# rundll error upon startup



## gray d (Mar 16, 2003)

I keep getting this error mesg whenever I startup. 



AMD Athlon
ME



Appreciate all the help that I can get to solve this.

thanks!


----------



## gray d (Mar 16, 2003)

I ran cwshredder and that took care of the rundll message but now I get an onnoying popup that shows nothing but a start button. Alt, Ctrl, Del shows that it is Shellexpi.

Does this make any sense??

--- About my original post for rundll error, I ran a search and was able to use a suggestion to dl and run cwshredder from another post.


----------



## gray d (Mar 16, 2003)

I also ran hijackthis and got this as a result.....

Logfile of HijackThis v1.97.7
Scan saved at 2:23:18 AM, on 1/25/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\SHELLEXPI.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\XK64Q8H2\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\SYSTEM\shellexpi.exe en
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/05852e274a5cd120cd23/netzip/RdxIE.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/racing/tundramadness/microsoft/wtinst.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/Swdir_Alt_Pub.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37680.4668402778
O16 - DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB


----------



## kaspersky (Sep 10, 2003)

first please send the C:\WINDOWS\SYSTEM\shellexpi.exe to me
my email: [email protected]

i think it is a virus or trojan

use hjt to fix the follow item and go to safe mode delete the "C:\WINDOWS\SYSTEM\shellexpi.exe" file
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\SYSTEM\shellexpi.exe en

and restart your pc~~
to see if the problem still exist

and post a new hjt log~~

good luck


----------



## kaspersky (Sep 10, 2003)




----------



## kaspersky (Sep 10, 2003)

hi~gray d

i got the C:\WINDOWS\SYSTEM\shellexpi.exe from you,
used kaspersky online scanner check it~~here is the report~

Current object: shellexpi.exe

shellexpi.exe Packed: ASPack
shellexpi.exe Infected: Backdoor.Sheldor.c 

Statistics:

--------------------------------------------------------------------------------
Known viruses: 80948 Updated: 28.01.2004 
File size (Kb): 304 Scan time: 
Speed (Kb/sec): 0 Virus bodies: 1 
Archives: 0 Packed: 1 
Folders: 0 Files: 2 
Suspicious: 0 Warnings: 0

just delete it~~~


----------



## gray d (Mar 16, 2003)

Thanks for your advice, I deleted the exe. and am no longer having the problems that I had earlier.

Thanks again!:up:


----------

