
Multiple rundll32.exe on Windows 2003 server 1

Status
Not open for further replies.

serverman11

IS-IT--Management
Mar 25, 2009
2
CZ
On a Windows 2003 server (legal), in Process Explorer I have found multiple RUNDLL32 processes running at the same time. During the day their number increases.
I tested the server with Spybot, Ad-Aware 2008 and A-squared Anti-Malware. The NOD32 antivirus is running all the time. I have applied the latest server updates.
I worry that there is something wrong. I attach the Process Explorer log. The rows "rundll32 asualaj...." seem suspicious to me.
Can you help me, please?
Thanks in advance. Prasiva


Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)


Process PID CPU Private Bytes Description Command Line Company Name
System Idle Process 0 94.70 0 K
Interrupts n/a 0 K Hardware Interrupts
DPCs n/a 0 K Deferred Procedure Calls
System 4 0 K
smss.exe 256 124 K Windows NT Session Manager \SystemRoot\System32\smss.exe Microsoft Corporation
csrss.exe 304 1 600 K Client Server Runtime Process C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 Microsoft Corporation
winlogon.exe 328 9 564 K Windows NT Logon Application winlogon.exe Microsoft Corporation
services.exe 376 0.76 5 044 K Services and Controller app C:\WINDOWS\system32\services.exe Microsoft Corporation
svchost.exe 564 1 148 K Generic Host Process for Win32 Services C:\WINDOWS\system32\svchost.exe -k DcomLaunch Microsoft Corporation
wmiprvse.exe 3932 12 496 K WMI C:\WINDOWS\system32\wbem\wmiprvse.exe Microsoft Corporation
wmiprvse.exe 2620 12 004 K WMI C:\WINDOWS\system32\wbem\wmiprvse.exe Microsoft Corporation
unsecapp.exe 6948 2 488 K WMI C:\WINDOWS\system32\wbem\unsecapp.exe -Embedding Microsoft Corporation
svchost.exe 724 1 740 K Generic Host Process for Win32 Services C:\WINDOWS\system32\svchost.exe -k rpcss Microsoft Corporation
svchost.exe 788 5 964 K Generic Host Process for Win32 Services C:\WINDOWS\system32\svchost.exe -k NetworkService Microsoft Corporation
svchost.exe 824 2 152 K Generic Host Process for Win32 Services C:\WINDOWS\system32\svchost.exe -k LocalService Microsoft Corporation
svchost.exe 840 27 628 K Generic Host Process for Win32 Services C:\WINDOWS\System32\svchost.exe -k netsvcs Microsoft Corporation
rundll32.exe 5648 1 420 K Run a DLL as an App rundll32.exe asualaj.p,jrjfkw Microsoft Corporation
rundll32.exe 4892 1 412 K Run a DLL as an App rundll32.exe asualaj.p,ocrhsueo Microsoft Corporation
rundll32.exe 2360 1 412 K Run a DLL as an App rundll32.exe asualaj.p,kdeyd Microsoft Corporation
rundll32.exe 5740 1 412 K Run a DLL as an App rundll32.exe asualaj.p,zxfuj Microsoft Corporation
rundll32.exe 1416 1 412 K Run a DLL as an App rundll32.exe asualaj.p,ygtbyud Microsoft Corporation
rundll32.exe 2476 1 412 K Run a DLL as an App rundll32.exe asualaj.p,szubv Microsoft Corporation
rundll32.exe 5300 1 412 K Run a DLL as an App rundll32.exe asualaj.p,rijksfw Microsoft Corporation
rundll32.exe 4800 1 412 K Run a DLL as an App rundll32.exe asualaj.p,fwasqjzc Microsoft Corporation
rundll32.exe 5344 1 412 K Run a DLL as an App rundll32.exe asualaj.p,alhoi Microsoft Corporation
rundll32.exe 1984 1 412 K Run a DLL as an App rundll32.exe asualaj.p,dhcmdx Microsoft Corporation
rundll32.exe 5692 1 412 K Run a DLL as an App rundll32.exe asualaj.p,fuvxy Microsoft Corporation
rundll32.exe 3424 1 412 K Run a DLL as an App rundll32.exe asualaj.p,mjuucca Microsoft Corporation
rundll32.exe 2548 1 412 K Run a DLL as an App rundll32.exe asualaj.p,qjcukwz Microsoft Corporation
rundll32.exe 1000 1 412 K Run a DLL as an App rundll32.exe asualaj.p,qvgemm Microsoft Corporation
rundll32.exe 5516 1 412 K Run a DLL as an App rundll32.exe asualaj.p,exthbr Microsoft Corporation
rundll32.exe 5356 1 412 K Run a DLL as an App rundll32.exe asualaj.p,tqmbg Microsoft Corporation
rundll32.exe 1388 1 412 K Run a DLL as an App rundll32.exe asualaj.p,vganr Microsoft Corporation
rundll32.exe 1848 1 412 K Run a DLL as an App rundll32.exe asualaj.p,gtnpuav Microsoft Corporation
rundll32.exe 4752 1 412 K Run a DLL as an App rundll32.exe asualaj.p,wyphrlkb Microsoft Corporation
rundll32.exe 5616 1 412 K Run a DLL as an App rundll32.exe asualaj.p,vubuufw Microsoft Corporation
rundll32.exe 5468 1 412 K Run a DLL as an App rundll32.exe asualaj.p,kvistd Microsoft Corporation
rundll32.exe 5224 1 412 K Run a DLL as an App rundll32.exe asualaj.p,aqynwy Microsoft Corporation
rundll32.exe 5572 1 412 K Run a DLL as an App rundll32.exe asualaj.p,yzgzvtsa Microsoft Corporation
rundll32.exe 5556 1 412 K Run a DLL as an App rundll32.exe asualaj.p,sxehriyi Microsoft Corporation
rundll32.exe 5032 1 412 K Run a DLL as an App rundll32.exe asualaj.p,gmxpezl Microsoft Corporation
rundll32.exe 5908 1 412 K Run a DLL as an App rundll32.exe asualaj.p,gjmqxw Microsoft Corporation
rundll32.exe 5216 1 412 K Run a DLL as an App rundll32.exe asualaj.p,mbvolu Microsoft Corporation
rundll32.exe 5236 1 412 K Run a DLL as an App rundll32.exe asualaj.p,zdkdfv Microsoft Corporation
rundll32.exe 2652 1 412 K Run a DLL as an App rundll32.exe asualaj.p,khvcj Microsoft Corporation
rundll32.exe 5484 1 412 K Run a DLL as an App rundll32.exe asualaj.p,soivre Microsoft Corporation
rundll32.exe 5164 1 412 K Run a DLL as an App rundll32.exe asualaj.p,rvvhfs Microsoft Corporation
rundll32.exe 4900 1 412 K Run a DLL as an App rundll32.exe asualaj.p,igixrgz Microsoft Corporation
rundll32.exe 2840 1 412 K Run a DLL as an App rundll32.exe asualaj.p,klkyvsyl Microsoft Corporation
rundll32.exe 3208 1 412 K Run a DLL as an App rundll32.exe asualaj.p,jnmgrwm Microsoft Corporation
rundll32.exe 2656 1 412 K Run a DLL as an App rundll32.exe asualaj.p,qhdgt Microsoft Corporation
rundll32.exe 3588 1 412 K Run a DLL as an App rundll32.exe asualaj.p,bdxxnzsd Microsoft Corporation
rundll32.exe 5052 1 412 K Run a DLL as an App rundll32.exe asualaj.p,jfwrqp Microsoft Corporation
rundll32.exe 4888 1 412 K Run a DLL as an App rundll32.exe asualaj.p,llqokux Microsoft Corporation
rundll32.exe 636 1 412 K Run a DLL as an App rundll32.exe asualaj.p,hrnydndt Microsoft Corporation
rundll32.exe 1124 1 412 K Run a DLL as an App rundll32.exe asualaj.p,lkxawij Microsoft Corporation
rundll32.exe 4984 1 412 K Run a DLL as an App rundll32.exe asualaj.p,glgsjj Microsoft Corporation
rundll32.exe 5668 1 412 K Run a DLL as an App rundll32.exe asualaj.p,exfnbvp Microsoft Corporation
rundll32.exe 3308 1 412 K Run a DLL as an App rundll32.exe asualaj.p,vyyut Microsoft Corporation
rundll32.exe 2560 1 412 K Run a DLL as an App rundll32.exe asualaj.p,htcyji Microsoft Corporation
rundll32.exe 5132 1 412 K Run a DLL as an App rundll32.exe asualaj.p,sdnndlyo Microsoft Corporation
rundll32.exe 5168 1 412 K Run a DLL as an App rundll32.exe asualaj.p,vhzkcmm Microsoft Corporation
netdde.exe 1344 684 K Network DDE - DDE Communication C:\WINDOWS\system32\netdde.exe Microsoft Corporation
msdtc.exe 1408 2 312 K MS DTCconsole program C:\WINDOWS\system32\msdtc.exe Microsoft Corporation
a2service.exe 1476 10 168 K a-squared Service "C:\Program Files\a-squared Free\a2service.exe" Emsi Software GmbH
aspiusrv.exe 1536 1 460 K d:\aspisrv\aspiusrv.exe
certsrv.exe 1556 8 372 K Microsoft® Certificate Service C:\WINDOWS\system32\certsrv.exe Microsoft Corporation
dfssvc.exe 1592 3 204 K Windows NT Distributed File System Service C:\WINDOWS\system32\Dfssvc.exe Microsoft Corporation
dns.exe 1636 38 340 K Domain Name System (DNS) Server C:\WINDOWS\System32\dns.exe Microsoft Corporation
era.exe 1688 19 796 K ESET Remote Administrator Server "C:\Program Files\ESET\ESET Remote Administrator\Server\era.exe" ESET
svchost.exe 1720 604 K Generic Host Process for Win32 Services C:\WINDOWS\System32\svchost.exe -k WinErr Microsoft Corporation
fbguard.exe 1772 1 116 K Firebird SQL Server "C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe" -s The Firebird Project
msecatt.exe 1800 129 292 K Attendant Service "C:\Program Files\GFI\MailEssentials\msecatt.exe" -service GFI Software Ltd.
contentsecurity.as.attendant.exe 1896 49 652 K SvcAttendant "C:\Program Files\GFI\MailEssentials\MiddleLayer\contentsecurity.as.attendant.exe" -service GFI Software Ltd
mestrxsvc.exe 284 10 000 K MESTRXSVC "C:\Program Files\GFI\MailEssentials\mestrxsvc.exe" GFI
IBMSPSVC.EXE 1184 340 K C:\WINDOWS\system32\ibmspsvc.exe
IBMSPREM.EXE 1216 724 K "C:\WINDOWS\system32\ibmsprem.exe"
IBMSPREM.EXE 1248 692 K C:\WINDOWS\system32\ibmsprem.exe -PM
inetinfo.exe 1212 0.76 330 236 K Internet Information Services C:\WINDOWS\system32\inetsrv\inetinfo.exe Microsoft Corporation
ismserv.exe 1764 7 552 K Windows NT Intersite Messaging Service C:\WINDOWS\System32\ismserv.exe Microsoft Corporation
tcpsvcs.exe 1968 1.52 10 440 K TCP/IP Services Application C:\WINDOWS\system32\tcpsvcs.exe Microsoft Corporation
NHOSTSVC.EXE 2096 896 K NetOp Helper Service for Windows NT "C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE" Danware Data A/S
Nhstw32.exe 3184 10 728 K NetOp 32 Host Application. "C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHSTW32.EXE" Danware Data A/S
NLDRW32.EXE 4712 684 K NetOp Remote Control loader utility nldrw32.exe Danware Data A/S
nod32krn.exe 2156 33 492 K NOD32 Kernel Service "C:\Program Files\Eset\nod32krn.exe" Eset
ntfrs.exe 2200 11 800 K File Replication Service C:\WINDOWS\system32\ntfrs.exe Microsoft Corporation
svchost.exe 2484 816 K Generic Host Process for Win32 Services C:\WINDOWS\system32\svchost.exe -k regsvc Microsoft Corporation
snmp.exe 2580 4 632 K SNMP Service C:\WINDOWS\System32\snmp.exe Microsoft Corporation
wins.exe 2796 7 976 K WINS SERVER C:\WINDOWS\System32\wins.exe Microsoft Corporation
exmgmt.exe 2876 8 316 K Microsoft Exchange WMI Provider "C:\Program Files\Exchsrvr\bin\exmgmt.exe" Microsoft Corporation
mad.exe 3080 21 456 K Microsoft Exchange Server - System Attendant "C:\Program Files\Exchsrvr\bin\mad.exe" Microsoft Corporation
mssearch.exe 3816 11 852 K Microsoft PKM Search Service "C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe" Microsoft Corporation
svchost.exe 3956 7 996 K Generic Host Process for Win32 Services C:\WINDOWS\System32\svchost.exe -k iissvcs Microsoft Corporation
w3wp.exe 4496 47 204 K IIS Worker Process c:\windows\system32\inetsrv\w3wp.exe -a \\.\pipe\iisipm17f809d0-ee69-43b1-ab7f-c74fad3cea2c -ap "ExchangeApplicationPool" Microsoft Corporation
pop2exch.exe 4088 11 528 K GFI POP2Exchange Service "C:\Program Files\GFI\MailEssentials\pop2exch.exe" GFI Software Ltd.
store.exe 1336 606 848 K Microsoft MDB Store "C:\Program Files\Exchsrvr\bin\store.exe" Microsoft Corporation
emsmta.exe 3528 20 900 K Microsoft Exchange MTA "C:\Program Files\Exchsrvr\bin\emsmta.exe" Microsoft Corporation
svchost.exe 6072 3 204 K Generic Host Process for Win32 Services C:\WINDOWS\System32\svchost.exe -k termsvcs Microsoft Corporation
fbserver.exe 6140 1 968 K Firebird SQL Server "C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe" -s The Firebird Project
svchost.exe 3092 4 044 K Generic Host Process for Win32 Services C:\WINDOWS\System32\svchost.exe -k tapisrv Microsoft Corporation
spoolsv.exe 5016 17 148 K Spooler SubSystem App C:\WINDOWS\system32\spoolsv.exe Microsoft Corporation
CNAB4RPK.EXE 3668 1 032 K Canon Advanced Printing Technology RPC Server Process C:\WINDOWS\system32\CNAB4RPK.EXE CANON INC.
AAWService.exe 8108 48 080 K Ad-Aware Service Application "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe" Lavasoft
lsass.exe 388 0.76 36 932 K LSA Shell C:\WINDOWS\system32\lsass.exe Microsoft Corporation
logon.scr 1280 484 K Logon Screen Saver logon.scr /s Microsoft Corporation
csrss.exe 3852 1 376 K Client Server Runtime Process C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 Microsoft Corporation
winlogon.exe 1508 5 052 K Windows NT Logon Application winlogon.exe Microsoft Corporation
rdpclip.exe 4532 1 352 K RDP Clip Monitor rdpclip Microsoft Corporation
explorer.exe 6604 10 044 K Windows Explorer C:\WINDOWS\Explorer.EXE Microsoft Corporation
nod32kui.exe 7040 2 472 K NOD32 Control Center GUI "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE Eset
jusched.exe 6168 2 624 K Java(TM) Platform SE binary "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" Sun Microsystems, Inc.
jucheck.exe 6736 3 788 K Java(TM) Update Checker "C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe" -auto -scheduled Sun Microsystems, Inc.
OrderReminder.exe 5840 740 K HP Cartridge Order Reminder "C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" Hewlett-Packard
CNMNSUT.EXE 7628 1 808 K Canon IJ Network Scan Utility "C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" CANON INC.
AAWTray.exe 7584 928 K Ad-Aware Tray Application "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" Lavasoft
ctfmon.exe 5904 544 K CTF Loader "C:\WINDOWS\system32\ctfmon.exe" Microsoft Corporation
procexp.exe 6632 1.52 23 384 K Sysinternals Process Explorer "D:\0install\PorcessExplorerNT\procexp.exe" Sysinternals -

TOTALCMD.EXE 6960 4 284 K Total Commander 32 bit international version, file manager replacement for Windows "C:\totalcmd\TOTALCMD.EXE" C. Ghisler & Co.
firefox.exe 3468 75 032 K Firefox "C:\Program Files\Mozilla Firefox\firefox.exe" Mozilla Corporation
 
Run Ad-Aware and Spybot against your machine.

________________________________________
Achieving a perception of high intelligence level can only be limited by your manipulation skills of the Google algorithm!
 
Everything is OK now. There was a file named "asualaj" infected by Conficker. This process created many jobs in Scheduled Tasks. The runs of these jobs caused the suspicious behaviour of the system.
Prasiva
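As an added example (not code from the thread or from either poster), the following Python script automates the triage the original post did by eye and that the follow-up post resolved: it scans a process listing or a scheduled-task export for rundll32 invocations, groups them by module, and flags modules that look like the rows above, i.e. a bare module name that is resolved through the DLL search order rather than a fixed path, an extension that is not .dll, and many distinct entry points for one module. The Process Explorer rows in the first sample are copied from the log in the thread; the shell32.dll row, the schtasks sample with its column layout, and the host and task names in it are constructed assumptions.

```python
import re
from collections import defaultdict

# One rundll32 invocation: optional ".exe", a quoted or bare module name,
# a comma, then the entry-point name.  It scans free text, so the same code
# runs over a Process Explorer export or over the text of
# `schtasks /query /fo csv /v` (the "Task To Run" column).
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^\s",]+))\s*,\s*([^\s",]+)',
    re.IGNORECASE,
)

# Sample input 1: rows copied from the thread's Process Explorer log, plus one
# constructed benign row (the shell32.dll line) for contrast.
PROCEXP_SAMPLE = r"""
rundll32.exe 5648 1 420 K Run a DLL as an App rundll32.exe asualaj.p,jrjfkw Microsoft Corporation
rundll32.exe 4892 1 412 K Run a DLL as an App rundll32.exe asualaj.p,ocrhsueo Microsoft Corporation
rundll32.exe 2360 1 412 K Run a DLL as an App rundll32.exe asualaj.p,kdeyd Microsoft Corporation
rundll32.exe 5740 1 412 K Run a DLL as an App rundll32.exe asualaj.p,zxfuj Microsoft Corporation
rundll32.exe 1416 1 412 K Run a DLL as an App rundll32.exe asualaj.p,ygtbyud Microsoft Corporation
rundll32.exe 2476 1 412 K Run a DLL as an App rundll32.exe asualaj.p,szubv Microsoft Corporation
rundll32.exe 3100 2 104 K Run a DLL as an App rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL Microsoft Corporation
"""

# Sample input 2: a constructed scheduled-task listing in the shape of
# `schtasks /query /fo csv /v` output.  The column layout, host name and
# task names are assumptions; the command lines mirror the follow-up post.
SCHTASKS_SAMPLE = r"""
"HostName","TaskName","Next Run Time","Status","Task To Run"
"SRV01","At1","08:00:00, 26.3.2009","","rundll32.exe asualaj.p,jrjfkw"
"SRV01","At2","09:00:00, 26.3.2009","","rundll32.exe asualaj.p,ocrhsueo"
"""


def extract_rundll_calls(text):
    """Return a list of (module, entry_point) pairs for every rundll32 call in text."""
    calls = []
    for m in RUNDLL_RE.finditer(text):
        module = m.group(1) or m.group(2)   # quoted path or bare token
        calls.append((module, m.group(3)))
    return calls


def module_reasons(module, entry_points, min_variants=3):
    """Heuristic reasons one rundll32 module looks odd; an empty list means nothing stood out."""
    reasons = []
    base = module.rsplit("\\", 1)[-1]
    if "\\" not in module:
        reasons.append("bare module name: resolved through the DLL search order, not a fixed path")
    if not base.lower().endswith((".dll", ".cpl")):
        reasons.append("unusual module extension: %r" % base)
    variants = len(set(entry_points))
    if variants >= min_variants:
        reasons.append("%d distinct entry points for one module across %d invocations"
                       % (variants, len(entry_points)))
    return reasons


def triage(text, min_variants=3, min_reasons=2):
    """Group rundll32 calls by module (lower-cased) and return the modules that
    collect at least min_reasons heuristic reasons.  Requiring two reasons keeps a
    lone bare 'shell32.dll,Control_RunDLL' from being reported."""
    by_module = defaultdict(list)
    for module, entry in extract_rundll_calls(text):
        by_module[module.lower()].append(entry)
    findings = {}
    for module, entries in by_module.items():
        reasons = module_reasons(module, entries, min_variants)
        if len(reasons) >= min_reasons:
            findings[module] = {
                "count": len(entries),
                "entrypoints": sorted(set(entries)),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for label, sample in (("process list", PROCEXP_SAMPLE), ("scheduled tasks", SCHTASKS_SAMPLE)):
        print("== %s ==" % label)
        for module, info in triage(sample).items():
            print("%s  (%d invocations, %d entry points)" % (module, info["count"], len(info["entrypoints"])))
            for reason in info["reasons"]:
                print("   - " + reason)
```

On the thread's rows the script reports asualaj.p with all three reasons and stays quiet about the shell32.dll row; on the task listing it still reports the same module from only two invocations, because the bare name and the .p extension are enough on their own. Pointing it at a live schtasks export is the quick way to confirm the scheduled jobs the follow-up post describes, and the entry-point list it prints gives a defender the set of names to search for in other logs.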
 