Hi folks, I'm new to this forum and am in need of assistance. Generally I've been able to handle most of the viruses/whatnot that I bump into, but this one is maddening.

Basically, my computer acts normally until I try to uninstall something. When I select uninstall (either via add/remove programs, or through the uninstall option that come with games), nothing happens and suddenly everything slows to a crawl.

At that point, rundll32.exe has just started up in my task manager, and is then using up 99% of my CPU =(.

I've tried various basic things- using ad aware, using spybot search and destroy, using registry booster to clear out junk, searching my directories for suspicious stuff. etc. And none of it has helped.

Here is my highjackthis log.

Thank you very much in advance for anyone who has any help. I am going out of town wednesday, and would be much better off if I solved this before I left.

Logfile of HijackThis v1.99.1
Scan saved at 3:21:38 AM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\explorer.exe
G:\Program Files\HIGHJACKTHIS\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [MSConfig] G:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - https://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.3.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39EAE483-0AF9-40EA-BC3A-ABBAA4FDBC3E}: NameServer = 192.168.0.1
O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe

Recommended Answers

All 8 Replies

The following entry in your HJT log, and the relative "sparseness" of the log as a whole, indicates that you probably have items disabled through MSConfig:
O4 - HKLM\..\Run: [MSConfig] G:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

We'll need to see a HJT log from a scan done when Windows was booted with all programs/processes enabled, so please go into MSConfig, choose the "Normal startup" option, reboot the computer, and run another HJT scan.

Whoops, sorry about that. Here's the log with normal startup.

Thank you again for your assistance

Logfile of HijackThis v1.99.1
Scan saved at 12:07:39 PM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
G:\WINDOWS\system32\ctfmon.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\WINDOWS\system32\msiexec.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\HIGHJACKTHIS\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] G:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] G:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] G:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] G:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NVMixerTray] "G:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NVIDIA nTune] "G:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [nTrayFw] G:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NeroFilterCheck] G:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] G:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "G:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [DAEMON Tools] "G:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] "G:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] G:\PROGRA~1\Ahead\NEROPH~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "G:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [EA Core] G:\Program Files\Electronic Arts\EA Downloader\Core.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] G:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - https://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.3.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39EAE483-0AF9-40EA-BC3A-ABBAA4FDBC3E}: NameServer = 192.168.0.1
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe

Update: I checked the modules for rundll32, and here's what I found.


Image Name PID Modules
========================= ====== =============================================
rundll32.exe 940 ntdll.dll, kernel32.dll, msvcrt.dll,
GDI32.dll, USER32.dll, IMAGEHLP.dll,
ShimEng.dll, AcGenral.DLL, ADVAPI32.dll,
RPCRT4.dll, WINMM.dll, ole32.dll,
OLEAUT32.dll, MSACM32.dll, VERSION.dll,
SHELL32.dll, SHLWAPI.dll, USERENV.dll,
UxTheme.dll, IMM32.DLL, LPK.DLL, USP10.dll,
comctl32.dll, comctl32.dll, Ctor.dll,
msctfime.ime

That msctfime.ime doesn't seem like it should be in there, should it? Just a guess. If that's the case, how do I disable rundll from using a module? Sorry, I'm kind of new to all this, so I might be completely off =0

Another observation. I fired up CommView, and noticed that there is alot of information being sent to me from various unknown sources. They're all coming through port 55049. Here are some examples of the hostnames

c-71-233-145-61.hsd1.ma.comcast.net
cpe-67-9-167-31.austin.res.rr.com
a88-114-34-244.elisa-laajakaista.fi

Then, there is a bunch of information being sent OUT of my computer via http to these locations:

red.as-us.falkag.net
69-44-123-39.wcg.net
eqvaadvip4.doubleclick.net
www.myaffiliateprogram.com
www.globalspec.com

Whatever this bug is that I have, it's quite nasty =\. Oddly, rundll32 doesn't seem to need to be running for all this garbage to be coming and going out of my connection

Hi Pgilestx...

Wondering if you got any relief from this yet. I am having some issues with dumprep grabbing 99+% of the cpu and loading the system to a dead stop, practically.. I know you were seeing the rundll mainly, but did you have any issues trying to stop a "hung" program?

another newbie...

Greets Pogle,

Unfortunately no- no solution on this yet. I've asked for help on half a dozen website forums, and none of them have any clue how to fix this =\. I've finally decided that when I get back from my work trip I'll just be reinstalling windows.

As for your problem though, dump prep often comes up when windows has trouble closing a program. If it's an old computer there's a reasonable chance that this is happening because your computer is having a hard time closing stuff. Otherwise, it's probably some sort of spyware. You should consider going to the top of the forum and reading "PC cleaning procedures and detection tools". There are several different programs in that thread which might be able to fix your problem. If not, check out the directions for using Hijackthis and then post a log on this forum along with a detailed description of your problem. Someone can surely help, since that doesn't sound like too nasty of a problem.

Goodluck

I've just started having this problem too. rundll32.exe maxes out and my computer runs at 100%.

It goes away for a little while when I reboot, but seems to be getting worse. I'll track this one and see if anyone finds anything.

Good luck.

No good tracking this thread. It's over 2 years since the last post :D

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.