TheTechGuide Forum

General Category => Tech Clinic => Topic started by: jcurrieirocz on December 30, 2004, 05:17:56 PM

Title: I have rundll32 problems....log inside!
Post by: jcurrieirocz on December 30, 2004, 05:17:56 PM: Hello: can someone help me thanks!!!!!

Logfile of HijackThis v1.98.2
Scan saved at 5:13:12 PM, on 12/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\KODAK SOFTWARE UPDATER.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cg...k=sbar1_srchbtn (http://\"http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cg...k=sbar1_srchbtn (http://\"http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw= (http://\"http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw= (http://\"http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=\")
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw= (http://\"http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [warez] "C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE" -h
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1063 (http://\"https://www.spydeleter.com/order2.php?KBID=1063\") (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab\")
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab (http://\"http://www3.ca.com/securityadvisor/virusinfo/webscan.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20041208/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe\")
Title: I have rundll32 problems....log inside!
Post by: guestolo on December 30, 2004, 09:54:07 PM: Download and Install the free version of Ad-Aware SE Personal 1.05 (http://\"http://www.lavasoftusa.com/support/download/\")
Ensure you have this version, or the Professional series
Open Ad-Aware, ensure to click the check for updates online link and Connect to download the latest updates
RESTART your computer into Safe mode
You can enter safe mode by continually tapping the F8 key when the system is booting up
Or follow these instructions
Start your computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=2#_Section2\")

Open Ad-Aware
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Restart back into Normal Mode

I see you have done an Online AV scan at Housecall's,
Can you try one at RAV's
http://www.ravantivirus.com/scan/ (http://\"http://www.ravantivirus.com/scan/\")

When you access that link with Internet Explorer
click on the "To Continue without subsribing click here" link
It will load the activex and definition files

Ensure that all the top entries are checked
Autoclean--Inside Archives---Unpack Executables---Smart Scan

Then click the Scan my PC button
Let it completely finish scanning
Copy and Paste the results back here

Can you also download and save to desktop
LSP fix (http://\"http://www.cexx.org/LSPFix.exe\")
Open the program and let me know what you see in the KEEP side
Also let me know what you see in the REMOVE side
Exit out of the program for now by clicking the X button

Not sure exactly what you mean by this
"I have rundll32 problems"
Can you explain

Let's try replacing rundll32.exe and see if that helps, we may have to do it after a good cleaning on your machine, or try before
Download and save to desktop
rundll32_98.zip (http://\"http://www.freewebs.com/benditup/rundll32_98.zip\")

You will have to Right click on that link and Copy Shortcut
Paste it to the IE address bar and hit GO
UNZIP the contents to your C:\WINDOWS folder

Do all the above if you can and then we'll try some manual cleaning on your log
But first, update your version of Hijackthis to the latest
Open Hijackthis>>Config>>Misc Tools>>Check for updates Online
If for some reason it won't update download the latest version from
This Link--CLICK HERE (http://\"https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe\") or This Link--CLICK HERE (http://\"http://aumha.org/downloads/hijackthis.exe\")
Save it to C:\UNZIPPED\HIJACKTHIS folder and allow it to overwrite the old version if prompted
Post back with a fresh Hijackthis log from version 1.99
Title: I have rundll32 problems....log inside!
Post by: jcurrieirocz on January 02, 2005, 04:10:49 PM: ok i tryed everything you said and thing all went ok except when i tryed to dl the rundll zip file a error message came up saying "Your current securety settings do not allow this file to be downloaded" I even messed around changeing my IE securety settings and still got that message no matter where i set them to.

and to reply in order heres what you requested:

A -Adaware scan compleated in safe mode and del all items that came up.

B -I ran Rav and came up with nothing:
Scan started at 1/2/05 3:04:52 PM

Scanning memory...

Scanned
============================
   Objects: 19714
   Directories: 1697
   Archives: 1078
   Size(Kb): 605088
   Infected files: 0

Found
============================
   Viruses found: 0
   Suspicious files: 0
   Disinfected files: 0
   Mail files: 363

C - For the LSP fix in the Keep side i have:

rnr20.dll DNS Name Space Provider
mswsosp.dll (Protocol handler)
msafd.dll (Protocol handler)
rsvpsp.dll (Protocol handler)

and in the remove side there is nothing.

D - By "rundll32 problems" i think i have the virus type seen HERE (http://\"http://securityresponse.symantec.com/avcenter/venc/data/w32.miroot.worm.html\"). The hole reason i think i have problems is im running "Skygate Personal Firewall" and i can see and have to block a few things so i dont get a bunch of stuff automaticly d/l to my comp and opened on its own...like spyware pop up ads and stuff that shows up in my favorites in IE. Theres somrthing i think on my computer looking to pull stuff into it im guessing. As soon as i unblock some of the stuff thats trying to get thru it infects my computer. So to combat back i am running things right now such as Spywareblaster, Spybot search and destroy, Bazooka scanner, Skygate firewall, Popup stopper and now ad-aware se. But anytime i turn off my firewall i am infected again.

