> I don't see any other option than formatting my PC.
>
> Thanks.
>
>
>
> "Alex Levi" wrote:
>
>> Can anyone tell me what the following line, which I found in my registry, is?
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>>
>> Key: BM3b6d974d
>> Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s
>>
>> When using Registry monitor I found that my Explorer.exe is writing this
>> key
>> (almost every second)
>> Is this normal?
>>
>> I tried to scan my PC with NAV, Spybot, online scanners and found
>> nothing.
>>
>> Thanks.
Guest ju.c
Posted August 26, 2008

Re: Registry Startup folder

I love that Virtumonde trojan! I've disassembled it and it is a work of art. But of course I hate it too.

Virtumonde uses winlogon to stay resident and at boot up copies itself to RAM. If you delete it, it just copies itself from memory.

The best way to remove it, all of it, is to just use the free SUPERAntiSpyware:
http://www.superantispyware.com/

I've tried just about every scanner and the only one to get rid of all of Virtumonde was SUPERAntiSpyware.

ju.c

"Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message news:72848419-610A-4836-BE62-4AB02006BBF4@microsoft.com...
> I tried everything you suggested,
> tried to remove suspicious programs from startup and with Task Manager in my
> account and in Safe Mode,
> In Safe Mode my Spybot v1.6 found the virtumonde.dll and deleted it. After
> each restart it found it again and again. All online scanners didn't find
> anything.
>
> Also I found some interesting file in my Windows folder called
> BM3b6d974d.txt with the following content:
>
> < .... Date ... > Process attached explorer - 0 - 0
> < .... Date ... > Start thread connector, thread id: - 2588 - 0
> < .... Date ... > Start thread protector, thread id: - 2132 - 0
> *** BEGIN EXEPTION REPORT ***
> EXE C:\WINDOWS\EXPLORER.EXE
> Module C:\WINDOWS\System32\fwfltkxd.dll
> ...
> ...
>
> I deleted this file...
>
> Also found wininit.ini in my Windows folder (also deleted it):
>
> [rename]
> C:\tempjunk3267.tmp = C:\WINDOWS\system32\rqRIaAqn.dll
> nul=C:\tempjunk3267.tmp
>
> The file rqRIaAqn.dll is reported by Spybot as the virtumonde.dll virus but
> I'm unable to delete it. The DLL attached itself to explorer.exe and
> winlogon.exe,
> If I try to remove it from memory (with unlocker.exe), Windows automatically
> crashes (in Safe Mode too) and the standard delete does not work (file in use
> error).
>
> I don't see any other option than formatting my PC.
>
> Thanks.
>
>
>
> "Alex Levi" wrote:
>
>> Can anyone tell me what the following line, which I found in my registry, is?
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>>
>> Key: BM3b6d974d
>> Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s
>>
>> When using Registry monitor I found that my Explorer.exe is writing this key
>> (almost every second)
>> Is this normal?
>>
>> I tried to scan my PC with NAV, Spybot, online scanners and found nothing.
>>
>> Thanks.
Guest nass
Posted August 26, 2008

RE: Registry Startup folder

Hi Alex,

Can you send me your HijackThis log at my address? Download HijackThis and send me the log.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)

My address is: to_you_ross(at remove this and replace with the obvious)yahoo.co.uk ( _ is underscore)

HTH.
nass
---
http://www.nasstec.co.uk

"Alex Levi" wrote:
> I tried everything you suggested,
> tried to remove suspicious programs from startup and with Task Manager in my
> account and in Safe Mode,
> In Safe Mode my Spybot v1.6 found the virtumonde.dll and deleted it. After
> each restart it found it again and again. All online scanners didn't find
> anything.
>
> Also I found some interesting file in my Windows folder called
> BM3b6d974d.txt with the following content:
>
> < .... Date ... > Process attached explorer - 0 - 0
> < .... Date ... > Start thread connector, thread id: - 2588 - 0
> < .... Date ... > Start thread protector, thread id: - 2132 - 0
> *** BEGIN EXEPTION REPORT ***
> EXE C:\WINDOWS\EXPLORER.EXE
> Module C:\WINDOWS\System32\fwfltkxd.dll
> ...
> ...
>
> I deleted this file...
>
> Also found wininit.ini in my Windows folder (also deleted it):
>
> [rename]
> C:\tempjunk3267.tmp = C:\WINDOWS\system32\rqRIaAqn.dll
> nul=C:\tempjunk3267.tmp
>
> The file rqRIaAqn.dll is reported by Spybot as the virtumonde.dll virus but
> I'm unable to delete it. The DLL attached itself to explorer.exe and
> winlogon.exe,
> If I try to remove it from memory (with unlocker.exe), Windows automatically
> crashes (in Safe Mode too) and the standard delete does not work (file in use
> error).
>
> I don't see any other option than formatting my PC.
>
> Thanks.
>
>
>
> "Alex Levi" wrote:
>
> > Can anyone tell me what the following line, which I found in my registry, is?
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> >
> > Key: BM3b6d974d
> > Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s
> >
> > When using Registry monitor I found that my Explorer.exe is writing this key
> > (almost every second)
> > Is this normal?
> >
> > I tried to scan my PC with NAV, Spybot, online scanners and found nothing.
> >
> > Thanks.