Windows XP virus help please
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
All this done over the phone!
Friend appeared to have one of those 'fraud' infections - this one Antimalware 2010 which showed 32 'infections'.
We ran mbam which collected 3.
I sent over Avast install, he ran a boot scan. It was deleting quite a few files he said. He didn't see the end (!).
Left with a bootup which had a rapid sequence of screens flashing up. OK, said I - repair install. First go (it's a Dell) wanted iastor.sys and nicinstE.dll. Could not find them so by-passed. No boot. Next time, through CMOS changed the RAID setting, ran repair/install again. (It transpires he has no floppy drive so we cannot use F6). This time only nicinstE.dll called for (and bypassed). Now we can boot, but no exe files run - 'open with' etc. Got them to run by changing file security settings.
Try sfc via 'run' - 'cannot find rundll32.exe'. Try to expand same from CD using 'run' box 'cmd'. Cannot find rundll32.exe. As far as I can see 'run' looks for the first cmd it can find, starting in the profile folder?? Next task will be to see if there is a zero-byte cmd there. Since I assume he still is infected I left him to run a mbam scan in safe mode and then a 'normal' Avast scan. Waiting for news.
Any help on how to get rundll32.exe replaced appreciated. I have him 'off-line' at the moment and have tried all Google fixes, but am stuck with no access to the run box, so cannot look at reg etc. Can we do it via recovery/expand and will this fix the problem?
Hippopotomonstrosesquipidelian title
Join Date: Oct 2006
Location: is everything
Posts: 1,826
You need to Google first, run Avast second if at all. Check out How to remove XP Antimalware 2010 | My Anti Spyware and note the reg fixes. Running Avast in this instance was a mis-step because of the way the various incarnations of Antimalware work.
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
Google was first. That solution was a non-starter and we could not run notepad at the beginning.
Any ideas for where we are now?
Last edited by BOAC; 31st Mar 2010 at 14:43.
Join Date: Jul 2001
Location: U.K.
Posts: 805
Although it is a bit of a cop out, re-installation of XP could be considered. I hope he has backups of his personal data! If not, and you can get the current version of XP working well enough, then it may be possible to copy his "my documents" folder into a folder with another name on the hard disc. When it re-installs, windoze will delete the existing "my documents" folder but should leave any other one alone.
P.P.
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
Percy - that's why we went for a repair/install - the problem with the 'blast it with a reformat and put on a clean copy' brigade is that it does not work for some of the more sophisticated virii which lodge on the hard drive in places that are not touched.
If anyone knows the answer to "Can we do it via recovery/expand and will this fix the problem?" I'd be grateful!
Last edited by BOAC; 28th Mar 2010 at 16:52.
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
Tried to expand rundll32.ex_ from XP CDRom in recovery but get 'cannot find file or folder'.
File appears to be correct size, location and installation date but it seems the OS cannot 'locate' it. Is this a path issue or registry?
Join Date: Aug 2002
Location: Earth
Posts: 3,663
the problem with the 'blast it with a reformat and put on a clean copy' brigade is that it does not work for some of the more sophisticated virii which lodge on the hard drive in places that are not touched.
(1) It is MUCH safer to reformat and re-install than to try to eradicate a deeply embedded virus, high risk (e.g. rootkit) virus, or a system with multiple viruses eating away at it. It is the only way to re-establish trust with your system, and in these days of online banking etc. it is much wiser to be safe than sorry. Anyone who tells you otherwise doesn't have a clue what they are talking about, and I hope you were not paying for their services.
(2) If you re-format correctly prior to re-installing, your statement about "virii which lodge in places that are not touched" can easily be shown to be utter nonsense. If you are really worried, just replace the physical hard drive ... they are so cheap these days....
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
Anyone who tells you otherwise doesn't have a clue what they are talking about, and I hope you were not paying for their services.
Now, anyone able to answer my question - path, registry or where?
Join Date: Aug 2002
Location: Earth
Posts: 3,663
A zero fill should be more than good enough to ensure a virus is gone. Otherwise just find something that will trigger a Secure Erase instruction to your controller.
For something like "Antimalware 2010", all I can do is wish you good luck if you are hell bent on fixing rather than starting afresh.
Read up on "Innovative Marketing Ukraine" to give you an idea why!
So... best of luck!
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
Saab - any ideas on how XP locates rundll32.exe?
All known antimalware reg entries are away. Just left with the rundll problem.
"Innovative Marketing Ukraine" - reminds me of a visit to PPRune HQ
Join Date: Jan 2008
Location: Over the hill and far away
Age: 76
Posts: 174
rundll32.exe is usually located in the Windows\system32 folder.
If that was corrupted by the virus, there should be a copy of it in windows\system32\dllcache or in windows\ServicePackFiles\i386.
In Safe mode, copy the file into windows\system32, then reboot.
Ken
Spoon PPRuNerist & Mad Inistrator
any ideas on how XP locates rundll32.exe
If you can't get into a command prompt to type Path, you can also see it via System\Properties\Advanced\Environment Variables
Should be something like
PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;
More bang for your buck
Join Date: Nov 2005
Location: land of the clanger
Age: 82
Posts: 3,512
You can download it from: rundll32.exe file download - Download / repair / restore corrupt or missing rundll32.exe file
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
SD - thanks - I will try to get him to see if sys32 is in the path. GG - thanks. At least we can boot reliably into safe and normal now.
For both, from the first post,
"Try to expand same from CD using 'run' box 'cmd'. Cannot find rundll32.exe. As far as I can see 'run' looks for the first cmd it can find, starting in the profile folder?? Next task will be to see if there is a zero-byte cmd there."
No further copies of cmd found, but since rd32 is so pivotal in all of this, I cannot find a way to run 'cmd'. Will command.com produce a DOS box? Any other way to run regsvr? Have not tried that in the run box but I suspect it will cough up the same problem. All a bit of a challenge over the phone. I dare not put him online for a remote access until I can be sure the av and firewall are ok - that is if we can even go online! I have asked a local friend of his to download the 'dougknow' exe file fix zip to a USB in the hope we can fix the exe files go to 'open with...' rd32 problem.
As I said, we got into regedit using 'run as' and unticking the 'protect my computer....' box and as far as I can see there is no sign of antimalware there, but I don't know what I am looking for on the rd32 issue. Control panel modules also unavailable due to rd32 issue.
Per Ardua ad Astraeus
Thread Starter
Join Date: Mar 2000
Location: UK
Posts: 18,579
Yes - that did not work but command.com did, so we checked the shell/open/ .exe key and it was set to 'secfile'. Changed to 'exefile' and exe's now open/run ok. 'cmd' works in 'run'. He has an entry in classes/root for 'secfile' which I do not - is this part of the infection? (He has no connection with PGP).
Running a very slow sfc /scannow right now.
regsvr brings up the familiar 'entry point' error??
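The three checks the thread ends up doing by hand (is system32 on the PATH, is the .exe association still 'exefile' rather than something the rogue planted, and is there a clean rundll32.exe in dllcache or ServicePackFiles to copy back) can be done in one pass from a command prompt. The script below is an added example written for this thread, not something posted by any of the participants or shipped with XP; it assumes the standard XP locations and default registry values (HKCR\.exe pointing at 'exefile', and 'exefile\shell\open\command' being "%1" %*), and it only changes anything when started with /fix, so the first run is read-only.

```batch
@echo off
rem Added example, not from the thread: report the state of the pieces a rogue
rem "antimalware" typically breaks on XP, then optionally put them back.
rem Assumes default XP paths and registry values. Run from an admin prompt
rem (in the thread, command.com was the only way to get one open).

echo === .exe association, expected default value: exefile ===
reg query HKCR\.exe /ve

echo === open command for exefile, expected: "%%1" %%* ===
reg query HKCR\exefile\shell\open\command /ve

echo === PATH, system32 must be listed for 'run' to find rundll32.exe ===
echo %PATH%

echo === rundll32.exe copies ===
for %%F in ("%SystemRoot%\system32\rundll32.exe" "%SystemRoot%\system32\dllcache\rundll32.exe" "%SystemRoot%\ServicePackFiles\i386\rundll32.exe") do (
    if exist %%F (echo found   %%F) else (echo MISSING %%F)
)

rem Everything above is read-only. Repairs run only when "/fix" is passed.
if /i not "%~1"=="/fix" goto :eof

echo --- restoring the .exe association to exefile ---
reg add HKCR\.exe /ve /d exefile /f

rem Put rundll32.exe back from the first clean copy found, if it is missing.
if exist "%SystemRoot%\system32\rundll32.exe" goto :eof
if exist "%SystemRoot%\system32\dllcache\rundll32.exe" (
    echo --- copying rundll32.exe from dllcache ---
    copy "%SystemRoot%\system32\dllcache\rundll32.exe" "%SystemRoot%\system32\"
) else if exist "%SystemRoot%\ServicePackFiles\i386\rundll32.exe" (
    echo --- copying rundll32.exe from ServicePackFiles ---
    copy "%SystemRoot%\ServicePackFiles\i386\rundll32.exe" "%SystemRoot%\system32\"
)
```

Save it as xpcheck.bat and run it once with no argument; compare the two reg query lines against the expected values printed beside them before running it again with /fix. If 'exefile\shell\open\command' shows anything other than "%1" %*, the rogue has replaced the open command itself and that key needs restoring in regedit as well, as the thread's last post did for the 'secfile' value. Because the Run box and Explorer both go through the .exe association while a batch file does not, the script will run even while double-clicking .exe files still fails.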