Rundll32.exe causes computer to hang at shut-down

saitech

I have been working with a computer that consistently hangs on shutdown, but
only if the computer has been on all day. It gives an error "rundll32.exe is
not responding". I found a command line tool to show me what process is
being used (WMIC /OUTPUT:C:\ProcessList.txt PROCESS get
Caption,Commandline,Processid). Unfortunately, once the rundll32.exe error
appears, the computer is already in shutdown mode and I cannot access a
command line. How can I find out what is causing the hang?
 
nass

Hi,
This can be a legitimate process, which is located here:
C:\Windows\System32, and it can also be a Trojan backdoor!
Make sure your system is clean by scanning with up-to-date security software.
What's the suspicious Rundll32.exe process?
http://windowsxp.mvps.org/rundll32.htm
HTH,
nass
 
saitech

That's the problem. I don't know what process it's hanging on, because as I
said before, once the error pops up, the computer is already in the process
of shutting down and I cannot get to task manager, a command line, or
anything else. I've searched the computer for rundll32.exe. It appears ONLY
in the c:\windows\system32 folder, the c:\i386 folder, and the
c:\windows\$NTServicePackUninstall$ folders. I've tried everything I can
think of short of reformatting and reinstalling. It only seems to happen
when the computer has been on for a while and ONLY when the shutdown command
is issued (via Start, Run, Shut Down).
 
nass

Hi,
Can you see any error messages in the Event Viewer?
What troubleshooting steps have you followed so far, so that we can look
further and avoid repeating what you already tried?
 
saitech

Nothing is written to the event viewer. The user thinks the problem started
after her computer was updated about a month ago. Only windows updates and
Adobe were updated. Adobe was updated to 9.1. I did a system restore back
to the 1st of Feb but she still gets the error. I've looked at msconfig to
see what is running at startup. I've looked in the "run" key in the registry
to see if anything seems out of place. Everything appears normal. I
uninstalled and reinstalled her anti-virus software. I ran a registry cleaner
on her computer. So far, nothing has changed.

When I first started looking into this, I ended up having to just push the
power button to shut down. I restarted three times, and could never recreate
the problem. I thought it must be something that builds up during the day,
however I have monitored her computer for a full day, checking every 30
minutes for any rundll's in the task list. Nothing. This only happens at
shutdown after running for a full day or so. She does shut down every night.
Sometimes she will have only three rundll32's in task manager when she shuts
down. I've seen as many as seven.

Last week I made her an admin on the machine so that I could get to a
command prompt from her profile to run this command - c:\WMIC
/OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid. Here
are the results, keeping in mind that I could NOT get to a command prompt
until I CLEARED the first rundll32.exe error, so I don't know what process
was the one actually hanging the machine. When I tried to open command
prompt or Task Manager, I would get a message stating that the machine was
shutting down. However, I was able to cancel that first message, then go to
c:\. Here is the result:

Caption | CommandLine | ProcessId
System Idle Process |  | 0
System |  | 4
smss.exe | \SystemRoot\System32\smss.exe | 472
csrss.exe | C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 | 520
winlogon.exe | winlogon.exe | 544
services.exe | C:\WINDOWS\system32\services.exe | 588
lsass.exe | C:\WINDOWS\system32\lsass.exe | 600
svchost.exe | C:\WINDOWS\system32\svchost -k DcomLaunch | 772
svchost.exe | C:\WINDOWS\system32\svchost -k rpcss | 840
MsMpEng.exe | "C:\Program Files\Windows Defender\MsMpEng.exe" | 908
svchost.exe | C:\WINDOWS\System32\svchost.exe -k netsvcs | 948
SavService.exe | "C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe" | 1008
svchost.exe | C:\WINDOWS\system32\svchost.exe -k NetworkService | 1288
svchost.exe | C:\WINDOWS\system32\svchost.exe -k LocalService | 1332
spoolsv.exe | C:\WINDOWS\system32\spoolsv.exe | 1468
mainserv.exe | "C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe" | 1616
Iap.exe | "C:\Program Files\Dell\OpenManage\Client\Iap.exe" | 1748
mdm.exe | "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" | 1764
locator.exe | C:\WINDOWS\system32\locator.exe | 1876
SAVAdminService.exe | "C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe" | 1912
ManagementAgentNT.exe | "C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent | 1944
ALsvc.exe | "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" | 136
RouterNT.exe | "C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 | 160
searchindexer.exe | C:\WINDOWS\system32\SearchIndexer.exe /Embedding | 248
alg.exe | C:\WINDOWS\System32\alg.exe | 1648
explorer.exe | C:\WINDOWS\Explorer.EXE | 2336
ctfmon.exe | "C:\WINDOWS\system32\ctfmon.exe" | 2988
wmiprvse.exe | C:\WINDOWS\system32\wbem\wmiprvse.exe | 1624
rundll32.exe | rundll32.exe C:\WINDOWS\system32\inetcpl.cpl,ClearMyTracksByProcess 1 26 211 | 880
rundll32.exe | rundll32.exe C:\WINDOWS\system32\inetcpl.cpl,ClearMyTracksByProcess 8 26 211 | 1600
searchprotocolhost.exe | "C:\WINDOWS\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe94_ Global\UsGthrCtrlFltPipeMssGthrPipe94 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot) " "C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | 2348
searchfilterhost.exe | "C:\WINDOWS\system32\SearchFilterHost.exe" 0 588 592 600 65536 596 | 3860
cmd.exe | "C:\WINDOWS\system32\cmd.exe" | 2360
notepad.exe | "C:\WINDOWS\system32\NOTEPAD.EXE" \\sms\cdimages\Darla\see what processes are running and their command-line parameters.txt | 868
wmic.exe | WMIC /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid | 2812
wmiprvse.exe | C:\WINDOWS\system32\wbem\wmiprvse.exe | 2492

I looked up the "clearmytracksbyprocess" and see that is to erase cookies,
history, etc., so that seems ok. I did go in and set her "clear history" in
IE7 to 0. I can click OK or end process on these errors, though, and get
past them. It is that first one that completely hangs the computer. Is
there any kind of script or batch file I could put on the machine to log what
is happening at shutdown? Otherwise I'm at a loss as to how to find this.
We do use spam assassin, windows defender, and sophos antivirus. I have not
run a spyware program on there, but I can do that if you think it might help.
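
A way to triage the rundll32.exe entries in a listing like the one above, as an added example that is not part of the original thread: it reads WMIC output in /FORMAT:LIST layout and, for each rundll32.exe, reports the parent process, the DLL and entry point it was asked to run, and whether that DLL sits in system32. The sample records are constructed (only PIDs 2336 and 880 and the inetcpl.cpl command line come from the thread); the added ParentProcessId column and the C:\WINDOWS\system32 location are assumptions.

```python
import ntpath
import re

# Constructed sample in the layout printed by
#   WMIC PROCESS get Caption,CommandLine,ParentProcessId,ProcessId /FORMAT:LIST
# PIDs 2336 and 880 and the inetcpl.cpl line are from the thread; the
# ParentProcessId values and the last record are made up for illustration.
SAMPLE = r"""
Caption=explorer.exe
CommandLine=C:\WINDOWS\Explorer.EXE
ParentProcessId=2300
ProcessId=2336

Caption=rundll32.exe
CommandLine=rundll32.exe C:\WINDOWS\system32\inetcpl.cpl,ClearMyTracksByProcess 1 26 211
ParentProcessId=2336
ProcessId=880

Caption=rundll32.exe
CommandLine=rundll32.exe "C:\Documents and Settings\user\Local Settings\Temp\example.dll",Run
ParentProcessId=4000
ProcessId=3100
"""
SYSTEM_DIR = r"c:\windows\system32"  # assumption: default Windows XP layout
# rundll32 <dll>,<entry point> [args]; the DLL path may be quoted.
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^,]+?))\s*,\s*(\S+)', re.I)

def parse_records(text):
    """Split LIST-format output into one dict per process."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict(line.strip().split("=", 1) for line in b.splitlines() if "=" in line)
            for b in blocks]

def triage_rundll32(text):
    """Return (pid, parent name, dll, entry point, dll location) per rundll32."""
    records = parse_records(text)
    names = {r.get("ProcessId"): r.get("Caption") for r in records}
    rows, hosts = [], [r for r in records if r.get("Caption", "").lower() == "rundll32.exe"]
    for r in hosts:
        m = RUNDLL.search(r.get("CommandLine", ""))
        dll, entry = (m.group(1) or m.group(2), m.group(3)) if m else ("", "")
        folder = ntpath.dirname(dll).lower()
        where = ("unparsed" if not m else "system32" if folder == SYSTEM_DIR
                 else "unqualified" if not folder else "other")
        rows.append((r.get("ProcessId"), names.get(r.get("ParentProcessId"), "not running"),
                     dll, entry, where))
    return rows
```

Process IDs are reused, so a parent name is only reliable when the parent was still running at the moment the snapshot was taken.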
 
nass

Hi,
Did you try to start with a Clean Boot on this machine?

It could be that Rundll32.exe has become corrupt on the HDD and needs to be
replaced. Also try to make sure the RAM passes the test on this machine, to
eliminate the RAM from our scenario.

Process Monitor
Monitor file system, Registry, process, thread and DLL activity in real-time.
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

ShellExView - Shell Extension Manager For Windows
http://www.nirsoft.net/utils/shexview.html

DiskMon
http://technet.microsoft.com/en-us/sysinternals/bb896646.aspx

FileMon
http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx

PsTools
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

If you need further help and your machine is infected, download HijackThis
and send the report to one of the many forums for analysis and troubleshooting,
or you can send it to me at my email provided at the bottom:
When all else fails, download HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)

Can you please send me a copy at (e-mail address removed),
remove the obvious to email me.

HTH,
nass
 
saitech

I ran Dell diagnostics on all the hardware as one of the first steps in
trying to diagnose this problem and all hardware passed. I did not try
starting with clean boot and had not thought that possibly the rundll32
itself might be bad. I'll try those and the other suggestions offered here.
Thank you so much for your continued response. I'll let you know how it goes.
 
