Author Topic: rundell32.exe  (Read 4194 times)

state of confusion

  • Guest
rundell32.exe
« on: November 25, 2004, 11:54:15 PM »
Where to begin... A virus completely crippled my hard drive. I've tried to reinstall XP without being able to select the install from the disk. Also, I've read about reinstalling rundell32.exe, without any success. Each time I try to open a program I get "windows system32 rundell32.exe could not be found". Also, I'm getting a prompt when trying to open any program which states "Open with...". If anyone could step in and shed some light, ty.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
rundell32.exe
« Reply #1 on: November 26, 2004, 12:01:26 AM »
You may want to try this method,

Download this Zipped file xp_fileassoc.zip
UNZIP it to your desktop and Double click on the
xp_fileassoc.bat to run it
Follow the prompts

RESTART your computer afterwards

When you're done with that, if you can
Download Hijackthis, this will help to determine if there are any nasties on your computer
Create a Permanent Folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from HERE or HERE
Save it to that new folder

Do a SCAN----Scan will change to SAVE LOG----copy and paste the WHOLE contents of the log
here... Don't try and fix anything yet----It is all important

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


state of confusion

  • Guest
rundell32.exe
« Reply #2 on: November 26, 2004, 12:37:17 AM »
OK, I am along for the ride until the point of running the HijackThis program. The file assoc.zip goes right into command without a prompt. After creating the HJT folder I try to click on the icon, with the reading "open with what program". My only options are Word and Notepad, and neither one can get the job done.

Offline guestolo

rundell32.exe
« Reply #3 on: November 26, 2004, 12:42:48 AM »
Let's try this
Save this file directly to your desktop
xp_file assoc.bat <--removed, I'll upload it again later if needed
Close out all windows, including this one
Double click to run it and then Restart

Try hijackthis again, if no go we should get you to run a couple online virus scanners

Try here at TrendMicros ---Set to Autoclean
http://housecall.trendmicro.com/

and/or try one here at Panda's
http://www.pandasoftware.com/activescan/co...n_principal.htm

At either online virus scanner, you should be given the option to save the report after the scan is complete, can you post that report, thanks
« Last Edit: November 26, 2004, 01:00:31 AM by guestolo »


state of confusion

  • Guest
rundell32.exe
« Reply #4 on: November 26, 2004, 12:55:15 AM »
I wanted to first thank you for walking me through this process, while others (Windows call center) have taken me for a crazy NYC cab ride. I've followed your instructions to a T: ran the fileassoc.bat, going right to a cmd prompt. The HJT icon is still asking for a program to open. I would like to try to run a virus scan, but without being able to run the program from this crippled state, how would you like to approach this?

Offline guestolo

rundell32.exe
« Reply #5 on: November 26, 2004, 12:58:20 AM »
Sorry, I edited my reply when you were posting

I gave you a couple links to try above for a couple great online virus scanners
Give them a try and post back
I'll hope to see your post later on tonight, but it may not be till tomorrow

Hold on to xp_fileassoc.bat
We may need it later

One more EDIT
You can also try to restore the association with this .exe fix
Save it to your desktop and UNZIP it
Double click to run the reg. fix
http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

If you can't unzip the above

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>Save as
Name the file as exefix.reg
Change the Save as Type to All Files.
Save this file on the desktop, we'll need this later, don't run it yet
Quote
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

Double click on exefix.reg and allow it to merge to the registry
If it won't merge try to run it in safe mode
How to start in SAFE MODE

You may, at this point, even have trouble opening Notepad, let me know
« Last Edit: November 26, 2004, 01:19:33 AM by guestolo »
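
An added example, not part of guestolo's post: a Python check that reads a .reg export and reports where the `.exe` association differs from the values in the exefix.reg text quoted above. Both sample exports, including the `constructed_progid` value, are constructed for illustration.

```python
import re

# Known-good default (@) values, taken from the exefix.reg text quoted above.
EXPECTED = {
    r"hkey_classes_root\.exe": "exefile",
    r"hkey_classes_root\exefile\shell\open\command": '"%1" %*',
    r"hkey_classes_root\exefile\shell\runas\command": '"%1" %*',
}

def parse_reg_defaults(text):
    """Map each key path (lower-cased) to its default (@) string value."""
    defaults, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key names are case-insensitive
        elif key and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping: \" is a quote, \\ is a backslash.
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults

def check_exe_association(text):
    """Return (key, found, expected) for every default that deviates."""
    found = parse_reg_defaults(text)
    return [(k, found.get(k), want) for k, want in EXPECTED.items()
            if found.get(k) != want]

# Constructed sample: an export in which the association is damaged.
DAMAGED = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="constructed_progid"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\""
'''

# Constructed sample: the relevant keys as they appear in the quoted fix.
REPAIRED = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, found, want in check_exe_association(DAMAGED):
        print(f"{key}: found {found!r}, expected {want!r}")
```

Files exported by regedit in the "Version 5.00" format are UTF-16 encoded, so decode them before passing the text in.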


state of confusion

  • Guest
rundell32.exe
« Reply #6 on: November 26, 2004, 01:31:23 PM »
Logfile of HijackThis v1.98.2
Scan saved at 1:29:20 PM, on 11/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\Software\software.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Documents and Settings\1\Application Data\rtmt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\110079~1\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\COMMON~1\AOL\110079~1\EE\AOLServiceHost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\DOCUME~1\1\LOCALS~1\Temp\iinstall.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\180Solutions\sais.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Web_Rebates\WebRebates1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/2484/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/2484/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/2484/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/2484/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/2484/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/2484/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...ount_id=1001547
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.52/2484/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://69.50.191.52/2484/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 54.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: BHO Class - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\ELITES~1\ELITES~1.DLL (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100791675\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortEmail Removedexe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [Software] C:\WINDOWS\system32\Software\software.exe
O4 - HKLM\..\Run: [zyv] C:\WINDOWS\zyv.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\rundll32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [tgxcr] C:\WINDOWS\tgxcr.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\1\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [Areo] C:\Documents and Settings\1\Application Data\rtmt.exe
O4 - HKCU\..\Run: [Idxbuu] C:\WINDOWS\system32\?ttrib.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\Email RemovedEXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW Prefix: http://69.50.191.50/?
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.finefind.net
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/2.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {6BAFBC6A-6858-4571-1B60-24AB4B16D002} - http://82.179.166.72/1/gdnUS208.exe
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/y...ysb_regular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {E9EE579F-F114-4281-8FAC-C2A74C507DFF} - C:\WINDOWS\System32\bkipnkk.dll
O18 - Filter: text/plain - {E9EE579F-F114-4281-8FAC-C2A74C507DFF} - C:\WINDOWS\System32\bkipnkk.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)

The exe.fix.zip file was the ticket; it brought everything back to running order. Now I am trying to fix and alleviate all problems on the hard disk without erasing the hard disk. I've tried to reinstall XP Pro, with the upgrade to Service Pack II; Windows states that since an updated copy of XP is present, the system will not reinstall Windows. Any suggestions...
Here is a log from the HJT. It appears as though more than a few ad and spyware files are present on the hard disk. To cut down on this, what would you suggest?

Offline guestolo

rundell32.exe
« Reply #7 on: November 26, 2004, 07:07:50 PM »
I see this in your log
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\rundll32.exe
Don't touch it yet
Just to be on the safe side, could you download this zipped file
and save it to your desktop, if we need it we have it just in case

rundll32.zip <--removed the link, if needed I'll upload it again
If that link doesn't work right for you, just right click on it and select Copy Shortcut
and paste it in your IE's address bar and hit Go

Let's get you a few free programs that will help clean up this mess quite a bit, your computer should run a lot cleaner afterwards

Can you download them first and then we'll run them
A few of them you can hang onto and update every couple of weeks and run scans

First could you download and Install the standalone version of CWShredder, this is a small download
CWShredder
Run this later

Next: Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or later
If you don't have this version, uninstall yours and install this one
After installation-CHECK FOR UPDATES
Allow to download updates
We'll again run this later

Next:Download and Install Spybot S&D 1.3
After installation--SEARCH FOR UPDATES
Download all updates
We'll run this later

One last thing
Download and Install
Windows CleanUp!
Once again, we'll need this later
===================================================

Let's try some fixes on your computer, I recommend that you do all of these in
Safe Mode

So you may want to print these instructions out, or save to a Notepad file on your desktop for easy access

Ensure you download all suggested and Update both Ad-Aware and Spybot

Restart into safe mode

Run CWShredder and let it FIX all problems
Restart your computer, again I suggest back into safe mode

Open Ad-Aware(Ensure it's up to date)
Choose to do a Full system scan--Remove all Critical objects
When the scan is complete it will notify you of Critical objects found
Right click in the Critical pane and select all
Click Next

Restart your computer to finish the cleaning process, again back into safe mode

Open Spybot---Check for Problems
After the scan is complete, by default Red entries should all be checked, if not, check all RED entries, Green are optional
Fix selected
Restart your computer one last time into safe mode


Open CleanUp!
Click the Cleanup button, let it scan for files to remove in your temp folders and such
It will prompt you that some files won't be removed until after you restart your computer.
At this time Restart back into Normal mode

Back in Normal Mode
Don't open a browser yet, instead access IE's Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page

This should help cleanup a lot of your problems
Please post back a fresh hijackthis log afterwards and we'll try to manually clean the rest

Could you also Navigate to this folder
C:\WINDOWS\system32
Open it and let me know how many files you have with the name
rundll32.exe
The legitimate one for you and I should be
32.5 kb in size
If you check out its properties it should say it's from Microsoft
Probably version 5.1.2600.2180
Should also show Date Created and Modified
Can you let me know that info

Could you also look for any other files in your system32 folder that start with the name run
They may not be bad, just checking
« Last Edit: November 28, 2004, 05:17:44 PM by guestolo »
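
An added example, not part of guestolo's post: a Python pass over HijackThis `O4` autorun lines that flags the pattern pointed out in Reply #7, a Windows system binary name outside `system32` and a Run value named after a different system binary. The sample lines are copied from the log in Reply #6; the list of system binary names is a short assumption, not a complete inventory.

```python
import ntpath
import re

# Binaries expected under C:\WINDOWS\system32 (short illustrative list; the
# thread itself places the legitimate rundll32.exe there).
SYSTEM32_BINARIES = {"rundll32.exe", "svchost.exe", "lsass.exe",
                     "services.exe", "winlogon.exe"}

O4_LINE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

def image_path(cmd):
    """Extract the executable path from a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.exe)\b', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def review_o4(log_text):
    """Return (value name, path, reasons) for each autorun entry worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        path = image_path(m["cmd"])
        folder, base = ntpath.split(path.lower())
        name = m["name"].lower()
        claimed = name if name.endswith(".exe") else name + ".exe"
        reasons = []
        if base in SYSTEM32_BINARIES and not folder.endswith(r"\system32"):
            reasons.append("system binary name outside system32")
        if claimed in SYSTEM32_BINARIES and claimed != base:
            reasons.append("value name imitates a different system binary")
        if reasons:
            findings.append((m["name"], path, reasons))
    return findings

# Lines copied from the HijackThis log posted in Reply #6.
SAMPLE_O4 = r'''
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\rundll32.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\1\LOCALS~1\Temp\djtopr1150.exe"
'''

if __name__ == "__main__":
    for name, path, reasons in review_o4(SAMPLE_O4):
        print(f"[{name}] {path}: {'; '.join(reasons)}")
```

A flagged entry is a prompt to check the file's location, size and version details as described in the post, not a verdict on its own.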