
4 rundll32s,told to post hijack log


Name: tuminator@yahoo.com
Date: January 20, 2004 at 22:37:13 Pacific
OS: 98 se
CPU/Ram: pIII 1ghz, 512
Comment:

I noticed that I have 4 rundll32 running when I do Ctrl-Alt-Del. I asked a question about this and the replies told me to post a HijackThis log:

http://www.computing.net/windows95/wwwboard/forum/154503.html

I ran Norton, spyware, and Ad-aware a day or 2 ago and found no viruses and just a couple of tracking cookies. I just ran ShieldsUP and got a "stealth" for everything except the internet server thing (which I assume is because of my home network).

can someone please take a look at this and tell me if anything is wrong? Thank you!
___________________________________________

Logfile of HijackThis v1.97.7
Scan saved at 10:25:25 PM, on 1/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\SSDPSRV.exe
C:\WINDOWS\SYSTEM\NVSVC.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.exe
C:\WINDOWS\RUNDLL32.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.exe
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.exe
C:\PROGRAM FILES\QUICKIDRIVE TOOLS1.1\QUICKIDRIVE.exe
C:\PROGRAM FILES\ATI MULTIMEDIA\REMCTRL\ATIX10.exe
C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\ATISCHED.exe
C:\WINDOWS\RUNDLL32.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\RUNDLL32.exe
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.exe
C:\WINDOWS\RUNDLL32.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.176.201.9/ie/?loc=searchurl&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: (no name) - {20A66F2F-31CE-11D5-8BF7-0090CC12D082} - C:\WINDOWS\SYSTEM\LIGHTFRAMEIECOM.DLL
O2 - BHO: (no name) - {CC4BADDC-B2EB-3366-2D95-03AFBF29BC4E} - C:\windows\system\krauplrj.dll (file missing)
O2 - BHO: (no name) - {96FAEA6E-B8F0-EDA2-DA81-523B99DFFFEB} - C:\windows\system\rtilvlmu.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.exe
O4 - HKLM\..\Run: [QUICKIDRIV] c:\program files\quickidrive tools1.1\quickidrive.exe sys_auto_run C:\Program Files\QuickiDrive Tools1.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakLogon
O4 - HKCU\..\Run: [ATI Remote Control] C:\PROGRAM FILES\ATI MULTIMEDIA\REMCTRL\ATIX10.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\ATISched.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Event Reminder.lnk = c:\PROGRA~1\PRINTM~1\PMREMIND.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.exe
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
O16 - DPF: Yahoo! Pool - http://yog24.games.snv.yahoo.com/yog/y/plq53_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: Yahoo! Literati - http://yog5.yahoo.com/yog/y/tq5_x.cab
O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} (McAfee.com Component Download Manager Class) - http://download.mcafee.com/molbin/clinic/CDM/McCDM.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d2c89f68a1bb5a/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.es/activescan/as/asinst.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud5.sports.yahoo.com/java/y/mlbst8298_x.cab
O16 - DPF: Yahoo! NHL StatTracker - http://aud3.sports.yahoo.com/java/y/nhlst8242_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37920.5041203704
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17df6c4c21d2a1cbb901/netzip/RdxIE601.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp





Response Number 1
Name: mark2a
Date: January 20, 2004 at 23:26:00 Pacific
Reply:

Hi Kyle.

The rundll32.exe instances your list shows are all related to your graphics card, ICS or Tweak UI, which, should you want to, you can disable using MSConfig.

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

The above all appear to be legitimate files/processes.

Before fixing the ones below, move HijackThis.exe to a permanent folder; in a temp folder we have no backup capability.

Then run HijackThis and have it fix the following, after having closed all browser and Explorer windows:

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: (no name) - {CC4BADDC-B2EB-3366-2D95-03AFBF29BC4E} - C:\windows\system\krauplrj.dll (file missing)
O2 - BHO: (no name) - {96FAEA6E-B8F0-EDA2-DA81-523B99DFFFEB} - C:\windows\system\rtilvlmu.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17df6c4c21d2a1cbb901/netzip/RdxIE601.cab

Should you want to be able to read .pdf files online with Acrobat, you need to reinstall it.

HTH

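The two questions in this thread (why four rundll32.exe instances are running, and which log entries are worth fixing) are exactly what a triage script over a HijackThis log can answer mechanically. The script below is an added example, not part of the original thread or of HijackThis itself. It embeds a trimmed copy of the log posted above as constructed sample input, counts the rundll32.exe instances in the process list, maps every O4 autostart that goes through rundll32 to the DLL and export it loads (so each instance can be attributed to a real product), and flags the same O2 and O16 lines mark2a picked out. The BHO test is a heuristic I chose for this example (a nameless BHO whose DLL is an 8-letter random-looking name, or a reference to a file that no longer exists), and the bare-IP check for O16/R0/R1 URLs is likewise my assumption about what deserves a second look, not a rule from the page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the log posted above, so this runs offline.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\RUNDLL32.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.exe
C:\WINDOWS\RUNDLL32.exe
C:\WINDOWS\RUNDLL32.exe
C:\WINDOWS\RUNDLL32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.176.201.9/ie/?loc=searchurl&q=%s
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: (no name) - {CC4BADDC-B2EB-3366-2D95-03AFBF29BC4E} - C:\windows\system\krauplrj.dll (file missing)
O2 - BHO: (no name) - {96FAEA6E-B8F0-EDA2-DA81-523B99DFFFEB} - C:\windows\system\rtilvlmu.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17df6c4c21d2a1cbb901/netzip/RdxIE601.cab
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# rundll32 command line: optional path and quotes, then "<dll>,<export>"
RUNDLL = re.compile(r'^"?(?:[A-Za-z]:\\[^\s"]*\\)?rundll32(?:\.exe)?"?\s+(.+?),(\S+)\s*$', re.I)
O4_ENTRY = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.+?)\]\s+(.*)$")
BHO_ENTRY = re.compile(r"^BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*?)( \(file missing\))?$")

def parse_log(text):
    """Return (running processes, [(section, body), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = False          # blank line ends the process list
        else:
            m = re.match(r"^([RO]\d+) - (.*)$", line)
            if m:
                entries.append(m.groups())
    return processes, entries

def count_rundll32(processes):
    return sum(p.lower().endswith("\\rundll32.exe") for p in processes)

def rundll32_launchers(entries):
    """O4 autostarts that run through rundll32: (key, name, dll, export)."""
    found = []
    for section, body in entries:
        m = O4_ENTRY.match(body) if section == "O4" else None
        cmd = RUNDLL.match(m.group(3)) if m else None
        if cmd:
            found.append((m.group(1), m.group(2), cmd.group(1), cmd.group(2)))
    return found

def suspicious_bhos(entries):
    """O2 entries to fix: dead references, and nameless BHOs whose DLL has an
    8-letter random-looking name (heuristic assumed here, not proof of malware)."""
    flagged = []
    for section, body in entries:
        m = BHO_ENTRY.match(body) if section == "O2" else None
        if not m:
            continue
        name, clsid, path, missing = m.groups()
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if missing:
            flagged.append((clsid, "file missing"))
        elif name == "(no name)" and re.fullmatch(r"[A-Za-z]{8}", stem):
            flagged.append((clsid, "random-looking name"))
    return flagged

def ip_hosted(entries):
    """R0/R1/O16 entries whose URL host is a bare IPv4 address: there is no
    vendor hostname to attribute the download or search redirect to."""
    hits = []
    for section, body in entries:
        if section in ("R0", "R1", "O16"):
            for url in re.findall(r"https?://\S+", body):
                if IPV4.match(urlsplit(url).hostname or ""):
                    hits.append((section, urlsplit(url).hostname))
    return hits

def triage(text):
    processes, entries = parse_log(text)
    return {"rundll32_instances": count_rundll32(processes),
            "rundll32_launchers": rundll32_launchers(entries),
            "bho_fix_list": suspicious_bhos(entries),
            "ip_hosted": ip_hosted(entries)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the sample this reports four rundll32.exe instances, six rundll32-based autostarts (two LoadPowerProfile, ICSDCLT, NvCplDaemon, NvMediaCenter, NVIEW), the three BHO lines mark2a listed for fixing, and the two bare-IP URLs (the R1 SearchURL and the RdxIE O16 download). The launcher list is what lets you answer "is it normal for these programs to run rundll32.exe": a rundll32 instance is only as trustworthy as the DLL named on its command line, so attribute each instance to a DLL and vendor before deciding whether to keep it.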

Response Number 2
Name: tuminator@yahoo.com
Date: January 21, 2004 at 10:24:00 Pacific
Reply:

Is it normal for these programs to run rundll32.exe? Might it just be because it was a bad install? I don't think my vid card drivers installed very well, and I have already had to reinstall a couple of times.

is ICS "internet connection sharing"? I didn't think ICS was used if you had a router.


Response Number 3
Name: mark2a
Date: January 21, 2004 at 11:04:07 Pacific
Reply:

Visit http://www.sysinfo.org/ for further information on those files. Quote:

> \icsdclt.dll
> Internet Connection Sharing allows more than one computer to simultaneously access the internet with a single connection. Also required when networking two machines.


Response Number 4
Name: tuminator@yahoo.com
Date: January 21, 2004 at 12:45:12 Pacific
Reply:

mark,

Thanks for the link. I went through my MSConfig and cleaned out everything I didn't need. There are a few suspicious entries though.

The first i have 2 of the following entries:

LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

I have double checked to make sure both entries are exactly the same because sysinfo.org had a couple of LoadPowerProfiles that were slightly misspelled.

The other: there is a check box that is checked, but there is no name next to it. Everything to the right of the checked box is blank. I have a feeling that this is something bad. Would you recommend unchecking it?

Thanks again


Response Number 5
Name: tuminator@yahoo.com
Date: January 21, 2004 at 12:53:35 Pacific
Reply:

I forgot, there is one other one that didn't have a listing on sysinfo.org

There is a checkbox that is checked, directly next to that it says "REMOTESERVER" and directly next to that it is blank.

thanks

Response Number 6
Name: mark2a
Date: January 21, 2004 at 13:10:27 Pacific
Reply:

2 x "LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" is, if I recall, not unusual with W98 and not a problem.

The remote server I have no idea about, but if you disable it in MSConfig and it is required, the program that requires it will kick up a fuss once started and give an error message, thus telling you which program it belongs to and whether you want it to run at startup.

It is always best to disable 1 item at a time so you can check what effect they have on your system.


Response Number 7
Name: Derek
Date: January 21, 2004 at 16:15:37 Pacific
Reply:

Just to confirm that mark2a is spot on about there being two LoadPowerProfile entries for W98SE. One is global and the other is user, but they look identical - it's quite normal.

If you are a single user I would suggest you either keep them both ticked or neither ticked (depending on whether you want power saving features).

D
