Question

Task Manager has multiple processes of "rundll32.exe"?

Asked by: dxbdxb2009

On 3 of my PCs, rundll32.exe processes are running.
One PC is installed with Windows Server 2000 and two are XP Pro with SP3.
Kaspersky AV is also installed, with updated signature files.
Now when I look into Task Manager on all 3 PCs, almost 15-20 multiple processes named rundll32.exe are running, and when I restart the PC and check Task Manager they are gone, but after 15-20 minutes I can see the same number of this application in Task Manager again.
I can close these 20-25 applications, but they appear again after 15 minutes.
What can be the cause?
I have looked in the HijackThis log, but these processes are running from c:\windows\system32 in XP, and in Windows 2000 they are running from C:\winnt\system32.
Please help me regarding the same.
Best regards.

Asked On: 2009-07-21 at 10:59:22 (ID 24588328)
Tags: Windows Server 2000, Windows XP Pro.
Topics: Email Clients, Windows 2000 Operating System, Anti-Virus
Participating Experts: 6
Points: 250
Comments: 51

Answers

 

by: flob9, posted on 2009-07-21 at 11:05:34, ID: 24907507

Download Process Explorer:
http://technet.microsoft.com/fr-fr/sysinternals/bb896653.aspx

Then find rundll32.exe in the list, double click it, and check the command line. You will find what it is running.

 

by: flob9, posted on 2009-07-21 at 11:08:09, ID: 24907544

(sorry for the fr link)

 

by: Kraeven, posted on 2009-07-21 at 11:23:30, ID: 24907705

Check msconfig to see what starts (Start - Run - msconfig).

 

by: dxbdxb2009, posted on 2009-07-21 at 11:37:20, ID: 24907840

Flob9 - No problem, I installed the English one and ran the same.

Kraeven - there is no msconfig in Windows 2000 Server.
On XP Pro I ran Process Explorer and looked at the command line. I think it is running from c:\windows\system32 with the process line svchost.exe... I think so; I am not in front of that system and can be tomorrow, so once I go there I will paste the HijackThis log again and the Process Explorer snapshot.
Thank you both.

 

by: flob9, posted on 2009-07-21 at 12:04:38, ID: 24908083

Double click on the rundll32 process and check the command line.

rundll32 is part of the Windows tools, and svchost too.

The relevant information in the command line is the arguments.

For example, I have this running on my XP:

"C:\WINDOWS\system32\rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent

(this is normal since I have Bluetooth installed)

 

 

by: dxbdxb2009, posted on 2009-07-21 at 22:15:35, ID: 24911728

Sorry for the delay, I have only just reached the office!
I double clicked on the process rundll32.exe; in the command line it shows "rundll32.exe qbnzngc.rdn,ugfjzg". What I see is that the path is "C:\WINDOWS\System32\rundll32.exe" and the current directory is "c:\windows\system32".
In each rundll32.exe there is a different command line, like below:
rundll32.exe qbnzngc.rdn,ugfjzg
rundll32.exe qbnzngc.rdn,xpwdh
rundll32.exe qbnzngc.rdn,pilkcg

My Kaspersky is up to date.
Please let me know what to do.
An early reply will be appreciated.
Thanks
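
The check flob9 describes (look at the arguments rundll32 was given, not at rundll32.exe itself) can be scripted over a list of captured command lines. What follows is an added example, not code from the thread or from any tool mentioned in it. It uses the command lines quoted above (the benign Bluetooth one and the three qbnzngc.rdn ones) plus two constructed extras; its KNOWN_SYSTEM_MODULES allow-list is a constructed stand-in for checking that the module really exists in System32, which an offline script cannot do. It goes a little beyond the thread by also flagging a module loaded from outside a System32 directory, and by using a vowel-ratio heuristic for generated-looking entry point names such as "ugfjzg".

```python
"""Triage rundll32.exe command lines: the signal is in the arguments.

Added example, not code from the thread. Sample command lines are
constructed from the values quoted in the thread plus two extras.
"""
import os
import re
from dataclasses import dataclass, field

# File types rundll32 is normally asked to load. ".rdn" (seen in the thread) is not one.
NORMAL_MODULE_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# Constructed allow-list standing in for "is this a real file in System32?".
# A live check would stat the file instead of consulting a set.
KNOWN_SYSTEM_MODULES = {"bthprops.cpl", "shell32.dll", "user32.dll", "advpack.dll"}

REASON_EXT = "unusual module extension"
REASON_UNKNOWN = "module not in the known system module list"
REASON_PATH = "module loaded from outside a System32 directory"
REASON_ENTRY = "random-looking entry point"
REASON_NOENTRY = "no entry point given"


@dataclass
class Verdict:
    cmdline: str
    module: str
    entrypoint: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.reasons)


def parse_rundll32(cmdline):
    """Split 'rundll32[.exe] <module>,<entry> [args]' into (module, entry).
    The separator may be written ',,' as in the Bluetooth example."""
    tokens = cmdline.strip().split(None, 1)
    if not tokens or not re.search(r'rundll32(\.exe)?"?$', tokens[0], re.I):
        raise ValueError("not a rundll32 command line: %r" % cmdline)
    if len(tokens) == 1:
        return "", ""
    module, _, rest = tokens[1].strip().strip('"').partition(",")
    rest = rest.lstrip(",").split()
    return module.strip(), (rest[0] if rest else "")


def looks_random(name):
    """Heuristic for generated names such as 'ugfjzg': all lowercase letters
    with fewer than 30% vowels. Mixed-case or underscored names
    (BluetoothAuthenticationAgent, Control_RunDLL) are never flagged."""
    if not name or not name.isalpha() or not name.islower():
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.3


def triage_one(cmdline):
    module, entry = parse_rundll32(cmdline)
    v = Verdict(cmdline, module, entry)
    basename = re.split(r"[\\/]", module)[-1]
    ext = os.path.splitext(basename)[1]
    if ext.lower() not in NORMAL_MODULE_EXTENSIONS:
        v.reasons.append(REASON_EXT)
    if basename.lower() not in KNOWN_SYSTEM_MODULES:
        v.reasons.append(REASON_UNKNOWN)
    if basename != module and "\\system32\\" not in module.lower():
        v.reasons.append(REASON_PATH)  # an explicit path that is not under System32
    if not entry:
        v.reasons.append(REASON_NOENTRY)
    elif looks_random(entry):
        v.reasons.append(REASON_ENTRY)
    return v


def triage(cmdlines):
    return [triage_one(c) for c in cmdlines]


SAMPLE_CMDLINES = [
    r'"C:\WINDOWS\system32\rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent',  # quoted in thread, benign
    r"rundll32.exe qbnzngc.rdn,ugfjzg",  # quoted in thread
    r"rundll32.exe qbnzngc.rdn,xpwdh",   # quoted in thread
    r"rundll32.exe qbnzngc.rdn,pilkcg",  # quoted in thread
    r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",  # constructed, benign
    r"rundll32.exe C:\DOCUME~1\user\LOCALS~1\Temp\update.dll,Install",  # constructed
]

if __name__ == "__main__":
    for v in triage(SAMPLE_CMDLINES):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print("%-10s %s -> %s,%s %s" % (flag, v.cmdline, v.module, v.entrypoint, v.reasons))
```

On a live machine the list would come from Process Explorer's command-line column or from a `wmic process where name='rundll32.exe' get commandline` capture; the allow-list check would be replaced by checking that the module exists under %SystemRoot%\System32 and hashing it for a VirusTotal lookup, as flob9 suggests later in the thread.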

 

by: Kraeven, posted on 2009-07-21 at 23:21:25, ID: 24911916

This seems like spyware; do a spyware scan with Ad-Aware, Spybot or one of the many others...
Also do a complete virus scan, who knows what it might have missed...

 

by: flob9, posted on 2009-07-22 at 05:16:24, ID: 24913803

Yes, I agree, this looks like a randomly generated file name, probably a virus / malware.

Try an online virus scan (Trend Micro).

Also, locate the file "qbnzngc.rdn" and check it with this: http://www.virustotal.com/

 

by: warturtle, posted on 2009-07-22 at 06:01:48, ID: 24914219

A Kaspersky Rescue Disk might be useful in this situation:

ftp://ftp.downloads1.kaspersky-labs.com/devbuilds/RescueDisk/

Download the ISO, burn it as an image to a CD, and boot your PC from it to run the scanner. After the scanner is finished, boot your PC in normal mode and see if the problem still remains.

Hope it helps.

 

by: Kraeven, posted on 2009-07-22 at 06:49:25, ID: 24914802

Or do it online without installing, with this one for instance: http://www.emsisoft.com/en/software/ax/

 

by: dxbdxb2009, posted on 2009-07-24 at 02:59:53, ID: 24933400

flob9 -
warturtle -
Kraeven -
Thanks for your support.
What I found on my PCs: I went to Scheduled Tasks under Programs -> Accessories -> System Tools. There are around 56 scheduled jobs running, and when I end these jobs I find that all rundll32.exe processes are closed in Task Manager.
But after 10-15 minutes the Scheduled Tasks folder is automatically full and running again, even though I have deleted all tasks in Scheduled Tasks, and I can again find rundll32.exe processes in Task Manager.
I am not able to do any editing in these scheduled jobs because everything is grayed out, and there is no option to edit them.
All the jobs' names start with A1, A2 and the like.
Now can you please let me know how I can disable all scheduled tasks?
Awaiting your early reply.
Thanks!
DXB

 

by: Kraeven, posted on 2009-07-24 at 03:19:14, ID: 24933482

FYI, you can check %systemroot%\SchedLgU.Txt to see what tasks have run.

If you want to remove all tasks, just delete everything in C:\windows\tasks.

The security database for scheduled tasks may have become corrupt. Try the
following steps:

1) Stop the Task Scheduler service. Go to the command prompt and do a
cd\
cd windows

2) Run the command
c:\windows>attrib -s tasks

3) Go to the tasks folder and type
cd tasks

C:\WINDOWS\Tasks>attrib -h sa.dat

C:\WINDOWS\Tasks>dir
You can (back up if you want, and then) delete all tasks and the sa.dat file.
del *.*

4) Do a cd.. to go to the c:\windows folder

5) Reset the system attribute on the tasks folder by typing the following in the
command prompt window
c:\windows>attrib +s tasks

6) Restart the scheduler service

You could check that the Task Scheduler works
by creating a new task.


Hope this helps...

 

by: noralain, posted on 2009-07-26 at 20:51:09, ID: 24948765

Go to Control Panel > Scheduled Tasks > delete any scheduled task starting with "AT".
You will find a lot of them, with numbers.
After deleting them all,

restart, and that's all.

This is a worm-type virus.

Regards
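
Kraeven's steps above work on two artifacts, %SystemRoot%\Tasks and %SystemRoot%\SchedLgU.Txt, and dxbdxb2009 and noralain both describe the tell-tale jobs: dozens of files named after AT jobs (At1.job, At2.job, ...) that reappear after deletion. The following is an added example, not code from the thread: it lists those job files in a Tasks folder and counts from the scheduler log how often each one ran, so the reinfection interval and the command each job launches are visible before anything is deleted. It builds its own throwaway Tasks folder; SAMPLE_SCHEDLGU is constructed to approximate the SchedLgU.Txt layout and is not a real capture.

```python
"""Inventory AT jobs in the Scheduled Tasks folder and the Task Scheduler log.

Added example, not code from the thread. The Tasks folder and the log text
used below are constructed; the log only approximates SchedLgU.Txt.
"""
import os
import re
import tempfile
from collections import defaultdict

# AT jobs are stored as At<n>.job; the thread reports them as A1, A2, AT1.job.
AT_JOB = re.compile(r"^at(\d+)\.job$", re.I)

# Job header lines in SchedLgU.Txt look like:  "At1.job" (rundll32.exe)
JOB_HEADER = re.compile(r'^"(?P<job>[^"]+)" \((?P<command>[^)]+)\)')

# Constructed sample approximating the SchedLgU.Txt layout.
SAMPLE_SCHEDLGU = """\
"Task Scheduler Service"
Started at 8/1/2009 9:00:00 AM
"At1.job" (rundll32.exe)
\tStarted 8/1/2009 9:15:00 AM
"At1.job" (rundll32.exe)
\tFinished 8/1/2009 9:15:01 AM
\tResult: The task completed with an exit code of (0).
"At2.job" (rundll32.exe)
\tStarted 8/1/2009 9:15:00 AM
"At1.job" (rundll32.exe)
\tStarted 8/1/2009 10:15:00 AM
"Backup Nightly.job" (backup.exe)
\tStarted 8/1/2009 10:30:00 AM
"""


def find_at_jobs(task_dir):
    """Return the At<n>.job file names in task_dir, sorted by n."""
    found = []
    for name in os.listdir(task_dir):
        m = AT_JOB.match(name)
        if m:
            found.append((int(m.group(1)), name))
    return [name for _, name in sorted(found)]


def jobs_from_schedlgu(text):
    """Parse scheduler log text into {job: {"command": str, "started": int}}.
    A job's 'Started' lines follow its header line, so the header sets the
    current job and each indented 'Started' line is counted against it."""
    runs = defaultdict(lambda: {"command": "", "started": 0})
    current = None
    for line in text.splitlines():
        m = JOB_HEADER.match(line)
        if m:
            current = m.group("job")
            runs[current]["command"] = m.group("command")
            continue
        if current and line.strip().startswith("Started"):
            runs[current]["started"] += 1
    return dict(runs)


def build_sample_tasks_dir():
    """Create a throwaway Tasks folder with constructed file names
    (a normal job, desktop.ini and SA.DAT are included as non-matches)."""
    d = tempfile.mkdtemp(prefix="tasks_")
    for name in ["At1.job", "At2.job", "AT17.job", "Backup Nightly.job", "desktop.ini", "SA.DAT"]:
        with open(os.path.join(d, name), "w") as fh:
            fh.write("constructed placeholder\n")
    return d


def summarize(task_dir, log_text):
    """Combine the on-disk AT jobs with what the log says they executed."""
    at_jobs = find_at_jobs(task_dir)
    runs = jobs_from_schedlgu(log_text)
    return {
        "at_jobs_on_disk": at_jobs,
        "at_job_runs": {j: r["started"] for j, r in runs.items() if AT_JOB.match(j)},
        "commands": sorted({r["command"] for j, r in runs.items() if AT_JOB.match(j)}),
    }


if __name__ == "__main__":
    d = build_sample_tasks_dir()
    print(summarize(d, SAMPLE_SCHEDLGU))
```

On a real machine, point `summarize` at %SystemRoot%\Tasks and the contents of %SystemRoot%\SchedLgU.Txt. A Tasks folder full of At<n>.job entries that all launch rundll32.exe, with run counts climbing every 15-30 minutes, matches the behaviour dxbdxb2009 reports, and the command column tells you which module each job loads.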

 

by: flob9, posted on 2009-07-27 at 02:45:46, ID: 24949900

As I said, you should locate the file, analyze it with virustotal.com to find out what virus it is, then find a tool to clean it up.

 

by: johnb6767, posted on 2009-07-27 at 19:56:57, ID: 24957592

This would be great for the XP systems, not sure about the Server 2K box though... Never had a need to try it....

Can also use ComboFix. (stolen from rpggamergirl's postings...)  :)

Here are the instructions; if it doesn't run at first, then redownload and rename before saving to your desktop.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe and follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the ComboFix tutorial, which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Personally, I wouldn't install the Recovery Console.

 

by: warturtle, posted on 2009-07-28 at 14:17:33, ID: 24965309

It could be a Conficker infection as well, I have seen questions on EE where a Conficker variant has started a lot of processes on a computer. It would be a good idea to check for this:

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

If you find Conficker in your computer, then please use this tool to remove it:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

Hope it helps

 

by: dxbdxb2009, posted on 2009-08-01 at 01:43:11, ID: 24994572

Kraeven -
Sorry for replying to you late.
I did the same as described by you, but the process started again and I can see the automatic task started in Task Scheduler. I am not able to change the schedule time or anything else in this task; everything is grayed out (find the attached snapshot).
I have noted one thing: I am facing this problem on 25% of my company PCs after I uninstalled Trend Micro OfficeScan and installed Kaspersky Total Space Security for XP workstations.
As I mentioned, KS is updated and is detecting the virus and disinfecting too.
Once I stop the Task Scheduler service in services.msc I cannot see any new process being created in Task Scheduler, but as soon as I start this service the rundll32.exe processes can be seen in numbers.
Is there any other process I can opt for to get rid of this?
Awaiting your early reply.
Thanks!
DXB

 

by: dxbdxb2009, posted on 2009-08-01 at 04:27:13, ID: 24994884

Kraeven -
warturtle -
noralain -
johnb6767 -
flob9 -
Any comments from you experts?
Please reply ASAP.
Awaiting your early reply.
Thanks!

 

by: warturtle, posted on 2009-08-01 at 06:05:16, ID: 24995122

Hello,

What does KS say the name of the virus is? Secondly, could you send us a HijackThis log of your system? It can be downloaded from:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

 

by: dxbdxb2009, posted on 2009-08-01 at 11:21:23, ID: 24996162

warturtle -
What I found on all of my domain PCs is that all of them have the same problem: they are running rundll32.exe as SYSTEM on each PC, even though each PC is installed with KS with updates.
Tomorrow I will send you the HijackThis log of one of the PCs... but you really need to find a solution for me.
Please have a serious look into this matter.
Thanks.

 

by: dxbdxb2009, posted on 2009-08-01 at 20:02:45, ID: 24997585

warturtle - the virus name indicated by KS is the same name as in the task that is being run, like:
see the image I posted; you can see in Run what is being run, the name of the app is "Run : rundll32.exe zxlfak.da.fxieeov" and Created by / Run as: NT AUTHORITY\SYSTEM.
As I remember, I did not see any suspicious things in the HijackThis log; even so, I will post it after 2 hrs.
See and let me know ASAP.
Thanks for your kind support.

 

by: warturtle, posted on 2009-08-02 at 01:02:05, ID: 24998050

Could you please run ComboFix as advised by johnb earlier? Make sure that you read the instructions carefully, as any active antivirus application can stop ComboFix from working correctly.

Have you checked for Conficker infection as well, from the link that I supplied to you?

 

by: dxbdxb2009, posted on 2009-08-02 at 01:22:16, ID: 24998100

warturtle -

From where can I download ComboFix, what all needs to be considered before running it, and do I need to uninstall KS on all PCs? Please advise.

I am sending you the HijackThis log here.

Find the HijackThis log of the infected PC:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:10 AM, on 8/2/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
D:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ae;<local>
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-21-299502267-1303643608-1417001333-1874\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background (User 'taldar')
O4 - HKUS\S-1-5-21-299502267-1303643608-1417001333-1874\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'taldar')
O4 - HKUS\S-1-5-21-299502267-1303643608-1417001333-1874\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe (User 'taldar')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://podgateway:808/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://podgateway:808/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://podgateway:808/officescan/console/ClientInstall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://podgateway:808/officescan/console/ClientInstall/RemoveCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mydomainname.ae
O17 - HKLM\Software\..\Telephony: DomainName = mydomainname.ae
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F147E20-8CF1-4DC7-9213-67366CBA30CB}: NameServer = 192.168.100.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mydomainname.ae
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mydomainname.ae
O20 - AppInit_DLLs: D:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Box Document Registration Scheduler (iW DM iR DR Scheduler) - Unknown owner - D:\Program Files\Canon\iW DM\Program\iRScheduler.exe
O23 - Service: Kaspersky Network Agent (klnagent) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe

--
End of file - 7669 bytes

 

by: dxbdxb2009, posted on 2009-08-02 at 06:01:56, ID: 24998696

Even though my KS detects and deletes it many times, the name of the virus KS shows is
"Virus Net-Worm.Win32.Kido.ih"     running in  C:\windows\system32\fhbrxpkp.dll
The last name, fhbrxpkp.dll, does not remain the same; it changes frequently and is detected under the same virus name.
Can you please let me know which spyware / antivirus can clean my 50 PCs?
It is not easy to do manually, since we are running KS Total Space in our domain,
and it is not able to clean it.
Please help me out.
Awaiting your early reply.
Thanks!

 

by: warturtle, posted on 2009-08-02 at 08:12:35, ID: 24999060

Aha, thanks for sending the information to me. Kido is another name for Conficker. Yes, you do have Conficker on your PCs. Here's the official information from Kaspersky that you need to follow to remove it from the PCs. Please try the methods and let me know if the problem is treatable or not.

http://www.kaspersky.com/support/wks6mp3/error?qid=208279973

You need to patch your computers with Windows Update so as not to allow the code execution by Kido/Conficker.

 

by: Kraeven, posted on 2009-08-02 at 23:29:24, ID: 25002222

Sorry I didn't get back to you sooner, vacation ;-)
It indeed looks like a Conficker infection...

I've uploaded the Sophos remover tools, a standalone and a network version:
rename .txt to .exe and run, or download them from the site.

You need to register a free account before you can download them from the site, so I've included them in my post :-)

http://www.sophos.com/support/knowledgebase/article/54457.html

 

by: dxbdxb2009, posted on 2009-08-03 at 11:09:44, ID: 25006864

warturtle - Okay, this is the same problem you searched for me, and thanks for that, but you know, when I run this tool the jobs are deleted from Scheduled Tasks, but after 30 minutes the task AT1.job is automatically created in Scheduled Tasks again, and within one hour more than 50 rundll32.exe can be seen.
And due to this I think my KS shows a virus detected named "Virus Net-Worm.Win32.Kido.ih", and sometimes it deletes it and sometimes it does not.
I tried it after installing the Windows patches as said by KS and you.
Please look for a permanent solution which can be installed or updated with KS.
Thanks for your support.
******************************************************
Kraeven - Thanks for your post.
What is the difference between the two exes, and is there any other effect on my network if I run the network removal tool on my live network (like my network becoming slow after I run it)?
If I run the network version, will all my PCs be disinfected at one time? Since, as per warturtle's suggestion, I ran the KS tool to remove Conficker, but after 30 minutes the PC was infected again due to other PCs, since I cannot run it on all PCs together............... any suggestion for removing it everywhere at one time without losing network performance?
Awaiting your early reply.
Thanks!

 

by: rpggamergirl, posted on 2009-08-03 at 23:17:35, ID: 25010991

ComboFix should be able to handle those AT*.job files with its script function.
Use this ComboFix link.
Please download ComboFix by sUBs:


You must download it to and run it from your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe and follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


 

by: Kraeven, posted on 2009-08-03 at 23:35:09, ID: 25011062

http://www.sophos.com/support/knowledgebase/article/51416.html

All you need to know can be found at the link above...
Don't forget, after removing it, to install the Microsoft Windows patch for vulnerability MS08-067 on the disinfected PC.

What to do:

If your anti-virus solution does not have an on-access scanner that can detect and block Conficker from executing, your computers could be infected, and reinfected, if they remain connected to the network. Either:

remove your computers from the network by disconnecting them physically,

or use a firewall to block file sharing on the network. For instructions on how to do this, please see Sophos Anti-Virus for Windows 2000+: removing W32/Confick and Mal/Conficker.

Once you have done this, follow step 2 or 3, depending on whether you use Active Directory on your network.

If you have a firewall product that is blocking access to your shared network folders, and you use Active Directory on your network, download the Sophos Conficker Cleanup Tool, configure it and then deploy it to your computers as a startup script using Active Directory Group Policy. Follow the instructions in these sections:

a. Download the Sophos Conficker Cleanup Tool
b. Edit the SCCT.vbs file to configure it for your network settings
c. Deploy the files to your computers using Active Directory Group Policy

If you have disconnected your computers from the network, or you do not use Active Directory on your network, download the Sophos Conficker Cleanup Tool and configure it, then burn it to CD or DVD. You will then have to go to each of your infected computers, load the CD/DVD and run the Sophos Conficker Cleanup Tool. NOTE: Conficker can infect removable drives, so do not use a USB pen drive for running the tool manually.
Follow the instructions in these sections:

a. Download the Sophos Conficker Cleanup Tool
b. Edit the SCCT.vbs file to configure it to use from a CD
c. Create a CD or DVD to be used on each infected computer

Hope this helps?

 

by: rpggamergirlPosted on 2009-08-04 at 17:05:52ID: 25019340

dxbdxb2009,

How is it going?
Which tool did you end up using?
I would've preferred using Combofix first and then AVZ if, after running the CF function, the virus still persists.
If you went ahead with AVZ (via the developers), then also attach here the compressed file "virusinfo_syscheck.zip" so we can see what's going on. Either attach the zip here or upload it at EE.Stuff.com.


@ warturtle,
Please tell us, what's your reason for not posting the AVZ instruction here for the Asker?

 

by: rpggamergirlPosted on 2009-08-05 at 07:45:12ID: 25024012

No, that's okay, we don't need to know any private info or the guide, and I don't want to step on the AVZ developer's toes.
But in the future, if we suggest the use of the AVZ tool, then we help the Askers here at EE: we analyze the automated "virusinfo_syscheck" report and we'll provide the script.

 

by: dxbdxb2009Posted on 2009-08-06 at 05:13:03ID: 25032313

Dear Warturtle,

Pls find the attached AVZ log folder & combofix log file (pls change the extension of the AVZ log to .html).

I would really appreciate it if you can forward the same to KS & advise me what I need to do next.

Awaiting your early reply,

Thanks!

DXB

 

by: warturtlePosted on 2009-08-06 at 06:48:35ID: 25033258

Could you please do the scan with Kaspersky Rescue Disk as advised earlier (my first suggestion) and let us know? There are a couple of suspicious services loading in the background (visible from both the AVZ and ComboFix logs). The Rescue Disk might help in this case.

 

by: rpggamergirlPosted on 2009-08-06 at 07:16:29ID: 25033593

I asked if we could look at the AVZ's virusinfo_syscheck.zip, but I guess you don't want us to look, oh well that's okay.


With the Combofix log,
You need to use the CF script function to remove one bad file and those bad services and netsvcs.


Run Combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\wztgjbgn.dll

Driver::
bivago
eyfiyah
faixhi
mwolgijk
zdpaz

NetSvc::
zdpaz
faixhi
bivago
eyfiyah
orsrfui
mwolgijk

RegLock::
[HKEY_USERS\S-1-5-21-854245398-861567501-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
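A defender-side check for the hiding place the CFScript above targets, added here as an example and not code from the thread: it flags entries in the svchost "netsvcs" group that are not in a known-good baseline, and reports orphans (like orsrfui, listed under NetSvc:: with no Driver:: entry) separately. The baseline, the registry snapshot and the DLL file names are constructed for the example; the service names are the ones from the script.

```python
import ntpath
import re

# Assumed baseline (added example): a subset of the service names
# that legitimately sit in svchost's "netsvcs" group on Windows XP.
# Build the real list from a known-clean reference machine.
KNOWN_NETSVCS = {
    "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "EventSystem", "helpsvc",
    "LanmanServer", "LanmanWorkstation", "Netman", "Nla", "RasMan", "Schedule",
    "seclogon", "SENS", "SharedAccess", "Themes", "TrkWks", "W32Time",
    "winmgmt", "wscsvc", "wuauserv", "BITS", "ERSvc", "xmlprov",
}
# Shape of the names in the CFScript: a short run of lowercase letters.
RANDOM_STYLE = re.compile(r"[a-z]{4,10}")

def suspicious_netsvcs(netsvcs, service_dlls, baseline=KNOWN_NETSVCS):
    """Return [(service_name, [reasons])] for netsvcs entries outside the
    baseline. service_dlls maps service name -> Parameters\\ServiceDll;
    a name absent from it has no ServiceDll registered at all."""
    known = {s.lower() for s in baseline}
    findings = []
    for name in netsvcs:
        if name.lower() in known:
            continue
        reasons = ["not in netsvcs baseline"]
        if RANDOM_STYLE.fullmatch(name):
            reasons.append("random-looking lowercase service name")
        dll = service_dlls.get(name)
        if dll is None:  # e.g. 'orsrfui': under NetSvc:: but no Driver:: entry
            reasons.append("no ServiceDll registered (orphan netsvcs entry)")
        elif RANDOM_STYLE.fullmatch(ntpath.splitext(ntpath.basename(dll))[0]):
            reasons.append("ServiceDll has a random-looking file name: " + dll)
        findings.append((name, reasons))
    return findings

# Constructed snapshot of the netsvcs REG_MULTI_SZ: the six names from the
# CFScript above mixed in among legitimate entries.
SAMPLE_NETSVCS = ["AppMgmt", "AudioSrv", "zdpaz", "Browser", "faixhi", "CryptSvc",
                  "bivago", "EventSystem", "eyfiyah", "orsrfui", "mwolgijk", "Themes"]
# Constructed ServiceDll values: wztgjbgn.dll is the file the CFScript removes,
# but pairing it with 'zdpaz' and the other four DLL names are invented here.
SAMPLE_SERVICE_DLLS = {
    "zdpaz": r"c:\windows\system32\wztgjbgn.dll",
    "faixhi": r"c:\windows\system32\qpwnvkzt.dll",
    "bivago": r"c:\windows\system32\hbrtemqo.dll",
    "eyfiyah": r"c:\windows\system32\lcvxuapd.dll",
    "mwolgijk": r"c:\windows\system32\tdgyorfk.dll",
}
```

Calling suspicious_netsvcs(SAMPLE_NETSVCS, SAMPLE_SERVICE_DLLS) flags all six random names and reports orsrfui as an orphan, which is why the CFScript lists it only under NetSvc::.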

 

by: dxbdxb2009Posted on 2009-08-07 at 09:49:09ID: 25044710

rpggamergirl - I am sorry for not replying to you on time. It's not that I don't want a solution from you.
I am really thankful to you that you took your precious time for me.
On my infected PC in which c:\windows\system32\wztgjbgn.dll was found, KS has deleted that one, but there are so many .dll files which are created by the task scheduler jobs, & these jobs show status Running in C:\windows\tasks.
Kindly let me know how I can remove this problem from my network & all PCs.
I have so many PCs infected by the same problem, and due to this my Exchange server users are being locked out automatically.
I would appreciate it if you could explain to me how I can deal with this problem, like "c:\windows\system32\wztgjbgn.dll".
Kindly suggest the best solution.
Awaiting your early reply.
Thanks!
DXB

 

by: rpggamergirlPosted on 2009-08-07 at 17:35:11ID: 25047759

No problem.
Are those multiple jobs in the Tasks folder on a different system? They are not showing in the Combofix log that you posted here.

Can you please run the Combofix CFScript and post the result of that one.
Did the Kaspersky developers help you with the AVZ?
You can attach the "virusinfo_syscheck.zip" here and I'll have a look at it and see if it's showing bad entries.
The virusinfo_syscheck.zip is what I want to look at, not the lk_syscure.html.

It is very important to isolate each infected system from the network to avoid re-infection. I know that's a hard task with numerous PCs. And I don't know of an easy solution to disinfect multiple PCs in one go. Maybe other experts can offer suggestions.

Can you attach the result of the combofix script please.

 

by: dxbdxb2009Posted on 2009-08-07 at 20:58:13ID: 25048269

rpggamergirl - Where can I get this "virusinfo_syscheck.zip" file from?

Thanks!

 

by: rpggamergirlPosted on 2009-08-07 at 21:24:43ID: 25048323

Sorry, I assumed warturtle gave you the instructions on how to run the AVZ tool and how to find the log?

Navigate to the AVZ4 folder and locate the folder "LOG"; inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip.

Attach the compressed file "virusinfo_syscheck.zip" back here, and I also need you to attach the result of the Combofix script run, thanks.

 

by: dxbdxb2009Posted on 2009-08-08 at 03:57:13ID: 25049235

rpggamergirl - sorry, I did not find the file name you specified, "virusinfo_syscheck.zip", anywhere.
All that I found I am sending you attached herewith.
Pls write how to create "virusinfo_syscheck.zip" using AVZ4.
This is all I can see in the LOG folder of AVZ4; along with it I am sending you the combofix log too.
Pls take some time to go through it & let me know what is left for me to do.
Awaiting your early reply.
Thanks!
DXB

 

by: rpggamergirlPosted on 2009-08-08 at 04:43:03ID: 25049387

It has to be there... I just ran the AVZ4 tool on my PC to make sure the folder is there, and it is.

Run AVZ4 again please and follow these instructions carefully.

Download avz4.zip from here http://z-oleg.com/avz4.zip
Unzip it to your desktop to a folder named avz4

1. Double click on AVZ.exe to run it.
2. Run an update by clicking the Auto Update button on the Right of the Log window:  
3. Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again.

After the update,
4. from the "File" menu, choose "Standard Scripts"
5. Put a check next to item 2: Advanced System Analysis
6. Click "Execute selected scripts"
7. At the next prompt, click the Yes button

8. Let the scan run and click "OK" when the completion prompt pops up
9. Now Close out of the Standard Scripts window, and exit AVZ
10. Navigate to the avz4 folder and locate the folder LOG

Inside the LOG folder you will find 3 items:
virusinfo_syscheck.htm,
virusinfo_syscheck.xml
virusinfo_syscheck.zip
Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.

 

by: rpggamergirlPosted on 2009-08-08 at 04:59:29ID: 25049427

DXB,

Sorry, but both of the Combofix logs that you attached in your above post are not from the running of CFScript but from a normal run.

When running Combofix using the script (you don't run it by double-clicking combofix.exe),
you need to drag the CFScript.txt into ComboFix.exe.
Drag the CFScript.txt and drop it over or into the Combofix.exe.

 

by: rpggamergirlPosted on 2009-08-08 at 05:09:20ID: 25049458

Okay, maybe this is the reason we have trouble running the script.
Since your Combofix.exe is also inside another folder, you need to save the CFScript.txt in the same location as your Combofix.exe.

Please ask if my instruction is not very clear.

See here below: your Combofix.exe is inside the Combofix folder
c:\documents and settings\Administrator\Desktop\ComboFix\ComboFix.exe

So when you save the CFScript you need to save it in the same location as your combofix.exe (which is inside the combofix folder on your desktop).

 

by: dxbdxb2009Posted on 2009-08-09 at 22:50:04ID: 25057401

rpggamergirl - Thanks for being with me.
I am posting here the combofix log & "virusinfo_syscheck.zip".
Pls note I am not able to attach the "virusinfo_syscheck.zip" file here, thus I unzipped it and attached the contents in the first two files. Kindly rename these as
1. avz-sysinfohtm.txt to avz-sysinfo.htm
2. avz-sysinfoxml.txt to avz-sysinfo.xml
And do the analysis.
I am waiting for your early reply since almost all my PCs are infected with this kind of problem.
I will be grateful to you if you can help me out to resolve the issue asap.
Many thanks!
DXB

 

by: dxbdxb2009Posted on 2009-08-10 at 11:16:01ID: 25062454

rpggamergirl -

Any updates!
Awaiting your early reply.
Thanks!
DXB

 

by: rpggamergirlPosted on 2009-08-10 at 18:17:57ID: 25065529

I am so sorry, I meant to check back here, my apology.

Those bad services are still there they just respawned and I don't see their physical files in the AVZ report.

Can you please run these tools instead? thanks.
1.  Download RootRepeal from the following location and save it to your desktop.
Zip Mirrors (Recommended)
Primary Mirror
Secondary Mirror
 
Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror:
Secondary Mirror:

Extract RootRepeal.exe from the archive.
Open RootRepeal on your desktop.
Click the "Report" tab.
Click the "Scan" button.
Check all seven boxes:
* Drivers
* Files
* Processes
* SSDT
* Stealth Objects
* Hidden Services
* Shadow SSDT

Push Yes
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the "Save Report" button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
 

2.  Download GMER from here:
Unzip it to the desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
 

 

by: dxbdxb2009Posted on 2009-08-15 at 00:50:53ID: 25104508

rpggamergirl - sorry, i am a bit busy with other work will reply you with required log with in 2 days.
Thanks!

 

by: rpggamergirlPosted on 2009-08-17 at 06:34:00ID: 25114197

Okay, no problem.... when you come back.. we'll be here, :)

 

by: dxbdxb2009Posted on 2009-09-18 at 22:26:53ID: 31606040

Finally I used Combofix; it could not be cleaned with the KS tools or KS AV.
Thanks for your support.

 

by: rpggamergirlPosted on 2009-09-18 at 23:02:57ID: 25371674

Glad to know that it's resolved.

Thanks for the points, but actually it was johnb6767 that first suggested Combofix, you might want to split the points or award him all the points.
Let me know if you want this thread re-open.

 

by: johnb6767Posted on 2009-09-20 at 13:12:27ID: 25378759

@rpg

No biggie, didn't really do much outside of a suggestion..... :)