E - I am not able for some reason (i cant figure out) to d/l the rundll zip

F - Heres my new log:

Logfile of HijackThis v1.99.0
Scan saved at 3:42:16 PM, on 1/2/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\JEFFS STUFF\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [warez] "C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE" -h
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab\")
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab (http://\"http://www3.ca.com/securityadvisor/virusinfo/webscan.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20041208/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")

Thank you for your time i hope i can get my problems licked!
Title: I have rundll32 problems....log inside!
Post by: guestolo on January 02, 2005, 04:37:21 PM: Well, let's try this
LSP fix and Hijackthis has shown that the Winsock hijacker is no longer present

Download this removal tool for SDBot virus>>>save it to you desktop but don't run it yet
ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.exe (http://\"ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.exe\")

Could you also download and save to desktop the Standalone version of CWShredder
CWShredder.exe (http://\"http://cwshredder.net/bin/CWShredder.exe\")
Don't run it yet

Could you also go to this site and see if you can download the your version of Rundll32.zip (http://\"http://www.spywareinfo.com/~merijn/winfiles.html#rundll32\")
Save it to your desktop
Don't unzip it yet

Try your other browser if you can't get IE to download the above tools
I'm assuming that you have Netscape installed

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as IEfix.reg
This will restore you default start page and search settings back to Microsofts defaults

Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"= dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

Please print this out or save to a notepad file
Disconnect from the Internet
Restart your computer into safe mode

Navigate to your Temp folders and delete the Whole contents, or whatever you can, but Don't delete the Temp directories themselves
C:\Windows\Temp
C:\Windows\Temporary Internet Files

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe

O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe

O14 - IERESET.INF: START_PAGE_URL=

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Run the Removal tool from f-secure
Wait for the results

Double click on IEfix.reg and allow it to merge to the Registry

Next Run CWShredder and click the FIX button, let it fix all problems

Unzip rundll32.exe to your C:\WINDOWS folder

Restart your computer back to Normal Mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back a Fresh Hijackthis log
Could you also open up Spybot and click on HELP>>ABOUT
Let me know version and Latest detection date, thanks

Do as much of the above as you can before posting back a new hijackthis log
Also let me know if your having troubles with Norton's AV
This line indicates you may be
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
Notice the file missing at the end
Title: I have rundll32 problems....log inside!
Post by: Guest on January 03, 2005, 12:27:36 PM: Ok here goes:

i did everything you said some worked and some didnt.

A: i downloaded the 2 exe files and the zip file DONE

B: I created the reg file DONE

C:disconnected and restarted in safe mode, del the contents of both temp folders like you said DONE

D: ran hijack this and del the 4 items i checked off. DONE

E: i ran the fsecure but it came up "No infection found" DONE

F: I clicked the .reg file i made and let it merge to the registry successfully DONE

G: I tryed to run cwshredder but got an "Error starting program" A required .dll file, OLEACC.DLL was not found. (NOT DONE)

H: I tryed to Unzip rundll32.exe to my C:\WINDOWS folder and got an error:
Extracting to "C:\WINDOWS\"
Use Path: yes Overlay Files: yes
Error: The process cannot access the file because
it is being used by another process.
Cannot create C:\WINDOWS\rundll32.exe
(NOT DONE)

I: I Restart my computer back to Normal Mode and did everything you said in Internet Options via Control Panel DONE

J: heres my new log:
Logfile of HijackThis v1.99.0
Scan saved at 12:18:28 PM, on 1/3/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\JEFFS STUFF\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [warez] "C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE" -h
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab\")
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab (http://\"http://www3.ca.com/securityadvisor/virusinfo/webscan.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20041208/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")

K: my version of Spybot is 1.3 and today when you asked me to look the last detection date was 2004/10/26 so then i checked for an update and dl the latest and did a scan and del the items it found and cheacked the detection again and now it is 2004/12/17

L: the norton antivirus i did have was a trial and it ran out and i del. it off my comp back a few months ago so i dont use it anymore anyhow.
Title: I have rundll32 problems....log inside!
Post by: guestolo on January 03, 2005, 03:42:58 PM: Can you try this for me
Download this version of CWShredder.exe (http://\"https://ssl.perfora.net/tools.radiosplace.com/CWShredder.exe\")

Don't run it yet
Instead----
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O14 - IERESET.INF: START_PAGE_URL=

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Double click on IEFix.reg and let it merge

Try running that version of CWShredder and click the FIX button

Restart your computer when It's done

Post back a fresh hijackthis log
Do what you can from above before posting back

Do you have your Windows CD? If CWShredder won't run we may have to run
System File Checker and replace some files
This can be done by going to START>>RUN>>type in sfc and hit OK

