
rundll32.exe prob

Discussion in 'Malware and Virus Removal Archive' started by zinco, 2004/10/20.

Thread Status:
Not open for further replies.
  1. 2004/10/20, zinco (Thread Starter)
    Problem seems to be similar to Paul's in the other thread, in that a rundll32.exe process will sometimes run and use 98% of CPU and slooooowwww everything to a crawl. I have been running this computer for over a year very smoothly. Symptoms started about two months ago. Not sure if this happened right after SP2 or not. The problem is intermittent (about twice a week). Also, I forgot that a few times it has been explorer.exe running at 99%.

    Sometimes everything gets bogged down and I will check task manager and notice that a rundll32.exe is using 98% of my processor. I have run adaware, spybot, and virus scans numerous times and can't find a culprit.

    Here is a list of modules running while it was happening:

    Image Name PID Modules
    ========================= ====== =============================================
    rundll32.exe 1944 ntdll.dll, kernel32.dll, msvcrt.dll,
    GDI32.dll, USER32.dll, IMAGEHLP.dll,
    ShimEng.dll, AcGenral.DLL, ADVAPI32.dll,
    RPCRT4.dll, WINMM.dll, ole32.dll,
    OLEAUT32.dll, MSACM32.dll, VERSION.dll,
    SHELL32.dll, SHLWAPI.dll, USERENV.dll,
    UxTheme.dll, comctl32.dll, comctl32.dll,
    nview.dll, PSAPI.DLL, NTMARTA.DLL,
    WLDAP32.dll, SAMLIB.dll, nvwddi.dll,
    LgMsgHk.dll, MSVCP60.dll, LgWndHk.dll,
    CLBCATQ.DLL, COMRes.dll, Secur32.dll,
    shimgvw.dll, gdiplus.dll, SETUPAPI.dll,
    appHelp.dll, nvshell.dll, IMM32.dll
    rundll32.exe 1988 ntdll.dll, kernel32.dll, msvcrt.dll,
    GDI32.dll, USER32.dll, IMAGEHLP.dll,
    ShimEng.dll, AcGenral.DLL, ADVAPI32.dll,
    RPCRT4.dll, WINMM.dll, ole32.dll,
    OLEAUT32.dll, MSACM32.dll, VERSION.dll,
    SHELL32.dll, SHLWAPI.dll, USERENV.dll,
    UxTheme.dll, comctl32.dll, comctl32.dll,
    NvMcTray.dll, PSAPI.DLL, LgMsgHk.dll,
    MSVCP60.dll, LgWndHk.dll, nview.dll,
    NTMARTA.DLL, WLDAP32.dll, SAMLIB.dll,
    nvwddi.dll, IMM32.dll

    Here is a HijackThis log (this is not from a time the problem was occurring):

    Logfile of HijackThis v1.98.2
    Scan saved at 1:14:21 AM, on 10/20/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    F:\BITWARE\NT\bwprnmon.exe
    C:\WINDOWS\System32\Drivers\XWMSAPI.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\wisptis.exe
    C:\WINDOWS\System32\svchost.exe
    F:\My Download Files\security\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.attbb.net
    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\xp_programs\adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [bwprnmon.exe] F:\BITWARE\NT\bwprnmon.exe
    O4 - HKLM\..\Run: [XWMSUSBAPI] C:\WINDOWS\System32\Drivers\XWMSAPI.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
    O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &NeoTrace It! - F:\XP_PRO~1\NEOTRA~1\NTXcontext.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\xp_programs\yahoo\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\xp_programs\yahoo\Messenger\yhexbmes0411.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - F:\XP_PRO~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,74/mcinsctl.cab
    O16 - DPF: {610FB8B8-2427-4375-BCF9-2F7AE17173A6} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093677000515
    O16 - DPF: {66BB2143-EA4B-4323-A703-B973D9A0475E} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://F:\Program Files\AutoCad\AcDcToday.ocx
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://F:\Program Files\AutoCad\InstBanr.ocx
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://F:\Program Files\AutoCad\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://F:\Program Files\AutoCad\AcPreview.ocx
     
    Last edited: 2004/10/20
  2. 2004/10/20, zinco (Thread Starter)
    CWShredder didn't find anything. :D
     


  4. 2004/10/20, zinco (Thread Starter)
    Deleted these three because they looked funny:

    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    Deleted these three because I don't need them:

    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/s...74/mcinsctl.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
     
  5. 2004/10/20, zinco (Thread Starter)
    Running RAV Antivirus now.

    $NtServicePackUninstall$
    $NtUninstallKB820291$

    Are all these $NtUninstallKB820291$ folders in windows XP legit folders?
     
  6. 2004/10/20, Newt
    You might have done better to have waited before removing those since there is other stuff you need to do for complete removal sometimes.

    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    Take a look Here for details about the critter and about the other things you need to do if you want the malware gone. Otherwise it will still be active and you'll probably see this entry show up again.

    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    File should have been VSCShellExtension.dll and that one is a part of McAfee so you may have partly disabled your AV.

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    More McAfee. mcvsshl.dll this time.

    And the O16 items are always safe to delete. Any that are needed will be reloaded when you visit a site that needs them. Just slows things down a tiny bit.

    Are all these $NtUninstallKB820291$ folders in windows XP legit folders?

    If you have more than one KB820291 entry then you have a problem. But there will be one for each service pack/hot fix you install if you used the option to have it available for later uninstall. Some don't even ask. All that happens if you delete them is you lose the ability to uninstall whatever they are.
     
    Newt,
    #5
  7. 2004/10/20, zinco (Thread Starter)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/s...74/mcinsctl.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

    These I wasn't concerned about because I recognized them and don't use them anywhere.

    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    File should have been VSCShellExtension.dll and that one is a part of McAfee so you may have partly disabled your AV.

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    More McAfee. mcvsshl.dll this time.

    Since these are McAfee I am not worried about them.
     
    Last edited: 2004/10/20
  8. 2004/10/20, zinco (Thread Starter)
    Problem occurred tonight again, only this time when I opened Task Manager explorer.exe was running at 99%. I managed to get a HijackThis log while this was happening. Don't know if this will help.

    Logfile of HijackThis v1.98.2
    Scan saved at 6:22:47 PM, on 10/20/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    F:\BITWARE\NT\bwprnmon.exe
    C:\WINDOWS\System32\Drivers\XWMSAPI.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\wisptis.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\xp_programs\Teamspeak2_RC2\TeamSpeak.exe
    F:\Program Files\Codemasters\OperationFlashpoint\FLASHPOINTBETA.EXE
    F:\xp_programs\edit_plus\editplus.exe
    C:\WINDOWS\system32\taskmgr.exe
    F:\My Download Files\security\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.attbb.net
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\xp_programs\adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [bwprnmon.exe] F:\BITWARE\NT\bwprnmon.exe
    O4 - HKLM\..\Run: [XWMSUSBAPI] C:\WINDOWS\System32\Drivers\XWMSAPI.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
    O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &NeoTrace It! - F:\XP_PRO~1\NEOTRA~1\NTXcontext.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\xp_programs\yahoo\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\xp_programs\yahoo\Messenger\yhexbmes0411.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - F:\XP_PRO~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {610FB8B8-2427-4375-BCF9-2F7AE17173A6} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093677000515
    O16 - DPF: {66BB2143-EA4B-4323-A703-B973D9A0475E} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://F:\Program Files\AutoCad\AcDcToday.ocx
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://F:\Program Files\AutoCad\InstBanr.ocx
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://F:\Program Files\AutoCad\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://F:\Program Files\AutoCad\AcPreview.ocx
     
  9. 2004/10/21, Newt
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    Not a baddie but not needed at startup and just slows things down a little. No harm in removing the startup entry with HJT.

    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    Part of Spyware.Isearch, so use their instructions for manual removal, but certainly uncheck the O16 and delete the install.cab file.

    You don't appear to have any Antivirus protection running. It sounds like something is messing with explorer.exe (maybe calling an infected .dll of some sort). Run online virus scans with Housecall and Panda to clean things up (or to make sure you are clean) and get some resident AV running.
     
    Newt,
    #8
  10. 2004/10/21, zinco (Thread Starter)
    Seems to me as well that something is taking over a dll either through explorer or rundll32. Seems to be related to the task bar. The task bar loses all functionality when it happens but other things I can slowly get to work.

    Ran one with RAV. I will get it all cleaned up and run some different online AVs to make sure. I hate running resident AV. One time NAV messed up my AutoCAD right in the middle of a big project and it cost me a bunch of time. Took me a while to determine that it was NAV that caused it.

    RAV Results:

    Scan started at 10/21/2004 12:00:56 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\RECYCLER\S-1-5-21-1390067357-746137067-839522115-1003\Dc18.exe - TrojanDownloader:Win32/Small -> Infected
    C:\RECYCLER\S-1-5-21-1390067357-746137067-839522115-1003\Dc19.exe - Trojan:Win32/Istall.B -> Infected
    F:\WINDOWS\Application Data\Identities\{E23FC0E4-3B5B-11D6-ABE1-0002E31F0561}\Microsoft\Outlook Express\Deleted Items.dbx->Message.6: (Salgal8056 [Worm Klez.E immunity])->(part0001:TAG .pif) - Win32/Klez.H@mm -> Infected
    F:\WINDOWS\Application Data\Identities\{E23FC0E4-3B5B-11D6-ABE1-0002E31F0561}\Microsoft\Outlook Express\Deleted Items.dbx->Message.5: (cboltmore [By phpBB 2.0.0 ])->(part0000:)->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    F:\WINDOWS\Application Data\Identities\{E23FC0E4-3B5B-11D6-ABE1-0002E31F0561}\Microsoft\Outlook Express\Deleted Items.dbx->Message.5: (cboltmore [By phpBB 2.0.0 ])->(part0001:Group.pif) - Win32/Klez.H@mm -> Infected
    F:\WINDOWS\Profiles\Zinco\Application Data\Qualcomm\Eudora\Outlook Express1.fol\Inbox.fol\Inbox.mbx->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
    F:\RECYCLED\Df50.exe->(UPXW)->(RARSfx)->bpkhk.dll - SpyTool:Win32/PerfectKeyLogger_147 -> Infected
    F:\RECYCLED\Df50.exe->(UPXW)->(RARSfx)->bpkwb.dll->(ASPack 2.12) - SpyTool:Win32/PerfectKeyLogger_147 -> Infected
    F:\System Volume Information\_restore{E72639EF-7E36-4061-A69D-CB440FDD0E47}\RP356\A0087589.exe - Trojan:Win32/Tumbo.A -> Infected
    F:\System Volume Information\_restore{E72639EF-7E36-4061-A69D-CB440FDD0E47}\RP356\A0087599.exe - Trojan:Win32/Tumbo.A -> Infected
    F:\System Volume Information\_restore{E72639EF-7E36-4061-A69D-CB440FDD0E47}\RP356\A0087600.exe - Trojan:Win32/Tumbo.A -> Infected
    F:\System Volume Information\_restore{E72639EF-7E36-4061-A69D-CB440FDD0E47}\RP356\A0087601.exe - Trojan:Win32/Tumbo.A -> Infected

    Scanned
    ============================
    Objects: 170187
    Directories: 12003
    Archives: 9739
    Size(Kb): 1851528
    Infected files: 11

    Found
    ============================
    Viruses found: 6
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 3948
     
    Last edited: 2004/10/21
  11. 2004/10/21, Newt
    If you insist on using the internet with no resident AV app on your PC, then we are both wasting time with trying to clean things up.
     
  12. 2004/10/21, zinco (Thread Starter)
    Roger that I will get one. Thanks for the help. :)
     
  13. 2004/10/22, zinco (Thread Starter)
    Working on getting a resident AV program.

    Ran Panda online with 0 files infected.

    Scanned Yes 423252 0
    Infected - 0 0
    Suspicious - 0 0
    Disinfected - 0 0
     
  14. 2004/10/22, zinco (Thread Starter)
    Ran Housecall online with no files found.
     
  15. 2004/10/22, Newt
    Resident AV will save you lots of grief. The free version of AVG is good and puts a minimal load on the system. You barely notice it.

    The list of stuff that RAV found - did you manage to make all of it go away? And if so, are you still having issues?
     
  16. 2004/10/22, zinco (Thread Starter)
    Problem occurred tonight again (rundll32.exe using 99% of CPU).

    Managed to run a tasklist command on it while it was happening.

    tasklist /m /fi "IMAGENAME eq rundll32.exe" >C:\rundll32.txt

    Results:

    Image Name PID Modules
    ========================= ====== =============================================
    rundll32.exe 232 ntdll.dll, kernel32.dll, msvcrt.dll,
    GDI32.dll, USER32.dll, IMAGEHLP.dll,
    ShimEng.dll, AcGenral.DLL, ADVAPI32.dll,
    RPCRT4.dll, WINMM.dll, ole32.dll,
    OLEAUT32.dll, MSACM32.dll, VERSION.dll,
    SHELL32.dll, SHLWAPI.dll, USERENV.dll,
    UxTheme.dll, comctl32.dll, comctl32.dll,
    nview.dll, PSAPI.DLL, NTMARTA.DLL,
    WLDAP32.dll, SAMLIB.dll, nvwddi.dll,
    LgMsgHk.dll, MSVCP60.dll, CLBCATQ.DLL,
    COMRes.dll, Secur32.dll, shimgvw.dll,
    gdiplus.dll, LgWndHk.dll, SETUPAPI.dll,
    appHelp.dll, nvshell.dll
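    Both `tasklist /m` captures in this thread (post 1 and the one above) list the same mix of Windows DLLs and vendor DLLs, and Newt's remark later in the thread that all the listed DLLs are legitimate is essentially a manual baseline check. As an added example (not code from the thread), here is a Python parser for the `tasklist /m` output format that groups modules per PID, subtracts an allow-list of XP system DLLs, and reports which third-party modules each rundll32.exe instance hosts and which are common to all of them. The sample is the capture from post 1 re-indented to tasklist's usual layout; the `WINDOWS_BASELINE` set is this example's assumption, assembled from the DLL names in the thread rather than from an authoritative Microsoft list.

```python
import re

# Constructed sample: the capture zinco posted in post 1, re-indented to the layout
# that `tasklist /m /fi "IMAGENAME eq rundll32.exe"` prints on Windows XP.
SAMPLE_TASKLIST = """\
Image Name                     PID Modules
========================= ====== =============================================
rundll32.exe                  1944 ntdll.dll, kernel32.dll, msvcrt.dll,
                                   GDI32.dll, USER32.dll, IMAGEHLP.dll,
                                   ShimEng.dll, AcGenral.DLL, ADVAPI32.dll,
                                   RPCRT4.dll, WINMM.dll, ole32.dll,
                                   OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                   SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                   UxTheme.dll, comctl32.dll, comctl32.dll,
                                   nview.dll, PSAPI.DLL, NTMARTA.DLL,
                                   WLDAP32.dll, SAMLIB.dll, nvwddi.dll,
                                   LgMsgHk.dll, MSVCP60.dll, LgWndHk.dll,
                                   CLBCATQ.DLL, COMRes.dll, Secur32.dll,
                                   shimgvw.dll, gdiplus.dll, SETUPAPI.dll,
                                   appHelp.dll, nvshell.dll, IMM32.dll
rundll32.exe                  1988 ntdll.dll, kernel32.dll, msvcrt.dll,
                                   GDI32.dll, USER32.dll, IMAGEHLP.dll,
                                   ShimEng.dll, AcGenral.DLL, ADVAPI32.dll,
                                   RPCRT4.dll, WINMM.dll, ole32.dll,
                                   OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                   SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                   UxTheme.dll, comctl32.dll, comctl32.dll,
                                   NvMcTray.dll, PSAPI.DLL, LgMsgHk.dll,
                                   MSVCP60.dll, LgWndHk.dll, nview.dll,
                                   NTMARTA.DLL, WLDAP32.dll, SAMLIB.dll,
                                   nvwddi.dll, IMM32.dll
"""

# Assumed allow-list of Windows XP system DLLs (lower-cased). Built from the names in
# this thread for illustration; a real baseline comes from a known-clean image.
WINDOWS_BASELINE = {
    "ntdll.dll", "kernel32.dll", "msvcrt.dll", "gdi32.dll", "user32.dll", "imagehlp.dll",
    "shimeng.dll", "acgenral.dll", "advapi32.dll", "rpcrt4.dll", "winmm.dll", "ole32.dll",
    "oleaut32.dll", "msacm32.dll", "version.dll", "shell32.dll", "shlwapi.dll", "userenv.dll",
    "uxtheme.dll", "comctl32.dll", "psapi.dll", "ntmarta.dll", "wldap32.dll", "samlib.dll",
    "msvcp60.dll", "clbcatq.dll", "comres.dll", "secur32.dll", "shimgvw.dll", "gdiplus.dll",
    "setupapi.dll", "apphelp.dll", "imm32.dll",
}

# A process row: image name, PID, then the first chunk of the module list.
PROC_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<mods>.*)$")


def _split_mods(fragment):
    return [m.strip() for m in fragment.split(",") if m.strip()]


def parse_tasklist_modules(text):
    """Map PID -> {"image": name, "modules": [dll, ...]} from `tasklist /m` output.

    A line starting in column 0 opens a new process; indented lines continue the
    module list of the process above (tasklist wraps long lists that way)."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace():
            if current is not None:
                procs[current]["modules"].extend(_split_mods(line))
            continue
        m = PROC_RE.match(line)
        if not m:
            continue
        current = int(m.group("pid"))
        procs[current] = {"image": m.group("image"), "modules": _split_mods(m.group("mods"))}
    return procs


def foreign_modules(procs, baseline=WINDOWS_BASELINE):
    """Per PID, the sorted set of loaded modules that are not in the OS baseline."""
    return {pid: sorted({m.lower() for m in info["modules"]} - baseline)
            for pid, info in procs.items()}


def shared_and_unique(foreign):
    """Split foreign modules into those every instance loads and those only one does."""
    sets = [set(mods) for mods in foreign.values()]
    shared = set.intersection(*sets) if sets else set()
    unique = {pid: sorted(set(mods) - shared) for pid, mods in foreign.items()}
    return sorted(shared), unique


if __name__ == "__main__":
    procs = parse_tasklist_modules(SAMPLE_TASKLIST)
    foreign = foreign_modules(procs)
    shared, unique = shared_and_unique(foreign)
    print("third-party modules in every rundll32.exe instance:", ", ".join(shared))
    for pid, mods in unique.items():
        print(f"PID {pid} ({procs[pid]['image']}) additionally hosts: {', '.join(mods) or '-'}")
```

    On this capture the split is telling: nvshell.dll and NvMcTray.dll each belong to one instance (they are the two DLLs the O4 entries hand to RUNDLL32.EXE), while the Lg*Hk.dll and nView modules are loaded into both, which is the pattern of DLLs injected into every GUI process rather than of what rundll32 was started to run. The duplicate comctl32.dll in both lists is expected on XP (the classic version in system32 and the themed side-by-side version), so the parser keeps duplicates in the module list but de-duplicates when comparing against the baseline.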
     
  17. 2004/10/22, JoeHobart (Alumni)
    Are you running an Nvidia card, and have some widget running in your system tray?
     
  18. 2004/10/22, Newt
    Are you current on the security patches that have been released since SP2? There are things like buffer overflow that can be used to cause problems via a perfectly legit .dll file.

    All the listed .dll files are legit.

    If all else fails, suspect video so maybe a reinstall of nVidia.
     
  19. 2004/10/22, zinco (Thread Starter)
    I got an AV (local) and am running it now. I have to look closer at what RAV found and see what to do about that stuff.

    I remember the Ibar thing showing up before and getting rid of it. I can't find anything in the registry related to it.

    Possibly it is windows related. Will get the latest patches.
     
  20. 2004/10/23, zinco (Thread Starter)
    Yes, I do have an Nvidia card: a GeForce 4 Ti 4600. I did have a widget running in the task bar, yes. It's a display property thing. It's not running now and I don't remember turning it off. Also, my Asus MB has an Nvidia chipset.

    Got two small Windows updates and updated my nvidia drivers.

    Ran my local symantec AV.
    Results:

    Scan type: Manual Scan
    Event: Threat Found!
    Threat: PWS.Hooker.Trojan
    File: F:\xp_programs\Teamspeak2_RC2\KeyPress.dll
    Location: Quarantine
    Computer: PETERSEN-1971RM
    User: Zinco
    Action taken: Quarantine succeeded
    Date found: Friday, October 22, 2004 8:21:26 PM

    I deleted it and reinstalled TeamSpeak.
     
  21. 2004/10/23, zinco (Thread Starter)
    Turns out that is not actually a virus (keypress.dll); TeamSpeak changed or renamed it in newer versions so that it does not show in virus checkers.
     