This is a problem that can have multiple causes. In the computer I was working on, the Bamital trojan had made it impossible to do anything. The trojan would prevent you from doing anything and wanted you to pay a ransom. This was different from CryptoWall, which holds your files for ransom, in that this trojan held your computer for ransom. In the process of removing the trojan, I also removed a legitimate Windows file, which caused the problem.

The message “The program can’t start because xxxxxx.dll is missing from your computer” appears because that necessary DLL file is missing or corrupt. In my case, Bamital replaced the 32-bit advapi32.dll file so that whenever I ran a 32-bit program, the ransom lock screen appeared; 64-bit programs ran normally. When I removed Bamital using another computer, it deleted the replaced file, which meant I had to restore the now missing file.

Windows Vista and later keep multiple copies of DLL files. You can use that to restore the missing or corrupt DLL file. The files are located in the %windir%\winsxs folder (i.e. c:\windows\winsxs\). Once in that folder, use Windows Explorer to search for the file name without the extension. Since my message was “The program can’t start because advapi32.dll is missing from your computer”, I searched for just advapi32 and nothing else.

Remember: Unless you are using a 32-bit Windows, there are 32-bit and 64-bit versions of these files. If in doubt, restore both versions. The folder name for all 32-bit DLL files begins with x86 but the folder names for 64-bit files will begin with amd64. The 32-bit version goes in the %windir%\sysWOW64\ folder. The 64-bit version, or the only version if this is a 32-bit Windows, goes in the %windir%\system32 folder.

After finding the folders with the needed files, I chose the one with the most recent date. My antivirus program told me it deleted the advapi32.dll 32-bit file so I knew I only needed to copy the correct file back to the c:\windows\sysWOW64\ folder.

After restoring the file, my programs began to work as normal with no more ransom.

One last note: It is a very good idea to go ahead and run the sfc /scannow command.
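The search-and-copy steps above can also be scripted. The following PowerShell is an added example, not part of the original post; the function name Restore-DllFromWinSxS and its parameters are hypothetical, and it assumes an elevated 64-bit PowerShell session. It lists every candidate with its version and signature status, then copies the most recent one to the folder that matches its architecture.

```powershell
# Added example; function and parameter names are illustrative, not a built-in cmdlet.
# Assumption: elevated 64-bit PowerShell, so System32 is not redirected to SysWOW64.
function Restore-DllFromWinSxS {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DllName,             # e.g. advapi32.dll
        [ValidateSet('x86', 'amd64')][string]$Architecture = 'x86'
    )

    $is64 = [Environment]::Is64BitOperatingSystem
    if ($Architecture -eq 'amd64' -and -not $is64) {
        throw '32-bit Windows has no amd64 component folders.'
    }
    # Mapping from the article: 32-bit file on 64-bit Windows -> SysWOW64,
    # 64-bit file (or the only file on 32-bit Windows) -> System32.
    $targetDir = if ($Architecture -eq 'x86' -and $is64) {
        Join-Path $env:windir 'SysWOW64'
    } else {
        Join-Path $env:windir 'System32'
    }

    # Component folder names begin with the architecture (x86_... or amd64_...).
    $pattern = Join-Path $env:windir "WinSxS\${Architecture}_*\$DllName"
    $candidates = @(Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending)
    if ($candidates.Count -eq 0) {
        throw "No $Architecture copy of $DllName found under WinSxS."
    }

    # Show all candidates so the choice can be reviewed before anything is copied.
    # Catalog-signed system files can show NotSigned on older PowerShell versions.
    $candidates | Select-Object @{ n = 'Folder';    e = { $_.Directory.Name } },
                                @{ n = 'Modified';  e = { $_.LastWriteTime } },
                                @{ n = 'Version';   e = { $_.VersionInfo.FileVersion } },
                                @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } } |
        Format-List | Out-Host

    $dest = Join-Path $targetDir $DllName
    if (Test-Path -LiteralPath $dest) {
        throw "$dest already exists; inspect it before replacing it."
    }
    if ($PSCmdlet.ShouldProcess($dest, "Copy $($candidates[0].FullName)")) {
        Copy-Item -LiteralPath $candidates[0].FullName -Destination $dest
    }
}

# Dry run for the case in this article (32-bit advapi32.dll on 64-bit Windows):
Restore-DllFromWinSxS -DllName 'advapi32.dll' -Architecture x86 -WhatIf
```

Remove `-WhatIf` to perform the copy once the listed candidate looks right.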

Now about that Bamital trojan. It had me stumped at first. I noticed that some programs opened normally but some didn’t. I thought the malware had modified the .exe settings in the registry and that simply fixing that would fix my problem. But when it didn’t, I was confused. What I didn’t understand was why some programs opened fine while others didn’t. (I eventually figured out it was only 64-bit programs that opened fine.)

So I took the laptop home and scanned it with ESET on my computer. It detected the Bamital trojan and deleted the advapi32.dll file. I figured Bamital just chose that file at random. Now some programs gave the message I started off with above. But no more ransom.

I didn’t know at first that advapi32.dll is a legitimate Windows file. So I attempted to use the regsvr32.exe command to unregister the DLL file. It didn’t work. I attempted to remove any entries of advapi32.dll from the registry. Windows wouldn’t let me. (Good thing too.) Only after a few Google searches did I realize that I actually needed that file. That is when I got a good copy from the %windir%\winsxs\ folder and all was well.
