Multiple instances of licmc.dfo
Windows XP Professional SP3 with all updates running Symantec Endpoint Protection on a corporate network. One of the many services running under netsvcs (svchost.exe -k netsvcs) is launching rundll32.exe on licmc.dfo with a random set of characters (looks like 6-8 letters, such as 'kucooz' or 'aamliaik') about every five minutes. Process Explorer shows dozens of these after the machine has been up for a while. The tasks don't seem to be doing anything, but they do suck up 27,636 K for each task. Killing the task doesn't seem to affect the system at all, except to free up the memory. With Process Explorer I can trace back from the rundll32 instance to the svchost instance, but I can't seem to go from there to see which of the many netsvcs services is doing the actual launch. Any ideas on how I can find it, and potentially get it fixed? It's worth noting that there doesn't seem to be any file on the system named licmc.dfo, so I'm guessing the task just hangs when it can't find whatever it's trying to launch... And an internet search on licmc.dfo doesn't seem to have any matches.
February 2nd, 2010 10:23pm

Just checked another computer, it also has multiple instances of rundll.exe with similar characteristics, but the command line for them is "rundll32.exe hjvgpo.a,randomletters". Looks like it's probably malware a bit too new for my systems.
February 2nd, 2010 10:46pm

I thought I was getting somewhere... :-) The second computer has log files from last December showing an infection of W32.Downadup.B, and had 89 entries in the Task Scheduler that were attempting to launch the bad guy. It looked like it was just not completely cleaned up after the initial infection. I deleted the Task Scheduler events and haven't seen a new launch yet. It's interesting to note that a Search Companion search of the entire C drive, including hidden and system files, for anything that had the text string in it didn't find the Task Scheduler events. :-( But ... the first machine doesn't have the Task Scheduler events, so it's something else that's trying to launch the bad software. Does anyone have ideas on what else could be affected by that trojan?
February 3rd, 2010 10:43pm
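
For the leftover scheduled tasks described in the post above, an added example (not part of the original thread): a Python script that extracts UTF-16LE strings from .job files and lists any rundll32 launches. It assumes the tasks are .job files under %SystemRoot%\Tasks with their text stored as UTF-16LE, which a byte search for the ASCII name does not match; the sample blob and the `packed` helper are constructed for illustration.

```python
import re
import struct
import sys
from pathlib import Path

# Runs of 4+ printable ASCII characters stored as UTF-16LE (each followed by 0x00).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def utf16_strings(data: bytes) -> list[str]:
    """Return every printable UTF-16LE string found in a binary blob."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def rundll32_launches(data: bytes) -> list[str]:
    """Return 'application arguments' for each rundll32 reference in the blob."""
    strings = utf16_strings(data)
    hits = []
    for i, s in enumerate(strings):
        if "rundll32" in s.lower():
            # Assumption: the arguments are the next string after the application name.
            args = strings[i + 1] if i + 1 < len(strings) else ""
            hits.append(f"{s} {args}".strip())
    return hits


def packed(s: str) -> bytes:
    """Length-prefixed, NUL-terminated UTF-16LE text (layout of the constructed sample)."""
    return struct.pack("<H", len(s) + 1) + (s + "\0").encode("utf-16-le")


# Constructed sample, not a real .job file: binary header bytes followed by three strings.
SAMPLE = (b"\x01\x05\x01\x00" + bytes(range(8)) + packed("rundll32.exe")
          + packed("licmc.dfo,kucooz") + packed("SYSTEM"))

if __name__ == "__main__":
    # Usage: python scan_jobs.py C:\WINDOWS\Tasks   (run without arguments to scan the sample)
    if len(sys.argv) > 1:
        blobs = {str(p): p.read_bytes() for p in Path(sys.argv[1]).glob("*.job")}
    else:
        blobs = {"<constructed sample>": SAMPLE}
    for name, blob in blobs.items():
        print(name, "ASCII match:", b"rundll32" in blob)
        for launch in rundll32_launches(blob):
            print("   ", launch)
```
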

This topic is archived. No further replies will be accepted.
