Every 2-3 hours my IBM thinkpad T41 (1.8 Ghz, 768 MB RAM, Windows XP, Office 2003) becomes extremely slow. CPU usage is 100 percent, and rundll32 y using 99% of CPU as per Task Manager. I have tried reinstalling several programs without a satisfactory result. It doesn't matter what programs are open, as even when left without any application running the same thing happens.
How can this be prevented? I am not interested in fixes to apply every time this happens. I would like to have a solution to prevent this from happenning again. Thanks!
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
This can be a legit file or it can be a very bad virus file....depending on where it is located on your computer.
http://www.liutilities.com
http://www.neuber.com/task
Do you have updated virus software and have you run a virus scan?
Have you run spybot and adaware to scan for junk on your computer?
Have you run msconfig?
Try to run spybot 1.3 and adaware SE. Also scan your computer for viruses with this link http://housecall.trendmicr
let me know.
(1) I have the latest McAfee ViruScan version, which automatically updates via permanent broadband connection.
(2) Also, I have an updated version of ZoneLabs Zone Alarm Pro.
(3) Running Anonymzer AntiSypware detector does not show any relevant suspects.
My system was running perfectly for the past 3-4 months. The only thing I did recently -but which cannot definitely associate with this problem- was to install IBM's "Rapid Respore Ultra" software. I have not installed or unistalled anything except that software, and shortly after I did the problem started.
Rundll32 is a legitimate file according to Microsoft's support.
I have run MSCONFIG but not while the problem is occurring. By the way, if I run MSCONFIG and selectively uncheck one by one every process, will the problem stop immediately? And, if so won't it happen again upon reboot?
Thanks!
You need to determine if you have any other versions of the file........the Rundll32 is a legit process....the version of the file that is in the sytem32 folder.....if you have a copy of that file anywhere else on your comptuer then it is a virus.
Download, update, and run in safe mode both adaware and spybot...these are among the recommended spyware scanners out there:
Adaware http://www.lavasoftusa.com
And
Spybot http://www.safer-networkin
Also, do a search on your computer for the file and see what you find.
Running just one antispyware program is never enough....spybot and adaware are among the best out there so I always suggest running those 2, but even then....you often times must run other tools or even revert to manual intervention in order to keep a system clean from junk.
You can also try HiJackThis...it'll show you all the processes running on your computer...but be very CAREFUL...this is not a antipsyware program like the others....it shows you all things...good and bad. If you delete everything that hijack this finds then you'll be reinstalling your OS :) So be careful.....but you can use it to see if there may be bad processes running.
You can download it here:
http://www.spywareinfo.com
and use this analyzer site in order to analyze the log....delete what it finds as nasty....for the unknowns, do a google search or ask question if they are legit processes or not.
http://www.hijackthis.de
A couple of items to look at in your running processes, based on my past experience with recent thinkpads:
1) Bluetooth - this is a rundll32 process on an IBM that can use a tremendous amount of CPU time in an office environment because of stray signals from cell phones and other wireless equipment (wifi) that operates in the same frequency band (2.4 Ghz) as bluetooth.
2) with WinXP, you can use the msconfig application to find out what programs are being launched using rundll32 aside from bluetooth, then you can either disable them through msconfig or find them in the registry and comment them out.
I encountered a similar problem which, after weeks of diagnosis in conjunction with MS support, was determined to be caused by McAfee's mclsp.dll loading into the memory space allocated to another process. The clobbered process would then, basically, manifest the 100% CPU scenario. The problem was related to XP logoff/on. That is; everything fine, logoff, logon, immediate 100% CPU.
You might try MS Knowledgebase for mclsp.dll or 100% CPU. Note that there are some 100% CPU problems caused by other than the scenario I described above.
I have found two versions of rundll32.exe located in:
C:\WINDOWS\system32
C:\WINDOWS\SoftwareDistrib
Is the second one illegal?
However, my search also showed there are SEVERAL other files with names like "RUNDLL32.EXE-12083663.pf"
C:\WINDOWS\Prefetch
Any idea how this might be related?
