Registry Startup folder

Alex Levi

Can anyone tell me what is the following line that I found in my registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Key: BM3b6d974d
Value: Rundll32.exe "C:\WINDOWS\system32\xqfulqgt.dll",s

When using Registry monitor I found that my Explorer.exe is writing this key
(almost every second)
Is this normal?

I tried to scan my PC with NAV, Spybot, online scanners and found nothing.

Thanks.
 
Elmo

Restart in Safe Mode and delete the file xqfulqgt.dll. Also run
Regedit and remove any entries that mention the file, but I suspect some
other process is doing the writing. In "Safe Mode with Networking", try
running an online scan to see if malware that disables your protection
is running.

Try one of these free online virus scans:

This one has a choice of a Quick or a Complete check
http://www.pcpitstop.com/

Symantec
http://security.symantec.com/default.asp?productid=ssr&langid=ie&venid=sym

http://security2.norton.com/us/home.asp?j=1&venid=sym&langid=us&plfid=20&pkj=IHBEXIBVEMBQAUWZKTK
then click the Security check link.

http://housecall.antivirus.com/ free online virus scan

http://www.ewido.net/en/

http://www.pandasoftware.com/products/activescan.htm

Also try a virus discussion group for better solutions.
 
Daniel Martín [MVP]

Hi, Alex:

When I see a DLL with a random name, I think of malware. Why is Explorer.exe
constantly writing that key? Maybe some kind of malicious shell extension
running in the context of Explorer.exe. It is even possible that it is a
"fake" Explorer.exe process, not the legitimate one. Use Autoruns
(http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) booting from
Safe Mode and disable all suspicious startup items.
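Daniel's point, that something living inside Explorer.exe is re-writing the Run value, can be checked directly. The PowerShell below is an added example, not code from this thread or from Autoruns: it lists every Run/RunOnce value in HKLM and HKCU, pulls the DLL path and export name out of rundll32 command lines such as the one Alex posted, checks whether the DLL exists and carries a valid Authenticode signature, flags names that look machine-generated, and then lists unsigned modules loaded into explorer.exe and winlogon.exe. The random-name heuristic and the choice of processes are assumptions for illustration; it needs Windows PowerShell 3.0 or later run as Administrator.

```powershell
# Added example (not from the thread): audit Run keys for rundll32-loaded DLLs
# and list unsigned modules inside explorer.exe / winlogon.exe.
# Assumes Windows PowerShell 3.0+ in an elevated session.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-RandomLookingName {
    param([string]$Path)
    # Heuristic only (assumption): eight letters with at most one vowel, or a
    # mixed-case jumble, is what the thread's samples look like
    # (xqfulqgt, fwfltkxd, rqRIaAqn). Expect false positives; treat as a hint.
    $base = [IO.Path]::GetFileNameWithoutExtension($Path)
    if ($base -notmatch '^[A-Za-z]{8}$') { return $false }
    $vowels = ([regex]::Matches($base, '[aeiouAEIOU]')).Count
    $mixed  = ($base -cmatch '[a-z]') -and ($base -cmatch '[A-Z]') -and
              ($base -cnotmatch '^[A-Z][a-z]+$')   # keep "Explorer"-style names out
    return (($vowels -le 1) -or $mixed)
}

function Get-RunEntryReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            $cmd    = [string]$item.GetValue($valueName)
            $dll    = $null
            $export = $null
            $status = 'n/a'
            $random = $false
            # rundll32 lines look like: Rundll32.exe "C:\path\name.dll",Export
            if ($cmd -match 'rundll32(\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)') {
                $dll    = $matches[2]
                $export = $matches[3]
                $random = Test-RandomLookingName $dll
                if (Test-Path $dll) {
                    $status = (Get-AuthenticodeSignature $dll).Status
                } else {
                    $status = 'FileMissing'
                }
            }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $valueName
                Command    = $cmd
                Dll        = $dll
                Export     = $export
                Signature  = $status
                RandomName = $random
            }
        }
    }
}

function Get-UnsignedModule {
    param([string[]]$ProcessName = @('explorer', 'winlogon'))
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            $mods = $p.Modules      # needs elevation for winlogon; may throw
        } catch {
            Write-Warning "Cannot read modules of $($p.Name) (PID $($p.Id)): $_"
            continue
        }
        foreach ($m in $mods) {
            $sig = Get-AuthenticodeSignature $m.FileName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Process    = $p.Name
                    PID        = $p.Id
                    Module     = $m.FileName
                    Signature  = $sig.Status
                    RandomName = (Test-RandomLookingName $m.FileName)
                }
            }
        }
    }
}

Get-RunEntryReport | Where-Object { $_.Dll } | Format-Table -AutoSize
Get-UnsignedModule | Format-Table -AutoSize
```

Older Windows releases report many legitimate, catalog-signed system DLLs as NotSigned because Get-AuthenticodeSignature only sees embedded signatures there, so use the output to pick candidates for Autoruns or a hash lookup rather than as a verdict. Running the first listing twice a minute apart shows whether the value keeps coming back, and the second listing tells you which non-Microsoft module inside explorer.exe is the likely writer.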
 
nass

Your anti-virus removed the viral infection, but it is still in the root of
the system and in the registry. Please perform the cleaning steps to make sure
nothing is lurking in the background to revive the infestation.
Unexplained computer behaviour may be caused by deceptive software
http://support.microsoft.com/kb/827315

Go through these Cleaning steps:
1... First, try to clean up your caches, Internet files and delete cookies
by doing this:
Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties window you will see these tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under the General tab clear your History, Internet Files and Cookies.
Then click on the Advanced tab and scroll down to the Browsing option:
[&] Browsing
[ ] Enable Third-Party browser extensions (requires restart): uncheck this box.
Then click on the Programs tab, click Manage Add-Ons and disable all
non-verified add-ons (you should re-enable them later one by one to find
the culprit, and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
RootkitRevealer v1.71
By Bryce Cogswell and Mark Russinovich
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx


Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html

You can download this tool "AutoRuns for Windows"
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
And remove the entry from here:

Locate this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = look in
the right pane/window and remove the entry for it
"C:\Windows\System32\xqfulqgt.dll".

Run disk cleanup and defrag in safe mode. Then run this command:
sfc /scannow

HTH.
nass
 
Alex Levi

I tried everything you suggested: tried to remove suspicious programs from
startup and with Task Manager, in my account and in Safe Mode.
In Safe Mode my Spybot v1.6 found the virtumonde.dll and deleted it. After
each restart it found it again and again. All online scanners didn't find
anything.

Also I found an interesting file in my Windows folder called
BM3b6d974d.txt with the following content:

< .... Date ... > Process attached explorer - 0 - 0
< .... Date ... > Start thread connector, thread id: - 2588 - 0
< .... Date ... > Start thread protector, thread id: - 2132 - 0
*** BEGIN EXEPTION REPORT ***
EXE C:\WINDOWS\EXPLORER.EXE
Module C:\WINDOWS\System32\fwfltkxd.dll
....
....

I deleted this file...

Also found wininit.ini in my Windows folder (also deleted it):

[rename]
C:\tempjunk3267.tmp = C:\WINDOWS\system32\rqRIaAqn.dll
nul=C:\tempjunk3267.tmp

The file rqRIaAqn.dll is reported by Spybot as the virtumonde.dll virus, but
I'm unable to delete it. The DLL attached itself to explorer.exe and
winlogon.exe.
If I try to remove it from memory (with unlocker.exe), Windows automatically
crashes (in Safe Mode too) and the standard delete does not work (file in use
error).

I don't see any other option than formatting my PC.

Thanks.
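The wininit.ini [rename] section Alex found uses lines of the form destination=source, and a destination of nul means "delete the source at the next boot". NT-based Windows, XP included, performs its own boot-time renames from the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager instead, a REG_MULTI_SZ of source/destination pairs in which an empty destination means delete. The PowerShell below is an added example, not code from this thread or from any of the tools named in it: it decodes both lists into plain Rename/Delete actions so you can see what will happen to a file such as rqRIaAqn.dll at reboot before you trust that the removal stuck. The sample wininit.ini text is constructed from the two lines Alex posted; the registry read assumes an elevated Windows PowerShell 3.0+ session.

```powershell
# Added example (not from the thread): show pending boot-time renames/deletes
# from a wininit.ini [rename] section and from PendingFileRenameOperations.

function ConvertFrom-WinInitRename {
    param([string[]]$Lines)
    $inRename = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {            # section header
            $inRename = ($matches[1] -ieq 'rename')
            continue
        }
        if (-not $inRename -or $t -eq '' -or $t.StartsWith(';')) { continue }
        $parts = $t -split '=', 2                 # destination=source
        if ($parts.Count -lt 2) { continue }
        $dest = $parts[0].Trim()
        $src  = $parts[1].Trim()
        $isDelete = ($dest -ieq 'nul')            # NUL destination = delete source
        [pscustomobject]@{
            Origin      = 'wininit.ini'
            Action      = $(if ($isDelete) { 'Delete' } else { 'Rename' })
            Source      = $src
            Destination = $(if ($isDelete) { $null } else { $dest })
        }
    }
}

function Get-PendingFileRename {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $v) { return }
    # REG_MULTI_SZ of (source, destination) pairs; empty destination = delete.
    for ($i = 0; $i + 1 -lt $v.Count; $i += 2) {
        $src = $v[$i]     -replace '^\\\?\?\\', ''   # strip the \??\ NT prefix
        $dst = $v[$i + 1] -replace '^\\\?\?\\', ''
        $isDelete = ($dst -eq '')
        [pscustomobject]@{
            Origin      = 'PendingFileRenameOperations'
            Action      = $(if ($isDelete) { 'Delete' } else { 'Rename' })
            Source      = $src
            Destination = $(if ($isDelete) { $null } else { $dst })
        }
    }
}

# Constructed sample, copied from the two entries Alex posted.
$sampleWinInit = @'
[rename]
C:\tempjunk3267.tmp = C:\WINDOWS\system32\rqRIaAqn.dll
nul=C:\tempjunk3267.tmp
'@ -split "`r?`n"

ConvertFrom-WinInitRename $sampleWinInit | Format-Table -AutoSize
# Expected: Rename C:\WINDOWS\system32\rqRIaAqn.dll -> C:\tempjunk3267.tmp,
#           then Delete C:\tempjunk3267.tmp.

# Read the live file if present, then the registry list.
$ini = Join-Path $env:windir 'wininit.ini'
if (Test-Path $ini) { ConvertFrom-WinInitRename (Get-Content $ini) | Format-Table -AutoSize }
Get-PendingFileRename | Format-Table -AutoSize
```

Because both functions emit the same object shape, the three listings can be piped together into one table or exported with Export-Csv for a record of what was scheduled before the reboot; a DLL that is still present afterwards, with the entry gone, is the same "comes back after every restart" behaviour Alex describes and points at a second copy being restored from a running process rather than a failed rename.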
 
Kelly

Spyware Cleaners that WORK!

Line 393 - Right Hand Side: http://www.kellys-korner-xp.com/xp_tweaks.htm

Or see: http://www.kellys-korner-xp.com/xp_s.htm#spy

*Note: Update all (except HijackThis) before using.

Once the software is updated, go offline to run the scans.
--

All the Best,
Kelly (MS-MVP/DTS&XP)

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm

SupportSpace
www.supportspace.com/pages?aiu=kellyskorner

 
ju.c

I love that Virtumonde trojan!

I've disassembled it and it is a work of art.

But of course I hate it too.

Virtumonde uses winlogon to stay resident and at boot-up copies itself to RAM. If you delete it, it
just copies itself back from memory.

The best way to remove it, all of it, is to just use the free SUPERAntiSpyware:
http://www.superantispyware.com/

I've tried just about every scanner and the only one to get rid of all of Virtumonde was
SUPERAntiSpyware.


ju.c


 
nass

Hi Alex,
Can you send me your HijackThis log to my address?
Download HijackThis and send me the log.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
My address is: to_you_ross(at, remove this and replace with the
obvious)yahoo.co.uk

( _ is underscore)
HTH.
nass
---
http://www.nasstec.co.uk

 
