Rundell32

yrreg · #1 December 3rd, 2004, 10:47 AM

System resources running low. Popups every few minutes. Have ran adware, spybot, avg, housecall and panda still no luck. Rundll32 keeps running in task manager and when I close it resources come back to normal and no popups, but Rundll32 starts up again and same old problems.
Could someone please check my Hijack This and see if I can sort out this problem.
Thanking you Gerry

Logfile of HijackThis v1.98.2
Scan saved at 10:55:54, on 03/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WIN\SYSTEM\KERNEL32.DLL
C:\WIN\SYSTEM\MSGSRV32.EXE
C:\WIN\SYSTEM\MPREXE.EXE
C:\WIN\SYSTEM\mmtask.tsk
C:\WIN\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPERLITE\DKSERVICE.EXE
C:\WIN\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WIN\EXPLORER.EXE
C:\WIN\SYSTEM\SYSTRAY.EXE
C:\WIN\SYSTEM\GSICON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WIN\SYSTEM\WMIEXE.EXE
C:\WIN\SYSTEM\DDHELP.EXE
C:\WIN\SYSTEM\RNAAPP.EXE
C:\WIN\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WIN\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\NEW FOLDER (2)\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WIN\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [websx] C:\PROGRAM FILES\WEBSX\INT139749.EXE -auto
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WIN\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WIN\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Spy-Ad Realtime Monitor] "C:\Program Files\Oreware.com\Spy-Ad Exterminator Pro\AdMonStartup.exe" -t 10000
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {233A9694-667E-11d1-9DFB-006097D5040A} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/tools/activex/fpu.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/support/ocis/SiSAutodetect98.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...terInstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...06/mcfscan.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files...fosFinder2.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?325

DELTREE · #2 December 3rd, 2004, 03:32 PM

Read this and I hope it may help you to understand what your problem maybe?http://search.microsoft.com/search/r...us&qu=rundll32
Take Care

tetonbob · #3 December 3rd, 2004, 10:15 PM

Rundll32 is a legitimate file in most cases. It is a valid system file which executes a function of a DLL. The rundll32.exe file is located in the c:\windows\System32 folder. In other cases, rundll32.exe is a virus, spyware, trojan or worm!

Run a search on your computer for the rundll32.exe file. Post back where it is located.

yrreg · #4 December 4th, 2004, 08:34 AM

Hi Deltree,
Checked out the site and could not find my related problem.

Regards Gerry

yrreg · #5 December 4th, 2004, 08:36 AM

Hi tetonbob,
rundll32.exe is located in c:\WIN.

Regards Gerry.

tetonbob · #6 December 4th, 2004, 03:00 PM

I see what I think are a couple of problems in your log, but I'm not an expert reader, so I must defer and hope a mod or HJT helper comes along.

I see you have Spy Ad Exterminator Pro running on your system. It is named as rogue/suspect anti spyware in the Syware Warrior list. I'd consider uninstalling it from your Add/Remove Programs in Contol Panel.

I'm sure you're running the latest and freshly updated versions of Spybot S&D <1.3> and AdawareSE, right?

<edit> My bad on the location in Win98. Your rundll32.exe file is in the correct location for Win98. \windows\system32 is the location in XP. Apologies. <end edit>

yrreg · #7 December 4th, 2004, 10:00 PM

Hi tetonbob,
I don't know were spy ad came from but I didn't install it! Its not in add/remove files and when I search for it by name I end up with over 2000 files? I have updated versions of spybot and adware se.

Regards Gerry