Currently I am making sure my laptop has all the updates suggested by Microsoft. Thanks.
Was it Noadware or Adaware that delisted the adware that Spy Eliminator(?) started bundling with its app? Not certain who else is caught up in the scandal but, while I agree that the possibility of virus/malware/spyware should be eliminated as a possibility, including running more than 1 scanner, care should be exercised or you may be compromising your security by using them. I didn't see webroot's Spy Sweeper listed but it is another scanner that you might consider.
Too bad you can't easily and fully disable McAfee and see if the problem goes away.
Adaware takes a lot of time to search, and I will have to do that when I have more time. Meanwhile, I ran Spybot and detected several tracking cookies (already deleted). Also, the program detected the following:
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Softwa
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-371123
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Softwa
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Softwa
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Softwa
What should I do about this? Can I safely delete this?
Yes you can delete them, however, spybot will detect them again and again though you have already removed them. This is a bug in spybot. There is a spybot patch that will fix this:
http://sptimes.com/2005/02
Meanwhile, the other similar files you found may be legal/suspect file. Normally, when you see a similar file with .pf this is the old RUNDLL32 file that was replaced when you installed a patch that affects the file. On the otherhand, the second file may be legit or not legit, spyware/worm developers are very clever that they use stealth attack by making you believe some not-legit files are legit ones. I suggest that you rename the duplicate files to say .old or .bak so that they won't be executed.
Going back to your issue, Selectively unchecking your startup and services that runs at bootup will be the first step to determine what is causing this. Doing the scan (for virus/spyware/worm) and repair (of affected files) will be your net moves.
Lapukman
If you use Spybot Search and Destroy or another spyware removal tool, it may find an item called DSO Exploit. This exploit is a bug in Internet Explorer that under certain circumstances would allow untrusted software to run on the computer. In other words, its a hole in Internet Explorer that hackers could use to gain access to your system.
However, if you are running the latest version of Internet Explorer and have all your Windows Updates installed, the bug has been patched and is not a threat to your computer system. Even though Spybot may still show it as a threat.
If you have the latest Internet Explorer version and all your Windows Updates, you can safely ignore the DSO Exploit as a potential problem when Spybot Search and Destroy or other spyware removal tools discover it. However if you would rather fix the exploit so it does not show up again, follow these steps to edit your Windows Registry. Please be careful however, incorrect changes to the Windows Registry can cause Windows to not boot.
excerpt taken from http://www.pchell.com/supp
1) Make a note of the location of the exploit shown in Spybot, something similar to:
HKEY_USERS\S-1-5-21-161489
2) Click on Start, Run, and type REGEDIT and Press Enter to open the Windows Registry Editor
3) Find the location of the exploit above in the registry by clicking on the pluses(+) next to each title
4) After opening the Zones section and clicking on '0' look to the right window, under 'name' is the key '1004' and the type is REG_SZ simply right click and delete this REG_SZ value.Then right click and create new>DWORD Value, name it 1004, then right click on that and goto modify, give it the Hex Value of 3, Click ok.
If there is only a DWORD Value for the key (in this case 1004), then double click on the key and change the HEX value to 3 and click Ok.
5) Close the Registry Editor and Reboot your computer
6) The DSO Exploit should now be removed and it should no longer appear in the Spybot Search and Destroy log as a problem.
Adaware only detected the following:
Vendor:Possible Browser Hijack attempt
Category:Misc
Object Type:File
Size:75 Bytes
Location:C:\...\Jorge Arteaga\Favorites\Stores\B
Last Activity:2/20/2005 12:47:36 PM
Risk Level:Low
TAC index:3
Comment:Problematic URL discovered: http://www.cdnow.com/cgi-b
Description:Possible attempt to control/redirect the browser. This object referrs to a "blacklisted" site. If the site listed is the site intended (in other words, it is set to the setting you wish it to be set to), add this listing to your ignorelist. If not, then selecting this item will reset your browser to the default setting for this item.
I have already deleted the potential threat. We'll see what happens next.
