Exchange 2007 approx 100 copies of rundll32.exe

esptechnical
Hi all,

I have an Exchange 2007 server that is running a large number of copies of rundll32 (see screenshot). There are about 100 of them with a strange command line.

I have scanned with Symantec Endpoint and Malwarebytes and both report clean. The server is all up to date. It was noticed yesterday, so we restarted and monitored, and they were not there after the restart; now this morning there are loads of them again!

Any ideas? The server is running OK.

[Screenshot: Rundll32]
Thanks,

Scott

Commented:
Look at Process Monitor to see what is hiding behind those files, and ensure all is OK:

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Author

Commented:
I noticed that they were running on the hour, every hour. So I checked the Task Scheduler and there were a whole bunch of scheduled tasks.

That all makes it sound like Win32/Conficker.A. I'm running the clean tool, but as yet it hasn't found anything.
Commented:
It sure does sound like Conficker. To check if it truly is Conficker, you can check the following:
Go into Services on the computer: Automatic Updates is disabled and so is the Background Intelligent Transfer Service (BITS).

What tool are you using? Have you tried this one: http://www.bdtools.net/download/bd_rem_tool.zip. Before you stick a USB stick in the server, disable the Autorun feature, otherwise the stick is compromised as well.

Oh, and this document explains a bit more on the tool above: http://www.bdtools.net/how-to-remove-downadup.php

If possible, remove all existing user profiles, as one of those might be the source.

Just a warning: the same virus caused a network traffic overflow on one of my clients' networks, eventually generating so much traffic that servers couldn't handle logon requests, nor could WSUS keep up with patching. It started off on just one machine, but had a bizarre domino effect. So if possible, isolate the machine until you are sure that it is either something else or the Conficker is truly gone.
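The checks suggested in this thread (look at what is behind the rundll32 instances, find the scheduled tasks that fire every hour, confirm whether Automatic Updates and BITS have been disabled, and make sure Autorun is off before plugging in a USB stick) can be gathered in one read-only pass. The script below is an added example written for this page; it is not code posted by any participant and not part of any removal tool mentioned above. It assumes Windows PowerShell 2.0 or later with WMI and schtasks.exe available (both present on the Windows Server 2003/2008 builds Exchange 2007 runs on), is run from an elevated prompt, and the function names are the example's own.

```powershell
# Added example: read-only triage for the "100 copies of rundll32.exe" symptom.
# Nothing here kills processes, deletes tasks or changes settings; it only reports.

function Get-Rundll32Instances {
    # Collapse the ~100 processes to their distinct command lines and show who
    # started each group. A legitimate rundll32 is normally launched by an
    # interactive shell or a known host process; one spawned by a scheduled-task
    # engine, a script host or another rundll32 deserves a closer look.
    $byId = @{}
    Get-WmiObject Win32_Process | ForEach-Object { $byId[[int]$_.ProcessId] = $_.Name }

    Get-WmiObject Win32_Process -Filter "Name = 'rundll32.exe'" |
        Group-Object CommandLine | Sort-Object Count -Descending | ForEach-Object {
            $first = $_.Group[0]
            $started = $null
            if ($first.CreationDate) { $started = $first.ConvertToDateTime($first.CreationDate) }
            New-Object PSObject -Property @{
                Count        = $_.Count
                CommandLine  = $_.Name
                ParentName   = $byId[[int]$first.ParentProcessId]
                FirstStarted = $started     # on-the-hour start times point at a scheduled task
            }
        }
}

function Get-Rundll32Tasks {
    # schtasks verbose CSV output; on Server 2008+ a header row is repeated per
    # task folder, so rows whose TaskName is literally "TaskName" are dropped.
    # Only columns common to the 2003 and 2008 output are selected.
    schtasks /query /v /fo CSV | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -match 'rundll32' } |
        Select-Object TaskName, Schedule, 'Next Run Time', 'Run As User', 'Task To Run'
}

function Get-UpdateServiceState {
    # Automatic Updates (wuauserv) and BITS: the expert above lists both being
    # disabled as a tell-tale sign. StartMode 'Disabled' is the value to look for.
    Get-WmiObject Win32_Service -Filter "Name = 'wuauserv' OR Name = 'BITS'" |
        Select-Object Name, DisplayName, State, StartMode
}

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun is the policy value that controls Autorun per drive type;
    # 0xFF (255) disables it for every drive type. Anything else (or no value at
    # all) means a removable stick may be auto-executed when inserted.
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    New-Object PSObject -Property @{
        NoDriveTypeAutoRun = $val
        AllDrivesDisabled  = ($val -eq 0xFF)
    }
}

"== rundll32.exe instances grouped by command line =="
Get-Rundll32Instances | Format-Table Count, ParentName, FirstStarted, CommandLine -AutoSize -Wrap

"== scheduled tasks that run rundll32 =="
Get-Rundll32Tasks | Format-Table -AutoSize -Wrap

"== Automatic Updates / BITS =="
Get-UpdateServiceState | Format-Table -AutoSize

"== Autorun policy =="
Get-AutorunPolicy | Format-List
```

Run it before any cleanup so there is a record of the command lines and task names to compare against after the reboot the author describes: if the instances come back, the task list shows what recreated them. Command lines whose DLL sits in a user profile or temp directory match the expert's advice about profiles being a possible source, and a `Disabled` start mode on either service is the indicator the expert names.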

Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
