rundll32 & At106.job


I can see lots of rundll32.exe processes(may be more then 15 processes) running in task manager then normal  and also can see ATxxx.job creating in windows scheduled job automatically. I want to know what might be the issue. Please help. Hijack this is also attached with this.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dave HoweSoftware and Hardware EngineerCommented:
your best bet for this isn't hijack-this, but a sysinternal tool called "process Explorer"

if you mouse over a rundll32 process, it will tell you which windows services are in that particular thread marshal. You can also use their "process monitor" to monitor activity by each thread, then backtrace that (by process id) in Process Explorer to see which service or dll is responsible.

seems to me like you have task configured on your HP Proliant, that exceute at certain times

rundll is a low-level binary executable, but perhaps you should "netstat -an" to see any possible remote activity, other than that of your proxy server

You have a lot of '(file missing)' message in the HijackThis log. I am going to suggest that you run an online scan with Kaspersky Antivirus - its free and will tell you if there is any infections on your server.

Its based at:

It doesn't remove viruses but will create a report with its findings, please send that report to us for further analysis.

Is your Windows 2003 Server up-to-date? If not, then I suggest that you run Windows Update first of all to update the server.

Hope it helps.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

@ warturtle:
Those 'missing files' are all okay, they're not really missing, it's 64 bit OS.


You might also try scanning with OTS.exe(it doesn't remove anything during its first run, it will only remove what's on the script) The first run will only produced a log.

Download OTS to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.

Open the OTS folder and double-click on OTS.exe to start the program. Make sure you close all other programs and don't use the PC while the scan runs.

Now click the "Run Scan" button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the report in your reply. The last line is < End of Report >, so please make sure that is the last line in the attached report.
Obviously, windows uses rundll to function properly,

your concern is for trojans and other malware

instead of Downloading bunch of apps, verify that no outgoing connections are open via netstat -an

if you want, post the results of the command with netstat -an > resutls.txt and post those

If not, do the kaspersky virus scan online, as suggested by warturtle,

Hello Showkatdar,

Any update on the situation?

please award points or close question

ShowkatdarAuthor Commented:

No update on thiz. Still working on the same. It is actually Conficker worm. But where from it iz coming, that we are trying to find out. We are trying to fix it, but if anybody knows anything about this, please help me to solve thiz issue.
Thanks and Regards
Are you certain that its Conficker? Do the below test to find out for sure:

If it really is Conficker, you can download the removal tool from here:

Also read this thread to see the solution from another expert called xmachine, that might help:

Hope this helps.
Have you run the OTS? can you post the log.

Those AT" jobs should show up in the scan and will be removed on its second run using a script.
ShowkatdarAuthor Commented:
No Solution!!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.