Regarding your post:
" Comment from JorgeArteaga
Date: 02/18/2005 11:13AM PST
Author Comment
I have found two versions of rundll32.exe located in:
C:\WINDOWS\system32
C:\WINDOWS\SoftwareDistrib
Is the second one illegal?
However, my search also showed there are SEVERAL other files with names like "RUNDLL32.EXE-12083663.pf"
C:\WINDOWS\Prefetch"
Experience has shown me that usually every single virus is additionaly stored in C:\WINDOWS\Prefetch - so yes that rundll32.exe could be a potential virus as stated here:
http://www.liutilities.com
System process which windows needs to run are usually in system32 folder... not in Prefatch. There for it isn't normal for files to be run off prefetch folder.
To be honest with you I would go with luv2smile advice. Do the following:
1. Download Hijackthis and execute it.
2. Save the logfile and go to www.hijackthis.de to analyze the file
3. The site will tell you what files are suspicious and which are safe and should not be deleted.
4. Post the log file here. Sometimes the site cannot detect viruses that easy. We on the other hand can.
5. While some Pro around here looks at your log file go to http://housecall.trendmicr
The scanner should pick up many if not all viruses. We will then tell you what entrys to fix through hijackthis (and www.hijackthis.de will also) .. and once your all finish .. your PC should start working like a charm ...
Remeber to post the log here so we can help you out, and to scan it on the site in case we miss something ...
I have followed almost every step you have suggested (except editing the registry, which I would prefer not to do). Below is the result of running "Hijackthis" I hope it provides some clues. Thanks!
Logfile of HijackThis v1.99.1
Scan saved at 11:03:12 AM, on 2/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\System32\ibmpms
C:\WINDOWS\System32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\System32\S24EvM
C:\WINDOWS\system32\spools
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynT
C:\WINDOWS\system32\TpShoc
C:\PROGRA~1\ThinkPad\PkgMg
C:\PROGRA~1\ThinkPad\UTILI
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tf
C:\Program Files\ThinkPad\ConnectUtil
C:\PROGRA~1\mcafee.com\vso
C:\PROGRA~1\mcafee.com\age
C:\WINDOWS\mHotkey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
c:\progra~1\mcafee.com\vso
C:\Program Files\Synaptics\SynTP\SynT
C:\WINDOWS\system32\RunDll
C:\WINDOWS\system32\rundll
C:\WINDOWS\system32\ctfmon
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digi
C:\Program Files\Hewlett-Packard\Digi
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTK
C:\Program Files\ThinkPad\PkgMgr\HOTK
C:\Program Files\Hewlett-Packard\Digi
c:\PROGRA~1\mcafee.com\vso
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSV
C:\WINDOWS\System32\RegSrv
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\TpKmpS
C:\WINDOWS\system32\ZoneLa
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\HPZipm
c:\PROGRA~1\mcafee.com\vso
C:\Program Files\Hewlett-Packard\Digi
C:\WINDOWS\system32\wuaucl
C:\PROGRA~1\WINZIP\winzip3
C:\Downloads\HijackThis.ex
R0 - HKCU\Software\Microsoft\In
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-9
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMg
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\B
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\T
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstar
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tf
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtil
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vs
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vs
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\age
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\age
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILI
O4 - HKLM\..\Run: [BluetoothAuthenticationAg
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: j2 Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.
O16 - DPF: {2359626E-7524-4F87-B04E-2
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-0
O16 - DPF: {FA9740A2-5802-42E2-B509-8
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2ev
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpms
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Age
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSV
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrv
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvM
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLa
After analyzing the log from Hijack this in www.hijackthis.de the result shows some SAFE entries, UNKNOWN entries, and NASTY entries. However, the only nasty entry is actually related to the web address of my company's intranet site.
Perhaps the problem is related to one of those "Possibly Nasty" items. Please advise. Thanks!
