  1. #1

    Multiple rundll32 process running

    Hello

    Not sure if anyone can help with this, I'm quite stumped by this and googling around hasn't yielded a solution!

    We got struck by Conficker, managed to get most of it cleaned up, servers are all patched and protected and the majority of the desktops are clean.

    Since then, quite a few PCs have been running up to 50+ instances of the rundll32 process, slowing the machines down.

    Rebooting machines seems to wipe the slate clean, the PC boots up without all the processes in Task Manager, but they slowly reappear, bogging the machine down again.

    I've run the Sophos virus scanner and Symantec's standalone Conficker scanner, both returned clean; Windows Defender, Spybot, Ad-Aware, clean!

    We have found what's causing them to run: 1000+ scheduled tasks, starting with 'At', then a number after the 'At'.

    Anyone ever seen anything like this? Any help would be appreciated with glowing praise and cookies! You will also save me from tearing my hair out and smashing my fist through every PC in the school!

    Thanks!

    Seb

  2. #2
    BJG
    Sounds like you might not have eradicated Conficker. You might try the Microsoft removal instructions on one of the affected PCs as an experiment (seems to involve killing scheduled tasks.)

    Virus alert about the Win32/Conficker.B worm

  3. #3
    sandeep2504
    That is definitely Conficker, and the rundll32 processes will be the AT scheduled tasks running.

    I would suggest you do the following:

    Download the Sysinternals Suite, and in there you will find a tool called Process Explorer which you should use to check the processes (advanced version of Task Manager which can identify the source of the process).

    Disable the Task Scheduler service.

    Download the Microsoft Malicious Software Removal Tool and the Norman Malware Cleaner.

    Make sure your copy of Windows is up to date with security patches.

    Make sure your antivirus is up to date.

    Boot into safe mode and run the Norman Malware Cleaner, then the Microsoft Malicious Software Removal Tool, then run a complete antivirus scan.

  4. #4
    sandeep2504
    Also, I would create a script to delete the scheduled tasks that Conficker uses (AT1 etc.) and run it on all your machines.
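
As an added example (not part of the original posts), here is a PowerShell script along the lines post #4 suggests: it reports the At<number> job files the thread describes, flags those that reference rundll32, and deletes them only when asked. It assumes PowerShell 3.0 or later and that AT jobs are stored as .job files under %SystemRoot%\Tasks; the parameter and function names are made up for illustration.

```powershell
# Added example: audit, and optionally remove, legacy AT scheduled-task files.
# Assumption: AT jobs are stored as At<N>.job files under %SystemRoot%\Tasks.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TasksDir = (Join-Path $env:SystemRoot 'Tasks'),  # assumed location
    [switch]$Remove                                            # delete after reporting
)

function Get-AtJobReport {
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter 'At*.job' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^At\d+\.job$' } |
        ForEach-Object {
            $file = $_
            # Assumption: the command line is stored as UTF-16LE text in the
            # .job file, so decode the bytes and keep printable runs of 4+ chars.
            $bytes   = [System.IO.File]::ReadAllBytes($file.FullName)
            $text    = [System.Text.Encoding]::Unicode.GetString($bytes)
            $strings = @([regex]::Matches($text, '[\x20-\x7E]{4,}') |
                         ForEach-Object { $_.Value })
            [pscustomobject]@{
                Name         = $file.Name
                Created      = $file.CreationTime
                UsesRundll32 = [bool]($strings -match 'rundll32')
                Strings      = $strings -join ' | '
                FullName     = $file.FullName
            }
        }
}

$report = @(Get-AtJobReport -Path $TasksDir)
$report | Sort-Object Created |
    Format-Table Name, Created, UsesRundll32, Strings -AutoSize -Wrap
'{0} AT job file(s) found on {1}' -f $report.Count, $env:COMPUTERNAME

if ($Remove) {
    foreach ($job in $report) {
        # ShouldProcess honours -WhatIf and -Confirm, so deletions can be previewed.
        if ($PSCmdlet.ShouldProcess($job.FullName, 'Delete AT job file')) {
            Remove-Item -LiteralPath $job.FullName -Force
        }
    }
}
```

Run it without arguments first to review the report, since legitimate AT jobs match the same file name pattern; `-Remove -WhatIf` previews the deletions before `-Remove` performs them.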
