HijackThis Log (Normal boot):
Logfile of HijackThis v1.99.1
Scan saved at 12:33:58 PM, on 8/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\VET\VETTRAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Vet Start Up] C:\VET\VET98.EXE /PROGRESSIVE
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] c:\VET\VETTRAY.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .DImg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
===========================================
HijackThis Log (Safe Mode):
Logfile of HijackThis v1.99.1
Scan saved at 3:50:05 PM, on 8/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .DImg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
================================================
The problem seems to be associated with the RunDLL32.exe process, which, if end-tasked, goes away, taking the popup problem with it, at least for a while. Something is then restarting the process.
The Internet Explorer install has been corrupted, so, while still working partially, it thinks it is IE5. It won't repair because so many files are the wrong version, and it won't let me install IE6 over the top, because "A previous installation has pending work requiring a reboot". This means that online scanners like Trend Micro's HouseCall won't work.
Edit: I've been directed to Process Explorer by Skate_Punk (IRC). The rundll process in question looks like this:
==========================================
DLLS
Process PID CPU Description Company Name
Idle 0x0 88.30 System Idle Process
KERNEL32.DLL 0xFFEFF8ED 0.29 Win32 Kernel core component Microsoft Corporation
MSGSRV32.EXE 0xFFFFCF45 Windows 32-bit VxD Message Server Microsoft Corporation
EXPLORER.EXE 0xFFFE7EB1 1.07 Windows Explorer Microsoft Corporation
SWDOCTOR.EXE 0xFFFDA809 7.31 Spyware Doctor PCTools
RUNDLL32.EXE 0xFFFD0375 0.19 Run a DLL as an App Microsoft Corporation
PROCEXP.EXE 0xFFE15E99 2.83 Sysinternals Process Explorer Sysinternals
MPREXE.EXE 0xFFFE33B9 WIN32 Network Interface Service Process Microsoft Corporation
mmtask.tsk 0xFFFE1BF9 Multimedia background task support module Microsoft Corporation
Process: RUNDLL32.EXE Pid: FFFD0375
Name Description Company Name Version
ADVAPI32.DLL Win32 ADVAPI32 core component Microsoft Corporation 4.80.0000.1675
BROWSEUI.DLL Shell Browser UI Library Microsoft Corporation 5.00.2614.3500
COMCTL32.DLL Common Controls Library Microsoft Corporation 5.80.2614.3500
COMDLG32.DLL Common Dialogs DLL Microsoft Corporation 4.72.3510.2300
CRYPT32.DLL Crypto API32 Microsoft Corporation 5.131.1877.0004
DHCPCSVC.DLL
GDI32.DLL Win32 GDI core component Microsoft Corporation 4.10.0000.1998
ICMP.DLL ICMP DLL Microsoft Corporation 5.00.1454.0001
IPCFGDLL.DLL Ipconfig API DLL Microsoft Corporation 5.00.1717.0002
IPHLPAPI.DLL IP Helper API Microsoft Corporation 5.00.1717.0002
KERNEL32.DLL Win32 Kernel core component Microsoft Corporation 4.10.0000.2222
klg.DAT Spyware Doctor PC Tools 3.00.0000.0023
MPR.DLL WIN32 Network Interface DLL Microsoft Corporation 4.10.0000.1998
MSAFD.DLL Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 4.10.0000.1998
MSNET32.DLL Microsoft 32-bit Network API Library Microsoft Corporation 4.10.0000.1998
MSOSS.DLL Microsoft Trust ASN APIs Microsoft Corporation 5.131.1877.0003
MSPWL32.DLL Password list management library Microsoft Corporation 4.10.0000.1998
MSVCRT.DLL Microsoft ® C Runtime Library Microsoft Corporation 6.00.8797.0000
MSVCRT20.DLL Microsoft® C Runtime Library Microsoft Corporation 2.11.0000.0000
MSWSOCK.DLL Microsoft WinSock Extension APIs Microsoft Corporation 4.10.0000.2222
NETAPI32.DLL 32-bit network API DLL Microsoft Corporation 4.10.0000.1998
NETBIOS.DLL
OLE32.DLL Microsoft OLE for Windows and Windows NT Microsoft Corporation 4.71.2900.0000
OLEAUT32.DLL Microsoft Corporation 2.40.4518.0000
