
rundll32.exe prob

Discussion in 'Malware and Virus Removal Archive' started by zinco, 2004/10/20.

Thread Status:
Not open for further replies.
  1. 2004/10/23
    zinco

    zinco Inactive Thread Starter

    Joined:
    2002/07/07
    Messages:
    45
    Likes Received:
    0
    Logfile of HijackThis v1.98.2
    Scan saved at 12:16:54 AM, on 10/23/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\system32\ams_ii\iao.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    F:\BITWARE\NT\bwprnmon.exe
    C:\WINDOWS\System32\Drivers\XWMSAPI.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
    F:\WINDOWS\Desktop\Game Stuff\ofpwatch.exe
    F:\Program Files\Codemasters\OperationFlashpoint\FLASHPOINTBETA.EXE
    C:\WINDOWS\System32\wisptis.exe
    F:\My Download Files\security\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.attbb.net
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\xp_programs\adobe\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [bwprnmon.exe] F:\BITWARE\NT\bwprnmon.exe
    O4 - HKLM\..\Run: [XWMSUSBAPI] C:\WINDOWS\System32\Drivers\XWMSAPI.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &NeoTrace It! - F:\XP_PRO~1\NEOTRA~1\NTXcontext.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {610FB8B8-2427-4375-BCF9-2F7AE17173A6} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093677000515
    O16 - DPF: {66BB2143-EA4B-4323-A703-B973D9A0475E} (Snapfish Outlook Import ActiveX Control) - http://www.snapfish.com/SnapfishOutlookImport.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://F:\Program Files\AutoCad\AcDcToday.ocx
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://F:\Program Files\AutoCad\InstBanr.ocx
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://F:\Program Files\AutoCad\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://F:\Program Files\AutoCad\AcPreview.ocx
     
  2. 2004/10/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Log looks pretty clean unless I missed something. And your AV is certainly showing up - good on ya.

    I think at this point a device manager removal of the nVidia stuff and a reboot to let it load from the beginning with the updates would be worth a try.

    Also a couple of general clean-up/fix-up things if you haven't done them recently.

    start => run => sfc /scannow
    and from a cmd prompt
    chkdsk /r

    I'm wondering about the presence of only two instances of svchost.exe. You may not have all the junk running that I do so may not need as many but two seems too few. Mine right now has
    Code:
    Image Name                   PID Services                                     
    ========================= ====== =============================================
    svchost.exe                  632 DcomLaunch, TermService                      
    svchost.exe                  692 RpcSs                                        
    svchost.exe                  732 AudioSrv, BITS, Browser, CryptSvc, Dhcp,     
                                     dmserver, ERSvc, EventSystem, helpsvc,       
                                     lanmanserver, lanmanworkstation, Netman,     
                                     Nla, RasMan, Schedule, seclogon, SENS,       
                                     SharedAccess, ShellHWDetection, TapiSrv,     
                                     Themes, TrkWks, W32Time, winmgmt, wscsvc,    
                                     wuauserv, WZCSVC                             
    svchost.exe                  776 Dnscache                                     
    svchost.exe                  872 LmHosts, RemoteRegistry, SSDPSRV, WebClient  
    svchost.exe                 1312 stisvc
     

  4. 2004/10/24
    zinco

    zinco Inactive Thread Starter

    Joined:
    2002/07/07
    Messages:
    45
    Likes Received:
    0
    Since updating the two windows patches and the nvidia drivers I have not noticed the problem. Only been a couple days though. Will do on the suggestions. Normally I have about 4 svchost running.

    Thanks for all the help Newt. :)

    Will keep thread updated if there are any new developments for anyone else who might have a similar problem.
     
  5. 2004/10/25
    zinco

    zinco Inactive Thread Starter

    Joined:
    2002/07/07
    Messages:
    45
    Likes Received:
    0
    Not sure because I was afk but I think I had the same prob with explorer.exe tonight. The reason I say that is that the computer restarted on its own and then had explorer.exe running in the task manager process list which I normally never see.

    Code:
    Image Name                   PID Modules                                      
    ========================= ====== =============================================
    explorer.exe                1704 ntdll.dll, kernel32.dll, msvcrt.dll,         
                                     ADVAPI32.dll, RPCRT4.dll, GDI32.dll,         
                                     USER32.dll, SHLWAPI.dll, SHELL32.dll,        
                                     ole32.dll, OLEAUT32.dll, BROWSEUI.dll,       
                                     SHDOCVW.dll, CRYPT32.dll, MSASN1.dll,        
                                     CRYPTUI.dll, WINTRUST.dll, IMAGEHLP.dll,     
                                     NETAPI32.dll, WININET.dll, WLDAP32.dll,      
                                     VERSION.dll, UxTheme.dll, ShimEng.dll,       
                                     AcGenral.DLL, WINMM.dll, MSACM32.dll,        
                                     USERENV.dll, comctl32.dll, comctl32.dll,     
                                     appHelp.dll, CLBCATQ.DLL, COMRes.dll,        
                                     cscui.dll, CSCDLL.dll, themeui.dll,          
                                     Secur32.dll, MSIMG32.dll, xpsp2res.dll,      
                                     ACTXPRXY.DLL, SAMLIB.dll, SETUPAPI.dll,      
                                     LINKINFO.dll, ntshrui.dll, ATL.DLL,          
                                     urlmon.dll, NETSHELL.dll, rtutils.dll,       
                                     credui.dll, WS2_32.dll, WS2HELP.dll,         
                                     iphlpapi.dll, msi.dll, LgMsgHk.dll,          
                                     MSVCP60.dll, LgWndHk.dll, WINSTA.dll,        
                                     webcheck.dll, WSOCK32.dll, stobject.dll,     
                                     BatMeter.dll, POWRPROF.dll, WTSAPI32.dll,    
                                     wdmaud.drv, msacm32.drv, midimap.dll,        
                                     MPR.dll, drprov.dll, davclnt.dll,            
                                     browselc.dll, AcroIEHelper.dll,              
                                     SDHelper.dll, olepro32.dll, SXS.DLL,         
                                     msohev.dll, shdoclc.dll, rsaenh.dll
    By the way Newt I normally have 6 instances of svchost.exe running.
     
    Last edited: 2004/10/25
  6. 2004/10/26
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hmmmm.

    Interesting that ShimEng.dll is loaded. It is certainly a legit file but AFAIK and as noted in the article, is only called to repair a specific type of problem.

    You have two instances of comctl32.dll running. Makes me wonder if one is legit and another, located elsewhere, isn't. You might want to check.

    Also worthwhile to make sure you have the latest drivers for your Logitech mouse and then remove/reinstall it.

    Otherwise I'm stumped. All the items running under explorer are legit except for the one possibility noted.
     
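    Two things Newt raises above lend themselves to a quick check over tasklist output: how many svchost.exe instances there are and which services each one hosts (post 2), and a module name showing up twice in one process (post 6). The script below is an added example, not code from the thread or from any of the tools mentioned. It parses the fixed-width listing that `tasklist /svc` and `tasklist /m` produce (a record line starts in column 0, an indented line continues the previous record's last column) and runs both checks over constructed samples modelled on the listings posted here; the svchost.exe instance with PID 1500 showing "N/A" services and the rundll32.exe row are invented for the demo. One caveat: tasklist /m shows file names only, not paths, so a duplicate name is a prompt to check where each copy was loaded from, not proof of a rogue DLL. On XP in particular, explorer.exe commonly loads both the System32 copy and the side-by-side (WinSxS, version 6) copy of comctl32.dll, so two entries there are expected.

```python
import re
from collections import Counter

# Constructed sample modelled on the "tasklist /svc" listing posted in the thread.
# The svchost.exe with PID 1500 and "N/A" services is invented for this demo.
SVC_LISTING = """\
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                  632 DcomLaunch, TermService
svchost.exe                  692 RpcSs
svchost.exe                  732 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 dmserver, ERSvc, EventSystem, helpsvc,
                                 wuauserv, WZCSVC
svchost.exe                  776 Dnscache
svchost.exe                  872 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                 1312 stisvc
svchost.exe                 1500 N/A
"""

# Constructed sample modelled on the "tasklist /m" listing for explorer.exe
# posted in the thread (shortened); the rundll32.exe row is invented.
MOD_LISTING = """\
Image Name                   PID Modules
========================= ====== =============================================
explorer.exe                1704 ntdll.dll, kernel32.dll, comctl32.dll,
                                 SHELL32.dll, comctl32.dll, SDHelper.dll
rundll32.exe                1820 ntdll.dll, kernel32.dll, NvCpl.dll
"""

# A record line: image name, whitespace, numeric PID, whitespace, last column.
RECORD = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def _split(field):
    """Split a comma-separated column; tasklist prints "N/A" for an empty one."""
    return [x.strip() for x in field.split(",")
            if x.strip() and x.strip().upper() != "N/A"]


def parse_tasklist(text):
    """Parse tasklist /svc or /m output into (image_name, pid, items) tuples.

    Everything up to and including the '=====' separator line is header.
    A line starting in column 0 opens a new record; an indented line is a
    continuation of the previous record's last column.
    """
    rows = []
    seen_separator = False
    for line in text.splitlines():
        if not seen_separator:
            seen_separator = line.startswith("=")
            continue
        if not line.strip():
            continue
        if line[0].isspace():
            if rows:
                rows[-1][2] += " " + line.strip()
            continue
        m = RECORD.match(line)
        if m:
            rows.append([m.group(1), int(m.group(2)), m.group(3).strip()])
    return [(image, pid, _split(items)) for image, pid, items in rows]


def svchost_services(rows):
    """Map each svchost.exe PID to the list of services it hosts."""
    return {pid: items for image, pid, items in rows
            if image.lower() == "svchost.exe"}


def svchost_without_services(rows):
    """svchost.exe PIDs hosting no service at all.

    The genuine svchost exists only to host services, so an instance with
    none deserves a closer look (a transient empty one caught during service
    start or stop is the benign explanation).
    """
    return sorted(pid for pid, items in svchost_services(rows).items()
                  if not items)


def duplicated_modules(rows):
    """Per PID, module file names listed more than once in tasklist /m output."""
    result = {}
    for _image, pid, modules in rows:
        counts = Counter(name.lower() for name in modules)
        dups = sorted(name for name, n in counts.items() if n > 1)
        if dups:
            result[pid] = dups
    return result


if __name__ == "__main__":
    svc = parse_tasklist(SVC_LISTING)
    for pid, items in svchost_services(svc).items():
        print(f"svchost.exe {pid}: {len(items)} service(s)")
    print("svchost with no services:", svchost_without_services(svc))
    print("duplicate modules:", duplicated_modules(parse_tasklist(MOD_LISTING)))
```

    To run it against a live machine, redirect `tasklist /svc > svc.txt` and `tasklist /m > mod.txt` and feed the file contents to `parse_tasklist` instead of the constructed strings.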
  7. 2004/10/26
    zinco

    zinco Inactive Thread Starter

    Joined:
    2002/07/07
    Messages:
    45
    Likes Received:
    0
    Most of the time when the problem occurs and I reset the computer with the reset button (the only way since the task bar is foobarred), when the computer boots back up I will get a shell notification error in Asus Probe. This did happen right before I ran the tasklist explorer command.

    If the problem occurs again I will start uninstalling and reinstalling drivers.
    Thanks
     