Got a call the other day from a client whose mom was completely stymied in her efforts to actually, you know, use her computer.
Everything she clicked on – internet, email, docs – refused to work. Instead, she’d get a popup message with a rather cryptic (yet more informative than most) error: “Program name Bad image C:\windows\system32\0020.DLL is not a valid windows image”.
It turns out this was a symptom of a rather badly written little piece of malware. I say this, because if a virus, spyware, or adware disables a computer, the first thing a user will do it get it fixed. Really, folks. If you want to write good viruses which actually do their jobs (usually sending masses of spam) then make them do it without visible effect.
But I digress. I did a bit of searching, and found a fix. We couldn’t just run a virus-checker, since that did nothing but produce the “not a valid windows image” error. This one required manual termination.
I fixed this one over the phone, walking the client through it step by step. Normally I try not to do registry edits over the phone, since there is a good chance of miscommunication, thus making things worse. In this case, though, they were an hour away, during rush hour, so the phone seemed the best option.
We had to do two things – remove the registry entry that caused 0020.dl to run, and remove 0020.dll itself.
First, we got rid of the file. (We couldn’t edit the registry first, since we got the error when we tried to open regedit.
To remove the errant file, we opened up “My Computer”. In “My Computer”, we opened the hard drive (“Local Drive (C:)”). At this point, Windows warns, something like this: “Do you really want to do this? The contents are normally kept hidden”. We said yes. We then continued deeper into the system, double-clicking on the Windows folder, and then on system32. You might recognize this as the path that was in the original error message – “C:\windows\system32\0020.dll”.
Once we were in the system32 folder, we looked through the list and found 0020.dll. I wanted to remove it, and any other files in this folder that were created at the same time. We found one other file called “WORK.DAT” that had the same “date created”. We threw both files away.
Now that the file was gone, we could again open programs, so we opened regedit (Click “Start”, then type “regedit” in the search box, and hit return in Vista or Windows 7, or if you’re in Windows XP, click Start, then Run, then type regedit, and hit return).
In regedit, there is a list of items on the left, all starting with “HKEY_”. We opened the HKEY_Local_Machine folder by clicking the plus sign next to it (it’s a triangle instead of a plus sign in Windows 7). Then, in the list of items under HKEY_Local_Machine, we found “Software”. We opened that one, then “Microsoft”, then looked for “Windows NT”, then for “Current Version”, then finally in “Current Version”, we looked for and found “Windows”.
Now we were here, in the registry hierarchy: HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows . In the right-hand pane of the regedit window, we could a list of items. One in particular, we needed to change. Doubleclick on “AppInit_DLLs”, and we saw that it had a value entered of “C:\windows\system32\0020.dl”. We highlighted this and hit “delete”, then clicked “ok”. Then we restarted, and all was well.
As a final step, I had them fire up their antivirus software and update it, then run a full scan.