We will also want to totally clean you of Nortons AV, if that's the outdated trial version I see running in your 04 run entries
Not sure what version you have but Symantec's has instructions
I'll assume 2004
Follow the instructions from this link (http://\"http://service1.symantec.com/SUPPORT/nav.nsf/docid/2004020915570606?Open&src=&docid=2003091115080306&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=\")
We should get you protection on your computer once it's uninstalled completely
I have a link to a free AV
Title: I have rundll32 problems....log inside!
Post by: jcurrieirocz on January 04, 2005, 11:56:38 AM: ok ive tryed unistalling norton and i think its gone i cant find any evidence of it on my comp anywere but hijack seems to be still showing it. What was that link you have for me... i have been looking for a good free AV.
I did everything you asked and it all went good that cwshredder worked, heres the new log:

Logfile of HijackThis v1.99.0
Scan saved at 11:53:48 AM, on 1/4/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\JEFFS STUFF\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab\")
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab (http://\"http://www3.ca.com/securityadvisor/virusinfo/webscan.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20041208/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
Title: I have rundll32 problems....log inside!
Post by: jcurrieirocz on January 04, 2005, 12:08:40 PM: oh forgot to say i still have 3 applications are still coming up in my firewall, i still have to keep blocked or i get infected. heres a screenshot of those applications (notice the first, third and fourth):

here (http://\"http://memimage.cardomain.net/member_images/7/web/691000-691999/691054_63_full.jpg\")
Title: I have rundll32 problems....log inside!
Post by: guestolo on January 04, 2005, 01:01:50 PM: Ahh, I'm starting to see what infection you may have
Can you do me a favor
Download and Unzip to a folder
findit.zip (http://\"http://www.thatcomputerguy.us/downloads/findit9xme.zip\")
Open the folder and double click on the Find.bat file
Ignore any File not found messages
It runs for a minute or longer, and produces a log
Please copy and paste the log on your next response.

Can you Download DLLCompare (http://\"http://downloads.subratam.org/DllCompare.exe\")

Start the Program and click the Run Locate.com

Let it complete the SCAN, which won't take long
Click the Compare button to start the next process.This will take a bit longer.

When it's done click the Make a log of what was found button and post it back here

One last request
Download and save to desktop
VX2 Finder (http://\"http://downloads.subratam.org/VX2Finder9x(126).exe\")
Open it and click the "Click to Find VX2.betterinternet"
When it's done scanning click the Make log and post it back here

Please don't try and reboot your computer until we have tried some fixes
Title: I have rundll32 problems....log inside!
Post by: jcurrieirocz on January 04, 2005, 11:03:19 PM: ok
Heres everything findit gave me:

Beginning Strings.exe search...this portion of the search
can take several minutes, please allow it to run until
the log appears.
header.txt
system.txt
hidden.txt
useragent.txt
locate.txt
qoologic.txt
aspack.txt
umonitor.txt
runkey.txt
1 file(s) copied

After copying and pasting your logfile, please press a key.

Press any key to continue . . .

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volume in drive C has no label
Volume Serial Number is 1E42-14E9
Directory of C:\WINDOWS\SYSTEM

MXPRINT DLL 312,680 10-08-04 10:51a MxPRINT.DLL
DKKMAINT DLL 312,680 10-08-04 10:51a DkKMAINT.DLL
CHMMCTRL DLL 312,680 10-08-04 10:51a ChMMCTRL.DLL
MMPRINT2 DLL 312,680 10-08-04 10:51a MmPRINT2.DLL
NISWAN32 DLL 312,680 10-08-04 10:51a NiSWAN32.DLL
WGOCK32 DLL 312,680 10-08-04 10:51a WgOCK32.DLL
6 file(s) 1,876,080 bytes
0 dir(s) 5,459.91 MB free

------- Hidden Files in System Directory -------

Volume in drive C has no label
Volume Serial Number is 1E42-14E9
Directory of C:\WINDOWS\SYSTEM

MXPRINT DLL 312,680 10-08-04 10:51a MxPRINT.DLL
DKKMAINT DLL 312,680 10-08-04 10:51a DkKMAINT.DLL
CHMMCTRL DLL 312,680 10-08-04 10:51a ChMMCTRL.DLL
MMPRINT2 DLL 312,680 10-08-04 10:51a MmPRINT2.DLL
NISWAN32 DLL 312,680 10-08-04 10:51a NiSWAN32.DLL
WGOCK32 DLL 312,680 10-08-04 10:51a WgOCK32.DLL
FOLDER HTT 12,746 08-13-01 1:58p folder.htt
DESKTOP INI 266 08-13-01 1:58p desktop.ini
8 file(s) 1,889,092 bytes
0 dir(s) 5,459.89 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{01F6C7C1-1918-11D9-B016-00095B1FAD7B}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
mxprint.dll Fri Oct 8 2004 10:51:30a ..SHR 312,680 305.35 K
dkkmaint.dll Fri Oct 8 2004 10:51:30a ..SHR 312,680 305.35 K
chmmctrl.dll Fri Oct 8 2004 10:51:30a ..SHR 312,680 305.35 K
mmprint2.dll Fri Oct 8 2004 10:51:30a ..SHR 312,680 305.35 K
niswan32.dll Fri Oct 8 2004 10:51:30a ..SHR 312,680 305.35 K
wgock32.dll Fri Oct 8 2004 10:51:30a ..SHR 312,680 305.35 K

