I've tried the command prompt "sfc" tool or whatever to verify all my protected windows files, and cleaned anything out with hijackthis that even looked at me funny (I'm fairly good at deciding what's safe to delete and what isn't). Also took regcleaner to it with a vengeance as well. Absolutely nothing is enabled under "startup" in msconfig (standard practice for me actually), etc etc. Still no luck, about a minute into any computer boot rundll32.exe (and yes it's named properly and in the system32 directory like it belongs) starts itself up and starts giving me all popups all the time.
Here's my hijackthis log (and yes this is all that starts when windows boots, I'm anal about not having funny processes starting at boot):
(EDIT: well, ok rundll32.exe doesn't start at boot, it starts up like a minute or 2 after boot. Also, that MSN Money thing is something that belongs there for sure. The only thing that remotely worries me here is the "winlogon notify" thing at the bottom)
Logfile of HijackThis v1.99.1
Scan saved at 3:00:18 AM, on 6/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\hijack\HijackThis.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Panzerfaust\Application Data\Mozilla\Profiles\default\ks780d17.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Panzerfaust\Application Data\Mozilla\Profiles\default\ks780d17.slt\prefs.js)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092962158602
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral....s/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5343FBD1-3D11-4377-AE09-739584CEBA05}: NameServer = 24.164.100.230
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8C9F147-69D2-4361-9058-3B55875C40DB}: NameServer = 24.164.100.234
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\n6n6lg5s16.dll
Edited by Valakar, 19 June 2005 - 01:17 AM.
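Added example, not part of the original post: a small triage script that parses HijackThis entry lines and lists the O20 "Winlogon Notify" entries that differ from a baseline, which is the entry the poster singles out. The baseline set, the function names and the `Schedule` sample line are assumptions made for this illustration; a listed entry is only a candidate for review, not a verdict.

```python
import ntpath
import re

# Constructed sample: three lines copied from the log above plus one
# made-up O20 line for a stock notify package, for contrast.
SAMPLE_LOG = r"""
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5343FBD1-3D11-4377-AE09-739584CEBA05}: NameServer = 24.164.100.230
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\n6n6lg5s16.dll
O20 - Winlogon Notify: Schedule - C:\WINDOWS\system32\wlnotify.dll
"""

# Assumption: notify subkeys present on a clean Windows XP install.
# Replace with a baseline exported from a known-good machine of the same build.
BASELINE = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
            "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
SYSTEM32 = ntpath.normcase(r"C:\WINDOWS\system32")

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (.+?) - (.+)$")

def parse_entries(log_text):
    """Return (section_code, body) for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def review_winlogon_notify(log_text, baseline=BASELINE):
    """List O20 Winlogon Notify entries that deviate from the baseline."""
    known = {name.lower() for name in baseline}
    findings = []
    for code, body in parse_entries(log_text):
        m = NOTIFY_RE.match(body) if code == "O20" else None
        if not m:
            continue  # other sections, or O20 lines that are not notify packages
        name, dll = m.group(1), m.group(2).strip()
        reasons = []
        if name.lower() not in known:
            reasons.append("subkey not in baseline")
        if ntpath.normcase(ntpath.dirname(dll)) != SYSTEM32:
            reasons.append("DLL outside system32")
        if reasons:
            findings.append({"name": name, "dll": dll, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review_winlogon_notify(SAMPLE_LOG):
        print(f["name"], f["dll"], "; ".join(f["reasons"]))
```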