FYI, the LANDesk AV definition is updated. We are using the latest AV scan engine 188.8.131.52 w/ LANDesk Management Suite SP2.
We have 2 networks here: the internet network is working fine, but the application network, which is using SP2, is encountering a rundll32.exe problem.
Any help is highly acceptable! God bless!
Good Afternoon Eigamryn,
Hope this doesn't start a full scale panic your end, but it sounds very much like the recent Kido/Conficker virus behaviour. So it might be worth looking at the information in the link below and determining if this is what is causing you to see so many RUNDLL32.EXE processes.
See this article for a lot of information on the detection, remediation and LANDesk pro-activity in respect of defeating this virus.
I hope this helps,
If it is being called from your system32 folder it may be nothing. Rundll32.exe called from there and being branded by Microsoft, etc. is normal. I would download Process Explorer, right-click on rundll32.exe in the main window and select Properties, then select the Verify button. There is also a wealth of information in the tabs.
If you are really concerned use another scanner - Antivir, AVG, etc... to scan the machine.
Good idea by Zman to check the validity using the tool. Also worth checking scheduled tasks on the devices showing so many of those RUNDLL32 processes, because another common indication of Conficker is to create lots of AT## scheduled tasks which use RUNDLL32.EXE to launch randomly named executables.
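A defender-side triage script for the two checks raised in this thread (verifying the rundll32.exe binary, its parent and command line, and counting At##-style tasks in %SystemRoot%\Tasks). This is an added example, not code from the thread or from LANDesk; it assumes Windows PowerShell 3.0 or later with the CIM cmdlets, run from an elevated prompt.

```powershell
# Added example (not from the thread or from LANDesk): triage the two signals raised above,
# rundll32.exe process legitimacy and At##-style scheduled tasks, on a Windows host.
# Assumes Windows PowerShell 3.0+ with CIM cmdlets, run from an elevated prompt.

function Get-Rundll32Triage {
    # One record per running rundll32.exe: where the binary lives, whether it carries a valid
    # Authenticode signature, which process started it, and what it was told to load.
    # A signed binary under System32 is expected; the parent and command line are what
    # distinguish normal use from a scheduled task launching an unknown DLL.
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $proc   = $_
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $status = 'unknown'
        if ($proc.ExecutablePath -and (Test-Path $proc.ExecutablePath)) {
            $status = (Get-AuthenticodeSignature -FilePath $proc.ExecutablePath).Status
        }
        [pscustomobject]@{
            PID         = $proc.ProcessId
            Path        = $proc.ExecutablePath
            Signature   = $status
            ParentName  = if ($parent) { $parent.Name } else { 'n/a' }
            ParentPID   = $proc.ParentProcessId
            CommandLine = $proc.CommandLine
        }
    }
}

function Get-AtJobTasks {
    # Legacy AT-style tasks are stored as At1.job, At2.job, ... in %SystemRoot%\Tasks.
    # Returns the matching .job files plus, via schtasks, the command each one runs.
    $taskDir = Join-Path $env:SystemRoot 'Tasks'
    $jobs = Get-ChildItem -Path $taskDir -Filter 'At*.job' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^At\d+\.job$' }
    $detail = schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv |
              Where-Object { $_.TaskName -match '(^|\\)At\d+$' } |
              Select-Object TaskName, 'Task To Run', 'Next Run Time', 'Run As User'
    [pscustomobject]@{
        TaskDir  = $taskDir
        JobCount = @($jobs).Count
        JobFiles = $jobs | Select-Object -ExpandProperty Name
        Tasks    = $detail
    }
}

Get-Rundll32Triage | Format-List
$at = Get-AtJobTasks
"{0} At*.job files in {1}" -f $at.JobCount, $at.TaskDir
$at.Tasks | Format-Table -AutoSize
```

A host with dozens of At##.job files whose "Task To Run" points rundll32 at randomly named files matches the pattern described in this post; a single signed rundll32.exe started by an ordinary parent does not.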
Hi to all! So I will try to use alternative software to dig into this issue.
Why can't LANDesk detect this Conficker? Anyway, I will try to dig this down, and after I solve this issue I will post the solution.
God bless us all!
If it is Conficker (and that isn't something you have confirmed yet), LANDesk does detect and clean it, but requires the following conditions to have been met to be sure:
1) System restore is disabled on affected devices
2) Affected devices have MS08-067 patch applied (Available in LANDesk updates and Patch Manager Updates)
3) 8.7 SP6 is applied to core/clients along with AV engine update and additional patches, or, 8.8 SP2a is applied to core/clients with AV engine update and additional patches as per article below.
5) Definition updates are being successfully applied to client devices
6) Perform a full system AV scan.
LANDesk were detecting and remediating this vulnerability as of October 2008 when Microsoft released it, but in keeping with most notorious viruses there have been several new variations which LANDesk AV and all other AV vendors have had to keep re-engineering engine/definitions to maintain defence. As long as all the conditions above are met you should be safe against it.
Hi! I used Process Manager as Zman suggested; here is the screenshot. I tried to verify, and it said that it is Microsoft Windows Publisher.
QUESTION: If it is Microsoft Windows Publisher, why are there so many? About 25 running rundll32.exe?
To Mr. Blair,
Hi! I already installed the LANDesk patch MS08-067, but I have the same problem. Is there any new solution for Conficker? Thanks!
Installing the patch protects against infection and re-infection; it doesn't clean the virus if it already exists on the system. In order to clean the virus up you have a number of options to try:
1) Make sure you have applied SP2a to core/client + the latest LANDesk AV engine + additional patches (in the post link I added before) and run a full system scan. Have you already tried this?
2) If you have LANDesk Security Suite: in addition to the definition to deploy the MS08-067 patch, LANDesk has also released a security threat definition (ST000208) which assists in detecting systems which are already affected with the virus and cleaning them as part of a LANDesk security scan.
3) Download the latest Microsoft Malicious Software Removal tool to the affected devices and run it. I believe this is meant to clean up conficker as well.
Again I hope this helps,
Hi! We are using LANDesk Management Suite 88 w/ SP3 on the core and clients, but still the same problem. I will try to download the Conficker removal tool; hope this will help. I will post the result after I test. Thanks for the help!
Hi! I used Process Manager and traced these rundll32.exe; it is located in the "C:\windows\tasks" folder. I saw at1, at2, at3, at4, at5, at6, at7... and so on.
I tried to end the task and delete all At#; it is well done, but after a few hours At# come back again. I am wondering now where the location of all these At# is. Any ideas, LANDesk experts? God bless!
For now no snapshot of AT#, but I will post the snapshot shortly! But the good thing is I can now delete the task, so every time I have complaints, I remote control and delete all AT#. Thanks!