6 items found: 6 files, 0 directories.
Total of file sizes: 1,876,080 bytes 1.79 M

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\SYSTEM\lame_enc.dll: .aspack
C:\WINDOWS\SYSTEM\NCTAudioFile.dll: .aspack
C:\WINDOWS\SYSTEM\NCTAudioInformation2.dll: .aspack
C:\WINDOWS\SYSTEM\NCTAudioPlayer.dll: .aspack
C:\WINDOWS\SYSTEM\NCTWMAFile.dll: .aspack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\MxPRINT.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\MxPRINT.DLL: UMonitor
C:\WINDOWS\SYSTEM\DkKMAINT.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\DkKMAINT.DLL: UMonitor
C:\WINDOWS\SYSTEM\ChMMCTRL.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\ChMMCTRL.DLL: UMonitor
C:\WINDOWS\SYSTEM\MmPRINT2.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\MmPRINT2.DLL: UMonitor
C:\WINDOWS\SYSTEM\NiSWAN32.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\NiSWAN32.DLL: UMonitor
C:\WINDOWS\SYSTEM\WgOCK32.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\WgOCK32.DLL: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"RegShave"="C:\\Progra~1\\REGSHAVE\\REGSHAVE.EXE /autorun"
"FLMLABTECMOUSE"="C:\\Program Files\\Labtec\\Labtec Mouse Software\\2.0\\mouse32a.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"WORKFLOW"="D:\\WORKFLOW.EXE"
"SmcService"="C:\\PROGRA~1\\SYGATE\\SPF\\SMC.EXE -startgui"
"msnappau"="\"c:\\program files\\MSN Apps\\Updater\\01.02.3000.1001\\en-ca\\msnappau.exe\""
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"KodakCCS"="C:\\WINDOWS\\System32\\Drivers\\KodakCCS.exe"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"CreateCD"="C:\\PROGRA~1\\ADAPTEC\\EASYCD~1\\CREATECD\\CREATECD.EXE -r"

heres my dllcompare log:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\mxprint.dll Fri Oct 8 2004 10:51:30a ..SHR 312,680 305.35 K
C:\WINDOWS\SYSTEM\dkkmaint.dll Fri Oct 8 2004 10:51:30a ..SHR 312,680 305.35 K
C:\WINDOWS\SYSTEM\chmmctrl.dll Fri Oct 8 2004 10:51:30a ..SHR 312,680 305.35 K
C:\WINDOWS\SYSTEM\mmprint2.dll Fri Oct 8 2004 10:51:30a ..SHR 312,680 305.35 K
C:\WINDOWS\SYSTEM\niswan32.dll Fri Oct 8 2004 10:51:30a ..SHR 312,680 305.35 K
C:\WINDOWS\SYSTEM\wgock32.dll Fri Oct 8 2004 10:51:30a ..SHR 312,680 305.35 K
________________________________________________

627 items found: 627 files (6 H/S), 0 directories.
Total of file sizes: 121,955,562 bytes 116.30 M

--------------------End log---------------------

Heres my vx2finder log:

Log for VX2.BetterInternet File Finder (ver126)

Files Found---
C:\WINDOWS\SYSTEM\ChMMCTRL.DLL
C:\WINDOWS\SYSTEM\DkKMAINT.DLL
C:\WINDOWS\SYSTEM\MmPRINT2.DLL
C:\WINDOWS\SYSTEM\MxPRINT.DLL
C:\WINDOWS\SYSTEM\NiSWAN32.DLL
C:\WINDOWS\SYSTEM\WgOCK32.DLL

User Agent String---
{01F6C7C1-1918-11D9-B016-00095B1FAD7B}

there you go hope that helps us out!!!
Title: I have rundll32 problems....log inside!
Post by: guestolo on January 04, 2005, 11:18:33 PM: You look like you have an older infection

Run vx2finder9x.exe
Press 'Click to Find VX2.BetterInternet'
Select all the files found
Press 'Delete These Files'

The program will delete all files.

