
Registry Startup folder



Guest Alex Levi
Posted

Can anyone tell me what is the following line that I found in my registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

Key: BM3b6d974d

Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s

 

When using Registry monitor I found that my Explorer.exe is writing this key

(almost every second)

Is this normal?

 

I tried to scan my PC with NAV, Spybot, online scanners and found nothing.

 

Thanks.
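The entry Alex describes (a Run value with a generated-looking name that has rundll32.exe load a random-named DLL from System32 with a one-letter entry point) is a pattern a defender can score mechanically. The following is an added example, not code from the thread: it parses the text that a `reg export` of the Run key produces and flags entries matching that pattern. The export text is constructed for the example; the suspicious line reproduces the one reported above, and the other two entries are ordinary. The name-randomness test is a coarse vowel-ratio heuristic and is labelled as such in the code.

```python
r"""Triage Run-key autostart entries from a .reg export.

Added example, not code from the thread. It reads the text that
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
writes and scores each value against the pattern discussed in the thread:
rundll32.exe loading a DLL from System32 whose file name looks random,
with a single-letter entry point and a generated-looking value name.
"""
import re
from dataclasses import dataclass

# Constructed sample export. The first entry reproduces the one in the thread;
# ctfmon and the nVidia control-panel loader are ordinary autostart entries.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM3b6d974d"="Rundll32.exe \"C:\\WINDOWS\\system32\\xqfulqgt.dll\",s"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"""

RE_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="data" lines; backslash escapes a backslash or a quote inside the strings.
RE_STRING_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# rundll32[.exe] <dll>[,<entry point>], with or without quotes around the DLL path.
RE_RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*(?:,\s*(?P<entry>\S+))?', re.I)
# One or two letters followed by eight hex digits, like BM3b6d974d.
RE_GENERATED_NAME = re.compile(r"^[A-Za-z]{1,2}[0-9a-f]{8}$")


def unescape(s):
    """Undo .reg string escaping (a backslash escapes the following character)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = RE_STRING_VALUE.match(line)
        if m and key is not None:
            yield key, unescape(m.group("name")), unescape(m.group("data"))


def looks_random(stem):
    """Coarse heuristic: eight or more letters with at most a quarter vowels.
    Catches names such as xqfulqgt or fwfltkxd; short or mixed-case generated
    names can slip past it, so it is only one signal among several."""
    if not stem.isalpha() or len(stem) < 8:
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in stem)
    return vowels / len(stem) <= 0.25


@dataclass
class Finding:
    key: str
    value_name: str
    command: str
    score: int
    reasons: list


def triage_entry(key, value_name, command):
    """Score one Run value; each matched signal adds one point with a reason."""
    score, reasons = 0, []
    m = RE_RUNDLL.search(command)
    if m:
        score += 1
        reasons.append("loaded through rundll32.exe")
        dll = m.group("dll").rsplit("\\", 1)[-1]
        if looks_random(dll[:-4]):          # strip the .dll suffix
            score += 1
            reasons.append(f"DLL name {dll!r} looks random")
        entry = m.group("entry")
        if entry is None or len(entry) <= 1:
            score += 1
            reasons.append(f"entry point {entry!r} is absent or a single letter")
    if RE_GENERATED_NAME.match(value_name):
        score += 1
        reasons.append(f"value name {value_name!r} looks generated")
    return Finding(key, value_name, command, score, reasons)


def triage_reg_export(text, threshold=2):
    """Return the entries whose score reaches the threshold, highest score first."""
    findings = [triage_entry(k, n, d) for k, n, d in parse_reg_export(text)]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage_reg_export(SAMPLE_REG_EXPORT):
        print(f"[{f.score}] {f.value_name}: {f.command}")
        for r in f.reasons:
            print("     -", r)
```

Run against the constructed export, only `BM3b6d974d` reaches the threshold (all four signals fire); the nVidia entry scores one point for using rundll32.exe and is left alone, which is why the threshold sits at two rather than one.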

Posted

Re: Registry Startup folder

 

Alex Levi wrote:

> Can anyone tell me what is the following line that I found in my registry

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

>

> Key: BM3b6d974d

> Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s

>

> When using Registry monitor I found that my Explorer.exe is writing this key

> (almost every second)

> Is this normal?

>

> I tried to scan my PC with NAV, Spybot, online scanners and found nothing.

>

> Thanks.

 

Restart in Safe Mode, and delete the file xqfulqgt.dll. Also run

Regedit and remove any entries that mention the file, but I suspect some

other process is doing the writing. In "Safe Mode with Networking", try

running an Online Scan to see if malware that disables your protection

is running.

 

Try one of these free online virus scans:

 

This one has a choice of a Quick or a Complete check

http://www.pcpitstop.com/

 

Symantec

http://security.symantec.com/default.asp?productid=ssr&langid=ie&venid=sym

 

<url:http://security2.norton.com/us/home.asp?j=1&venid=sym&langid=us&plfid=20&pkj=IHBEXIBVEMBQAUWZKTK>

then click the Security check link.

 

http://housecall.antivirus.com/ free online virus scan

 

http://www.ewido.net/en/

 

http://www.pandasoftware.com/products/activescan.htm

 

Also try a virus discussion group for better solutions.

 

--

Joe =o)

Guest Daniel Martín [MVP]
Posted

Re: Registry Startup folder

 

Hi, Alex:

 

When I see a DLL with a random name, I think of malware. Why is Explorer.exe

constantly writing that key? Maybe some kind of malicious shell extension

running in the context of Explorer.exe. It is even possible that it is a

"fake" Explorer.exe process, not the legit one. Use Autoruns

(http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) booting from

Safe Mode and disable all suspicious startup items.

 

--

Regards,

Daniel Martín

Microsoft MVP Windows Desktop Experience

 

 

"Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message

news:D576E846-7D9E-478B-93A3-98B233D99B89@microsoft.com...

> Can anyone tell me what is the following line that I found in my registry

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

>

> Key: BM3b6d974d

> Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s

>

> When using Registry monitor I found that my Explorer.exe is writing this

> key

> (almost every second)

> Is this normal?

>

> I tried to scan my PC with NAV, Spybot, online scanners and found nothing.

>

> Thanks.

Posted

RE: Registry Startup folder

 

 

 

"Alex Levi" wrote:

> Can anyone tell me what is the following line that I found in my registry

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

>

> Key: BM3b6d974d

> Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s

>

> When using Registry monitor I found that my Explorer.exe is writing this key

> (almost every second)

> Is this normal?

>

> I tried to scan my PC with NAV, Spybot, online scanners and found nothing.

>

> Thanks.

 

Your anti-virus removed the viral infection, but it is still in the root

system and in the Registry; please perform the cleaning steps to make sure

nothing is lurking in the background to revive the infestation back to action!

Unexplained computer behaviour may be caused by deceptive software

http://support.microsoft.com/kb/827315

 

Go through these Cleaning steps:

1... First, try to clean up your caches, Internet files and delete cookies

by doing this:

Click Start >> Control Panel >> Double click Network and Internet

Connections >> Double click Internet Options.

On the IE properties windows you will see these Tabs:

General | Security | Privacy | Content | Connections | Programs |

Advanced

Under General Tab clear your History, Internet Files and Cookies.

Then click on Advanced tab and scroll down to under the Browsing Option:

[&] Browsing

[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.

Then click on Programs Tab and click Manage Add-Ons and Disable all non

Verified Add-Ons (You should re-enable them later one-by-one and see the

culprit and update it or remove it).

How to manage Add-Ons:

http://support.microsoft.com/kb/883256

Scan for malware from here:

SuperAntispyware - Free

http://www.superantispyware.com/superantispywarefreevspro.html

RootkitRevealer v1.71

By Bryce Cogswell and Mark Russinovich

http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

 

 

Run a scan from here on-line:

http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Download Avast Cleaner (offline scanner) from here:

http://www.avast.com/eng/avast-virus-cleaner.html

 

You can download this tool "AutoRuns for Windows"

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

And remove the entry from here:

 

Locate this key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = look in

the right pane/window and remove the entry for it

"C:\Windows\System32\xqfulqgt.dll".

 

Run disk cleanup and defrag in safe mode. Then run this command:

sfc /scannow

 

HTH.

nass

---

http://www.nasstec.co.uk

Guest Alex Levi
Posted

RE: Registry Startup folder

 

I tried everything you suggested,

tried to remove suspicious programs from startup and with task manager in my

account and in safe mode,

In Safe Mode my spybot v1.6 found the virtumonde.dll and deleted it. After

each restart it found it again and again. All online scanners didn't find

anything.

 

Also I found some interesting file in my windows folder called

BM3b6d974d.txt with the following context:

 

< .... Date ... > Process attached explorer - 0 - 0

< .... Date ... > Start thread connector, thread id: - 2588 - 0

< .... Date ... > Start thread protector, thread id: - 2132 - 0

*** BEGIN EXEPTION REPORT ***

EXE C:\WINDOWS\EXPLORER.EXE

Module C:\WINDOWS\System32\fwfltkxd.dll

....

....

 

I deleted this file...

 

Also found wininit.ini in my Windows folder (also deleted it):

 

[rename]

C:\tempjunk3267.tmp = C:\WINDOWS\system32\rqRIaAqn.dll

nul=C:\tempjunk3267.tmp

 

The file rqRIaAqn.dll is reported by spybot as the virtumonde.dll virus but

I'm unable to delete it. The DLL attached itself to explorer.exe and

winlogon.exe,

If I try to remove it from memory (with unlocker.exe), windows automatically

crashes (in safe mode too) and the standard delete does not work (file in use

error).

 

I don't see any other option than formatting my PC.

 

Thanks.

 

 

 

"Alex Levi" wrote:

> Can anyone tell me what is the following line that I found in my registry

> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

>

> Key: BM3b6d974d

> Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s

>

> When using Registry monitor I found that my Explorer.exe is writing this key

> (almost every second)

> Is this normal?

>

> I tried to scan my PC with NAV, Spybot, online scanners and found nothing.

>

> Thanks.
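The wininit.ini fragment Alex found is worth being able to read precisely, because it is processed once at the next boot, before the shell starts, which is how it can act on files that are locked by explorer.exe or winlogon.exe while Windows is running. Each line under [rename] reads destination=source: the source file is moved onto the destination, and a destination of NUL deletes the source. The following is an added example, not code from the thread, that parses such a queue and replays it to show the net effect on each file. It assumes the documented wininit.ini semantics just described and that entries run in file order; the sample is the fragment quoted in the post above, and the second queue in the test is constructed.

```python
r"""Decode a wininit.ini [rename] queue and work out its net effect.

Added example, not code from the thread. Assumed semantics (as documented for
wininit.ini): entries run in file order at the next boot; destination=source
moves the source file onto the destination, overwriting it; a destination of
NUL deletes the source.
"""

# The fragment quoted in the thread.
SAMPLE_WININIT_INI = r"""[rename]
C:\tempjunk3267.tmp = C:\WINDOWS\system32\rqRIaAqn.dll
nul=C:\tempjunk3267.tmp
"""


def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section, in file order."""
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            pairs.append((dest, src))
    return pairs


def net_effect(pairs):
    """Replay the queue and map each original source file to where its bytes
    end up; None means the file is gone once the boot completes."""
    location = {}  # original path -> current path, or None once deleted
    for dest, src in pairs:
        # Which original file currently sits at `src`? Itself, unless an
        # earlier entry moved something else there.
        origin = next((o for o, cur in location.items()
                       if cur and cur.lower() == src.lower()), src)
        # Anything an earlier entry parked at `dest` is overwritten now.
        for o, cur in list(location.items()):
            if o != origin and cur and cur.lower() == dest.lower():
                location[o] = None
        location[origin] = None if dest.lower() == "nul" else dest
    return location


def describe(effect):
    """One human-readable line per original file."""
    return [f"{path} -> " + ("deleted at next boot" if dest is None else f"moved to {dest}")
            for path, dest in effect.items()]


if __name__ == "__main__":
    for line in describe(net_effect(parse_rename_section(SAMPLE_WININIT_INI))):
        print(line)
```

For the quoted fragment the two entries net out to a single outcome: rqRIaAqn.dll is moved to the temp file and the temp file is then deleted, so the DLL is gone after the reboot. That is a deferred delete of a locked file; the thread does not establish which program wrote the queue, and reading it this way before rebooting tells you what will change either way. The same replay shows the opposite case, a temp file moved over a system DLL, as a replacement rather than a delete.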

Posted

Re: Registry Startup folder

 

Spyware Cleaners that WORK!

 

Line 393 - Right Hand Side: http://www.kellys-korner-xp.com/xp_tweaks.htm

 

Or see: http://www.kellys-korner-xp.com/xp_s.htm#spy

 

*Note: Update all (except HijackThis) before using.

 

Once the software is updated, go offline to run the scans.

--

 

All the Best,

Kelly (MS-MVP/DTS&XP)

 

Taskbar Repair Tool Plus!

http://www.kellys-korner-xp.com/taskbarplus!.htm

 

SupportSpace

http://www.supportspace.com/pages?aiu=kellyskorner

 

"Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message

news:72848419-610A-4836-BE62-4AB02006BBF4@microsoft.com...

>I tried everything you suggested,

> tried to remove suspicious programs from startup and with task manager in

> my

> account and in safe mode,

> In Safe Mode my spybot v1.6 found the virtumonde.dll and deleted it. After

> each restart it found it again and again. All online scanners didn't find

> anything.

>

> Also I found some interesting file in my windows folder called

> BM3b6d974d.txt with the following context:

>

> < .... Date ... > Process attached explorer - 0 - 0

> < .... Date ... > Start thread connector, thread id: - 2588 - 0

> < .... Date ... > Start thread protector, thread id: - 2132 - 0

> *** BEGIN EXEPTION REPORT ***

> EXE C:\WINDOWS\EXPLORER.EXE

> Module C:\WINDOWS\System32\fwfltkxd.dll

> ...

> ...

>

> I deleted this file...

>

> Also found wininit.ini in my Windows folder (also deleted it):

>

> [rename]

> C:\tempjunk3267.tmp = C:\WINDOWS\system32\rqRIaAqn.dll

> nul=C:\tempjunk3267.tmp

>

> The file rqRIaAqn.dll is reported by spybot as the virtumonde.dll virus

> but

> I'm unable to delete it. The DLL attached itself to explorer.exe and

> winlogon.exe,

> If I try to remove it from memory (with unlocker.exe), windows

> automatically

> crashes (in safe mode too) and the standard delete does not work (file in

> use

> error).

>

> I don't see any other option than formatting my PC.

>

> Thanks.

>

>

>

> "Alex Levi" wrote:

>

>> Can anyone tell me what is the following line that I found in my registry

>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

>>

>> Key: BM3b6d974d

>> Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s

>>

>> When using Registry monitor I found that my Explorer.exe is writing this

>> key

>> (almost every second)

>> Is this normal?

>>

>> I tried to scan my PC with NAV, Spybot, online scanners and found

>> nothing.

>>

>> Thanks.

Posted

Re: Registry Startup folder

 

I love that Virtumonde trojan!

 

I've disassembled it and it is a work of art.

 

But of course I hate it too.

 

Virtumonde uses winlogon to stay resident and at boot up copies itself to RAM. If you delete it it

just copies itself from memory.

 

The best way to remove it, all of it, is to just use the free SUPERAntiSpyware:

http://www.superantispyware.com/

 

I've tried just about every scanner and the only one to get rid of all of Virtumonde was

SUPERAntiSpyware.

 

 

ju.c

 

 

"Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message

news:72848419-610A-4836-BE62-4AB02006BBF4@microsoft.com...

> I tried everything you suggested,

> tried to remove suspicious programs from startup and with task manager in my

> account and in safe mode,

> In Safe Mode my spybot v1.6 found the virtumonde.dll and deleted it. After

> each restart it found it again and again. All online scanners didn't find

> anything.

>

> Also I found some interesting file in my windows folder called

> BM3b6d974d.txt with the following context:

>

> < .... Date ... > Process attached explorer - 0 - 0

> < .... Date ... > Start thread connector, thread id: - 2588 - 0

> < .... Date ... > Start thread protector, thread id: - 2132 - 0

> *** BEGIN EXEPTION REPORT ***

> EXE C:\WINDOWS\EXPLORER.EXE

> Module C:\WINDOWS\System32\fwfltkxd.dll

> ...

> ...

>

> I deleted this file...

>

> Also found wininit.ini in my Windows folder (also deleted it):

>

> [rename]

> C:\tempjunk3267.tmp = C:\WINDOWS\system32\rqRIaAqn.dll

> nul=C:\tempjunk3267.tmp

>

> The file rqRIaAqn.dll is reported by spybot as the virtumonde.dll virus but

> I'm unable to delete it. The DLL attached itself to explorer.exe and

> winlogon.exe,

> If I try to remove it from memory (with unlocker.exe), windows automatically

> crashes (in safe mode too) and the standard delete does not work (file in use

> error).

>

> I don't see any other option than formatting my PC.

>

> Thanks.

>

>

>

> "Alex Levi" wrote:

>

>> Can anyone tell me what is the following line that I found in my registry

>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

>>

>> Key: BM3b6d974d

>> Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s

>>

>> When using Registry monitor I found that my Explorer.exe is writing this key

>> (almost every second)

>> Is this normal?

>>

>> I tried to scan my PC with NAV, Spybot, online scanners and found nothing.

>>

>> Thanks.

Posted

RE: Registry Startup folder

 

 

Hi Alex,

Can you send me your hijackthis log at my address.

download Hijackthis and send me the log.

(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)

my address is : to_you_ross(at remove this and replace with the

obvious)yahoo.co.uk

 

( _ is underscore)

HTH.

nass

---

http://www.nasstec.co.uk

 

"Alex Levi" wrote:

> I tried everything you suggested,

> tried to remove suspicious programs from startup and with task manager in my

> account and in safe mode,

> In Safe Mode my spybot v1.6 found the virtumonde.dll and deleted it. After

> each restart it found it again and again. All online scanners didn't find

> anything.

>

> Also I found some interesting file in my windows folder called

> BM3b6d974d.txt with the following context:

>

> < .... Date ... > Process attached explorer - 0 - 0

> < .... Date ... > Start thread connector, thread id: - 2588 - 0

> < .... Date ... > Start thread protector, thread id: - 2132 - 0

> *** BEGIN EXEPTION REPORT ***

> EXE C:\WINDOWS\EXPLORER.EXE

> Module C:\WINDOWS\System32\fwfltkxd.dll

> ...

> ...

>

> I deleted this file...

>

> Also found wininit.ini in my Windows folder (also deleted it):

>

> [rename]

> C:\tempjunk3267.tmp = C:\WINDOWS\system32\rqRIaAqn.dll

> nul=C:\tempjunk3267.tmp

>

> The file rqRIaAqn.dll is reported by spybot as the virtumonde.dll virus but

> I'm unable to delete it. The DLL attached itself to explorer.exe and

> winlogon.exe,

> If I try to remove it from memory (with unlocker.exe), windows automatically

> crashes (in safe mode too) and the standard delete does not work (file in use

> error).

>

> I don't see any other option than formatting my PC.

>

> Thanks.

>

>

>

> "Alex Levi" wrote:

>

> > Can anyone tell me what is the following line that I found in my registry

> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

> >

> > Key: BM3b6d974d

> > Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s

> >

> > When using Registry monitor I found that my Explorer.exe is writing this key

> > (almost every second)

> > Is this normal?

> >

> > I tried to scan my PC with NAV, Spybot, online scanners and found nothing.

> >

> > Thanks.
