Ok I found this mysterious program in my C:\ root directory called "gendel32.exe"

I have searched various search engines with no real luck, ran AdAware, spybot S&D, and of course norton anti-virus on it, all with latest updates and reference files. I have found nothing. The file is also referenced in "windows\wininit.ini"

So does anyone have any idea of what this is or does?....apparently if deleted it reappears after reboot. Any help is appreciated.

P.S. Sorry if this is not in the right forum, mods please move if needed.

sounds like a virus. reasons:

you say it's in wininit.ini. that file is not part of windows, so gendel32.exe isn't used by windows.

search engines return few results. even if it was a legit file, it would show up.

it's in your root directory. i don't know of any programs/applications that place executables in the root of your hard drive...

most importantly: it reappears when you reboot. this means there is a second copy or another infected file that creates gendel32.exe on bootup.

Yeah it is suspicious, I just don't know why none of the programs I ran detected it. :/

first, find out how it's starting. run msconfig and look on the startup tab. find the item that starts gendel32.exe, and post its location here.

also, run regedit and run a search for gendel32. post the keys that it shows up in, but don't delete them (they might be used by windows).

Yeah I did both of them too, it doesn't appear in either msconfig or regedit. Also ZoneAlarm has never asked for an outgoing connection related with it. So it is a mystery.

check HKCR\exefile\shell\open\command and see what the default value is set to. it should be "%1 *1", but if it's not, post what it's set to. if it's set to something else, then the virus is probably launching every time you open a new program :pinch:

Well I edited wininit.ini just now, adding a ' ; ' character to each line and renamed the gendel.exe to gendel.bak and rebooted...after which it hasn't renamed back, so maayyyybee I've stopped it for now. I'm still not sure what it is though seeing as none of the detection programs for adware, spyware and antivirus detects it. I can only assume some website put it there without permission, since I am very careful about the stuff I install etc.

BTW, thanks for your help and ideas gameguy. :)

If anyone does find out what this is, let us know.
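The thread turns on gendel32.exe being referenced from wininit.ini. As an added example (not posted by anyone in the thread), this sketch lists what a wininit.ini `[rename]` section would do at the next boot on Windows 9x/ME, where each line is destination=source and a destination of NUL means delete. The sample file contents and the function names are constructed for illustration; the thread does not show the real entry.

```python
import re

# Constructed sample: one delete, one replace, and one hypothetical entry
# disabled with a leading ';' (the kind of edit the poster describes).
SAMPLE = r"""
[rename]
NUL=C:\TEMP\SETUP1.TMP
C:\WINDOWS\SYSTEM\APP.DLL=C:\WINDOWS\SYSTEM\APP.NEW
;C:\GENDEL32.EXE=C:\TEMP\GENDEL32.TMP
"""

def parse_wininit(text):
    """Return one dict per entry in the [rename] section.

    Keys repeat (many NUL= lines), so an INI library that keeps one value
    per key would silently drop entries; read the section line by line.
    """
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if not in_rename:
            continue
        disabled = line.startswith(";")        # commented out, not processed
        body = line.lstrip("; \t")
        if "=" not in body:
            continue
        dest, src = (p.strip() for p in body.split("=", 1))
        action = "delete" if dest.upper() == "NUL" else "rename"
        ops.append({"action": action, "source": src,
                    "dest": None if action == "delete" else dest,
                    "disabled": disabled})
    return ops

def basename(path):
    """Last component of a DOS path, lowercased ('' for None)."""
    return re.split(r"[\\/]", path)[-1].lower() if path else ""

def entries_for(ops, filename):
    """Entries whose source or destination is the given file name."""
    name = filename.lower()
    return [o for o in ops if name in (basename(o["source"]), basename(o["dest"]))]

if __name__ == "__main__":
    for op in entries_for(parse_wininit(SAMPLE), "gendel32.exe"):
        print(op)
```

An entry that is a rename with the suspicious file as its destination would explain a file that comes back after reboot; a NUL= entry would instead mean something is trying to delete it.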

Hi

No need to worry, afaik it's part of the install-software from http://www.install-us.com

One of the programs you have or had installed prolly used that installer and gendel32.exe is either a leftover from some installation or it'll be needed for a prog to uninstall.

Suggestion: rename it to gendel32.exe.bak or something similar and wait for a program to say "hey, I need gendel32.exe" =)

NoNeX

Ok thanks NoNex. :)

I also got this program in C:.

I checked it with the help of ResHacker and all strings are in German, e.g.:

STRINGTABLE
LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL
{
65440, "Samstag"
65441, "%s kann nicht zu %s zugewiesen werden"
65442, "Datei %s kann nicht erstellt werden"
65443, "Datei %s kann nicht geöffnet werden"
65444, "Stream-Read-Fehler"
65445, "Stream-Write-Fehler"
65446, "Der Index der Liste überschreitet das Maximum (%d)"
65447, "Die Kapazität der Liste ist erschöpft (%d)"
65448, "Zu viele Einträge in der Liste (%d)"
65449, "Operation bei sortierten Stringlisten nicht erlaubt"
65450, "In der Stringliste sind Duplikate nicht erlaubt"
65451, "Ungültiger Wert der Eigenschaft"
}

and since "install-us" is from a German company, it can be from that package.

I think I got it from installing the latest version of Nero.

/Michael

This topic is now closed to further replies.