Doing a little snooping, I was surprised to find a few extra executables in my Task Manager with somewhat suspicious filenames.
There were 2 instances of "rundii32.exe", as opposed to the usual "rundLL32.exe".
Great! Less than 2 weeks ago I got another virus, wasting another day off.
What a way to kill time.
I'm setting a new record here folks!
The culprit (File properties):
Filename: rundii32.exe
Size: 1.30 MB (1,372,160 bytes)
How it got there:
Stupidly I didn't check the comments on the torrent before downloading and installing.
The installer was bundled with a trojan that extracted itself on execution; because the real application still installed properly, nothing looked wrong.
The damage:
I'm still not quite sure which strain it was, but it created a file called "rundii32.exe" within the temporary folders "%TEMP%\IXP000.TMP" and "%TEMP%\IXP001.TMP" (where "%TEMP%" is your system temporary folder).
This may just be in my case, as it is a common trait of installer packagers to put files into directories with that naming convention.
I suppose these executables sit around and steal info.
Also, it adds itself into the startup.
The fix:
A nifty program that scans your running tasks (and startup) is Trend Micro HijackThis.
(Yes, I was surprised to find that Trend bought them out too!)
A quick scan showed that it had added itself to RunOnce, so to remove it...
I fired up TuneUp Utilities Registry Editor again.
Under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", delete the 2 values whose command lines refer to "IXP000.TMP" and "IXP001.TMP".
End the two running "rundii32.exe" processes in Task Manager first, otherwise Windows will refuse to delete files that are in use.
Now paste "%TEMP%\IXP000.TMP" and "%TEMP%\IXP001.TMP" into the Explorer address bar to locate the "rundii32.exe" files and delete them.
That should be enough to clear it.
A thorough scan with an updated antivirus afterwards should do the trick.
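The same clean-up as a script, added here as an example and not part of the original post or any tool it mentions. It walks the Run and RunOnce keys under HKLM and HKCU, flags any value whose command line points into a "%TEMP%\IXPnnn.TMP" folder or names "rundii32.exe", lists running processes whose image is the look-alike name or a "rundll32.exe" that is not loaded from System32/SysWOW64, and lists the leftover IXP*.TMP folders. The patterns, the key list and the -Remove switch are my assumptions based on the post; the legitimate rundll32.exe lives in the Windows system directory and carries a Microsoft Authenticode signature, which is the check the script prints for each hit.

```powershell
# Added example (not from the original post): audit, and optionally remove, the
# autostart entries, processes and temp folders described above.
# Run from an elevated PowerShell prompt. Nothing is changed unless -Remove is given.
param([switch]$Remove)

# Autostart keys to inspect (assumed list; the post only mentions HKLM RunOnce).
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Indicators taken from the post: IXPnnn.TMP extraction folders and the i-for-l look-alike name.
$suspicious = '(?i)\\IXP\d{3}\.TMP\\|rundii32\.exe'

# Where the genuine rundll32.exe is allowed to run from.
$systemDirs = '(?i)^' + [regex]::Escape($env:SystemRoot) + '\\(System32|SysWOW64)\\'

# 1. Registry autostart values.
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ($p.Value -match $suspicious) {
            Write-Host "SUSPICIOUS VALUE   $key\$($p.Name) = $($p.Value)"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $p.Name }
        }
    }
}

# 2. Running processes: the look-alike name, or rundll32.exe outside the system directory.
#    Processes are stopped before files are touched so the deletes do not fail on in-use files.
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    $name = [System.IO.Path]::GetFileName($_.Path)
    if (($name -ieq 'rundii32.exe') -or
        (($name -ieq 'rundll32.exe') -and ($_.Path -notmatch $systemDirs))) {
        $sig = (Get-AuthenticodeSignature -FilePath $_.Path).Status
        Write-Host "SUSPICIOUS PROCESS PID $($_.Id)  $($_.Path)  signature=$sig"
        if ($Remove) { Stop-Process -Id $_.Id -Force }
    }
}

# 3. Leftover IXPnnn.TMP extraction folders in %TEMP%.
Get-ChildItem -Path $env:TEMP -Directory -Filter 'IXP*.TMP' -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "TEMP FOLDER        $($_.FullName)"
    Get-ChildItem -Path $_.FullName -File -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "    $($_.FullName)  $($_.Length) bytes" }
    if ($Remove) { Remove-Item -Path $_.FullName -Recurse -Force }
}
```

Run it once without -Remove and read the output before running it again with -Remove; a legitimate installer that is still mid-extraction also uses IXPnnn.TMP folders, so check that each hit really is the rogue binary (wrong name, wrong directory, missing or invalid signature) before deleting it.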