at every boot rundll32.exe wants...

Discussion in 'ProcessGuard' started by paperinik3, Feb 3, 2006.

Thread Status:
Not open for further replies.
  1. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    At every boot rundll32.exe wants the privilege to install hooks.
    Should I give in?
     
  2. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    What does the command line say? Is it from a trusted app?
     
  3. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    Thank you tonyjl, in the protection tab it says only: "c:\winnt\system32".
     
  4. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    That just says where rundll32 is located.

    I mean, when you get the alert (the actual pop-up), click on 'more info'; it should give more details about what is using rundll32 to install hooks: app path and name, cmd line etc. Next time you get the alert, jot down the info given and then post back.
     
  5. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    This is very curious... So: I have rebooted, got the alert "at 10.08.04 rundll.exe was blocked from creating a global GetMessage hook", went to the logs and, surprise! There was no trace of this block. All the other blocks were logged (I have, for instance, put a block on mobsync.exe), but not only did I not find the rundll32.exe block, THERE IS NO ENTRY at all between 10.08.01 and 10.08.09!
    What does this mean?
    Hopeful regards
     
  6. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I would run HijackThis and take a look at the O4 entries to see if that gave any clues as to what wanted to run rundll32.exe. An example is given in the log here: http://forums.techguy.org/security/435855-hjt-log.html (check out the 1st and 3rd O4 entries).

    You can probably get the same info from using msconfig and the startup tab but the msconfig window makes viewing the details difficult.
     
    Last edited: Feb 4, 2006
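    As an added illustration of SpikeyB's suggestion (not code from the thread or from HijackThis), this parser picks the O4 autostart entries that launch rundll32.exe out of a HijackThis log and shows which DLL and entry point each one loads, which is the detail that tells you what is really behind the hook alert. The log lines, paths and DLL names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample HijackThis O4 lines (invented for this example, not real log output).
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [Start Pwr Monitor] rundll32.exe C:\IBMTOOLS\UTILS\pwrmon.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Synchronization Manager] C:\WINNT\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [Helper] RUNDLL32 "C:\Documents and Settings\user\Local Settings\Temp\abc.dll",Init /s
"""

O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# rundll32 may appear bare, with .exe, or with a full path; it must be the first token.
RUNDLL_RE = re.compile(r'^"?(?:[A-Za-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', re.I)

@dataclass
class Rundll32Entry:
    hive: str   # registry location HijackThis reported, e.g. HKLM\..\Run
    name: str   # value name shown in brackets
    dll: str    # DLL that rundll32 will load
    entry: str  # exported function rundll32 will call

def parse_rundll32_args(rest: str) -> tuple[str, str]:
    """Split 'dll,Entry args' into (dll, entry); the DLL path may be quoted."""
    if rest.startswith('"'):
        end = rest.index('"', 1)
        dll, tail = rest[1:end], rest[end + 1:]
    else:
        m = re.match(r'([^,\s]*)(.*)', rest)
        dll, tail = m.group(1), m.group(2)
    words = tail[1:].split() if tail.startswith(',') else []
    return dll, (words[0] if words else '')

def find_rundll32_autostarts(log_text: str) -> list[Rundll32Entry]:
    """Return every O4 entry whose command line runs rundll32."""
    found = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        r = RUNDLL_RE.match(m.group('cmd')) if m else None
        if r:
            dll, entry = parse_rundll32_args(r.group('rest'))
            found.append(Rundll32Entry(m.group('hive'), m.group('name'), dll, entry))
    return found

def is_suspicious_location(dll: str) -> bool:
    """A vendor tool normally lives in its own install directory; a DLL under a
    user-writable Temp folder deserves a closer look before you allow the hook."""
    return '\\temp\\' in dll.lower()
```

    Running it on the sample reports the IBM power-monitor entry as loading its DLL from the tools directory, and flags only the entry whose DLL sits in a Temp folder.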
  7. paperinik3

    paperinik3 Registered Member

    Joined:
    Aug 10, 2003
    Posts:
    90
    HijackThis tells me that the only application which wants to run rundll32.exe at startup is Start Pwr Monitor, which is "IBM'S PROPRIETARY 'battery maximizer' and power monitoring software for laptops" - so, my machine being an IBM Thinkpad, I suppose it's all right to let it run.
    Thank you very much for your help SpikeyB.

    BUT - WHY IS THIS EVENT NEVER LOGGED o_O
     