rundll32. exe application not found


  • This topic is locked
5 replies to this topic

#1 emort520

emort520

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 07 March 2010 - 08:42 PM

Hello. Yesterday my computer was infected with a virus that disabled my internet and kept popping up with an XP Antivirus Pro 2010 window. I ran Malwarebytes, which removed three infected items, and my Kaspersky Antivirus 2009 program, which showed nine threats (I'm not sure if they were removed). When I rebooted my computer, Kaspersky came up with a warning for Trojan.Win32.FraudPack.aoal, which Kaspersky took action on by removing it and rebooting the computer. Once the computer was rebooted, the virus popup stopped coming up. Then I ran a Microsoft PC safety scan, which came up negative. Now the problem I am having is that all of my programs, including Control Panel, sounds, performance, etc., cannot be accessed without having to browse for the exe file. I get the message c:\windows\system32\rundll32.exe application not found. I have already checked the c:\windows\system32 and c:\windows\sevicepack folders to ensure that they have the rundll32.exe file in them, and they do. Any help would be greatly appreciated. Thank you!

Edited by Orange Blossom, 07 March 2010 - 09:49 PM.
Move to AII. ~ OB



 


#2 coxchris

coxchris

  • Members
  • 1,151 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atwater
  • Local time:08:54 AM

Posted 07 March 2010 - 09:08 PM

It sounds like the virus made a copy of itself on the restore point. I would run Kaspersky and malware in safe mode just to be sure your computer is clean.

http://www.bleepingcomputer.com/virus-remo...ivirus-pro-2010 is the guide for removing that virus and known registry keys.

http://www.dll-files-download.com/R/2008-01-13/15185.html this is a generic rundll32.exe file. It's located in the system32 folder. Yes, I have one in that folder.

AA in Computer Networking Technology

BS in Information Technology 

Comptia A+, Project+, L+

Renewable:  N+,S+

CIW Web Design Specialist, JavaScript Specialist,  Database Design Specialist 

LPIC-1, SUSE 


#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:54 AM

Posted 07 March 2010 - 09:50 PM

Hello,

Instead of doing the above, please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==

If you can produce at least some of the logs, then please create the new topic. If you cannot produce any of the logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 gregfortune

gregfortune

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:54 AM

Posted 09 March 2010 - 12:58 PM

".aoal" is actually a new variant that I reported to Kaspersky on the 6th of March and the behavior is a little different from previous versions. It showed up in a new location under a new name (<USER>\Local Settings\Application Data\av.exe) and is a hidden, system file. In addition, it adds several hooks into the registry that launch av.exe when applications like Firefox, IE and others are launched. When av.exe is removed, those registry entries break and the applications can no longer be launched. It's quite possible that it can use other names/locations as well, but I've only seen the one instance of it.

Your applications are broken because the registry hooks are likely still in place, but it can't find the referenced file. To fix this, you should search your registry for av.exe. You'll see a line that looks something like
c:\some path\av.exe /START "%1 " %*

I don't remember the "%1 " %* part exactly so it may differ slightly. Everything up to and including /START is hostile and can be removed. That will leave you with something like
"%1 " %*

After making that change, the application in question should run correctly. Perhaps Kaspersky's removal procedure didn't clean up the registry correctly.

Below is a copy of my e-mail with Kaspersky:
This message has been generated by the automated submission tracking system. If we already detect these files, the message below tells you how we identify this threat. Your submission will be passed to a virus analyst.

av_evil.exe - Trojan.Win32.FraudPack.aoal

New malicious software was found in this file. The next antivirus database update will include detection for this malware. Thank you for your help.

Best regards, Kaspersky Lab


>> Fake anti-virus product. Adds registry entries associated with Firefox, IE and a few others that cause the program to launch at the same time as the other processes. Appears to fork the requested process and then reparent it several seconds later. Although I see descriptions of it, none of the AV or malware products I tried detected it and the Kaspersky online scan passes it too. The only file I found associated with it was in <USER>\Local Settings\Application Data\av.exe. I ended up renaming the file to av_EVIL.exe and creating a blank av.exe file in its place. av_EVIL.exe that I'm uploading was originally called av.exe. Unfortunately, I no longer have the registry entries, but it was something like:
>> path\av.exe /START "%1 " %*.
>>
>> uploaded files:
>> av_EVIL.exe

#5 emort520

emort520
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 09 March 2010 - 08:51 PM

Thank you very much for the information. I have been working long hours these last two days and have not had a chance to work on my computer. I will post again with the progress I make from your help. Thanks again.

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:54 AM

Posted 12 March 2010 - 05:56 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/302204/xp-anitivrus-pro-2010-and-trojanwin32fraudpackaoal-attack/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:



