Windows XP virus help please


BOAC
28th Mar 2010, 08:12
All this done over the phone!

Friend appeared to have one of those 'fraud' infections - this one Antimalware 2010 which showed 32 'infections'.

We ran mbam which collected 3.

I sent over Avast install, he ran a boot scan. It was deleting quite a few files he said. He didn't see the end (!).

Left with a bootup which had a rapid sequence of screens flashing up. OK, said I - repair install. First go (it's a Dell) wanted iastor.sys and nicinstE.dll. Could not find them so by-passed. No boot. Next time, through CMOS changed the RAID setting, ran repair/install again. (It transpires he has no floppy drive so we cannot use F6). This time only nicinstE.dll called for (and bypassed). Now we can boot, but no exe files run - 'open with' etc. Got them to run by changing file security settings.

Try sfc via 'run' - 'cannot find rundll32.exe'. Try to expand same from CD using 'run' box 'cmd'. Cannot find rundll32.exe. As far as I can see 'run' looks for the first cmd it can find, starting in the profile folder?? Next task will be to see if there is a zero-byte cmd there. Since I assume he still is infected I left him to run a mbam scan in safe mode and then a 'normal' Avast scan. Waiting for news.

Any help on how to get rundll32.exe replaced appreciated. I have him 'off-line' at the moment and have tried all Google fixes, but am stuck with no access to the run box, so cannot look at reg etc. Can we do it via recovery/expand and will this fix the problem?

Bushfiva
28th Mar 2010, 08:42
You need to Google first, run Avast second if at all. Check out How to remove XP Antimalware 2010 | My Anti Spyware (http://www.myantispyware.com/2010/03/17/how-to-remove-xp-antimalware-2010/) and note the reg fixes. Running Avast in this instance was a mis-step because of the way the various incarnations of Antimalware work.

BOAC
28th Mar 2010, 09:01
Google was first. That solution was a non-starter and we could not run notepad at the beginning.

Any ideas for where we are now?

P.Pilcher
28th Mar 2010, 10:12
Although it is a bit of a cop out, re-installation of XP could be considered. I hope he has backups of his personal data! If not, and you can get the current version of XP working well enough, then it may be possible to copy his "my documents" folder into a folder with another name on the hard disc. When it re-installs, windoze will delete the existing "my documents" folder but should leave any other one alone.

P.P.

BOAC
28th Mar 2010, 10:18
Percy - that's why we went for a repair/install - the problem with the 'blast it with a reformat and put on a clean copy' brigade is that it does not work for some of the more sophisticated virii which lodge on the hard drive in places that are not touched.

If anyone knows the answer to
Can we do it via recovery/expand and will this fix the problem? I'd be grateful!

BOAC
28th Mar 2010, 16:55
Tried to expand rundll32.ex_ from XP CDRom in recovery but get 'cannot find file or folder'.

File appears to be correct size, location and installation date but it seems the OS cannot 'locate' it. Is this a path issue or registry?

mixture
28th Mar 2010, 18:33
the problem with the 'blast it with a reformat and put on a clean copy' brigade is that it does not work for some of the more sophisticated virii which lodge on the hard drive in places that are not touched.

Sorry BOAC but someone has been telling you porkies.

(1) It is MUCH safer to reformat and re-install than to try to eradicate a deeply embedded virus, high risk (e.g. rootkit) virus, or a system with multiple viruses eating away at it. It is the only way to re-establish trust with your system, and in these days of online banking etc. it is much wiser to be safe than sorry. :cool: Anyone who tells you otherwise doesn't have a clue what they are talking about, and I hope you were not paying for their services.

(2) If you re-format correctly prior to re-installing, your statement about "virii which lodge in places that are not touched" can easily be shown to be utter nonsense. If you are really worried, just replace the physical hard drive ... they are so cheap these days....

BOAC
28th Mar 2010, 19:06
Anyone who tells you otherwise doesn't have a clue what they are talking about, and I hope you were not paying for their services. - nah! Free and called Google. As far as I am concerned the jury is still out on the value of a reformat other than a zero fill. Anyway, I read what you say and add it to the balance.

Now, anyone able to answer my question - path, registry or where?

mixture
28th Mar 2010, 21:52
A zero fill should be more than good enough to ensure a virus is gone. Otherwise just find something that will trigger a Secure Erase instruction to your controller. :cool:

Now, anyone able to answer my question - path, registry or where?

For something like "Antimalware 2010", all I can do is wish you good luck if you are hell bent on fixing rather than starting afresh.

Read up on "Innovative Marketing Ukraine" to give you an idea why !

So... best of luck ! :ok:

BOAC
28th Mar 2010, 21:59
Saab - any ideas on how XP locates rundll32.exe?

All known antimalware reg entries are away. Just left with the rundll problem.

"Innovative Marketing Ukraine" - reminds me of a visit to PPRune HQ

kenhughes
28th Mar 2010, 22:56
rundll32.exe is usually located in the Windows\system32 folder.

If that was corrupted by the virus, there should be a copy of it in windows\system32\dllcache or in windows\ServicePackFiles\i386.

In Safe mode, copy the file into windows\system32, then reboot.

Ken

Saab Dastard
29th Mar 2010, 00:29
any ideas on how XP locates rundll32.exe

Like pretty much everything else, via the PATH system variable.

If you can't get into a command prompt to type Path, you can also see it via System\Properties\Advanced\Environment Variables

Should be something like PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;

SD

green granite
29th Mar 2010, 07:29
You can download it from: rundll32.exe file download - Download / repair / restore corrupt or missing rundll32.exe file (http://dll.downloadatoz.com/rundll32.exe-file.html)

BOAC
29th Mar 2010, 07:49
SD - thanks - I will try to get him to see if sys32 is in the path. GG - thanks. At least we can boot reliably into safe and normal now.

For both, from the first post,
"Try to expand same from CD using 'run' box 'cmd'. Cannot find rundll32.exe. As far as I can see 'run' looks for the first cmd it can find, starting in the profile folder?? Next task will be to see if there is a zero-byte cmd there."

No further copies of cmd found, but since rd32 is so pivotal in all of this, I cannot find a way to run 'cmd'. Will command.com produce a DOS box? Any other way to run regsvr? Have not tried that in the run box but I suspect it will cough up the same problem. All a bit of a challenge over the phone. I dare not put him online for a remote access until I can be sure the av and firewall are ok - that is if we can even go online! I have asked a local friend of his to download the 'dougknow' exe file fix zip to a USB in the hope we can fix the exe files go to 'open with...' rd32 problem.

As I said, we got into regedit using 'run as' and unticking the 'protect my computer....' box and as far as I can see there is no sign of antimalware there, but I don't know what I am looking for for the rd32 issue. Control panel modules also unavailable due to rd32 issue.

Saab Dastard
29th Mar 2010, 10:28
Have you tried typing C:\WINDOWS\system32\cmd.exe into the Run box?

SD

BOAC
29th Mar 2010, 11:47
Yes - that did not work but command.com did, so we checked the shell/open/ .exe key and it was set to 'secfile'. Changed to 'exefile' and exe's now open/run ok. 'cmd' works in 'run'. He has an entry in classes/root for 'secfile' which I do not - is this part of the infection? (He has no connection with PGP).

Running a very slow sfc /scannow right now.

regsvr brings up the familiar 'entry point' error??
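The three things raised above (kenhughes: a known-good rundll32.exe should exist in dllcache or ServicePackFiles; Saab Dastard: the shell finds rundll32.exe via PATH; BOAC: the .exe association had been switched from 'exefile' to 'secfile') can be checked from one read-only script. The script below is an added example, not code from this thread or any poster. It assumes PowerShell is available on the affected XP box (PowerShell 2.0 was an optional download for XP SP2 and later) and that it is run from an administrator account; it only reports, it changes nothing, so it can be run before and after a fix such as the 'secfile' to 'exefile' change to confirm the result.

```powershell
# Added example (not from the thread): read-only checks for the "exe files open
# with..." / "cannot find rundll32.exe" symptoms described above.
# Assumptions: PowerShell 2.0+ present on the XP machine, run as an administrator.

function Get-DefaultValue {
    # Return the (default) value of a registry key, or $null if the key is missing.
    param([string]$KeyPath)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Get-Md5Hex {
    # MD5 of a file, as hex. Used only to compare two copies of the same file;
    # Get-FileHash does not exist in PowerShell 2.0, so use the .NET class directly.
    param([string]$Path)
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($md5.ComputeHash($bytes))) -replace '-', ''
}

# 1. The .exe extension must map to 'exefile'. The thread found 'secfile' instead.
$exeAssoc = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\.exe'
if ($exeAssoc -ne 'exefile') {
    Write-Warning ".exe is associated with '$exeAssoc' (expected 'exefile')"
} else {
    Write-Output ".exe association OK (exefile)"
}

# 2. The stock open command for exefile is  "%1" %*  . Anything else means some
#    other program has been inserted in front of every executable launch.
$openCmd = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($openCmd -ne '"%1" %*') {
    Write-Warning "exefile open command is [$openCmd] (expected [""%1"" %*])"
} else {
    Write-Output "exefile open command OK"
}

# 3. Is %SystemRoot%\system32 actually on PATH? (Saab Dastard's point.)
$windir   = $env:SystemRoot
$pathDirs = $env:Path -split ';'
if ($pathDirs -notcontains "$windir\system32") {
    Write-Warning "PATH does not include $windir\system32 : $env:Path"
} else {
    Write-Output "PATH includes $windir\system32"
}

# 4. Where are the copies of rundll32.exe, and do the live and cached copies match?
$live       = "$windir\system32\rundll32.exe"
$candidates = @(
    $live,
    "$windir\system32\dllcache\rundll32.exe",      # kenhughes: protected-file cache
    "$windir\ServicePackFiles\i386\rundll32.exe"   # kenhughes: service pack source
)
foreach ($p in $candidates) {
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p
        Write-Output ("{0}  {1} bytes  modified {2}  md5 {3}" -f $p, $f.Length, $f.LastWriteTime, (Get-Md5Hex $p))
    } else {
        Write-Warning "missing: $p"
    }
}

# A live copy that differs from the dllcache copy is worth a closer look before
# copying the cached one over it in Safe Mode, as kenhughes suggested.
$cached = "$windir\system32\dllcache\rundll32.exe"
if ((Test-Path -LiteralPath $live) -and (Test-Path -LiteralPath $cached)) {
    if ((Get-Md5Hex $live) -eq (Get-Md5Hex $cached)) {
        Write-Output "system32 and dllcache copies of rundll32.exe are identical"
    } else {
        Write-Warning "system32 and dllcache copies of rundll32.exe DIFFER"
    }
}
```

The check reads HKEY_CLASSES_ROOT through the `Registry::` provider path so it works without mapping an HKCR: drive, and compares file hashes rather than just sizes and dates, since the thread notes the file "appears to be correct size, location and installation date" while still not being found; a matching hash against dllcache rules the file itself out and points back at the association or PATH.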

BOAC
1st Apr 2010, 21:33
To close here - all back to 'normal'. Several Mbam scans now clean.