For some reason, RUNDLL32.EXE keeps monopolizing my CPU usage. When I boot up, RUNDLL32.EXE behaves well and only consumes a modest amount of CPU usage. At some (seemingly random) point, though, it decides it wants to monopolize my CPU usage. (When I pull up 'Processes' in the Windows Task Manager, it's not uncommon to see 95%+ of CPU being consumed by RUNDLL32.EXE.) Efforts to terminate the process seem largely unhelpful. I can reboot, which provides a temporary relief (by returning RUNDLL32.EXE to "acceptable" levels) but doesn't provide permanent relief.

I suspect I've got some type of malware on my system (despite daily virus scans via an up-to-date version of Zone Labs Integrity Client), but have been unable to identify and remove it.

Having scanned some previous threads by other people with similar problems, I've taken the following actions:

Ran Trend Micro's HouseCall. Nothing found.

Ran up-to-date version of AdAware SE. (In settings under 'scanning,' have it set to: 'scan within archives,' 'scan active processes,' 'scan registry,' 'deepscan registry,' 'scan my IE Favorites for banned URL's,' 'scan my host's file.' In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.' Also in 'tweaks' under 'cleaning engine' set it to 'Always try to unload Modules before deletion' & 'let Windows remove files in use at next reboot.' Could NOT find and set the 'activate in-depth scan' before starting scan, but ran a full system scan nonetheless.) It found a few items, which I successfully fixed. I rebooted the system, but eventually, my RUNDLL32.EXE problem resurfaced.

Ran up-to-date version of Spybot S&D 1.3. Successfully fixed a few items that were found. Rebooted my system. (Interestingly, I re-scanned the system. It found 'DSO Exploit' again. Not sure what that is and whether I should be concerned that it eventually re-emerged. In any event, I fixed the problem again and rebooted again.) For good measure, I went ahead and immunized my system.

Ran up-to-date version of HijackThis. (I have HijackThis in its own folder on my desktop. Didn't have anything disabled in MSCONFIG. Had my browser closed.) The output log is presented below. I have yet to fix anything. (When I ran HijackThis, RUNDLL32.EXE was behaving nicely. Not sure if I have to run HijackThis when RUNDLL32.EXE is misbehaving.)

Logfile of HijackThis v1.98.2
Scan saved at 9:57:02 AM, on 10/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\c4ebreg\c4ebreg.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\C4ebreg\isamsmt.exe
c:\sdwork\issimsvc.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
C:\PROGRA~1\Xpoint\agent\Xpagent.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\WINDOWS\System32\Drivers\ldlcserv.exe
C:\PROGRA~1\Xpoint\EEClient\xpclient.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\Xpoint\SAS\jre\bin\javaw.exe
C:\Program Files\80211abg\acs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Documents and Settings\Administrator\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://w3.ibm.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://w3.ibm.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Rapid Restore] C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Lotus QuickStart.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bluepages/scripts/lnwebassist.cab
O16 - DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} (gpwsx.plugin) - http://w3-3.ibm.com/tools/print/plugin/gpwsx.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8421DA6-1761-4A7C-9AFF-55270468F8DD}: SearchList = ibm.com,austin.ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = watson.ibm.com,ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = watson.ibm.com,ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = watson.ibm.com,ibm.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

Any suggestions are welcome. Thanks in advance.

-- Rob

Last Post by Huggybear

Several people in my department have had the same problem. I noticed in your hijack paste that you're running Pcom. On our machines we noticed that activating Pcom sessions on VM host systems seemed to precede the problem. We were never able to isolate the exact activity that triggered the problem but found a tool that helped. After we determined that ending rundll32 before it ran at 98%+- CPU usage had no ill effect on the PC's performance, we used the tool to stop rundll32 during startup and have been happy campers ever since.

The tool can be found at: http://www.mlin.net/StartupCPL.shtml
When installed, use it to keep programs that call rundll32 from starting when you boot. It's worked for us.
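
As an added example (not part of the original thread and not from any tool mentioned in it), this Python script pulls the O4 autorun lines out of a HijackThis log and lists the ones that launch rundll32, with the DLL and export each one loads, which is the set of entries a startup manager would be used to disable. The function and variable names are hypothetical; the sample lines are copied from the log posted above.

```python
import re

# Lines copied from the O4 (autorun) section of the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Lotus QuickStart.lnk = ?
"""

# Shape of a registry autorun line: "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# rundll32 as the launched program: bare name, full path, quoted, with or without .exe
RUNDLL = re.compile(
    r'^"?(?P<exe>(?:[^"\\]+\\)*rundll32(?:\.exe)?)"?\s+(?P<args>.+)$', re.IGNORECASE
)


def rundll32_autoruns(log_text):
    """Return the O4 Run entries whose command line launches rundll32."""
    hits = []
    for line in log_text.splitlines():
        entry = O4_RUN.match(line.strip())
        if not entry:
            continue  # not a registry Run line (e.g. Global Startup shortcuts)
        launch = RUNDLL.match(entry["cmd"])
        # Skip lines where rundll32 only appears inside another program's arguments.
        if not launch or ".exe " in launch["exe"].lower():
            continue
        # rundll32 command-line syntax: <dll>,<export> [arguments]
        dll, _, rest = launch["args"].partition(",")
        export = rest.split()[0] if rest.split() else ""
        hits.append({
            "hive": entry["hive"],
            "key": entry["key"],
            "name": entry["name"],
            "dll": dll.strip(' "'),
            "export": export,
        })
    return hits


if __name__ == "__main__":
    for hit in rundll32_autoruns(SAMPLE_LOG):
        print("{hive}\\{key} [{name}] loads {dll} -> {export}".format(**hit))
```
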