Do you know what the [BMMGAG] rundll32.exe entry in your log file (unknown) is? You have a few other 'unknowns', a nasty that indicates it should be fixed by hijackthis, and some other questionable entries. However, given your posts and the direct relationship of the mentioned entry I would, if I were you, want to know what it was, and why it's running. If you don't know, or can't find out, consider creating a system restore point and removing the indicated entry. If it doesn't fix the problem you can fall back to the restore point. If it fixes it, but it turns out something else fails due to the removal of it, then your situation, and your questions, should be why that is occuring. If you DO know what it is I would STILL consider removing it (with a fallback point) to determine whether, or not, it is the cause of the problem. Good luck.
Well, after following almost all of your recommendations my systems is worse not better. The main change has been that I have updated my PC with every patch and update from Microsoft. Now the 100% CPU usage occurs when I start the PC and also at more frequent intervals.
I will try following "jrs 50" suggestion, and will post again.
After installing all Windows updates the system got worse. However, after repairing Office and eliminating my intranet's web address from Internet Explorer's list of intranet's sites the situation improved a bit. Now the problem appears after 4-6 hours.
I have unchecked perhaps half of proceeses listed in MSCONFIG startup tab, and so far that has not worked. I will continue trying.
This is not the first time this happens. Some months ago the same thing happened and I opted for reinstalling the whole OS and programs. It worked fine until a couple weeks ago, and the only thing I can remember having done was to install IBM's Rapid Restore Ultra program.
If all your suggestions don't work I will have to resort to reinstall everything again. My main fear however is that since I don't know what is causing this the problem can reappear if I unknowingly repeat whatever is causing it.
Aby other recommendation?
From first impression. NO, it is not normal for winword.exe or any other application to ocuppy loads of memory after being closed. Unless there is something else I am not considering.
Now, I can't really remember if its normal for outlook to take 60 MB of RAM. Perhaps outlook could take that amount. But WORD? hmmmm
On the other hand I am really not worried about how much memory a program / process is taking up, but how much processor it's taking up.
I want to ask you if you could downloads Sysinternals Process Manager located here:
http://www.sysinternals.co
Open up the process manager, and please state what process is taking up all Processor power.
In this case the process explorer will state what process Rundll32 called up and how much processor power there using up. It will also state what user is calling up that process.
If posible, could you please take a screenshot of the Sysinternal Process Explorer and post it here.
We can then analyze what program is causing the trouble. and which programs are acting weird and why. In your case, as you stated, winword or outlook.
I think a nice screenshot would help us all out.
Becuase we are kinda lost as twords what exactly is going on at this moment. Becuase your initial problem was rundll32 running at high processor, but now it is winword??
A cool screenshot would help us out alot as to decipher whats going on.
Cheers.
Thanks for that last comment. I wil try to follow your suggestions. However, please notice when the problem occurs it is rundll32 the culprit (it takes 99 percent of the CPU). I just asked about Winword.exe because it captured my attention the amount of memory it uses and because when sorting according to CPU usage it is near the top, but it is not using any significant amount of CPU.
Ok, I'll be waiting for the screenshot and will be happy to recomend any prior actions :-)
If you can't take a screenshot, at leat specify the exact name of the process taking up so much processor. Not Rundll32 but the process uncer Rundll32 .. occuping that amount of processor.
Good luck.
By the way, you can upload the screenshot to a site such as ImageShack for Temp Image hosting:
http://imageshack.us/
The problem is solved. After following almost all of your suggestions and removing one by one every process I did not come to a solution. Then I decided to upgrade the BIOS and drivers for my IBM laptop and incredibly the problem is gone.
I thought you all would like to know about this in case someone else consults about the same issue.
I also want to thank you all for the time dedicated to this problem, and will accept (although it didn't solve the problem) the suggestion that I found more approximate to solving the issue.
Have a great week.
Jorge
Business Accounts
Answer for Membership
by: lapukmanPosted on 2005-02-18 at 07:38:48ID: 13346644
Have you checked your system for potential virus infection? Try to scan your system in Safe Mode. Also, try to download and run this:
http://www.microsoft.com/a
Patching your system with the latest Windows Updates will alleviate your problem. Don't disregard updates/patches would definitely help you fix issues.
Lapukman