OLEDLG.DLL Microsoft Windows OLE 2.0 User Interface Support Microsoft Corporation 5.00.1555.0000
ONBCTL32.DLL
RASAPI32.DLL Dial-Up Networking Dynamic Linked Library Microsoft Corporation 4.10.0000.2222
RNR20.DLL Windows Socket2 NameSpace DLL Microsoft Corporation 4.10.0000.2222
RPCRT4.DLL Remote Procedure Call DLL Microsoft Corporation 4.71.2900.0002
RUNDLL32.EXE Run a DLL as an App Microsoft Corporation 4.10.0000.1998
SECUR32.DLL Microsoft Win32 Security Services Microsoft Corporation 4.10.0000.2222
SHDOCVW.DLL Shell Doc Object and Control Library Microsoft Corporation 5.00.2614.3500
SHELL32.DLL Windows Shell Common Dll Microsoft Corporation 4.72.3612.1700
SHFOLDER.DLL Shell Folder Service Microsoft Corporation 5.00.2919.0200
SHLWAPI.DLL Shell Light-weight Utility Library Microsoft Corporation 5.00.2614.3500
SVRAPI.DLL 32-bit common Server API library Microsoft Corporation 4.10.0000.1998
swpg.DAT Spyware Doctor PC Tools 3.00.0000.0035
TAPI32.DLL Microsoft® Windows Telephony API Client DLL Microsoft Corporation 4.10.0000.2222
URLMON.DLL OLE32 Extensions for Win32 Microsoft Corporation 5.00.2614.3500
USER32.DLL Win32 USER32 core component Microsoft Corporation 4.10.0000.2222
VERSION.DLL Win32 VERSION core component Microsoft Corporation 4.10.0000.1998
WININET.DLL Internet Extensions for Win32 Microsoft Corporation 5.00.2614.3500
WINSPOOL.DRV Win32 WINSPOOL core component Microsoft Corporation 4.10.0000.1998
WS2_32.DLL Windows Socket 2.0 32-Bit DLL Microsoft Corporation 4.10.0000.2222
WS2HELP.DLL Windows Socket 2.0 Helper for Windows 98 Microsoft Corporation 4.10.0000.1998
WSOCK32.DLL BSD Socket API for Windows Microsoft Corporation 4.10.0000.1998
===============================================
Handles
Process PID CPU Description Company Name
Idle 0x0 86.80 System Idle Process
KERNEL32.DLL 0xFFEFF8ED 0.10 Win32 Kernel core component Microsoft Corporation
MSGSRV32.EXE 0xFFFFCF45 Windows 32-bit VxD Message Server Microsoft Corporation
EXPLORER.EXE 0xFFFE7EB1 1.08 Windows Explorer Microsoft Corporation
SWDOCTOR.EXE 0xFFFDA809 9.85 Spyware Doctor PCTools
RUNDLL32.EXE 0xFFFD0375 0.10 Run a DLL as an App Microsoft Corporation
PROCEXP.EXE 0xFFE15E99 2.07 Sysinternals Process Explorer Sysinternals
MPREXE.EXE 0xFFFE33B9 WIN32 Network Interface Service Process Microsoft Corporation
mmtask.tsk 0xFFFE1BF9 Multimedia background task support module Microsoft Corporation
Process: RUNDLL32.EXE Pid: FFFD0375
Type Name
Device VIP
Device WSOCK2
Device VDHCP
Event InitUMonitor
File C:\WINDOWS\SYSTEM\SKLWOA.DLL
File C:\WINDOWS\LOCALS~1\TEMPOR~1\CONTENT.IE5\INDEX.DAT
File C:\WINDOWS\COOKIES\INDEX.DAT
File C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT
MappedFile AutoUnhookMap$fffd0375$5a000000
MappedFile AutoUnhookMap$fffd0375$010e0000
MappedFile rpcrt4sharedmem
MappedFile fileAllocatorMutex
MappedFile C:_WINDOWS_Local Settings_Temporary Internet Files_Content.IE5_index.dat_16171008
MappedFile C:_WINDOWS_Cookies_index.dat_245760
MappedFile C:_WINDOWS_History_History.IE5_index.dat_1523712
Mutex Winsock2ProtocolCatalogMutex
Mutex Winsock2ProtocolCatalogMutex
Mutex ZonesCounterMutex
Mutex ZonesCacheCounterMutex
Mutex OleCoSharedStateMtx
Mutex OLESCMSRVREGLISTMUTEX
Mutex OLESCMGETHANDLEMUTEX
Mutex OLESCMROTMUTEX
Mutex OleDfSharedMemoryMutex
Mutex ScmWIPMutex
Mutex WininetStartupMutex
Mutex WininetConnectionMutex
Mutex WininetProxyRegistryMutex
Mutex _!MSFTHISTORY!_
Mutex c:!windows!local settings!temporary internet files!content.ie5!
Mutex c:!windows!cookies!
Mutex c:!windows!history!history.ie5!
Mutex MPRMutex
Mutex svrapi
Mutex OLESCMLOCKMUTEX
Process RUNDLL32.EXE(FFFD0375)
Semaphore DocfileAllocatorMutex
Thread RUNDLL32.EXE(FFFD0375): FFFC36FD
Thread RUNDLL32.EXE(FFFD0375): FFFD5595
Thread RUNDLL32.EXE(FFFD0375): FFFD5595
Edited by Magilla, 12 August 2005 - 01:52 AM.