Once deleted:
a. Press 'User Agent$'
b. Press 'Restore Desktop'
c. Press 'Import Reg'

Again Open Ad-Aware and check for updates and perform a full system
scan
Remove all Critical objects

Restart your computer

Once back in Windows post a fresh Hijackthis log
Open VX2 finder and click to find vx2.betterinternet
Make a log and post it back here too, thanks

We should hopefully just have some final cleanup in your Hijackthis log and we should get you that AV on your system and a couple other tools to keep you clean
Title: I have rundll32 problems....log inside!
Post by: jcurrieirocz on January 06, 2005, 05:50:53 PM: ok
theres a little problem....when i pressed import reg. a window came up saying "Look2me Import look2me.reg to repair Quicklaunch toolbar" i hit yes thinking it was something you wanted me to do but maybe i shouldnt of. because now there is quick launch icons on my startup bar (normaly where my page or aplication tabs are) that i dont want there. How do i remove them.....is look2me junk or what is it??? Ive seen that name on my firewall and i blocked it,,should I???

heres the new logs:
Logfile of HijackThis v1.99.0
Scan saved at 5:29:59 PM, on 1/6/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\DIAGNOSE PROBLEMS FILES\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab\")
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab (http://\"http://www3.ca.com/securityadvisor/virusinfo/webscan.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20041208/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")

looks like nothing i guess???

Log for VX2.BetterInternet File Finder (ver126)

Files Found---

User Agent String---
Title: I have rundll32 problems....log inside!
Post by: guestolo on January 06, 2005, 09:39:25 PM: This line may indicate that you had Norton's AV installed as part of Norton Internet Security Suite
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
Possibly part of Nortons Firewall, did you check out that link to remove NIS?

Do another scan with Hijackthis and put a check next to these entries:

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)

O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O14 - IERESET.INF: START_PAGE_URL=

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your computer

I assume if you removed Norton's you may not have any Anti-Virus to install in your computer
If that's the case you may want to install
If you don't have any AV software
I recommend that you go to this link
http://free.grisoft.com/doc/1 (http://\"http://free.grisoft.com/doc/1\")
Download and Install the free version of AVG 7 Free
After installation, restart if prompted
Allow it to update and run a Full System Scan
Not to safe being without any AV installed

To enhance your privacy and security
You should set up protection against future attacks

You should install these 2 apps., they add extra security while
silently protecting you, without running in the background

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link==Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
Scroll down and click on IE-SPYAD.EXE Free!

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

If you could
Post back with a fresh Hijackthis log and one last log from Find.bat<<I know that this may take some time to run, but let's ensure your clean

Quote
.is look2me junk or what is it
YES---Junk,junk,jun
Google and see what you find out
The look2me infection you have/had does have a way of effecting the desktop
The tool you ran helps to restore it
Try right clicking an empty spot on the Bottom taskbar
Left click Toolbars and uncheck Quick Launch
Title: I have rundll32 problems....log inside!
Post by: Guest on January 07, 2005, 02:20:27 PM: ok great looks like it all worked! A few quick questions tho

A--My firewall is only showing one application that i have blocked and it is the 1st one in the list on the screenshot i showed you in an previous post. But theres no traffic thru it anymore.
Can you tell me if i should have that application set to allow instead of block?? Or leave it to block??

B--Ok I ran the rav av and it found and del a "Trogen Horse Backdoor.Agent.4.m"
I also already had SpywareBlaster so i updated it and ran it along with IE-Spyad after i d/l it like you said. I remeber back when i had norton it told me it could not del the trogen virus so i hope the rav got rid of it for good.

C--I also did a google and found this app to remove look2me if you wanted to know http://www.spywareinfo.com/~merijn/files/kill2me.zip (http://\"http://www.spywareinfo.com/~merijn/files/kill2me.zip\")
I d/l it an ran it.

D-- Ill post you one more log of hijack just to make sure i got everything.... oh i knowticed that the startpage thing you are getting me to tick off keeps coming back i wonder whats up with that. Im going to post it in a min i got to reboot....
Title: I have rundll32 problems....log inside!
Post by: jcurrieirocz on January 07, 2005, 02:27:06 PM: Logfile of HijackThis v1.99.0
Scan saved at 2:22:46 PM, on 1/7/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\MY DOCUMENTS\DIAGNOSE PROBLEMS FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/ (http://\"http://v4.windowsupdate.microsoft.com/\")
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab\")
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab (http://\"http://www3.ca.com/securityadvisor/virusinfo/webscan.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20041208/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
Title: I have rundll32 problems....log inside!
Post by: Guest on January 10, 2005, 11:50:43 AM: ttt
Title: I have rundll32 problems....log inside!
Post by: guestolo on January 10, 2005, 08:40:06 PM: Hi again, sorry for the delay in posting back

At Sygates' forums here is the standard for that entry you are denying access

Quote
Should I Allow the win32 kernel core or ntkernel component?

Products:
Sygate® Personal Firewall
Sygate® Personal Firewall Pro

Operating systems:
All supported operating systems.

Details:
As a rule, if you are unsure about any application you should not allow it to access the Internet. Only the applications that you specifically know what they are should be allowed. Under most cases blocking the windows kernel should not create a problem. However, in some rare instances certain Internet Service Providers (ISP) will send you an ICMP message to verify that you are online and blocking this may cause them to turn off the service. If this happens, simply enable ICMP using the Advanced Rule editor.

