rundll32.exe


spy1
November 29th, 2003, 10:51 AM
Should I add that one to the list in PG? it seems to want a piece of everything at start-up.

If I do add it, should I give it a "Write" "Allow"? Pete

Example:

[09:27:42] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:42] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]


(Had to shorten it). Pete
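Added example, not code from the thread, from Process Guard or from DiamondCS: a small Python parser for alert lines in the format Pete pasted. It groups the alerts by source and target process, merges the requested rights, and marks a group for review when the rights would let the requester change, freeze or kill the target (WRITE, TERMINATE, SUSPEND). The line format is inferred from the lines above; the sample input is the first four lines of the post plus one constructed line (PID 1460, SET INFO only) that should raise no flag. The grouping of rights into "control rights" is my own triage choice, not a Process Guard definition.

```python
import re
from collections import OrderedDict

# Constructed sample input: the first four alert lines from the post above,
# plus one constructed line (PID 1460, SET INFO only) that should raise no flag.
SAMPLE_LOG = r"""
[09:27:42] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:42] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:28:01] - [P] - g:\windows\system32\rundll32.exe [1460] tried to gain SET INFO access on g:\windows\explorer.exe [1432]
"""

# Pattern inferred from the pasted lines: time, a one-letter flag, source
# image and PID, the requested rights, target image and PID.
LINE_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] - \[(?P<flag>[A-Z])\] - "
    r"(?P<src>.+?) \[(?P<src_pid>\d+)\] tried to gain (?P<rights>.+?) access on "
    r"(?P<dst>.+?) \[(?P<dst_pid>\d+)\]$"
)

# Rights that let the requester alter, freeze or kill the target process.
# Assumed grouping for triage, not a Process Guard definition.
CONTROL_RIGHTS = {"WRITE", "TERMINATE", "SUSPEND"}


def parse_log(text):
    """Return one dict per alert line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["rights"] = frozenset(r.strip() for r in ev["rights"].split(","))
        ev["src_pid"] = int(ev["src_pid"])
        ev["dst_pid"] = int(ev["dst_pid"])
        events.append(ev)
    return events


def summarise(events):
    """Group alerts by (source image, source PID, target image, target PID)."""
    groups = OrderedDict()
    for ev in events:
        key = (ev["src"].lower(), ev["src_pid"], ev["dst"].lower(), ev["dst_pid"])
        g = groups.setdefault(
            key, {"count": 0, "rights": set(), "first": ev["time"], "last": ev["time"]}
        )
        g["count"] += 1
        g["rights"] |= ev["rights"]
        g["last"] = ev["time"]
    for g in groups.values():
        g["control_rights"] = g["rights"] & CONTROL_RIGHTS
        g["severity"] = "review" if g["control_rights"] else "info"
    return groups


def report(text):
    """One readable line per group, short enough to paste into a thread."""
    lines = []
    for (src, spid, dst, dpid), g in summarise(parse_log(text)).items():
        lines.append(
            f"{g['severity'].upper():6} {src} [{spid}] -> {dst} [{dpid}]: "
            f"{g['count']} alert(s) {g['first']}..{g['last']}, "
            f"rights={','.join(sorted(g['rights']))}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Collapsing the repeats this way shows at a glance that it is one rundll32 instance (PID 1452) retrying the same request against explorer.exe, which is the question the thread goes on to ask: what that instance is hosting, since the image name alone does not say.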

Andreas1
November 29th, 2003, 11:07 AM
Hi Pete,
can you find out which dll it is loading/running there? Maybe with DCS's cmdline tool (http://www.diamondcs.com.au/index.php?page=console-cmdline) - if it stays active long enough.
The problem is that rundll and rundll32, just like svchost, do function as a host for all sorts of program modules (here it's dlls, not services), and whether or not you should allow it, depends on what dll is being launched this way...

Andreas
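Added example illustrating Andreas's point, not code from the thread or from DiamondCS: rundll32 itself tells you nothing, the DLL and entry point on its command line do. The hypothetical helper below splits a rundll32 command line of the form `rundll32 <dll>,<entry> [args]` into those pieces (handling a quoted DLL path with spaces, blanks around the comma, and ordinal entry points such as `#12`), then applies a simple triage heuristic of my own: a bare DLL name is ambiguous because the loader resolves it by search order, a full path outside the Windows directory deserves a look before allowing, and an ordinal entry point hides the exported name. The command lines and paths in the test are constructed; the Windows root defaults to `g:\windows` because that is where Pete's install lives.

```python
import ntpath

# Hypothetical helper (not from the thread or DiamondCS): split a rundll32
# command line into the pieces that matter for an allow/deny decision.


def _take_token(s):
    """Return (token, rest). A token is quoted text or a run of non-blanks."""
    s = s.lstrip()
    if not s:
        return "", ""
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:]
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_rundll32_cmdline(cmdline):
    """Return {'dll', 'entry', 'args'} for 'rundll32 <dll>,<entry> [args]', else None.

    Handles a quoted DLL path containing spaces, optional blanks around the
    comma, and ordinal entry points written as #<number>.
    """
    exe, rest = _take_token(cmdline)
    # ntpath.basename understands backslash paths on any platform
    if ntpath.basename(exe).lower() not in ("rundll32.exe", "rundll32"):
        return None
    rest = rest.lstrip()
    if rest.startswith('"'):                      # "C:\path with spaces\x.dll",Entry
        end = rest.find('"', 1)
        if end == -1:
            return None
        dll, rest = rest[1:end], rest[end + 1:]
    else:                                         # x.dll,Entry
        comma = rest.find(",")
        if comma == -1:
            return None
        dll, rest = rest[:comma], rest[comma:]
    rest = rest.lstrip()
    if not rest.startswith(","):
        return None
    entry, args = _take_token(rest[1:])
    if not dll.strip() or not entry:
        return None
    return {"dll": dll.strip(), "entry": entry, "args": args.strip()}


def assess_dll(parsed, windows_root=r"g:\windows"):
    """Triage notes for a parsed rundll32 command line (my own heuristic).

    windows_root defaults to Pete's G: install; pass the real one elsewhere.
    Returns an empty list when nothing stands out.
    """
    notes = []
    dll = parsed["dll"].lower()
    root = windows_root.lower().rstrip("\\") + "\\"
    if "\\" not in dll and "/" not in dll:
        notes.append("bare DLL name: the loader resolves it by search order, so the file is not pinned down")
    elif not dll.startswith(root):
        notes.append(f"DLL path is outside {windows_root}: check what installed it")
    if parsed["entry"].startswith("#"):
        notes.append("entry point given as an ordinal: the exported name cannot be read from the command line")
    return notes


if __name__ == "__main__":
    # Constructed command line, not taken from Pete's machine.
    sample = r'g:\windows\system32\rundll32.exe "c:\program files\vendor\helper.dll",StartUp /quiet'
    parsed = parse_rundll32_cmdline(sample)
    print(parsed)
    for note in assess_dll(parsed):
        print("-", note)
```

The input is whatever shows the full command line of the running instance: the DCS cmdline tool Andreas mentions, or on a current Windows build the Command line column in Task Manager or `Get-CimInstance Win32_Process -Filter "Name='rundll32.exe'" | Select-Object ProcessId, CommandLine` in PowerShell. The notes are prompts for a human decision, not a verdict; a DLL in the Windows directory can still be worth checking, and an unknown one outside it can still be legitimate.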

spy1
November 29th, 2003, 11:24 AM
Can't get that one to stay open long enough to do anything with it when I click on it from the folder - when I try to run it using Run/cmd I get this:

Andreas1
November 29th, 2003, 11:57 AM
ehm. That looks weird. Is cmdline.exe residing in that Pete Y. folder? If not, open a command prompt (cmd.exe) and navigate to where it is first. Or extract it to a directory in your path.
Andreas

Gavin - DiamondCS
November 30th, 2003, 02:50 AM
Send me that rundll.exe please and your ASViewer results (all SHOW options on)

Use my after hours testing email (free to give this to anyone) submitviruses@yahoo.com.au

Jooske
November 30th, 2003, 07:20 AM
Pete, did you check if there is a 0 kb file with that name there? (or other ones, anywhere?)

spy1
November 30th, 2003, 11:50 AM
Gavin - Both items requested sent separately.

Jooske - No zero byte files by that name found after running a full "Search". Pete