Solved

rundll32 & At106.job

Posted on 2009-07-07
12
720 Views
Last Modified: 2012-05-07
Dear,

I can see lots of rundll32.exe processes(may be more then 15 processes) running in task manager then normal  and also can see ATxxx.job creating in windows scheduled job automatically. I want to know what might be the issue. Please help. Hijack this is also attached with this.
hijackthis.log
0
Comment
Question by:Showkatdar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +2
12 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24792787
your best bet for this isn't hijack-this, but a sysinternal tool called "process Explorer"

if you mouse over a rundll32 process, it will tell you which windows services are in that particular thread marshal. You can also use their "process monitor" to monitor activity by each thread, then backtrace that (by process id) in Process Explorer to see which service or dll is responsible.
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24793026
Hi

seems to me like you have task configured on your HP Proliant, that exceute at certain times

rundll is a low-level binary executable, but perhaps you should "netstat -an" to see any possible remote activity, other than that of your proxy server

Jfer
0
 
LVL 16

Accepted Solution

by:
warturtle earned 250 total points
ID: 24793178
You have a lot of '(file missing)' message in the HijackThis log. I am going to suggest that you run an online scan with Kaspersky Antivirus - its free and will tell you if there is any infections on your server.

Its based at: http://www.kaspersky.co.uk/virusscanner

It doesn't remove viruses but will create a report with its findings, please send that report to us for further analysis.

Is your Windows 2003 Server up-to-date? If not, then I suggest that you run Windows Update first of all to update the server.

Hope it helps.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24794245
@ warturtle:
Those 'missing files' are all okay, they're not really missing, it's 64 bit OS.


Showkatdar,

You might also try scanning with OTS.exe(it doesn't remove anything during its first run, it will only remove what's on the script) The first run will only produced a log.


Download OTS to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.
http://oldtimer.geekstogo.com/OTS.exe

Open the OTS folder and double-click on OTS.exe to start the program. Make sure you close all other programs and don't use the PC while the scan runs.

Now click the "Run Scan" button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the report in your reply. The last line is < End of Report >, so please make sure that is the last line in the attached report.
0
 
LVL 9

Assisted Solution

by:jfer0x01
jfer0x01 earned 250 total points
ID: 24794703
Obviously, windows uses rundll to function properly,

your concern is for trojans and other malware

instead of Downloading bunch of apps, verify that no outgoing connections are open via netstat -an

if you want, post the results of the command with netstat -an > resutls.txt and post those

If not, do the kaspersky virus scan online, as suggested by warturtle,

Jfer
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24861930
Hello Showkatdar,

Any update on the situation?
0
 
LVL 9

Expert Comment

by:jfer0x01
ID: 24891129
Hi,

please award points or close question

Jfer
0
 

Author Comment

by:Showkatdar
ID: 24896970
Dear

No update on thiz. Still working on the same. It is actually Conficker worm. But where from it iz coming, that we are trying to find out. We are trying to fix it, but if anybody knows anything about this, please help me to solve thiz issue.
Thanks and Regards
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24897469
Are you certain that its Conficker? Do the below test to find out for sure:
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

If it really is Conficker, you can download the removal tool from here:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

Also read this thread to see the solution from another expert called xmachine, that might help:
http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/Avast/Q_24167917.html

Hope this helps.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24899969
Have you run the OTS? can you post the log.

Those AT" jobs should show up in the scan and will be removed on its second run using a script.
0
 

Author Closing Comment

by:Showkatdar
ID: 31600501
No Solution!!
0

Featured Post

Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ready for our next Course of the Month? Here's what's on tap for June.
Article by: Justin
In light of the WannaCry ransomware attack that affected millions of Windows machines, you might wonder if your Mac needs protecting. Yes, it does and here is how to do it.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question