To do this open Sygate® Personal Firewall and click on the Tools menu and then on Advanced Rules. You may have to click OK on a warning message before entering the Advanced Rule Editor.
Once you are in the Advanced Rule Editor click Add, this will cause a new rule to come up. Give the new rule a name, such as "Allow ICMP", and click on Allow this traffic option.
Then click on the Ports and Protocols tab and select the ICMP option. Enable Echo Reply - 0 and Echo Request - 8.
Then click OK to add in that rule, and then click OK to exit the Advanced Rule Editor.

Keywords:
ICMP, win32Kernel, allow, block

I would of liked to seen the Rav report that you will get at the end of the scan

But, we should try something else to ensure that your clean
This is a great Trojan Scanner

Could you Download and Install the Trial version of Trojan Hunter from this link>>It's good for 30 days
http://www.trojanhunter.com/trojanhunter.jsp (http://\"http://www.trojanhunter.com/trojanhunter.jsp\")

After you have it installed it is Important to manually update to the Latest Ruleset
You can find the download from here
http://www.trojanhunter.com/trojanhunter/updating/ (http://\"http://www.trojanhunter.com/trojanhunter/updating/\")
Simply save the Zipped file to your desktop and UNZIP it to your Trojan Hunter folder>>Allow to overwrite if prompted
The default install location of Trojan Hunter should be
C:\PROGRAM FILES\Trojan Hunter

After you have updated run a full scan on your hard drive
Let me know if it finds anything
And the location of any bad files if found

Hold onto Trojan Hunter for the full 30 days, before it expires it wouldn't hurt to manually update and run another scan
When uninstalling, simply disable TrojanGuard from running if you have it enabled
and then Uninstall it

Could you post back a fresh hijackthis log afterwards also and one more log from findit.bat
Thanks
Title: I have rundll32 problems....log inside!
Post by: Guest on January 11, 2005, 01:34:03 PM: ok like it said i made a new rule for allowing ICMP cause i think that what was happening.

Ok so rav i cant seem to fingure out how to post a log from it to here but it looks ok anyhow i did a 1st test on the 7th and it found the trogen and del it then i did another compleate scan that same day and it found nothing. And today i did another updated complete scan and nothing was found again.

I d/led and updated Trojan Hunter and ran it and found nothing also today. heres the log:
-----------------------------------------------------
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Error: Directory not found: D:\
No trojan files found
-----------------------------------------------------
Heres a new findit log:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volume in drive C has no label
Volume Serial Number is 1E42-14E9
Directory of C:\WINDOWS\SYSTEM

5,447.13 MB free

------- Hidden Files in System Directory -------

Volume in drive C has no label
Volume Serial Number is 1E42-14E9
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 12,746 08-13-01 1:58p folder.htt
DESKTOP INI 266 08-13-01 1:58p desktop.ini
2 file(s) 13,012 bytes
0 dir(s) 5,447.11 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\SYSTEM\lame_enc.dll: .aspack
C:\WINDOWS\SYSTEM\NCTAudioFile.dll: .aspack
C:\WINDOWS\SYSTEM\NCTAudioInformation2.dll: .aspack
C:\WINDOWS\SYSTEM\NCTAudioPlayer.dll: .aspack
C:\WINDOWS\SYSTEM\NCTWMAFile.dll: .aspack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"RegShave"="C:\\Progra~1\\REGSHAVE\\REGSHAVE.EXE /autorun"
"FLMLABTECMOUSE"="C:\\Program Files\\Labtec\\Labtec Mouse Software\\2.0\\mouse32a.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"WORKFLOW"="D:\\WORKFLOW.EXE"
"SmcService"="C:\\PROGRA~1\\SYGATE\\SPF\\SMC.EXE -startgui"
"msnappau"="\"c:\\program files\\MSN Apps\\Updater\\01.02.3000.1001\\en-ca\\msnappau.exe\""
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"KodakCCS"="C:\\WINDOWS\\System32\\Drivers\\KodakCCS.exe"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"CreateCD"="C:\\PROGRA~1\\ADAPTEC\\EASYCD~1\\CREATECD\\CREATECD.EXE -r"
"THGuard"="\"C:\\PROGRAM FILES\\TROJANHUNTER 4.1\\THGUARD.EXE\""

-------------------------------------------------------------------------
Heres a new hijack log:

Logfile of HijackThis v1.99.0
Scan saved at 1:22:54 PM, on 1/11/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.1\THGUARD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\DIAGNOSE PROBLEMS FILES\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.1\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab\")
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab (http://\"http://www3.ca.com/securityadvisor/virusinfo/webscan.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20041208/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
Title: I have rundll32 problems....log inside!
Post by: jcurrieirocz on January 12, 2005, 12:15:18 PM: ttt
Title: I have rundll32 problems....log inside!
Post by: jcurrieirocz on January 15, 2005, 03:50:06 PM: guestolo: ohh if you didnt know all the guests in this thread are me i forgot to put my name in. So how is my comp looking now???
Title: I have rundll32 problems....log inside!
Post by: guestolo on January 15, 2005, 08:50:13 PM: Can you do me a favor

Set Windows to Show Hidden files
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Click OK.

