Solved Rundll32.exe Consuming vast system resources on HP Laptop

Discussion in 'Virus, Spyware and Malware Removal' started by AndyD, Aug 15, 2012.


Thread Status:
Not open for further replies.
  1. AndyD Bronze Member

    Hi Everyone,

    Very much hoping for some advice to resolve this as I've done my best to troubleshoot but no closer to solving this.

    To be fair, the HP DV6 series laptop is almost 4-5 years old, but it does not run anything too intensive. I upgraded it to 3GB RAM a while back too (it was supplied with 2GB only). The drive still has 50GB free, so it is not near capacity.

    The problem I have been experiencing is that at various times, often simply following web browsing using IE9, the computer starts to grind to a halt.

    Depending on how quickly you catch it, sometimes you can open Task Manager and find 3 or 4 instances of rundll32.exe running. There is usually one (1) of these that will show massive system memory utilisation, sometimes >500MB, and it will be progressively rising until it is terminated.

    At the same time as this is happening - the hard drive light is solidly lit and sounds like it is going crazy.

    If you don't catch it in time and terminate the processes, I will need to force a power button shutdown.

    I don't know when this started, but it was quite a while back and used to be fairly infrequent. Now it seems a bit more frequent, maybe once every week.

    Restarting the computer will resolve the issue until the next occurrence.

    Can anyone suggest what to try to troubleshoot (and hopefully resolve this)?



    Thanks

    AndyD
  2. Malnutrition Moderator

    Welcome to PCHF

    Please download FarbarServiceScanner and run it on the computer with the issue.


    Make sure the following options are checked:
    Internet Services
    Windows Firewall
    System Restore
    Security Center/Action Center
    Windows Update

    Press "Scan".
    It will create a log (FSS.txt) in the same directory the tool is run.
    Please copy and paste the log to your reply.

    Please download MINITOOLBOX and run it.

    Checkmark following boxes:


    Report IE Proxy Settings
    Report FF Proxy Settings
    List content of Hosts
    List IP configuration
    List Winsock Entries
    List last 10 Event Viewer log
    List Installed Programs
    List Users, Partitions and Memory size
    List Devices (problems only)



    Click Go and attach the result.

    1- Please click HERE to download HijackThis.

    2- Run the program.

    3- Click on the Main Menu button if not already there.

    4- Select Do a system scan and save a logfile.

    5- Attach the scan log from Notepad into your next reply.



    Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  3. AndyD Bronze Member

    Hi,

    Thanks for the reply.

    I'm back and attach 4 results from the tools suggested to be run.

  5. AndyD Bronze Member

    Another update.

    Problem occurred again and I was able to take a print screen of the processes and command lines from Task Manager.

    The command line relating to rundll32 that is causing the problem is inetcpl.cpl\ClearMyTracksByProcess Flags:475

    There were 3 instances of this same line. 1 was using 1.3GB RAM.

    I am also unable to delete browsing history from IE9, and apparently this may be related?
  6. Malnutrition Moderator

    Download CCleaner; just make sure not to install anything else that may come with it (toolbars, etc.).
    Now open CCleaner, then hit the Tools button, then the Startup button, then select each entry below and disable it.

    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [WD Quick View] C:\Program Files\Western Digital\WD Quick View\WDDMStatus.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Logitech Media Server Tray Tool.lnk = C:\Program Files\Squeezebox\SqueezeTray.exe
    O4 - Global Startup: WD Quick View.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe

    Do not disable the items with the line through them.

    Uninstall the programs below.

    Microsoft Security Client (Version: 4.0.1526.0)
    Microsoft Security Essentials (Version: 4.0.1526.0)

    Run the MSE removal tool.
    http://go.microsoft.com/?linkid=9748340

    Reboot your machine.

    Install Avast free.
    http://files.avast.com/iavs5x/avast_free_antivirus_setup.exe



    Download Autoruns and Autorunsc, unzip Autoruns to your desktop and run it. See any entries that read "file not found"? When you see them, simply uncheck the entries. Do this only for the entries that read "file not found". Also uncheck any scheduled tasks that are set to run on your machine, then close the program.
    http://download.sysinternals.com/files/Autoruns.zip


    Download Ad-ware Cleaner and run it as admin. Click the Delete button, allow it to run, and post the log it creates.

    http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner




    Hit the Windows key and type CMD in the run box. When Command Prompt pops up at the top of the Start menu, right click it and select Run as admin, then type chkdsk /r and hit Enter. When asked to schedule on next reboot, type Y and hit Enter, then type exit and hit Enter, and reboot your machine.


    After completing the above task, please download TFC by OldTimer and save it to your desktop.
    tempfilecleaner
    Save any unsaved work. TFC will close ALL open programs, including your browser!
    Double-click on TFC.exe to run it. If TFC doesn't prompt a reboot, then please do so manually.

    The things that I will need in your next reply are the Ad-Ware remover log and a new HijackThis log, please.


    I
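A defender-side triage of the symptom described in posts 5 and 8 against the O4 startup list in post 6: it parses rundll32 command lines into DLL, entry point and arguments, marks instances that no listed autorun launches, and flags any whose working set passes a threshold. This is an added example, not code posted in the thread or belonging to any tool it names; the O4 subset, the process snapshot and the 256 MB threshold are constructed assumptions.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional

# rundll32 syntax is "rundll32 <dll>,<entrypoint> [arguments]"; the host may be quoted
# or pathed, and the DLL may be quoted when its path contains spaces.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))'
    r"\s*,\s*(?P<export>\S+)(?:\s+(?P<args>.*?))?\s*$",
    re.IGNORECASE,
)
# HijackThis O4 line: "O4 - <location>: [<name>] <command>" or
# "O4 - Global Startup: <file>.lnk = <target>", optionally ending in "(User '<account>')".
O4_RE = re.compile(
    r"^O4 - (?P<location>[^:]+): "
    r"(?:\[(?P<name>[^\]]+)\] (?P<command>.*?)|(?P<lnk>[^=]+\.lnk) = (?P<target>.*?))"
    r"(?: \(User '(?P<user>[^']+)'\))?\s*$"
)

class Rundll32Call(NamedTuple):
    dll: str     # lower-cased DLL basename, e.g. "inetcpl.cpl"
    export: str  # entry point, e.g. "ClearMyTracksByProcess"
    args: str    # trailing arguments, e.g. "Flags:475"

class AutorunEntry(NamedTuple):
    location: str
    name: str
    command: str
    user: Optional[str]

class Finding(NamedTuple):
    pid: int
    call: Rundll32Call
    working_set_mb: float
    in_autoruns: bool     # same (dll, export) pair as a listed autorun
    over_threshold: bool  # working set above the triage threshold

def parse_rundll32(command_line: str) -> Optional[Rundll32Call]:
    """Return the DLL/entry point a rundll32 command line hosts, or None if it is not rundll32."""
    m = RUNDLL32_RE.match(command_line)
    if m is None:
        return None
    dll = m.group("qdll") or m.group("dll")
    return Rundll32Call(ntpath.basename(dll).lower(), m.group("export"), (m.group("args") or "").strip())

def parse_o4_lines(text: str) -> List[AutorunEntry]:
    """Parse HijackThis O4 lines; lines that do not match the O4 format are skipped."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m is None:
            continue
        name = m.group("name") or m.group("lnk")
        command = m.group("command") if m.group("command") is not None else m.group("target")
        entries.append(AutorunEntry(m.group("location"), name, command, m.group("user")))
    return entries

def triage_rundll32(processes, autoruns: List[AutorunEntry], threshold_mb: float = 256.0) -> List[Finding]:
    """Flag rundll32 instances no autorun explains and/or that exceed threshold_mb, largest first."""
    known = {(c.dll, c.export.lower()) for c in map(parse_rundll32, [a.command for a in autoruns]) if c}
    findings = []
    for proc in processes:
        call = parse_rundll32(proc["CommandLine"])
        if call is None:
            continue  # not a rundll32 host process
        ws_mb = round(proc["WorkingSetSize"] / (1024 * 1024), 1)
        findings.append(Finding(proc["ProcessId"], call, ws_mb,
                                (call.dll, call.export.lower()) in known, ws_mb > threshold_mb))
    return sorted(findings, key=lambda f: f.working_set_mb, reverse=True)

# Constructed subset of the O4 list posted in the thread.
O4_SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
"""
# Constructed snapshot (PID, command line, working set in bytes) modelled on the Task Manager
# observation in the thread: ClearMyTracksByProcess instances, one near 1.3 GB, beside NvCpl.
CLEAR_TRACKS = r'"C:\Windows\system32\rundll32.exe" inetcpl.cpl,ClearMyTracksByProcess Flags:475'
PROCESS_SAMPLE = [
    {"ProcessId": 1234, "CommandLine": r"RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup", "WorkingSetSize": 4194304},
    {"ProcessId": 2048, "CommandLine": CLEAR_TRACKS, "WorkingSetSize": 1395654656},
    {"ProcessId": 2050, "CommandLine": CLEAR_TRACKS, "WorkingSetSize": 13107200},
    {"ProcessId": 2052, "CommandLine": CLEAR_TRACKS, "WorkingSetSize": 9437184},
    {"ProcessId": 3000, "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" -nohome', "WorkingSetSize": 94371840},
]

if __name__ == "__main__":
    for f in triage_rundll32(PROCESS_SAMPLE, parse_o4_lines(O4_SAMPLE)):
        tags = ("" if f.in_autoruns else "NOT-IN-AUTORUNS ") + ("HIGH-MEMORY" if f.over_threshold else "")
        print(f"pid={f.pid:<5} {f.call.dll},{f.call.export} {f.call.args:<10} {f.working_set_mb:>8.1f} MB  {tags}")
```

On a live machine the snapshot would come from Task Manager's Command Line column or an equivalent process listing; the correlation shows that the memory-hungry instance is not a startup entry at all, which is consistent with the later finding that IE's clear-history action spawns it.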
  7. AndyD Bronze Member

    OK, done all that too. I don't understand it all, but I assume that with so much now disabled from startup, a lot of things that worked automatically, like autodetection of devices etc., won't work for now.

    Files attached.

    I now have a new error on reboot. Microsoft Security Client: Error Code 0x80070002 "An error has occurred during initialisation. If the problem persists, please contact the administrator".

  8. AndyD Bronze Member

    Ps. Problem still occurring after all the above. Although there only appeared to be one instance of rundll32.exe running according to task manager processes just reviewed now, it was using >1.3GB of RAM and causing the computer to virtually grind to a halt as per usual scenario. Solid HDD light too.
  9. Malnutrition Moderator

  10. AndyD Bronze Member

    Hi, Logs requested from prework attached.
    Thanks
    AndyD

  11. Malnutrition Moderator

    Our security team will be with you shortly.
  12. Pancake Security Team

    Please download Malwarebytes Anti-Malware from Malwarebytes.org
    Alternate link: Download Mirror

    (Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

    Double Click mbam-setup.exe to install the application.

    (Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
    Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    If an update is found, it will download and install the latest version.
    Once the program has loaded, select "Perform Full Scan", then click Scan.
    The scan may take some time to finish, so please be patient.
    When the scan is complete, click OK, then Show Results to view the results.
    Make sure that everything is checked, and click Remove Selected.
    When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
    Please save the log to a location you will remember.
    The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Copy and paste the entire report in your next reply.
    If Malwarebytes fails to download please use the following link:

    http://malwarebytes.org/mbam-download-exe-random.php
  13. AndyD Bronze Member

    Malwarebytes Log pasted below.

    Problem still persists following scan and remove processes being run. It seems I can induce the problem by running the clear temporary internet files within Internet Explorer. When I do this, the Inetcpl.cpl/ClearMyTracks process consumes up to 1.4GB of memory and brings things to a standstill, as just happened again now. The viewed website history was not deleted either.

    Log Paste:

    Malwarebytes Anti-Malware (Trial) 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.08.20.04
    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Andrew Duncan :: ANDREW_DUNCANPC [administrator]
    Protection: Enabled
    20/08/2012 10:19:37
    mbam-log-2012-08-20 (13-50-42).txt
    Scan type: Full scan (C:\|D:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 463041
    Time elapsed: 2 hour(s), 14 minute(s), 42 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 2
    C:\Users\Andrew Duncan\Favorites\Downloads\Computer Folders\Updates & Installs\SoftonicDownloader_for_copy-all-to-one.exe (PUP.OfferBundler.ST) -> No action taken.
    C:\Users\Andrew Duncan\Favorites\Downloads\Computer Folders\Updates & Installs\SeTool2_Lite_1.11\SeTool2\SeTool 2 Lite 1.11\setool2lt.exe (Malware.Packer.T) -> No action taken.
    (end)
  14. AndyD Bronze Member

    PS. Just for clarity regarding the log above, which completed after the scan: I have run the remove process for the two files identified (and restarted the computer). But the original system resource utilisation issue of rundll32.exe using command Inetcpl.cpl/ClearMyTracks persists.

    I have tried quite a bit of googling around this and there are quite a few occurrences of this being a reported problem on the net, but very few where there appears to be a final resolution, especially one that works....
  15. Pancake Security Team

    Download Combofix from any of the links below, and save it to your desktop.
    Link 1
    Link 2
    When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.

    Refer to this image:
    To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
    • Close any open windows and double click PCHelpForum.exe to run it.
      You will see the following image:

    Click I Agree to start the program.
    ComboFix will then extract the necessary files and you will see this:


    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.
    It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    If you did not have it installed, you will see the prompt below. Choose YES.


    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.
    When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
    Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
    Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
  16. AndyD Bronze Member

    Hi,

    Combo fix log pasted below:

    ComboFix 12-08-20.02 - Andrew Duncan 21/08/2012 9:10.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3070.1907 [GMT 1:00]
    Running from: c:\users\Andrew Duncan\Favorites\Downloads\Computer Folders\PC Checks\pt2\pt3\Pt4\pt5\PCHelpForum.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\favoritevideo\InvisibleFolder
    c:\programdata\hpe2D75.dll
    c:\programdata\hpeF0EE.dll
    c:\windows\system32\KBL.LOG
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-21 to 2012-08-21 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-21 08:20 . 2012-08-21 08:21 -------- d-----w- c:\users\Andrew Duncan\AppData\Local\temp
    2012-08-21 08:20 . 2012-08-21 08:20 -------- d-----w- c:\users\Sarah Duncan\AppData\Local\temp
    2012-08-21 08:20 . 2012-08-21 08:20 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
    2012-08-21 08:20 . 2012-08-21 08:20 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-20 09:18 . 2012-08-20 09:18 -------- d-----w- c:\users\Andrew Duncan\AppData\Roaming\Malwarebytes
    2012-08-20 09:18 . 2012-08-20 09:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-08-20 09:18 . 2012-08-20 09:18 -------- d-----w- c:\programdata\Malwarebytes
    2012-08-20 09:18 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-17 19:52 . 2012-08-17 19:52 -------- d-----w- c:\users\Andrew Duncan\AppData\Local\ElevatedDiagnostics
    2012-08-17 06:35 . 2012-07-03 16:21 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-08-17 06:35 . 2012-07-03 16:21 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-08-17 06:35 . 2012-07-03 16:21 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-08-17 06:35 . 2012-07-03 16:21 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-08-17 06:35 . 2012-07-03 16:21 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-08-17 06:35 . 2012-07-03 16:21 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-08-17 06:35 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
    2012-08-17 06:35 . 2012-07-03 16:21 227648 ----a-w- c:\windows\system32\aswBoot.exe
    2012-08-17 06:34 . 2012-08-17 06:34 -------- d-----w- c:\programdata\AVAST Software
    2012-08-17 06:34 . 2012-08-17 06:34 -------- d-----w- c:\program files\AVAST Software
    2012-08-17 06:28 . 2012-08-17 06:56 1966 ----a-w- C:\FixitRegBackup.reg
    2012-08-17 06:02 . 2012-08-17 06:02 -------- d-----w- c:\program files\CCleaner
    2012-08-16 09:31 . 2012-07-04 14:02 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-08-16 08:47 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F2FB0728-9178-477F-9F8D-0A13EE2B7079}\mpengine.dll
    2012-08-16 08:45 . 2012-05-11 15:57 623616 ----a-w- c:\windows\system32\localspl.dll
    2012-08-14 19:29 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-31 18:06 . 2012-07-31 18:06 -------- d-----w- c:\users\Sarah Duncan\AppData\Local\Apple
    2012-07-31 08:09 . 2012-07-31 08:09 -------- d-----w- c:\users\Sarah Duncan\AppData\Roaming\Hewlett-Packard
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-14 20:03 . 2012-04-25 06:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-14 20:02 . 2011-05-16 05:37 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-26 07:32 . 2012-06-26 07:32 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-06-26 07:32 . 2010-05-29 01:27 472840 ----a-w- c:\windows\system32\deployJava1.dll
    2012-06-05 16:47 . 2012-07-11 07:45 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-05 16:47 . 2012-07-11 07:45 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 15:26 . 2012-07-11 07:45 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 22:19 . 2012-06-26 13:03 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-26 13:03 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-26 13:02 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-26 13:02 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-26 13:03 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-26 13:03 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-26 13:02 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 14:19 . 2012-06-26 13:02 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 14:12 . 2012-06-26 13:02 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 00:04 . 2012-07-11 07:45 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 00:03 . 2012-07-11 07:45 204288 ----a-w- c:\windows\system32\ncrypt.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-5 727592]
    WD Quick View.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-6-29 3977728]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Media Server Tray Tool.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Media Server Tray Tool.lnk
    backup=c:\windows\pss\Logitech Media Server Tray Tool.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    2008-04-09 10:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
    2008-04-09 10:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-03-29 20:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-08-31 01:57 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-05-30 19:06 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
    2008-08-13 04:34 1891416 ----a-w- c:\garmin\gStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2010-03-12 03:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2008-04-15 06:54 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-06-07 18:33 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2009-10-03 01:40 13826664 ----a-w- c:\windows\System32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnScreenDisplay]
    2007-09-04 20:54 554320 ----a-w- c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPAP]
    2010-04-06 05:31 185800 ----a-w- c:\program files\Common Files\PPLiveNetwork\PPAP.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
    2007-09-19 21:31 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
    2007-10-01 02:34 181544 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2012-04-18 19:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2009-06-09 00:25 7539232 ----a-w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
    2009-10-26 13:46 1458176 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2012-01-18 14:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2011-10-14 03:36 2299176 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
    2007-09-15 08:29 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
    2008-04-09 10:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Quick View]
    2012-04-30 15:18 5235608 ----a-r- c:\program files\Western Digital\WD Quick View\WDDMStatus.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\X-Lite 4]
    2010-08-11 16:16 2863616 ----a-w- c:\program files\CounterPath\X-Lite 4\X-Lite4.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-23 07:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-17 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-25 20:04]
    .
    2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 06:07]
    .
    2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 06:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Pavilion&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = 94.76.205.113:30003
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{92A64E7D-A306-4DFB-A5EF-A6C8AC22ED4F}: NameServer = 192.168.1.254
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.3.0/GarminAxControl_32.CAB
    DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://access.mwbex.com/MLWebCacheCleaner.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-hpqSRMon - (no file)
    MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
    MSConfigStartUp-Norton Download Manager{NIS_Production_94_136_NUC} - c:\users\Public\Downloads\Norton\{NIS_Production_94_136_NUC}\NISDownloader[1].exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-21 09:21
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b4
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(892)
    c:\windows\system32\relog_ap.dll
    .
    Completion time: 2012-08-21 09:24:18
    ComboFix-quarantined-files.txt 2012-08-21 08:24
    .
    Pre-Run: 55,172,009,984 bytes free
    Post-Run: 55,156,572,160 bytes free
    .
    - - End Of File - - FBA94C534F3350BBC77C8A58D2B76AF8
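The "Supplementary Scan" block in the log above is where a helper on a thread like this looks first: the `u` prefix marks a per-user (HKCU) Internet Settings value, `m` a machine-wide one, and a user-scope `ProxyServer` pointing at a public IP on a high port means every IE/WinINet request from that profile is relayed through a third party. The log alone does not establish whether that entry is malicious or a leftover from software the user installed, so the script below is an added example (not ComboFix's code and not from the thread) that only surfaces what to verify on the machine: it parses a constructed copy of the proxy and DNS lines from the log and flags any proxy or name server outside private/loopback address space, handling the `http=host:port;https=host:port` form of `ProxyServer` as well as the single `host:port` form.

```python
import ipaddress
import re

# Constructed sample: the 'Supplementary Scan' lines as they appear in a
# ComboFix log pasted to a forum (defanged hxxp:// URLs kept as-is).
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 94.76.205.113:30003
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\\{92A64E7D-A306-4DFB-A5EF-A6C8AC22ED4F}: NameServer = 192.168.1.254
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://access.mwbex.com/MLWebCacheCleaner.cab
.
- - - - ORPHANS REMOVED - - - -
"""

# ComboFix prefixes: 'u' = per-user (HKCU) value, 'm' = machine-wide (HKLM) value.
SETTING_RE = re.compile(
    r"^(?P<scope>[um])Internet Settings,(?P<name>\w+)\s*=\s*(?P<value>.+?)\s*$"
)
# Matches both 'DhcpNameServer = x.x.x.x' and 'Interfaces\{...}: NameServer = x.x.x.x'.
DNS_RE = re.compile(r"NameServer\s*=\s*(?P<value>[\d.]+)")


def parse_supplementary(log_text):
    """Return (list of Internet Settings entries, list of DNS server strings)."""
    settings, dns = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = SETTING_RE.match(line)
        if m:
            settings.append(m.groupdict())
            continue
        m = DNS_RE.search(line)
        if m:
            dns.append(m.group("value"))
    return settings, dns


def classify_host(host):
    """'private' for RFC1918/loopback/link-local, 'public' for routable IPs,
    'name' for anything that is not an IP literal (hostnames need resolving)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"


def split_proxy(value):
    """Yield (host, port) pairs from a WinINet ProxyServer value, which is either
    'host:port' or a ';'-separated list of 'scheme=host:port' entries."""
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            part = part.split("=", 1)[1]
        host, _, port = part.rpartition(":")
        if not host:          # no ':' present: the whole string is the host
            host, port = port, ""
        yield host, port


def triage(log_text):
    """Flag proxy servers and DNS servers that sit outside private address space."""
    findings = []
    settings, dns = parse_supplementary(log_text)
    for s in settings:
        if s["name"] != "ProxyServer":
            continue
        for host, port in split_proxy(s["value"]):
            if classify_host(host) == "public":
                findings.append({"kind": "proxy", "scope": s["scope"],
                                 "host": host, "port": port})
    for server in dns:
        if classify_host(server) == "public":
            findings.append({"kind": "dns", "scope": "tcp", "host": server, "port": ""})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        where = "HKCU" if f["scope"] == "u" else "HKLM" if f["scope"] == "m" else "TCP/IP"
        print(f"{f['kind']:5} {where}: {f['host']}:{f['port']} is a public address; verify on the host")
```

A hit from this script is a lead, not a verdict: the next step is to confirm the value live in `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (and `ProxyEnable`), check whether anything the user installed legitimately configures that proxy, and clear it if not. Both name servers in the sample are on the LAN, so only the proxy is reported.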
