6 Replies Latest reply on Dec 7, 2011 10:19 PM by Hayton

    20 Windows Host Processes(RunDll32) spawned and counting

      - Dell Inspiron 1720  dual core intel

      - Vista OS current with all the latest updates OS and McAfee

      - Virus scans w/o error

       

      - System horribly bogged down.

      - UAC Windows Host Process(RunDll32) requests control to do something.

      - Since no obvious action provoked that permission request, the user closed the window, only to see it raised again.

      - Eventually I had the sense to look at the task manager ( see attached snapshot. )

      - I couldn't believe that McAfee could not see the problem.

      - updated McAfee and rescanned.

      - problem continued

       

      - given the fundamental nature of  the Windows Host Process, I decided to just buy a new disk and rebuild the system with Win 7.

      - problem solved

       

      - the old disk is still on the system, but is no longer the system disk, though I can boot from it if anyone cares to explore this problem.

       

       

      Anyone recognize this?

       

      - Once I've completely unloaded the old disk to my satisfaction, I will reformat it. But that will take a while, and the system appears to be OK if not booted from that disk.

        • 1. Re: 20 Windows Host Processes(RunDll32) spawned and counting
          Peacekeeper

          You did not have multiple google chrome tabs open?

           

          In case it is infected, and that many is definitely suspect, try the programs from here

          McAfee Communities: Anti-Spyware, Malware & Hijacker Tools

           

          The getsusp program will analyse what files it does not recognise and forward them to McAfee. Ensure your email address is in the preferences so McAfee can contact you.

           

          The stingers, both normal and fake alert, might assist, but do run Malwarebytes and SUPERAntiSpyware.

          • 2. Re: 20 Windows Host Processes(RunDll32) spawned and counting

            re: google chrome....    Google chrome is not installed on that machine. ( I  am not reporting from that machine )

            Thanks for the link to the other tools, will try them.

             

            Will these tools  still scan the problem drive even though it is not the working system drive?

            I can imagine a virus being dormant in an inactive system drive.

            I guess the thing to do is see what I find first with the drive inactive, and if nothing shows up, then

            boot from the problem drive and run the tools.

            -m

            • 3. Re: 20 Windows Host Processes(RunDll32) spawned and counting
              Peacekeeper

              Getsusp should query it if it is present and the others as well. Malwarebytes is only for trojans and malware and not for viruses but all worth a go.

              • 4. Re: 20 Windows Host Processes(RunDll32) spawned and counting
                Hayton

                You may have solved it (or worked around it) by now, but it would have been useful to know what all those instances of rundll32 were doing and where they came from. If it happens again, get hold of SysInternals' Process Explorer, which is vastly more informative than Task Manager. Hover the mouse over one of the rundll32 lines and you will see the relevant information in a popup - see below for an example.

                Process Explorer info.JPG

                • 5. Re: 20 Windows Host Processes(RunDll32) spawned and counting

                  Thanks for both suggestions. I have been back to the machine once. I have successfully rebuilt the system and preserved the odd disk for further exploration.

                  Before I got your suggestions, I started deleting rundll processes. What you see in my first screen shot was what I started with, and I managed to reduce to three before I stopped. Who knows what I killed off.

                   

                  BUT,

                  after getting your message, I downloaded Process Explorer to look at the remaining three. As the system was booting up I got a boatload of messages of missing dlls. I got a screen shot of those messages. I presume all of those were somehow related to the processes I terminated.

                   

                  ErrorsReportedOnRebootAfterDllsStopped.JPG

                   

                  And then I took a screen shot of the state shown by Process Explorer. Unfortunately, I was so happy to see so much more detail with PE that I neglected the detail of hovering the pointer until now.

                  Regardless, I attach the screen shot without the hover (I know, that's the key bit). Note that there are only 3 rundll processes running because of my rundll process killing spree.

                   

                  ProcessExplorerAfterDLLsStopped.JPG

                  need to go back and do the hover part. I apologize for the delay, I don't have ready access to the machine except in crisis.

                   

                  I will also try the getsusp idea as well.

                  • 6. Re: 20 Windows Host Processes(RunDll32) spawned and counting
                    Hayton

                    Use Process Explorer (hover over, check the details) to make sure they're genuine processes. Kill off anything that doesn't look right. I must say I've not seen quite as many as that before, but the error boxes seem to be saying they were all genuine (except perhaps the first one?)
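
The check discussed in replies 4 and 6 (what each rundll32 instance was launched with, from where, and by which parent), as an added example that is not part of the original thread. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; `Get-RundllTarget` is a hypothetical helper name, and resolving bare DLL names to System32 is a simplification.

```powershell
# Added example: list every rundll32.exe with the details Process Explorer
# shows on hover (command line, image path, parent) plus the DLL it hosts.

function Get-RundllTarget {
    param([string]$CommandLine)
    # rundll32 syntax: rundll32.exe <dll>,<entrypoint> [arguments]
    # Drop the rundll32 image itself (quoted or bare) and keep the arguments.
    $rest = $CommandLine -replace '^\s*("[^"]*"|\S+)\s*', ''
    # The DLL is everything up to the first comma, optionally quoted.
    if ($rest -match '^"?([^",]+)"?\s*,') {
        $dll = $matches[1].Trim()
        # Assumption: a bare file name is loaded from System32.
        if (-not (Split-Path $dll -IsAbsolute)) {
            $dll = Join-Path "$env:SystemRoot\System32" $dll
        }
        return $dll
    }
    return $null
}

# A genuine rundll32.exe lives in one of these two locations.
$expected = @("$env:SystemRoot\System32\rundll32.exe",
              "$env:SystemRoot\SysWOW64\rundll32.exe")

$all  = Get-WmiObject Win32_Process
$byId = @{}
foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

$all | Where-Object { $_.Name -ieq 'rundll32.exe' } | ForEach-Object {
    $dll    = Get-RundllTarget $_.CommandLine
    $parent = $byId[[int]$_.ParentProcessId]
    # On older PowerShell versions catalog-signed OS files can report NotSigned,
    # so treat the signature as one input, not a verdict.
    $sig = if ($dll -and (Test-Path $dll)) {
        (Get-AuthenticodeSignature -FilePath $dll).Status
    } else { 'FileNotFound' }
    New-Object PSObject -Property @{
        PID          = $_.ProcessId
        GenuineImage = ($expected -contains $_.ExecutablePath)  # False if path is unreadable
        Parent       = if ($parent) { $parent.Name } else { '(exited)' }
        HostedDll    = $dll
        DllSignature = $sig
        CommandLine  = $_.CommandLine
    }
} | Select-Object PID, GenuineImage, Parent, HostedDll, DllSignature, CommandLine | Format-List
```

Rows worth a closer look are those where `GenuineImage` is False, the hosted DLL sits in a user-writable directory such as a Temp or AppData folder, or the DLL file no longer exists.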