#1

Multiple rundll32.exe appearing under processes

Server is a member of the local domain and is used only as a file/print server. For about a week now, I've noticed that there are a lot of rundll32.exe appearing under the processes tab in Task Manager. As many as 100 of them. I don't know where they are coming from and was wondering if anyone would know. I've scanned and rescanned for viruses, worms, trojans and malware but nothing shows up. We have 9 other servers, mixed Win2K3 std and ent, and none of them have this issue, nor do the 30 PCs.

Having all those rundll32.exe does not seem to affect the performance of the server itself. Still have access to files and printers, and from the server itself I can browse the internet, connect to other servers and so forth. Under processes, rundll32.exe displays 00 under CPU and 1688k under Memory Usage.

I ran "tasklist /m /fi "IMAGENAME eq rundll32.exe" >C:\rundll32.txt" and this is what I get for all of them. Only the PID # is different for each one.

```
Image Name    PID   Modules
=========     ====  ====================================================================================
rundll32.exe  5060  ntdll.dll, kernel32.dll, msvcrt.dll, GDI32.dll,
                    USER32.dll, ADVAPI32.dll, RPCRT4.dll, Secur32.dll,
                    imagehlp.dll, IMM32.DLL
```

Any help is appreciated. Thanks. Stan.

Last edited by Zeeman28a : 20-02-2009 at 09:12 PM.

#2

We also have this same problem on Small Business Server 2003. It has only started happening in the last few days.

We have the same problem. A lot of rundll32.exe in two of the servers among four. In the meantime, did you resolve this problem? Thanks

#3

Have no idea what the original question was. Judging from the subject line "as a guestion". There will always be "rundll32.exe" processes. There are supposed to be "rundll32.exe" processes. The number of them on the list will constantly fluctuate. There is no "issue".

Have you tried to run any AV or anti-spyware utilities? Try more than one kind.

#4

There are more than 150 of them. THAT is my issue. All of my other servers have of them, but I have one W2K3 server that has over 150 of them. And can someone please tell me, if I post on the TechArena forums, where else does my post show up, as I seem to not be getting replies from the forums but from somewhere else.

Thanks Smooth. I'll give this a try. What I still don't understand is how this server (and it's the only 1 out of 10 servers plus 30 odd XP/Vista workstations) got infected with the Conficker worm in the first place. I've had the patches installed for months plus my anti-virus is up to date. I'll run this tool and post the results in about 24 hrs. Usually, once I kill all the 100 or so rundll32.exe processes (or reboot the server), it takes about that long for all of them to reappear.

It worked. Thanks for posting that find, Smooth. 24 hours later and no rundll32.exe processes.

The problem with posting on the TechArena thread is no one sees the OP in the newsgroups. The issue we are having is there are about 150 rundll32.exe showing up under processes. Not 2 or 3. 150 is a lot.

Someone had posted this as a fix a couple of weeks ago, but it seems that post has disappeared. I wanted to wait a bit to see if the rundll32.exe processes returned and they haven't. This worked for me. http://support.kaspersky.com/faq?cha...&qid=208279973

#5

I too am having this problem with my Windows Server 2003 box.

```
Image Name                PID      Modules
========================= ======== ============
rundll32.exe              2648     ntdll.dll, kernel32.dll, msvcrt.dll, GDI32.dll,
                                   ADVAPI32.dll, RPCRT4.dll, USER32.dll, imagehlp.dll
```

In my case the multiple instances of rundll32.exe (as many as 80) are affecting my connectivity. I have done antivirus and antispyware checks and got no results. It should be noted though that this problem only started happening after an infection with the Downadup.B worm. Since then I have removed the worm and patched the server with the appropriate Microsoft update (MS08-067) to plug the vulnerability that this worm exploits.

Rundll32.exe attributes are as follows:

Location: C:\WINDOWS\System32
Size: 34.0 KB (34,816 bytes)

Does anyone have any updates regarding these multiple instances?

To add to what I had below: I used Process Explorer (part of the SysInternals Suite) to check the command line parameters for a few of them. This is what I found:

Command Line: rundll32.exe gnfue.k,XXXXXXX

XXXXXX being a different parameter for each instance of the file. Specific examples are: rundll32.exe gnfue.k,aymab, rundll32.exe gnfue.k,daozb, rundll32.exe gnfue.k,fedciyv to name a few.

Sadly I have not found a solution for this problem... I will update this thread if I do find one though.

In my case (and I guess others), the amount of rundll.exes showing up is causing an issue with performance. More notably, the command line parameters are troubling and unexplainable in every avenue that I turn.

"Command Line: rundll32.exe gnfue.k,XXXXXXX XXXXXX being a different parameter for each instance of the file. specific examples are: rundll32.exe gnfue.k,aymab, rundll32.exe gnfue.k,daozb, rundll32.exe gnfue.k,fedciyv to name a few."

Recently the gnfue.k part of the command line parameters has changed. I can post more samples here. Maybe it would help but I really do not want to spam. Let me know and I will.
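
The command lines quoted in the post above can be triaged mechanically rather than read one by one in Process Explorer. This is an added example, not code from the thread or from any vendor tool; the process list is constructed from the command lines the poster quotes plus one ordinary invocation, and the function name and the .dll/.cpl extension heuristic are assumptions.

```powershell
# Constructed sample. On a live host, collect the same two properties with:
#   Get-WmiObject Win32_Process -Filter "Name='rundll32.exe'" |
#       Select-Object ProcessId, CommandLine
$samples = @(
    New-Object PSObject -Property @{ ProcessId = 2648; CommandLine = 'rundll32.exe gnfue.k,aymab' }
    New-Object PSObject -Property @{ ProcessId = 2652; CommandLine = 'rundll32.exe gnfue.k,daozb' }
    New-Object PSObject -Property @{ ProcessId = 2660; CommandLine = 'rundll32.exe gnfue.k,fedciyv' }
    New-Object PSObject -Property @{ ProcessId = 3100
        CommandLine = 'C:\WINDOWS\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl' }
)

# Hypothetical helper: compares a command line with the usual
# "rundll32 <module>.dll,<entry point> [arguments]" shape and records deviations.
function Get-Rundll32Finding {
    param([int]$ProcessId, [string]$CommandLine)
    $module = $null; $reasons = @()
    if ($CommandLine -match '(?i)^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+(.+)$') {
        # Split "<module>,<entry point and arguments>" at the first comma only
        $module, $entry = $Matches[1] -split ',', 2
        $module = $module.Trim(' "')
        if ($module -notmatch '(?i)\.(dll|cpl)$') { $reasons += 'module is not a .dll/.cpl' }
        if (-not $entry) { $reasons += 'no entry point named' }
    } else {
        $reasons += 'no module argument visible'
    }
    New-Object PSObject -Property @{
        ProcessId = $ProcessId; Module = $module; CommandLine = $CommandLine
        Finding = ($reasons -join '; ')
    }
}

$results = @($samples | ForEach-Object { Get-Rundll32Finding $_.ProcessId $_.CommandLine })
$flagged = @($results | Where-Object { $_.Finding })

'{0} of {1} rundll32.exe processes flagged' -f $flagged.Count, $results.Count
$flagged | Format-Table ProcessId, CommandLine, Finding -AutoSize

# Many instances sharing one odd module with a different entry point each,
# as the poster describes, collapse into a single row with a high count.
$flagged | Group-Object Module | Sort-Object Count -Descending | Select-Object Count, Name
```

The extension test is only a heuristic: it singles out the `gnfue.k` instances here, but a flagged row is a prompt to inspect the file the module name points to, not a verdict.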

#6

They look like infections to me. If your AV tool didn't find anything in a scan then you need a new tool or to update the one you have. You should also do the scan in "safe mode". I have had similar looking ones get so embedded in the user profile of the user that got the machine infected that it kept reinstalling itself no matter what I did. I had to completely wipe out the user profiles and let the machine create fresh ones and then reconfigure whatever was needed in the profile. I was able to save the Mydocs and Favorites. I also disabled the System Restore for a period of time then re-enabled it.

It is normal to see those. There is nothing to "fix"

#7

I have the same situation on one of my servers. And as far as I see, those multiple rundll32.exe processes are started by the Automatic Update Service. Maybe because the Automatic Updates Service cannot connect to its website or WSUS server.

I have the same problem, but I am not sure how you solved it. Can you please share it? Thank you.

I think it is the problem with the Conficker virus, as the virus creates one job, then one rundll32.exe process runs. I tried with the virus cleaner provided by Kaspersky; it cleans the jobs, but after restart they come again. I asked Kaspersky corporate support; hope they will find a way. I will let you know if there is improvement.

#8

Re: Multiple rundll32.exe appearing under processes

True. I was unable to see the past context. That does make a difference. It is just common for some people to get over excited about seeing rundll32.exe and svchost.exe entries when it is normal to see them (in normal amounts), so I thought that might be what this was.

Ok. Very good.

#9

Re: Multiple rundll32.exe appearing under processes

Find out if they only return like that with one particular user profile. I have had problems like that and solved it by backing up required parts of the profile (Desktop, My Doc, Favorites, etc). Then delete the profile, run the AV to clean up, log the user in to recreate the profile, copy the saved data back to the profile. Then reboot and see if it comes back again.

#10

About 99% sure that it is from the Conficker virus. Apparently you don't run Windows Update on your servers very often, because there have been a few patches put out that stop Conficker. There are a few tip-offs:

1. You won't be able to get to microsoft.com, symantec.com and other security websites.
2. If you go into Services on the computer, Automatic Updates will be disabled along with the Background Intelligent Transfer Service (B.I.T.S.).
3. You will probably see rundll32.exe listed many, many times in the Task Manager.
4. You might get random error messages on the PC about "Generic Host Process32" crashing and asking if you want to send an error message or not.
5. When you go to shut down the computer it will probably ask if you want to end a particular task, and it will always be some randomly named exe file like "yehdjfbc.exe".

The best thing to do is to first apply the patch from Microsoft that closes the backdoor that the virus uses to spread -> http://www.microsoft.com/technet/sec.../MS08-067.mspx

Then you should make sure that whatever anti-virus you use is up to date and run a full scan. If you aren't confident in the brand of virus scan that you have, there are some other free tools out there that you can run. Here are a few - I would recommend trying a couple to make sure it's gone.

The only catch is that these tools will get rid of Conficker temporarily, but if your computer doesn't have adequate virus protection it will most likely just catch it again through whatever other computers you have on your network. If you have a network, there are also free tools out there that you can set up to run at login or remotely and attempt to clean up as well. Regardless, Conficker is a giant pain in the butt and it may require you cleaning each computer by hand just to make sure it is gone...

No need to be touchy about it - I was just trying to help because I've already been through this stuff.

I posted some more links in my post and they seem to have disappeared now that I look. I could repost them but they will probably just get removed again.
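
Tip-offs 2 and 3 from the list above, together with the scheduled jobs another poster mentions, can be read from the host in one pass. This is an added example, not a tool from the thread; the function name and the instance-count threshold are assumptions, while `wuauserv` and `BITS` are the Windows service names for Automatic Updates and the Background Intelligent Transfer Service.

```powershell
# Hypothetical helper: gathers the host-side tip-offs into one table.
# $Threshold is an assumed cut-off for "many" rundll32.exe instances.
function Get-TipOff {
    param([int]$Threshold = 20)

    # Tip-off 2: Automatic Updates and BITS switched to Disabled
    Get-WmiObject Win32_Service -Filter "Name='wuauserv' OR Name='BITS'" |
        ForEach-Object {
            New-Object PSObject -Property @{
                Check   = "service $($_.Name)"
                Value   = "$($_.StartMode) / $($_.State)"
                Suspect = ($_.StartMode -eq 'Disabled')
            }
        }

    # Tip-off 3: rundll32.exe listed many times
    $count = @(Get-WmiObject Win32_Process -Filter "Name='rundll32.exe'").Count
    New-Object PSObject -Property @{
        Check = 'rundll32.exe instances'; Value = $count; Suspect = ($count -gt $Threshold)
    }

    # Scheduled jobs: listed with creation time for manual review, since the
    # file name alone does not show what a job runs (Suspect is left empty)
    Get-ChildItem (Join-Path $env:SystemRoot 'Tasks') -Filter *.job -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Check = "job file $($_.Name)"; Value = $_.CreationTime; Suspect = $null
            }
        }
}

Get-TipOff | Select-Object Check, Value, Suspect | Format-Table -AutoSize
```

Run it from an elevated prompt, and on the healthy servers as well, so that the suspect host can be compared against a known baseline.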

#11

Re: Multiple rundll32.exe appearing under processes

I had the same problem. I downloaded and executed the KK tool from http://support.kaspersky.com/faq?cha...&qid=208279973 and the problem was gone. The tool detected the KIDO virus. Hope it helps all.

ps1: my free Avira Antivirus was unable to detect and remove the virus.
ps2: I have Windows Vista Business SP2 installed.

#12

Re: Multiple rundll32.exe appearing under processes

Thanks for your support, guys. Bitdefender is also good at rooting out Conficker as well.