
RunDLL startup process bad command line

Anonymous
2022-12-31T10:58:02+00:00

Hello,

I reach you guys after spending hours trying to understand and fix what's going on here on my computer.

I'm not a computer engineer but I know how to deal with Windows. However, this time I've been spending way too much time on something that I couldn't fix, and that is very annoying. Any help is welcome.

First, I don't want to reinstall Windows. I know this would fix my issue, but I have far too much software installed and don't want to reinstall everything.

Problem: Classic "RunDLL" error message at startup (see screengrab). Shows at each startup.

Troubleshooting I've been through and hints that I've found:

I reckon my computer has been infected with a virus that my Malwarebytes has quarantined and destroyed, but there is still some startup indication that makes RunDLL try to load this malicious DLL "BPO_Me something". Somehow, I don't find it anywhere in Autoruns nor in the Task Scheduler.

The path not tilde-reduced is this one: "C:\Users\lader\AppData\Local\WindowBridge\EveltFicjer".

I know it because when I use Windows Run to go to the tilde path, it opens this full path.

Here is the content of the folder (which is not hidden). I've no trouble navigating to this folder, but this malicious "BPO_ME~1.DLL" isn't in it; I reckon my anti-malware had removed it.

I've spent HOURS in AUTORUNS and PROCESS MONITOR from Sysinternals trying to find some hints.

I didn't find ANY entry that corresponds to this specific rundll call in Autoruns.

However, I've found a few more pieces of information in Process Monitor. I've added a filter with the specific path as follows and I've got some interesting output.

Output:

See the "Command Line" row?

I found the same output with the wmic command:

wmic process where "name='rundll32.exe'" >C:\users\lader\desktop\log.txt

CommandLine: C:\WINDOWS\SysWOW64\RUNDLL32.EXE C:\Users\lader\AppData\Local\WINDOW~1\EVELTF~1\BPO_ME~1.DLL fdBta_Srcugabt

So if I understand what I see, I reckon this command line is the one that calls this malicious DLL at each startup.

Here's my problem: I CAN'T GET RID OF THIS LINE. Am I doing something wrong here? Am I missing the point? How do I erase this command line? How do I make Windows ignore it?

I've searched through the registry and found some occurrences of this malicious DLL at this path:

Ordinateur\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

I've removed the "H" and "J" values that contain the path C:\Users\lader\AppData\Local\WINDOW~1\EVELTF~1\BPO_ME~1.DLL, hoping that this would do the fix. But not at all. And the "G" value keeps refilling itself with this "AppData\local\window~1\EVELTF~1" line.

So I'm a little bit lost. I don't know what to do next.

Sorry if it's a bit messy, and again thank you for any help. Wish you all a happy new year.

Cheers

Windows for home | Windows 10 | Performance and system failures

Locked Question. This question was migrated from the Microsoft Support Community.

5 answers

  1. Anonymous
    2022-12-31T15:40:17+00:00

    Hi Nope NopeBH,

    Yes, you can safely delete that folder, it is not a required system folder.

  2. Anonymous
    2022-12-31T14:56:45+00:00

    Of course, how stupid I am..

    I didn't uncheck it because I thought that would disable "the whole" rundll thing, thus making Windows not work correctly. But this is not related, is it?

    I disabled it and the message doesn't appear anymore, so thank you very much!

    Do you think I can delete the whole \local\WINDOW~1\ folder? Everything in it seems suspicious, or are there some real working files?

    Thank you for your kind input, I wish you a very pleasant new year's eve.

  3. Anonymous
    2022-12-31T12:32:54+00:00

    Hi Nope NopeBH,

    That does seem to be the correct entry you have found, untick that entry in Autoruns and test if the problem is fixed.

  4. Anonymous
    2022-12-31T12:28:03+00:00

    Hi Dave, thank you for taking the time to answer this submission.

    Autoruns search doesn't find anything when I look for "BPO_Me", or "BPO", or any term contained in the suspicious path.

    However, I find the same command line when I look for rundll (see bottom of screenshot).

    Addendum to the first post of the topic:

    Here are the values that I removed from the registry:

    Ordinateur\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU :

    MRU > ajihgcdfeb
    j>C:\Users\lader\AppData\Local\WINDOW~1\EVELTF~1\1
    h>C:\Users\lader\AppData\Local\WINDOW~1\EveltFicjer\1
    g>C:\Users\lader\AppData\Local\WINDOW~1\1

    Ordinateur\HKEY_USERS\S-1-5-21-4126627384-3990980677-**********-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
    url1> C:\Users\lader\AppData\Local\WindowBridge\EveltFicjer

  5. Anonymous
    2022-12-31T11:31:48+00:00

    Hi Nope NopeBH,

    I am Dave, I will help you with this.

    Click the link below to download a small free utility that does not require installation.

    https://download.sysinternals.com/files/Autorun...

    When the file downloads, unzip it.

    Run Autoruns64 as Administrator

    1.

    In the search box in Autoruns, type this and press Enter:

    BPO_Me

    If that finds any entries, please provide a screenshot

    2.

    In the search box in Autoruns, type this and press Enter:

    rundll

    If that finds any entries, please provide a screenshot

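The triage Dave walks through above (find the rundll32 command line, then find the autostart that issues it) can be done from PowerShell as well. The script below is an added example, not from the thread or from Sysinternals; the $Pattern value is constructed from the path fragments quoted in the question and should be replaced with your own finding. It lists live rundll32.exe processes with their parent, then checks the usual registry Run keys (including the WOW6432Node key, since the quoted command runs the SysWOW64 rundll32), scheduled task actions and the Startup folders for that pattern.

```powershell
# Added example: locate the autostart behind a rundll32 command line.
# Run from an elevated PowerShell. $Pattern is constructed from the thread's quoted paths.
$Pattern = 'WINDOW~1|WindowBridge|EVELTF~1|BPO_ME'

# 1. Live rundll32 processes and the process that launched each one
#    (same data as the wmic query in the question, plus the parent).
Get-CimInstance Win32_Process -Filter "Name='rundll32.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
    [pscustomobject]@{
        Pid         = $_.ProcessId
        ParentPid   = $_.ParentProcessId
        Parent      = $parent.Name
        CommandLine = $_.CommandLine
    }
} | Format-List

# 2. Registry autostart locations. RunMRU is included only to show it is
#    Run-dialog history, not an autostart; removing values there does not stop a launch.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',      # Load / Run values
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'  # history only
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        if ("$($p.Value)" -match $Pattern) { '{0}  {1} = {2}' -f $key, $p.Name, $p.Value }
    }
}

# 3. Scheduled tasks whose action or arguments reference the path.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match $Pattern) {
            '{0}{1}  {2} {3}' -f $task.TaskPath, $task.TaskName, $a.Execute, $a.Arguments
        }
    }
}

# 4. Per-user and all-users Startup folders.
$startup = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
Get-ChildItem $startup -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime
```

Anything the script reports under steps 2 to 4 is the entry to untick or remove; if nothing matches, Autoruns' wider coverage (Winlogon, services, shell extensions) is the next place to look, as the thread did.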