rundli32.exe - Dangerous
rundli32.exe
Manual removal instructions:
Antivirus Report of rundli32.exe:
rundli32.exe
It appears when you infected with the LADE VIRUS.
W32.Lade is a worm that spread itself through IRC.
It attempts to remove antivirus software installed on the PC and may attempt to format the hard drive partitions C, D, E, F, and G at system restart.
Also Known as Backdoor.IRC.Lade
W32.Lade performs the following actions:
1. Drops a copy of itself to %Windir%\System\rundli32.exe.
NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
2. Checks whether mIRC is installed, and if found, drops its own version of Script.ini, which contains code to spread itself by mIRC, to the mIRC folder.
3. Drops the batch file, %Windir%\Winstart.bat, which contains code to remove antivirus software when you restart the computer.
4. Adds values for "w32.BeanLadean.B.worm" to the following registry keys:
HKEY_LOCAL_MACHINE\
HKEY_LOCAL_MACHINE\Software\
HKEY_LOCAL_MACHINE\Software\Microsoft\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
5. Adds the value:
"rundli32"="%Windir%\System\rundli32.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
6. May edit the C:\Autoexec.bat to attempt to format hard drive partitions C, D, E, F, and G at system restart, depending on circumstances.
Removal instruction:
1. Run a full system scan with your antiviral programm.
If any files are detected as infected with W32.Lade, click Delete.
2. Deleting the values from the registry
Find the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Delete the value:
"rundli32"="%Windir%\System\rundli32.exe"
Then go to the keys:
HKEY_LOCAL_MACHINE\
HKEY_LOCAL_MACHINE\Software\
HKEY_LOCAL_MACHINE\Software\Microsoft\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
and delete any values that refer to:
"w32.BeanLadean.B.worm"
rundli32.exe | Malware |
rundli32.exe | Dangerous |
rundli32.exe | High Risk |
W32.Lade is a worm that spread itself through IRC.
It attempts to remove antivirus software installed on the PC and may attempt to format the hard drive partitions C, D, E, F, and G at system restart.
Also Known as Backdoor.IRC.Lade
W32.Lade performs the following actions:
1. Drops a copy of itself to %Windir%\System\rundli32.exe.
NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
2. Checks whether mIRC is installed, and if found, drops its own version of Script.ini, which contains code to spread itself by mIRC, to the mIRC folder.
3. Drops the batch file, %Windir%\Winstart.bat, which contains code to remove antivirus software when you restart the computer.
4. Adds values for "w32.BeanLadean.B.worm" to the following registry keys:
HKEY_LOCAL_MACHINE\
HKEY_LOCAL_MACHINE\Software\
HKEY_LOCAL_MACHINE\Software\Microsoft\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
5. Adds the value:
"rundli32"="%Windir%\System\rundli32.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
6. May edit the C:\Autoexec.bat to attempt to format hard drive partitions C, D, E, F, and G at system restart, depending on circumstances.
Removal instruction:
1. Run a full system scan with your antiviral programm.
If any files are detected as infected with W32.Lade, click Delete.
2. Deleting the values from the registry
Find the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Delete the value:
"rundli32"="%Windir%\System\rundli32.exe"
Then go to the keys:
HKEY_LOCAL_MACHINE\
HKEY_LOCAL_MACHINE\Software\
HKEY_LOCAL_MACHINE\Software\Microsoft\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
and delete any values that refer to:
"w32.BeanLadean.B.worm"
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.