rundll32.exe not found (after Antivirus XP 2010)

  Diemmess 13:28 04 Mar 2010

Friend's Dell laptop was infected with Antivirus XP 2010.
He is one who knows little of his computer but uses it constantly for Email messages between his friends and local matters.

I managed to get rid of the malware with SuperAntispyware, and am now facing several problems.
Repeated pop-up on booting of "rundll32 not found" "OK"

Needless to say he has no system backup, SP2 not SP3, and obviously dubious anti malware cover - he says he uses Firefox's own protection.

Can I simply copy rundll32.exe from my own XP (sp3) or what must I do?

  james105051 13:45 04 Mar 2010

You can try running sfc /scannow to replace the missing file, or

Try this

Click Start, Run. Type command and press Enter. Type notepad and press Enter.
Notepad opens. Copy all the text below into Notepad.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.)
Double Click fix.reg and click YES for confirm.
Reboot your computer.

  MAJ 13:52 04 Mar 2010

james105051 it doesn't look like Diemmess is having problems running exe files as he hasn't said so, but of course the reg file will do no harm.

Diemmess, check that the rundll32.exe is in the C:\Windows\System32 folder. If it is then THAT file is the correct file and not the one being searched for on startup. It's possible the remnants of the infection are causing the problem after SAS removed it.

  Sea Urchin 13:55 04 Mar 2010

I would run Malwarebytes as well

  MAJ 13:59 04 Mar 2010

Correct, Sea Urchin

  Diemmess 14:34 04 Mar 2010

rundll32.exe IS in Windows system32

I can use My Computer, but if I try to open Firefox or run sfc /scannow, the little window opens asking which program do I wish to use!
The same applies with Malwarebytes

This probably means following james105051 and making a fix that way?

I have to take up to the next hour away from this, and hope to give/receive better news then.

  MAJ 14:45 04 Mar 2010

If that is the case, then the damage caused hasn't been repaired, so run james105051's reg file, which should allow you to run exe files again, then run MBAM to clean up. Don't forget, when all is clean again, to turn off System Restore to delete all possibly infected restore points. Scan again and if all is still clean, reactivate System Restore to create a new, clean restore point.

  Diemmess 15:35 04 Mar 2010

Thanks, I have spent another 30 minutes trying to make the registry accept that script. It errors saying it can only accept binary...

When saving into notepad I have tried ALL files and .txt

When under command the cursor shows not C:\ but C:\documen~1\HISNAM~1>
Should I go back to C:\> before attempting to push the hieroglyphs down its throat?

Not entirely sure about spaces in the sample script and assume all on one line? or not!

Wife from garden needs a barrow load of compost!

  MAJ 18:43 04 Mar 2010

Try it manually then, Diemmess. Can you run the registry editor? Go to Start > Run and type in:


and click OK. If the registry editor opens, let us know and we will let you know how to do it manually.

  MAJ 19:04 04 Mar 2010

Try this one, Diemmess. Copy and paste the code below into Notepad (not Word or any other word processor). Then go to File > Save As, change the "Save as Type" field to "All Files (*.*)", give it a name, but make sure it has a .reg extension, Fix.reg for example. Then go to where you saved it and double click on it. When asked if you want to merge to the registry, choose Yes and reboot your PC. Then try to run MBAM again.

Windows Registry Editor Version 5.00

"Content Type"="application/x-msdownload"


  Diemmess 19:41 04 Mar 2010

Thanks again MAJ

Wise after the event.
I eventually found that I could run regedit by using safe mode and as administrator.

I wish I had run sfc first!
I found the string down to [HKEY_CLASSES_ROOT\exefile\shell\open\command]
It offered default and in the data section merely
\"%1\" %*

I added what I thought was the missing @=" to the front and an * at the end.

Saved it and ---- disaster I can't even reopen the editor "Access denied"

That was all before your later posts.

I have just returned the Laptop to the owner who is not ungrateful, even if we are both mighty disappointed.
Inevitably it will go to the reasonable local shop tomorrow having copied off the data first.

Will finish the story when it is all back together.

This thread is now locked and can not be replied to.
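
Added example (not code from the thread or its participants): a short Python check that parses .reg text and reports whether the (Default) value under [HKEY_CLASSES_ROOT\exefile\shell\open\command] decodes to "%1" %*, which is the data regedit displays once the .reg file's quoting and backslash escapes are removed. The sample files are constructed; the exact data in the BAD sample and the [HKEY_CLASSES_ROOT\.exe] key name are assumptions, not values shown in the thread.

```python
import re

KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED = '"%1" %*'  # the data as regedit shows it, without .reg escaping
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # Inside a quoted .reg string, \" means " and \\ means \
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {key: {name: data}} for string values; '@' is the (Default) value."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = _VALUE.match(line)
            if m:
                name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
                current[name] = _unescape(m.group(2))
    return keys

def check_exe_handler(text):
    """Classify the exefile open command found in .reg text."""
    data = parse_reg(text).get(KEY, {}).get("@")
    if data is None:
        return "missing"
    if data == EXPECTED:
        return "ok"
    if data.startswith("@=") or '\\"' in data:
        return "reg-syntax-in-data"  # file syntax was typed into the data field
    return "modified"

# Constructed samples, not exports from a real machine.
HEADER = "Windows Registry Editor Version 5.00\n\n"
GOOD = HEADER + "[" + KEY + "]\n" + r'@="\"%1\" %*"' + "\n"
# Data field holding the literal text @="\"%1\" %*"* (assumed form of a bad edit)
BAD = HEADER + "[" + KEY + "]\n" + r'@="@=\"\\\"%1\\\" %*\"*"' + "\n"
# Only the .exe key is present (key name assumed; it is not shown in the thread)
PARTIAL = HEADER + "[HKEY_CLASSES_ROOT\\.exe]\n" + '"Content Type"="application/x-msdownload"\n'

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD), ("PARTIAL", PARTIAL)):
        print(label, check_exe_handler(sample))
```

Regedit writes Version 5.00 exports as UTF-16, so decode the file to text before passing it to check_exe_handler.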
