Serious rundll32.exe infection

January 5, 2010 at 23:41:36
Specs: Windows XP

So recently, I was infected with something bad that's really messing with my computer. Whenever I try to open something to try and fix it, it says that rundll32.exe is infected (along with other files...) and it's not letting me run my stuff. The internet works fine though.

I was also infected with Antivirus LIVE. I know that it's nothing huge, but coupled with whatever's going on with the other virus, it's really taking a toll on my computer. I can't even open my task manager.

Can anyone help?




#1
January 6, 2010 at 00:58:11

Install & run Malwarebytes' Anti-Malware then google any remaining problems.

Example > rundll32.exe virus
http://www.google.com.au/#hl=en&q=r...

http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.malwarebytes.org/mbam.php
Forum
http://www.malwarebytes.org/forums/
If it won't run, rename the downloaded mbam-setup.exe file to mb.exe to help work around certain malware that will block it from being run.
If it still will not run:
1: Go to Control Panel > Programs and Features and uninstall Malwarebytes.
Next redownload Malwarebytes but rename it before you download it to your desktop. As you are in the process of downloading when you get to the point that the "enter name of file to save to" box appears, in the "filename" slot, rename mbam-setup.exe to something.exe, then click Save.
If it installed but will not run, navigate to this folder:
2: C:\Program Files\Malwarebytes' AntiMalware
At the top of the page, Tools > Folder Options > View, click > Show hidden files and folders and untick > Hide extensions for known file types.
Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.
When it opens, update 1st.
If it won't update after installing, update manually.
http://www.malwarebytes.org/mbam/da...
Download & install.



#2
January 6, 2010 at 09:39:06

Based on what I've seen in the past you MIGHT be infected with Virut. Very nasty virus. Hard to get rid of it. Spybot will identify it as Virut.bq. Let me know if it is Virut, I'll show where to get a good tool to fix it.


#3
January 6, 2010 at 10:41:21

Double check for any viruses or malicious spyware with reimage's free scan http://bit.ly/71u9F2

It gave me a full report, checking everything from my computer's performance to viruses and damaged files that were causing my computer to do strange things. Reimage also gave me a free repair key for recommending their product and I was very impressed with the automatic fix it was able to perform on my PC - all very cost-effective and easy to understand/use!



#4
January 6, 2010 at 10:48:22

Tried it, didn't work, tried renaming it, didn't work, tried the second option and found that it was saying that I couldn't get in because the file was also infected. Every time it gives me an infection popup, it encourages me to activate my antivirus software. So I'm thinking that none of these files are actually infected, but the phony antivirus is trying to get me to buy their software.

Problem is, now that I know what's doing this, they won't let me kill them. They're blocking me from getting into my Add and Remove files.



#5
January 6, 2010 at 14:56:30

"So I'm thinking that none of these files are actually infected, but the phony antivirus is trying to get me to buy their software"

If you haven't removed all the Antivirus LIVE files, here is how.

Antivirus LIVE

http://www.google.com.au/#hl=en&q=A...

http://www.2-spyware.com/remove-ant...

Antivirus Live manual removal:
Kill processes:
[random]sysguard.exe
HELP:
how to kill malicious processes

Delete registry values:
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[random]"
HELP:
how to remove registry entries

Delete files:
[random]sysguard.exe
HELP:
how to remove harmful files

Delete directories:
%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS]\
%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS]\[random]sysguard.exe
Other programs to remove Antivirus Live:
• Malwarebytes Anti-Malware
• Windows Defender
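An audit script, added here and not taken from the thread or from 2-spyware, that checks a machine for the Antivirus Live indicators listed in this post and only reports them, deleting nothing. It assumes PowerShell is installed on the XP machine and the XP folder layout named in the post (Local Settings\Application Data).

```powershell
# Added example: report-only audit for the Antivirus Live indicators listed above.
# Assumes PowerShell on the affected machine; run it from the infected user's account.
$checks = @(
  @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'RunInvalidSignatures'; Bad = '1' },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyServer'; Bad = 'http=127.0.0.1:5555' },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes'; Bad = '.exe' },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation'; Bad = '1' }
)
$findings = @()

# The rogue's own key
if (Test-Path 'HKCU:\Software\AvScan') { $findings += 'Registry key present: HKCU\Software\AvScan' }

# Values the post lists, compared against the exact value it gives
foreach ($c in $checks) {
  if (Test-Path $c.Path) {
    $v = (Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and "$v" -eq $c.Bad) { $findings += "Registry value: $($c.Path)\$($c.Name) = $v" }
  }
}

# Run keys: the entry name is random, so match on the command pointing at *sysguard.exe
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
  if (Test-Path $run) {
    foreach ($p in (Get-ItemProperty -Path $run).PSObject.Properties) {
      if ($p.Value -is [string] -and $p.Value -match 'sysguard\.exe') { $findings += "Run entry: $run\$($p.Name) = $($p.Value)" }
    }
  }
}

# Dropped file: [random]sysguard.exe under Local Settings\Application Data (XP layout)
$lad = Join-Path $env:USERPROFILE 'Local Settings\Application Data'
if (Test-Path $lad) {
  Get-ChildItem -Path $lad -Recurse -Filter '*sysguard.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "File: $($_.FullName)" }
}

# Running process: [random]sysguard (ProcessName has no extension)
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -match 'sysguard$' } |
  ForEach-Object { $findings += "Process: $($_.ProcessName) (PID $($_.Id))" }

if ($findings.Count -eq 0) { 'No Antivirus Live indicators found.' } else { $findings }
```

The ProxyServer check is the one worth reading first: a proxy of 127.0.0.1:5555 explains why the browser is hijacked even when "the internet works fine".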



#6
January 7, 2010 at 15:25:20

I went to my Local Settings file and found these:

mimo.sys
otydyduze.sys
sypygesowi.ban
umyguq.sys
vynaqenuh.inf
wiluxu.exe
xomy.sys
ysusyfasis.lib
zelyx.com

Do I kill them or what?



#7
January 7, 2010 at 17:38:02

"Do I kill them or what?"

Probably kill them, but google them 1st.

Did you run malwarebytes? If so, be specific.



#8
January 8, 2010 at 12:56:32

I tried downloading it, but AL isn't letting me run it.


#9
January 8, 2010 at 13:42:00

"I tried downloading it, but AL isn't letting me run it."

This is what I mean by being specific, what are you referring to by saying "it"?

If others had posted after me, as has happened above, no one knows what "it" is.

I assume you mean Malwarebytes.

Did you try the ways I posted earlier?

"If it installed but will not run, navigate to this folder:

2: C:\Program Files\Malwarebytes' AntiMalware
At the top of the page, Tools > Folder Options > View, click > Show hidden files and folders and untick > Hide extensions for known file types.

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again."

Another way: if the above does not work, try all of the above with Malwarebytes in Safe mode.



#10
January 8, 2010 at 13:46:56

Yes I mean Malwarebytes, the "it" that I'm supposed to be downloading.

AL isn't letting the Malwarebytes setup run though.



#11
January 8, 2010 at 14:12:04

I also gave you instructions on how to remove AL manually, give me exact details of what you did.


#12
January 8, 2010 at 14:18:11

Everything but removing the registry values as I can't backup my computer right now because I don't have any data discs or a hard drive large enough to do it...


#13
January 8, 2010 at 14:28:12

I just googled AL again, here are instructions to tackle it a different way, make sure you do every step & like it says > Print out these instructions as we may need to close every window that is open later in the fix.

Antivirus LIVE

http://www.google.com.au/#hl=en&sou...

http://www.bleepingcomputer.com/vir...



#14
January 8, 2010 at 16:33:18

AL wouldn't let me run the setup on this computer, so I ran it on my laptop. Two problems came up:

1. My laptop isn't connected to the internet because our new router has no wireless and won't send my laptop an IP address when I use the Ethernet cable so I can't update MBAM.

2. AL isn't letting me run MBAM at all on this computer. I've been trying to bypass this, but every time, AL ends up shutting MBAM down.



#15
January 8, 2010 at 16:52:32

"2. AL isn't letting me run MBAM at all on this computer"

You have to remove AL manually, or find another way to remove it.

Google finds this.

http://www.2-spyware.com/remove-ant...

4. Now download renamed Process Explorer (explorer.com) and terminate Antivirus Live processes. Should be [random]sysguard.exe, for example: wmcqsysguard.exe.

http://www.2-spyware.com/images/dat...

NOTE: Do not reboot your computer after using Process Explorer and terminating Antivirus Live processes.

Now you should be able to download an automatic Antivirus Live removal tool or another anti-spyware application. Most importantly, do not purchase it. If you have already done that, please contact your credit card company and dispute the charges.