Navigate to C:\WINDOWS\INF\IEReset.inf

Right click on it and open it up
Copy and paste it back here, thanks
Title: I have rundll32 problems....log inside!
Post by: jcurrieirocz on January 16, 2005, 10:17:46 AM: here she is:

[Version]
Signature="$CHICAGO$"
AdvancedINF=2.5,"You need a new version of advpack.dll"

[RestoreHomePage]
AddReg=RestoreHomePage.reg

[RestoreBrowserSettings]
AddReg=RestoreBrowserSettings.reg
DelReg=DeleteTemplates.reg, DeleteAutosearch.reg

[RestoreHomePage.reg]
HKCU,"Software\Microsoft\Internet Explorer\Main","Start Page",0,%START_PAGE_URL%

[RestoreBrowserSettings.reg]
HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Search_URL",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,"www.%s.com"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","2",0,"www.%s.org"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","3",0,"www.%s.net"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","4",0,"www.%s.edu"
HKCU,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
HKCU,"Software\Microsoft\Internet Explorer\SearchUrl","Provider",0,""
HKLM,"Software\Microsoft\Internet Explorer\Search","SearchAssistant",0,"http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
HKLM,"Software\Microsoft\Internet Explorer\Search","CustomizeSearch",0,"http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites",%SAFESITE_VALUE%,0,"http://ie.search.msn.com/*"

[DeleteTemplates.reg]
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","5"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","6"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","7"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","8"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","9"

[DeleteAutosearch.reg]
HKCU,"Software\Microsoft\Internet Explorer\Main","AutoSearch"

[Strings]
SEARCH_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
SAFESITE_VALUE="ie.search.msn.com"
MS_START_PAGE_URL="http://www.msn.com"
Title: I have rundll32 problems....log inside!
Post by: jcurrieirocz on January 21, 2005, 11:43:21 AM: ttt
Title: I have rundll32 problems....log inside!
Post by: guestolo on January 23, 2005, 07:56:39 PM: Sorry for overlooking your post

The IEReset.inf looks ok
I wonder if you could try something for me

Open an empty Notepad window
START>>RUN>>Type in notepad
Hit OK>>Leave the notepad file open

Go back to IEReset.inf
Open it and copy and paste the whole contents of it to that empty Notepad file and then save it to MyDocuments
This is just for backup purposes or we have a backup here also

Go back to IERESET.inf and delete the Whole contents

Copy and paste the Whole contents of the quote box into the now empy IERESET file

Quote
[Version]Signature="$CHICAGO$"
AdvancedINF=2.5,"You need a new version of advpack.dll"

[RestoreHomePage]
AddReg=RestoreHomePage.reg

[RestoreBrowserSettings]
AddReg=RestoreBrowserSettings.reg
DelReg=DeleteTemplates.reg, DeleteAutosearch.reg

[RestoreHomePage.reg]
HKCU,"Software\Microsoft\Internet Explorer\Main","Start Page",0,%START_PAGE_URL%

[RestoreBrowserSettings.reg]
HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Search_URL",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,"www.%s.com"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","2",0,"www.%s.org"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","3",0,"www.%s.net"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","4",0,"www.%s.edu"
HKCU,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%

; NOTE (andrewgu) ie5.5 b#108259 - autosearch settings are not properly reset
HKCU,"Software\Microsoft\Internet Explorer\SearchUrl","Provider",0,""

HKLM,"Software\Microsoft\Internet Explorer\Search","SearchAssistant",0,"http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
HKLM,"Software\Microsoft\Internet Explorer\Search","CustomizeSearch",0,"http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites",%SAFESITE_VALUE%,0,"http://ie.search.msn.com/*"

[DeleteTemplates.reg]
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","5"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","6"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","7"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","8"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","9"

[DeleteAutosearch.reg]
; NOTE (andrewgu) ie5.5 b#108259 - autosearch settings are not properly reset
HKCU,"Software\Microsoft\Internet Explorer\Main","AutoSearch"

[Strings]
START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
SEARCH_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
SAFESITE_VALUE="ie.search.msn.com"

; IMPORTANT NOTE:
; IE branding dll (iedkcs32.dll) uses the following entries to restore the default MS values.
; In the vanilla version of IE, the values must be the same as their corresponding non MS_* values.
; For example, START_PAGE_URL and MS_START_PAGE_URL must have the same URL in the IE version released by MS.
MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

Close out the file and let it save the new settings

Download and save to Desktop
IEFIX.reg (http://\"http://www.spywareinfo.com/downloads/tools/IEFIX.reg\")

Restart into safe mode

Navigate back to IERESET.inf
RIGHT click on it and Choose INSTALL from the menu

Do another scan with Hijackthis and put a check next to these entries:

