   The dreaded rundll32.exe

Brian49
« on: Feb 20th, 2008, 10:54am »

I'm in search of advice, please. Whenever rundll32.exe is running on my system, the CPU load goes up to 100% and stays there until I kill all instances of rundll32.exe. As far as TrojanHunter can currently tell, there are no trojans on my system. However, I've read and heard from several knowledgeable sources that problems with rundll32.exe can be malware-related. I wonder if any kind person here has some light to shed on this, please? Running Vista Home Basic and TH 5 with latest updates. By the way, a Google search for `rundll32.exe + CPU + 100%' generates nearly half a million hits. Many thanks.

siliconman01
« Reply #1 on: Feb 20th, 2008, 11:17am »

Let's see if we can determine for sure if you have an infection.
 
1.  Install HijackThis and post a HJT scan log back here.  The link below is the installation procedure for HJT.
 
http://www.misec.net/forum/board/FAQ/1163329424
 

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

Brian49
« Reply #2 on: Feb 20th, 2008, 11:49am »

Thanks for responding. I had in fact already run HijackThis. I can't see anything untoward in the log, but perhaps I'm missing something:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:39:49, on 20/02/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal
 
Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\X-Mouse\XMouseButtonControl.exe
C:\Program Files\NOD32\egui.exe
C:\Program Files\Stardock\CursorFX\CursorFx.exe
C:\Program Files\Tray Minimizer\4t-min.exe
C:\Program Files\Macro Express\MacExp.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91AgentS1.exe
C:\Program Files\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Internet%20Explorer/Undertow%20unsaturated%20215.jpg
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =  
O4 - HKLM\..\Run: [XMouseButton] C:\Program Files\X-Mouse\XMouseButtonControl.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISR_MONITOR] C:\$ISR\$APP\ISRMonitor.exe
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\Tray Minimizer\4t-min.exe
O4 - Startup: Macro Express 3.lnk = C:\Program Files\Macro Express\MacExp.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=90J2ZYMH&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=90J2ZYMH&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=90J2ZYMH&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=90J2ZYMH&id=menu_ie_exclude
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=90J2ZYMH&id=menu_ie_report
O13 - Gopher Prefix:  
O20 - Winlogon Notify: !SASWinLogon - C:\Windows\
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\NOD32\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32\ekrn.exe
O23 - Service: FirstDefense-ISR Service (ISRService) - Raxco Software, Inc. - C:\$ISR\0\ISRService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\Program Files\Stardock\Object Desktop\WindowBlinds\vistasrv.exe
 
--
End of file - 4836 bytes

siliconman01
« Reply #3 on: Feb 20th, 2008, 1:21pm »

HJT does not show anything malicious.  However it is showing one entry that is not correct.
 
Quote:
O20 - Winlogon Notify: !SASWinLogon - C:\Windows\  

 
Do you have SuperAntiSpyware on your system?  If so, this entry should be  
 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SuperAntispyware\SASWinLO.dll
 
If you do not have SAS on your system, delete the entry below using HJT's Fix Checked option.
 
O20 - Winlogon Notify: !SASWinLogon - C:\Windows\  

 
You should also run a remote scan with Kaspersky and see if it detects anything.
 
http://www.kaspersky.com/virusscanner
 
-  Use IE7 to access this website.  It needs to download/install an ActiveX component to perform the scan.
 
-  Be sure NOD32 is disabled for the scan.
 
-  Run a FULL scan of your system.
 
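
The O20 check made by eye in the reply above, plus a listing of which DLL each rundll32 autorun entry loads, as an added example that is not part of the original thread. The function names are made up for illustration, and the sample lines are copied from the HijackThis log posted earlier.

```python
import re

# Four lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32\egui.exe" /hide /waitservice
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O20 - Winlogon Notify: !SASWinLogon - C:\Windows\
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32\ekrn.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^,"]+?\.dll)"?\s*,\s*(\w+)', re.I)
HAS_FILE = re.compile(r"[^\\]+\.[A-Za-z0-9]{2,4}$")

def parse_entries(log):
    """Split a HijackThis log into (section code, entry text) pairs."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def rundll32_targets(entries):
    """Return (section, dll, export) for every entry that launches rundll32."""
    hits = []
    for code, text in entries:
        m = RUNDLL.search(text)
        if m:
            hits.append((code, m.group(1), m.group(2)))
    return hits

def dangling_entries(entries):
    """Return O20/O23 entries whose target path does not end in a file name."""
    hits = []
    for code, text in entries:
        if code not in ("O20", "O23"):
            continue
        # Both sections end in ' - <path>'; a path that stops at a
        # directory does not name a module to load.
        path = text.rsplit(" - ", 1)[-1].strip().strip('"')
        if not HAS_FILE.search(path):
            hits.append((code, path))
    return hits

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print(rundll32_targets(parsed))
    print(dangling_entries(parsed))
```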

Brian49
« Reply #4 on: Feb 20th, 2008, 3:42pm »

Well done in spotting the SAS glitch - I once had it on my system, but no longer.
 
Kaspersky draws a blank.

siliconman01
« Reply #5 on: Feb 20th, 2008, 4:57pm »

Okay, it looks like your problem is not being caused by an infection.  
 
The next thing to check is if your hardware drivers are up to date.  Look in your device manager and get the model numbers and driver version number of your video card, your sound card, and your printer.  Then go to the websites of manufacturers and determine if you have the latest drivers.  
 
If you do not know how to do the above, just let me know and I'll provide more specific instructions.

Brian49
« Reply #6 on: Feb 21st, 2008, 4:34am »

That isn't going to be a very fruitful avenue, I'm afraid. I always have the latest drivers, and check for updates with almost obsessive frequency. Windows reports no problems with any of my hardware devices.

siliconman01
« Reply #7 on: Feb 21st, 2008, 5:00am »

Okay...understand.
 
How many rundll32.exe do you have running in memory at any one time?
 
Open TH scanner GUI, go to Tools in the top menu and run "Process Viewer".
 
Expand each rundll32.exe and see if you can determine which programs they are running from.  This may provide a clue as to which programs are potentially conflicting.  
 
Did this problem start occurring after you did something new on your system....such as just after you installed PerfectDisk 2008 or right after you updated this month's Windows Update?

Brian49
« Reply #8 on: Feb 21st, 2008, 6:17am »

It's hard to remember exactly when the problem started, partly because it took me ages to realise the link between ultra-high CPU activity and rundll32.exe. As far as I know, it predates any recent Windows or major program updates. When it is running at all, it's usually only one instance.
 
The TH process viewer throws up such long lists of processes that I'm uncertain what to do with the information. Any guidance would be appreciated.
 
I have a general problem with Windows updates, in that most of them fail to install on my system. I've searched the web for solutions to this, but without success. It seems to be a common issue.
 
I tried stopping the PerfectDisk service. It doesn't appear to make any difference.
 
One DLL that is guaranteed to trigger the problem is wininet.dll, which is hosted by rundll32.exe and is called by my favourite audio player (XMPlay) when handling any mp3 audio stream. The folks on the XMPlay forum have only two suggestions: that my system is infected, or that I should `upgrade' to Windows XP.
 
I'd be glad to know what you make of this, please, if we aren't trespassing by continuing to discuss it on this particular forum.

siliconman01
« Reply #9 on: Feb 21st, 2008, 6:37am »

Quote:
One DLL that is guaranteed to trigger the problem is wininet.dll, which is hosted by rundll32.exe and is called by my favourite audio player (XMPlay) when handling any mp3 audio stream. The folks on the XMPlay forum have only two suggestions: that my system is infected, or that I should `upgrade' to Windows XP.

 
The above indicates to me that XMPlay is not fully Vista compatible.
 
What happens if you run XMPlay in XP-SP2 compatibility mode?  
 
Quote:
I have a general problem with Windows updates, in that most of them fail to install on my system. I've searched the web for solutions to this, but without success. It seems to be a common issue.  

 
What error is given when these updates fail?
 
Also, are you running First Defense on your system, or is the service below a leftover?
 
Quote:
O23 - Service: FirstDefense-ISR Service (ISRService) - Raxco Software, Inc. - C:\$ISR\0\ISRService.exe

Brian49
« Reply #10 on: Feb 21st, 2008, 8:18am »

I've now tried running XMPlay in XP compatibility mode. Unfortunately, it doesn't make any difference.
 
Windows updates: error code 80070002. I've been through the standard Microsoft advice about resetting the SoftwareDistribution folder.
 
First Defense is installed and active on my system (and has saved my bacon many a time).

siliconman01
« Reply #11 on: Feb 21st, 2008, 9:43am »

I think you will be better served by connecting to one of the Vista User forums and seeing if the Vista gurus there can help you figure out the rundll32.exe and Windows Update problem.  One forum that I have found useful is the one at the link below.
 
http://www.annoyances.org/exec/forum/winvista
 
I run Vista Business and it has been more or less trouble free.  You have a cadre of programs on your system that I am not really familiar with  (First Defense, Window Blinds, 4t-min.exe, MacExp.exe).  I'd be "trial and erroring" any further advice on resolving your 2 problems.  
 
I do feel that you can rest assured that the problems are not being caused by malware or any other type of infection.  Something on your system has become corrupted or is incompatible, in my opinion.  
 
I assume that you have run SFC /scannow and CHKDSK /r /f to check the file integrity and disk integrity of your system, eh?

Brian49
« Reply #12 on: Feb 21st, 2008, 12:07pm »

Thanks very much for your kind help. I've certainly run CHKDSK on more than one occasion. SFC lets me down by announcing that `Windows Resource Protection could not perform the requested operation' before even completing the verification stage (another not uncommon issue, evidently). It's now clear that there's a problem with one or more system files, but fixing it without reinstalling Vista is the devil's own job.

siliconman01
« Reply #13 on: Feb 21st, 2008, 12:15pm »

You're very welcome.  Sorry that I could not pinpoint what is going on.  Hopefully you will get it straightened out before Vista SP1 is released next month.  It'll be interesting to see how the Service Pack installation goes with First Defense on your system.

Brian49
« Reply #14 on: Feb 28th, 2008, 3:56am »

I've been able to do a repair install of Vista. I can now run SFC, and install Windows updates, but the dratted rundll32.exe problem is still there. By the way, I find I have to uninstall and reinstall FirstDefense after repairing Vista (and after doing partition work).