
rundll32.exe has my computer running very slowly

Discussion in 'Malware and Virus Removal Archive' started by Kreem, 2004/09/19.

Thread Status:
Not open for further replies.
  1. 2004/09/19
    Kreem

    Kreem Inactive Thread Starter

    Joined:
    2004/09/19
    Messages:
    6
    Likes Received:
    0
    edit note: This thread was split from Here and the result below is from my instructions:
    open a cmd prompt (start~run~cmd) or have one open ahead of time. Then either type this in or if you prefer, have it where you can copy & paste it.
    Code:
    Tasklist /M /FI  "imagename eq rundll32.exe" > C:\rundll.txt
    Then open the c:\rundll.txt file, copy the contents, and paste it here so we can have a look-see.

    Now on to Kreem's problem. Newt


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Hi All! First of all, sorry about my poor English (I'm Spanish) :p

    Well, for a few days I've been getting the same problem as Irene and Lubos. A process called rundll32.exe is using 99% of my CPU. I tried many things to solve this: ad-ware programs, several antivirus (I've got McAfee with the latest virus definitions) and so on.
    At last I've found this forum and I executed the command line that Newt said, and here is the result:

    rundll32.exe ntdll.dll, kernel32.dll, msvcrt.dll,
    GDI32.dll, USER32.dll, ADVAPI32.dll,
    RPCRT4.dll, IMAGEHLP.dll, AxtPanel.dll,
    USERENV.dll, comdlg32.dll, SHLWAPI.dll,
    COMCTL32.dll, SHELL32.dll, WINSPOOL.DRV,
    ole32.dll, OLEAUT32.dll, oledlg.dll,
    urlmon.dll, VERSION.dll, WININET.dll,
    CRYPT32.dll, MSASN1.dll, WS2_32.dll,
    WS2HELP.dll, comctl32.dll, Secur32.dll,
    RASAPI32.DLL, rasman.dll, NETAPI32.dll,
    TAPI32.dll, rtutils.dll, WINMM.dll,
    sensapi.dll, McVSSkt.dll, rsaenh.dll,
    mswsock.dll, wshtcpip.dll, DNSAPI.dll,
    winrnr.dll, WLDAP32.dll, rasadhlp.dll

    My O.S. is XP-Pro.

    :confused: I'm "desperado" !!! I can't run any apps or games because they're slower than a turtle. Please help me!!!

    Thanks in advance and best regards from Menorca!!!
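    The module list Newt asked for is the whole diagnostic here: every DLL in it is a standard Windows or McAfee component except one, and that one changes its name between Kreem's two scans (AxtPanel.dll, later 6bo4svc.dll). The script below is an added example, not code from the thread: it parses `tasklist /M` output as pasted on the page, compares the loaded modules against an assumed baseline of expected DLLs, and diffs two scans of the same host. The baseline set and the treatment of McVSSkt.dll as McAfee's own hook are assumptions.

```python
"""Triage of `tasklist /M /FI "imagename eq rundll32.exe"` output.

Added example, not code from the thread. It parses the two module listings
Kreem posted, flags modules missing from a baseline of expected DLLs, and
diffs the two scans so a module whose name changed between runs stands out.
"""
import re

# Constructed samples: Kreem's two listings as they appear on the page. The
# first was posted without the header; the second differs only in the header,
# the PID and one module name, so its tail is reused from the first.
SCAN_1 = """rundll32.exe ntdll.dll, kernel32.dll, msvcrt.dll,
GDI32.dll, USER32.dll, ADVAPI32.dll,
RPCRT4.dll, IMAGEHLP.dll, AxtPanel.dll,
USERENV.dll, comdlg32.dll, SHLWAPI.dll,
COMCTL32.dll, SHELL32.dll, WINSPOOL.DRV,
ole32.dll, OLEAUT32.dll, oledlg.dll,
urlmon.dll, VERSION.dll, WININET.dll,
CRYPT32.dll, MSASN1.dll, WS2_32.dll,
WS2HELP.dll, comctl32.dll, Secur32.dll,
RASAPI32.DLL, rasman.dll, NETAPI32.dll,
TAPI32.dll, rtutils.dll, WINMM.dll,
sensapi.dll, McVSSkt.dll, rsaenh.dll,
mswsock.dll, wshtcpip.dll, DNSAPI.dll,
winrnr.dll, WLDAP32.dll, rasadhlp.dll
"""
SCAN_2 = """Nombre de imagen PID Modulos
========================= ====== =============================================
rundll32.exe 1644 ntdll.dll, kernel32.dll, msvcrt.dll,
GDI32.dll, USER32.dll, ADVAPI32.dll,
RPCRT4.dll, IMAGEHLP.dll, 6bo4svc.dll,
""" + SCAN_1.split("\n", 3)[3]

# Assumed baseline: the Windows XP system DLLs common to both listings, plus
# McVSSkt.dll, taken here to be the McAfee VirusScan Online winsock hook this
# machine runs. In practice the baseline is captured from a clean machine with
# the same software installed, not typed in by hand.
BASELINE = {
    "ntdll.dll", "kernel32.dll", "msvcrt.dll", "gdi32.dll", "user32.dll",
    "advapi32.dll", "rpcrt4.dll", "imagehlp.dll", "userenv.dll", "comdlg32.dll",
    "shlwapi.dll", "comctl32.dll", "shell32.dll", "winspool.drv", "ole32.dll",
    "oleaut32.dll", "oledlg.dll", "urlmon.dll", "version.dll", "wininet.dll",
    "crypt32.dll", "msasn1.dll", "ws2_32.dll", "ws2help.dll", "secur32.dll",
    "rasapi32.dll", "rasman.dll", "netapi32.dll", "tapi32.dll", "rtutils.dll",
    "winmm.dll", "sensapi.dll", "rsaenh.dll", "mswsock.dll", "wshtcpip.dll",
    "dnsapi.dll", "winrnr.dll", "wldap32.dll", "rasadhlp.dll", "mcvsskt.dll",
}

# A record starts on a line whose first token is the image name, optionally
# followed by the PID; later lines only carry more module names.
PROC_LINE = re.compile(r"^\s*(\S+\.exe)\s+(\d+)?\s*(.*)$", re.I)
MOD_TOKEN = re.compile(r"[^\s,]+\.(?:dll|drv|ocx)", re.I)


def parse_tasklist_modules(text):
    """Return [(image, pid_or_None, [module names, lower-cased])]."""
    records = []
    for line in text.splitlines():
        m = PROC_LINE.match(line)
        if m:
            image, pid, rest = m.groups()
            mods = [t.lower() for t in MOD_TOKEN.findall(rest)]
            records.append((image.lower(), int(pid) if pid else None, mods))
        elif records:  # continuation line of the current record
            records[-1][2].extend(t.lower() for t in MOD_TOKEN.findall(line))
    return records


def unexpected_modules(record, baseline=BASELINE):
    """Modules loaded into the process that are not in the baseline."""
    return sorted(set(record[2]) - baseline)


def diff_listings(rec_a, rec_b):
    """(only in A, only in B): a module renamed between two scans of the same
    host shows up on both sides while everything else cancels out."""
    a, b = set(rec_a[2]), set(rec_b[2])
    return sorted(a - b), sorted(b - a)


def looks_generated(name):
    """Weak hint only: letters and digits interleaved in the stem (6bo4svc),
    unlike versioned system names such as ws2_32 or comctl32."""
    stem = "".join(c for c in name.rsplit(".", 1)[0] if c.isalnum())
    flips = sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))
    return flips >= 2


if __name__ == "__main__":
    first = parse_tasklist_modules(SCAN_1)[0]
    second = parse_tasklist_modules(SCAN_2)[0]
    for label, rec in (("scan 1", first), ("scan 2", second)):
        for mod in unexpected_modules(rec):
            hint = " (name looks generated)" if looks_generated(mod) else ""
            print(f"{label}: not in baseline: {mod}{hint}")
    print("changed between scans:", diff_listings(first, second))
```

The baseline catches the odd module in each scan on its own; the diff is the stronger signal, because a legitimate DLL does not change its file name between two runs on the same machine.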
     
  2. 2004/09/19
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hi Kreem. That is a bunch of stuff running. Not surprised things are way slow for you.

    I'm going to split this off into a new thread so you can get better advice without any clutter from the original thread. I'm also going to move it to the security section based on some of the stuff you show as running.

    Please download Hijackthis v1.98.2 and create a folder for it. C:\hjt or c:\antispyware would be good.

    Once you have done that, if you have used msconfig to stop any items from loading at startup, please change so they are all starting (will require a reboot). If you haven't or don't know anything about it, that's fine.

    Run Hijackthis and click for it to do a scan. When the scan is finished, click to create a log file. When the log opens in notepad, copy the entire log contents to this thread.
     
    Newt,
    #2


  4. 2004/09/20
    Kreem

    Kreem Inactive Thread Starter

    Joined:
    2004/09/19
    Messages:
    6
    Likes Received:
    0
    Hi Newt:

    Yes, I used msconfig to stop some items from loading at startup. I checked them all again and rebooted (now they are ALL running). There are some more problems with my PC:
    - When I boot it (sometimes, not always) it makes a reset after a few seconds.
    - The rundll32.exe only takes 99% of CPU when I connect to the internet (I'm using a WinPoet DSL dial-up connection)

    Well, I did the scan with the Hijackthis v1.98.2 and here is the result:

    StartupList report, 20/09/2004, 14:20:10
    StartupList version: 1.52.2
    Started from : C:\hjt\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
    c:\ARCHIV~1\mcafee.com\vso\mcvsrte.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\WinPoET Broadband Connection\WrOS.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\WinPoET Broadband Connection\winpppoverethernet.exe
    C:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe
    C:\ARCHIV~1\mcafee.com\agent\mcagent.exe
    c:\archiv~1\mcafee.com\vso\mcvsescn.exe
    C:\Archivos de programa\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Archivos de programa\SED\SED.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
    c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\ARCHIV~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\hjt\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Kreem\Menú Inicio\Programas\Inicio]
    Launch K9.lnk = C:\Archivos de programa\KeirNet\K9\K9.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio]
    Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    a-winpoet-service = "C:\Archivos de programa\WinPoET Broadband Connection\winpppoverethernet.exe "
    VSOCheckTask = "c:\ARCHIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    VirusScan Online = "c:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe "
    MCUpdateExe = C:\ARCHIV~1\mcafee.com\agent\McUpdate.exe
    MCAgentExe = c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    WinTools = C:\ARCHIV~1\ARCHIV~1\WinTools\WToolsA.exe
    URLLSTCK.exe = C:\Utils\Antivirus\Norton\UrlLstCk.exe
    UpdReg = C:\WINDOWS\Updreg.exe
    SunJavaUpdateSched = C:\Archivos de programa\Java\j2re1.4.2_04\bin\jusched.exe
    SESync = "C:\Archivos de programa\SED\SED.exe "
    QuickTime Task = "C:\utils\divx\QuickTime\qttask.exe" -atboottime
    PinnacleDriverCheck = C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    pdfFactory Pro Dispatcher v1 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
    Openwares LiveUpdate = C:\Program Files\LiveUpdate\LiveUpdate.exe
    nwiz = nwiz.exe /install
    NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    Nokia Connection Monitor = "C:\Archivos de programa\Archivos comunes\Nokia\NCLTools\NclConf.exe "
    NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
    iTunesHelper = C:\Archivos de programa\iTunes\iTunesHelper.exe
    DataLayer = C:\Archivos de programa\Nokia\Nokia PC Suite 5\DataLayer.exe
    CTHelper = CTHELPER.EXE
    CloneCDTray = "C:\Utils\Grabadora\CloneCD\CloneCDTray.exe" /s
    CloneCDElbyCDFL = "C:\Utils\Grabadora\CloneCD\ElbyCheck.exe" /L ElbyCDFL

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    Wintask = c:\WINDOWS\Fonts\csrss.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    SuperAdBlocker = C:\Utils\Internet\Super AD Blocker\SAdBlock.exe
    Steam =
    Mozilla Quick Launch = "C:\ARCHIV~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Task Scheduler jobs:

    Comprobación de actualizaciones de es.mcafee.com (KREEM-Kreem).job

    --------------------------------------------------

    Enumerating Download Program Files:

    [{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Cult3D ActiveX Player]
    InProcServer32 = C:\WINDOWS\System32\Cult3D\IECult.dll
    CODEBASE = http://www.cult3d.com/download/cult.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [FilePlanet Download Control Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\FilePlanetDownloadCtrl.dll
    CODEBASE = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

    [McAfee.com Operating System Class]
    InProcServer32 = C:\WINDOWS\System32\mcinsctl.dll
    CODEBASE = http://bin.mcafee.com/molbin/shared/mcinsctl/es/4,0,0,83/mcinsctl.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    [{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37954.2110416667

    [DwnldGroupMgr Class]
    InProcServer32 = C:\WINDOWS\System32\McGDMgr.dll
    CODEBASE = http://bin.mcafee.com/molbin/shared/mcgdmgr/es/1,0,0,20/mcgdmgr.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 7.487 bytes
    Report generated in 0,060 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only



    I also did another rundll32.exe scan (with all processes running from msconfig) and here it is:


    Nombre de imagen PID Módulos
    ========================= ====== =============================================
    rundll32.exe 1644 ntdll.dll, kernel32.dll, msvcrt.dll,
    GDI32.dll, USER32.dll, ADVAPI32.dll,
    RPCRT4.dll, IMAGEHLP.dll, 6bo4svc.dll,
    USERENV.dll, comdlg32.dll, SHLWAPI.dll,
    COMCTL32.dll, SHELL32.dll, WINSPOOL.DRV,
    ole32.dll, OLEAUT32.dll, oledlg.dll,
    urlmon.dll, VERSION.dll, WININET.dll,
    CRYPT32.dll, MSASN1.dll, WS2_32.dll,
    WS2HELP.dll, comctl32.dll, Secur32.dll,
    RASAPI32.DLL, rasman.dll, NETAPI32.dll,
    TAPI32.dll, rtutils.dll, WINMM.dll,
    sensapi.dll, McVSSkt.dll, rsaenh.dll,
    mswsock.dll, wshtcpip.dll, DNSAPI.dll,
    winrnr.dll, WLDAP32.dll, rasadhlp.dll


    Thanks in advance for your help! :rolleyes:

    Colour edited - difficult to read - PeteC
     
  5. 2004/09/20
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks Kreem but not quite the Hijackthis log we needed. I think the part about msconfig led you on the wrong track. We need the regular scan log. Take a look at the pictures for specific directions.
     
    Newt,
    #4
  6. 2004/09/20
    WhitPhil

    WhitPhil Inactive

    Joined:
    2002/01/07
    Messages:
    599
    Likes Received:
    4
    Before posting another HJT log, go to Add/Remove programs and uninstall WINTOOLS.

    Download and run SpyBot and allow it to remove what it finds.

    And, run this online virus check

    Hopefully, one of the latter will detect and remove the csrss.exe program living in the fonts folder.
     
  7. 2004/09/21
    Kreem

    Kreem Inactive Thread Starter

    Joined:
    2004/09/19
    Messages:
    6
    Likes Received:
    0
    Hi Newt & WhitPhil:

    Sorry Newt, here is the correct scan. There are a few programs already uninstalled from my PC that still appear on it, such as K9.

    WhitPhil, WinTools was uninstalled BEFORE I posted my first log file.
    Spybot (v. 1.3 with the latest update) did not find any problems on my PC, just a few cookies that I removed.
    I also ran Ad-Aware SE Personal (nothing was found!)
    The Trend Micro online virus check did not find any virus on my PC.

    I've noticed that when I boot the PC and connect to the internet, everything seems fine. Then, when I run Mozilla or IE, rundll32.exe starts to take more and more CPU until it reaches 99% in just 3-4 seconds.
    Also, if I stop that process from Task Manager, the PC works OK again with no error messages.

    Well, here is the log file:

    Logfile of HijackThis v1.98.2
    Scan saved at 21:02:39, on 21/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
    c:\ARCHIV~1\mcafee.com\vso\mcvsrte.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\WinPoET Broadband Connection\WrOS.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\WinPoET Broadband Connection\winpppoverethernet.exe
    C:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe
    C:\ARCHIV~1\mcafee.com\agent\mcagent.exe
    c:\archiv~1\mcafee.com\vso\mcvsescn.exe
    C:\Archivos de programa\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Archivos de programa\SED\SED.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\ARCHIV~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
    C:\ARCHIV~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    R3 - URLSearchHook: CnfSearch Class - {D7CD08F0-D691-11D8-9669-0800200C9A66} - c:\windows\system32\ConfuSearch.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Utils\Internet\FlashGet\fgiebar.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [a-winpoet-service] "C:\Archivos de programa\WinPoET Broadband Connection\winpppoverethernet.exe "
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARCHIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WinTools] C:\ARCHIV~1\ARCHIV~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Utils\Antivirus\Norton\UrlLstCk.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [SESync] "C:\Archivos de programa\SED\SED.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\utils\divx\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Nokia Connection Monitor] "C:\Archivos de programa\Archivos comunes\Nokia\NCLTools\NclConf.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Archivos de programa\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [DataLayer] C:\Archivos de programa\Nokia\Nokia PC Suite 5\DataLayer.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Utils\Grabadora\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Utils\Grabadora\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKCU\..\Run: [SuperAdBlocker] C:\Utils\Internet\Super AD Blocker\SAdBlock.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\ARCHIV~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
    O4 - Startup: Launch K9.lnk = C:\Archivos de programa\KeirNet\K9\K9.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Descargar TODO con FlashGet - C:\Utils\Internet\FlashGet\jc_all.htm
    O8 - Extra context menu item: Descargar usando FlashGet - C:\Utils\Internet\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Utils\Internet\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Utils\Internet\FlashGet\flashget.exe
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/es/4,0,0,83/mcinsctl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/es/1,0,0,20/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2066B62E-3160-4F7E-A77E-BC6DE6C26761}: NameServer = 80.58.0.33,80.58.32.97
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BD4FC019-DC51-49D7-BB06-E43258D65EC0}: NameServer = 80.58.34.97 80.58.4.33
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2066B62E-3160-4F7E-A77E-BC6DE6C26761}: NameServer = 80.58.0.33,80.58.32.97
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2066B62E-3160-4F7E-A77E-BC6DE6C26761}: NameServer = 80.58.0.33,80.58.32.97

    Thank you all for your help!!!
     
  8. 2004/09/21
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I suggest the removal of these lines.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R3 - URLSearchHook: CnfSearch Class - {D7CD08F0-D691-11D8-9669-0800200C9A66} - c:\windows\system32\ConfuSearch.dll
    O4 - HKLM\..\Run: [WinTools] C:\ARCHIV~1\ARCHIV~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [SESync] "C:\Archivos de programa\SED\SED.exe "
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

    I can see that you use McAfee, but the following appears to be starting up the System Tray icon for Norton. Maybe you want to remove it?
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Utils\Antivirus\Norton\UrlLstCk.exe
     
  9. 2004/09/22
    Kreem

    Kreem Inactive Thread Starter

    Joined:
    2004/09/19
    Messages:
    6
    Likes Received:
    0
  10. 2004/09/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan your PC with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.
     
  11. 2004/09/23
    Kreem

    Kreem Inactive Thread Starter

    Joined:
    2004/09/19
    Messages:
    6
    Likes Received:
    0
    Hi all again!

    This is the LOG file for RAV online scan: as you can see, it found a virus!

    Scan started at 23/09/2004 7:50:09

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\mIRC\s\sockets.mrc - IRC/Generic* -> Suspicious
    C:\mIRC\s\Trivial\ircaptrivial.mrc - IRC/Generic* -> Suspicious
    C:\WINDOWS\system32\lspak.dll - TrojanDownloader:Win32/Agent.BR -> Infected
    C:\WINDOWS\system32\rulesak.dll - TrojanDownloader:Win32/Agent.BT -> Infected
    C:\WINDOWS\system32\updak.dll - TrojanDownloader:Win32/Agent.BR -> Infected
    C:\WINDOWS\Temp\lspak.dll - TrojanDownloader:Win32/Agent.BR -> Infected
    C:\WINDOWS\Temp\rulesak.dll - TrojanDownloader:Win32/Agent.BT -> Infected
    C:\WINDOWS\Temp\Archivos temporales de Internet\Content.IE5\7MUZ2VET\stc[1].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    C:\WINDOWS\Temp\Archivos temporales de Internet\Content.IE5\7MUZ2VET\stc[2].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    C:\WINDOWS\Temp\Archivos temporales de Internet\Content.IE5\7MUZ2VET\stc[3].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    C:\WINDOWS\Temp\Archivos temporales de Internet\Content.IE5\7MUZ2VET\stc[4].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    C:\WINDOWS\Temp\Archivos temporales de Internet\Content.IE5\8RABZDS6\stc[1].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    C:\WINDOWS\Temp\Archivos temporales de Internet\Content.IE5\GQIAK3V5\stc[1].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    F:\mIRC\s\sockets.mrc - IRC/Generic* -> Suspicious
    F:\mIRC\s\Trivial\ircaptrivial.mrc - IRC/Generic* -> Suspicious

    Scanned
    ============================
    Objects: 86687
    Directories: 6403
    Archives: 1580
    Size(Kb): 1102469
    Infected files: 11

    Found
    ============================
    Viruses found: 3
    Suspicious files: 4
    Disinfected files: 0
    Mail files: 161

    Now, here is another HijackThis scan, as noahdfear said:

    Logfile of HijackThis v1.98.2
    Scan saved at 14:20:26, on 23/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\ARCHIV~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\WinPoET Broadband Connection\WrOS.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
    C:\Archivos de programa\WinPoET Broadband Connection\winpppoverethernet.exe
    C:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe
    c:\archivos de programa\mcafee.com\agent\mcagent.exe
    c:\archiv~1\mcafee.com\vso\mcvsescn.exe
    C:\ARCHIV~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Utils\Internet\FlashGet\fgiebar.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [a-winpoet-service] "C:\Archivos de programa\WinPoET Broadband Connection\winpppoverethernet.exe "
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARCHIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [MCUpdateExe] c:\ARCHIV~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\mcagent.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\ARCHIV~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
    O8 - Extra context menu item: Descargar TODO con FlashGet - C:\Utils\Internet\FlashGet\jc_all.htm
    O8 - Extra context menu item: Descargar usando FlashGet - C:\Utils\Internet\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Utils\Internet\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Utils\Internet\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/es/4,0,0,83/mcinsctl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/es/1,0,0,20/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2066B62E-3160-4F7E-A77E-BC6DE6C26761}: NameServer = 80.58.0.33,80.58.32.97
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BD4FC019-DC51-49D7-BB06-E43258D65EC0}: NameServer = 80.58.4.33 80.58.34.97
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2066B62E-3160-4F7E-A77E-BC6DE6C26761}: NameServer = 80.58.0.33,80.58.32.97

    Thanks for your help!
     
  12. 2004/09/23
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You should install MoveOnBoot, then delete these files using it. It adds a new item to the right-click menu; select Move on Boot when wanting to delete files, reboot and they are gone.
    First disable System Restore, reboot and then delete these files.
    C:\mIRC\s\sockets.mrc
    C:\mIRC\s\Trivial\ircaptrivial.mrc
    C:\WINDOWS\system32\lspak.dll
    C:\WINDOWS\system32\rulesak.dll
    C:\WINDOWS\system32\updak.dll
    F:\mIRC\s\sockets.mrc
    F:\mIRC\s\Trivial\ircaptrivial.mrc
    Delete everything in the C:\windows\Temp folder, so that it is empty.


    I see nothing in the current HJT log that needs work.
     
  13. 2004/09/27
    Kreem

    Kreem Inactive Thread Starter

    Joined:
    2004/09/19
    Messages:
    6
    Likes Received:
    0
    AT LAST! I did what markp62 said and now it seems to work fine! No pop ups, and rundll32.exe does not take any excessive CPU!

    Thank you all for your help!
     
  14. 2004/09/27
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Cool, and you are welcome from all of us.
     