O14 - IERESET.INF: START_PAGE_URL=

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Double click on IEFIX.reg and allow it to merge to the registry

RESTART back to Normal mode

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back a fresh Hijackthis log
Title: I have rundll32 problems....log inside!
Post by: irish-paddy on January 24, 2005, 04:24:45 PM: I WAS FOLLOWING UR CONVERSATIONS AND TRIED A FEW THINGS/ MOST OF THINGS U SAID guestolo. thanks 4 the help

im having some troubles too if u could help (dont mean to interrupt)

/huh.gif\' class=\'bbc_emoticon\' alt=\':huh:\' /> I only started my internet connection on the 14th jan 2005. i dont really have a clue about viruses and firewalls etc.

My internet is broadband and i stupidly/accidently turned off my firewall. the longest me connection ever lasted was 2mins.

i have spent the last week and a half learning and trying to remove spywares/viruses etc. etc. etc.

ITS WORKING ALOT BETTER NOW BUT I DONT REALLY KNOW WHAT I DONE AND IM SURE SOMETHING IS STILL WRONG AS IT WONT LET ME OPEN NORTON ANTI-VIRUS EVEN AFTER MANY UNINSTALLATION/RE-INSTALLATIONS. it also doesnt let me open "hijackthis" except in safe mode and i cant get onto nortons website either. i want to use ebay etc. but am too scared to use credit card.

WOULD REALLY REALLY appreciate help from anyone.
cheers
irish paddy

p.s.
heres my log thing if anyone cares

Logfile of HijackThis v1.99.0
Scan saved at 16:10:56, on 24/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\Run: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\Run: [Windows Update] msnmsgrs.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Spool] C:\WINDOWS\TEMP\msvcreal.exe
O4 - HKLM\..\Run: [xcz] C:\WINDOWS\xcz.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [e2M35W] C:\WINDOWS\yilcrmb.exe
O4 - HKLM\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunServices: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\RunServices: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\RunServices: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunServices: [Windows Update] msnmsgrs.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CTI Central Management - Unknown - C:\WINDOWS\cti.exe (file missing)
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Title: I have rundll32 problems....log inside!
Post by: jcurrieirocz on January 25, 2005, 12:35:06 PM: here is the new one:
i did everything you said but that entry wasnt in hijack this when i did the 1st scan

Logfile of HijackThis v1.99.0
Scan saved at 12:31:38 PM, on 1/25/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.1\THGUARD.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\MY DOCUMENTS\DIAGNOSE PROBLEMS FILES\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.1\THGUARD.EXE"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab\")
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab (http://\"http://www3.ca.com/securityadvisor/virusinfo/webscan.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20041208/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe\")
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab (http://\"http://www.ravantivirus.com/scan/ravonline.cab\")
Title: I have rundll32 problems....log inside!
Post by: guestolo on January 25, 2005, 09:45:19 PM: That log looks fine now /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

This entry
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE

Related to Broadjumps troubleshooting software
Many consider it is unneeded on startup and a waste of resources

If you decide to fix that entry with Hijackthis
Keep the backup until your sure everything's running fine
I would opt to fix it, I will leave that up to you

Restart your computer afterwards

How's everything on your end?

Sorry it took me so long to get back at times, but that one entry was a bit puzzling

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link==Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
Scroll down and click on IE-SPYAD.EXE Free!

If a scan with Hijackthis is longer after the installation of IE-Spyad, not to worry, it's just the added entries to your Restricted Sites

Your time is almost up with TrojanHunter's trial version
If you decide to hold onto it for the full 30 days and want to run another scan
Ensure to Manually update the latest ruleset again by clicking on this link
http://www.misec.net/trojanhunter/updating/ (http://\"http://www.misec.net/trojanhunter/updating/\")
Save the zipped file and unzip to the Trojan hunter folder
This couldn't hurt to do this one last time /biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

When your time is up with Trojan Hunter, remember to first Disable TrojanGuard
Right click it's icon by the system clock and Exit it or Enter your Task Manager
(Ctrl+Alt+Del) and end task on THGUARD.EXE
Then uninstall the program

Let me know how everythings running, thanks
Title: I have rundll32 problems....log inside!
Post by: jcurrieirocz on February 03, 2005, 10:46:17 AM: yep everything looks fine on my end.....thanks a lot you are a computer god!! haha

I hope somehow you get repaid for all your hard work on this site!!! Its very hard to find help like this without a butch a bs thru the internet. Thank you again for your time and thank you to this site!!
Later
Jeff Currie
PE, Canada
Title: I have rundll32 problems....log inside!
Post by: guestolo on February 04, 2005, 03:24:25 AM: Thanks for posting back Jeff
I'll lock this topic as your problems are resolved
If you need it reopened, please PM the site Admin or a MOD
Supply a link to this thread

Anyone else with similiar problems please start your own topic and include a Hijackthis log