Numerous instances of rundll32.exe running....

#1
Daventrian

    New Member

  • Members
  • Pip
  • 4 posts
I need the help of someone smarter than I am on this. I am having an issue with my computer, and cannot figure out what is causing it. I'm not sure if it is malware related or not as I have run MalwareBytes, SpyBot, and AVG (all with the latest updates) and all come up clean. I have also run the system file checker (this is an XP Pro box btw).

Here is the problem:

Something is loading multiple instances of rundll32.exe. I hear the chord.wav file play, and when I look at the running processes a new instance of rundll32.exe will be running. I have tried closing all of my programs, and it still happens. I can kill all of the rundll32 processes at night, and by the next morning there might be 15 or 20 instances running again. I have run HJT and I do not see anything that jumps out as fishy. I used SpyBot to track through the parents, and here is the process tree: System->smss.exe->winlogin.exe->services.exe->svchost.exe->rundll32.exe. I also do not see anything fishy in the modules that are loaded by the rundll32 processes.

I just cannot track down where these are getting loaded from. Any help on this would be greatly appreciated!

#2
Daventrian

Also, everything else seems to be running just fine and SpyBot does not show these processes with any network connections open nor do I see any strange network connections running the netstat -a command.

#3
Daventrian

No input on this? Just stopped another 26 instances that were started over the weekend.

#4
Daventrian

I figured it out. AVG caught a file infected with Conficker a while back. While the computer scans clean, the dropper program must have been allowed to run as there were several scheduled jobs set to use rundll32.exe to execute code from the infected file. When the infected file was not there, rundll32 just hung.
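
Added example, not part of the original thread: a check for the leftover described in the last post, scheduled tasks that launch rundll32.exe against a DLL that is no longer on disk. It reads text in the shape of `schtasks /query /fo csv /v` output; the sample rows, task names, DLL names and the system directory default are constructed assumptions.

```python
import csv, io, ntpath, os, re

# Constructed sample in the shape of `schtasks /query /fo csv /v` output,
# trimmed to the two columns used here. Task and DLL names are made up.
SAMPLE_CSV = r'''"TaskName","Task To Run"
"At1","rundll32.exe example1.dll,entry"
"At2","C:\WINDOWS\system32\rundll32.exe C:\Vendor\helper.dll,Start"
"Backup","C:\Tools\backup.exe /nightly"
'''

# Matches: [path\]rundll32[.exe] <dll>,<entrypoint> [args]
RUNDLL32 = re.compile(r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(.+)$', re.IGNORECASE)

def rundll32_target(command, system_dir=r"C:\WINDOWS\system32"):
    """Return the DLL path a rundll32 command line points at, or None."""
    m = RUNDLL32.match(command.strip())
    if not m:
        return None
    # The DLL is everything before the first comma; the entry point follows it.
    dll = m.group(1).split(",", 1)[0].strip().strip('"')
    # Assumption: a bare file name is looked for in the system directory.
    if not ntpath.dirname(dll):
        dll = ntpath.join(system_dir, dll)
    return dll

def orphaned_rundll32_tasks(csv_text, exists=os.path.exists):
    """List (task name, dll path) for rundll32 tasks whose DLL is missing."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dll = rundll32_target(row.get("Task To Run") or "")
        if dll and not exists(dll):
            findings.append((row["TaskName"], dll))
    return findings

if __name__ == "__main__":
    # Stand-in for the file system: only the vendor DLL is present.
    present = {r"c:\vendor\helper.dll"}
    hits = orphaned_rundll32_tasks(SAMPLE_CSV, lambda p: p.lower() in present)
    for name, dll in hits:
        print(f"{name}: rundll32 target missing: {dll}")
```

On the affected machine, pass the saved `schtasks` output instead of `SAMPLE_CSV` and leave `exists` at its default so the real file system is checked.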
