0

Hi there,

I am trying to delete all internet temporary files but when i go to internet properties and attempt to do that, it says "Windows Host Process Rundll32 has stopped working". I have run HijackThis and am posting the log here. Could someone please help me?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:19 PM, on 8/20/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Debbie\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [googletalk] C:\Users\Debbie\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F249305-BED0-40EA-8ACE-23652CADBAE9}: NameServer = 85.255.112.232,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA8EAB1E-6271-4ECF-8E51-9C1B39DCB817}: NameServer = 85.255.112.232,85.255.112.234
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.232,85.255.112.234
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.232,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.232,85.255.112.234
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Windows MSI - Unknown owner - \\?\globalrootC:\Windows\system32\msihost.exe (file missing)

--
End of file - 6854 bytes

4
Contributors
11
Replies
12
Views
8 Years
Discussion Span
Last Post by stvrich
0

You don't go to internet properties to empty files. You either use Disk Clean up or do this from within the browsers. Open IE, go to Tools, Browsing History, Settings button. When that opens Click View Files, when that opens go up to Edit, Select All, Then Delete Selected Items on the Left Side will show. Click that and they all should be deleted.
In FireFox, go to Tools, Options. Privacy, Show Cookies, Click the Remove All Cookies.

Or you can do it in one operation;
Download CCleaner and use it to clean temp files. Run it with the default settings. This should empty them. You don't need to be online to empty internet temp files. Install the program, open it up, click the Analyze button, when it is finished then click the Run Cleaner button.

0

Well,

how do i fix the error "Windows host process (Rundll32) has stopped working" when i try to clear temporary files under control -> Internet Options -> Delete cookies and browsing history

i know you said to run the cleaner and i did do that and it cleared the temp files...but i think my original question was why Rundll32 is not working and vista is giving me an error for it

thx

0

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

0

Well I finally got the log, here it is:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6001 Service Pack 1

8/21/2009 1:00:04 AM
mbam-log-2009-08-21 (01-00-04).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 209564
Time elapsed: 1 hour(s), 15 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ESQULserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.232,85.255.112.234 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4f249305-bed0-40ea-8ace-23652cadbae9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.232,85.255.112.234 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ca8eab1e-6271-4ecf-8e51-9c1b39dcb817}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.232,85.255.112.234 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ca8eab1e-6271-4ecf-8e51-9c1b39dcb817}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.232,85.255.112.234 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.232,85.255.112.234 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4f249305-bed0-40ea-8ace-23652cadbae9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.232,85.255.112.234 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ca8eab1e-6271-4ecf-8e51-9c1b39dcb817}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.232,85.255.112.234 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ca8eab1e-6271-4ecf-8e51-9c1b39dcb817}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.232,85.255.112.234 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.232,85.255.112.234 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{4f249305-bed0-40ea-8ace-23652cadbae9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.232,85.255.112.234 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ca8eab1e-6271-4ecf-8e51-9c1b39dcb817}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.232,85.255.112.234 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ca8eab1e-6271-4ecf-8e51-9c1b39dcb817}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.232,85.255.112.234 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

0

i guess i can re-install IE if that's what's causing the problem and you guys don't see anything wrong with the log....

i'll wait to see if i can fix it w/ anyone's suggestions before re-installing IE

0

You never updated MBA-M as requested in my previous reply. If you want us to be successful, you need to follow closely the instructions given :).
Please repeat the procedure after updating.

0

i guess i can re-install IE if that's what's causing the problem and you guys don't see anything wrong with the log....

i'll wait to see if i can fix it w/ anyone's suggestions before re-installing IE

There is no indication at this time that there is a problem with Internet Explorer it self. Leave it alone. Infections are present on the machine and therefore this is the likely reason for the difficulty in removing temp files and the cause of the Host Process Rundll32 problem.

Please continue with the steps given by Crunchie and update MBA-M and run it again. There is NO NEED to reinstall Internet Explorer at this time. If Crunchie or myself later see this would be needed we will certainly tell you to do so. For now please continue with the clean up steps we have given you. Update MBA-M run the Full Scan again, remove items found, Reboot the Computer. Then run a NEW HiJackThis scan and save the log. Post back with both new logs.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.