rundll.exe Problem ?

Discussion in 'other anti-malware software' started by MICRO, Jul 26, 2008.

Thread Status:
Not open for further replies.
  1. MICRO

    MICRO Registered Member (Joined: Jun 8, 2004; Posts: 1,020)

    Can anyone hazard a guess please as to what Tiny Watcher means with the
    following, first time it's thrown this up and I can't tell what might be legit
    or a problem - I have run Gmer but it doesn't show a problem, nor does
    HijackThis up to now?

    "Windows\system32\rundll32.exe"

    "Another process is using the same name but a different executable file"
    <unretrievable path>
     
  2. PiCo

    PiCo Registered Member (Joined: Apr 9, 2008; Posts: 352; Location: Athens, Greece)

    unretrievable path, what the..?

    I don't know anything about Tiny Watcher, does this mean run32dll.exe was modified in a way by something and is now recognised as a different executable?

    If that's the case, that seems dangerous. Open Task Manager and check if run32dll.exe stays there eating CPU, 'cause it shouldn't stay in memory; the legit run32dll.exe only runs on certain occasions when needed.
     
  3. Toby75

    Toby75 Registered Member (Joined: Mar 10, 2006; Posts: 480)

    I would start running your scans. Do you remember downloading anything that may have triggered this?
     
  4. MICRO

    MICRO Registered Member (Joined: Jun 8, 2004; Posts: 1,020)

    PiCo - Yes I uttered the same WTF when I first set eyes on it - In the taskmanager it says rundll32.exe using 16,968 k and CPU shows 00 - there's only one version running.
     
  5. MICRO

    MICRO Registered Member (Joined: Jun 8, 2004; Posts: 1,020)

    Yesterday I installed 'IE7Pro' but don't see any untoward reviews about it
    on the net, yet.

    The peculiar thing is that 'Tiny Watcher' normally asks if I want to
    'Confirm' or 'Remove' any item that might be on the list but this morning it actually said,
    "There is no 'Confirm' re. this - only 'Remove'."

    I didn't click Remove because I can't tell if it would be removing the legit
    or the malware version, assuming that there is a malware version - hence the reason for asking here.
     
  6. innerpeace

    innerpeace Registered Member (Joined: Jan 15, 2007; Posts: 2,095; Location: Mountaineer Country)

    Just for reference, my rundll32.exe runs all the time. According to Process Explorer, its target is "C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" which should have to do with my Nvidia software. I'm running XP Home SP3.

    I'm no expert, but have a look in Process Explorer and see if you can find rundll32.exe's target and then do a search online for the .dll/s.
     
  7. Toby75

    Toby75 Registered Member (Joined: Mar 10, 2006; Posts: 480)

    Didn't even give you the option to confirm - strange o_O
     
  8. MICRO

    MICRO Registered Member (Joined: Jun 8, 2004; Posts: 1,020)

    Hello IP - Identical result to yours because I run Nv. too.

    I asked 'Cathy' to look for any versions of 'rundll32.exe' and it came up with
    one in \Windows\SoftwareDistribution\Download\ .......................

    Looks like a CLSID at the end there - Can you say if that folder is usually a part of XP - It looks to have 450 Meg. of what appears to be M$ stuff ?

    I just wonder if it was a FP by 'Tiny' but it's the 'unretrievable path'
    that gets me,
    (probably because I thought it was 'irretrievable' - but I am wrong).
     
  9. innerpeace

    innerpeace Registered Member (Joined: Jan 15, 2007; Posts: 2,095; Location: Mountaineer Country)

    Hi MICRO! Yes, I have that folder, but mine is only 2.76MB with the download file being only 14.1KB. I have 2 files in the download file and they both have random letters and numbers. This is an nLite install of XP though, so that could be part of the reason mine is smaller. I also have no rundll32 in that folder. Is the rundll32.exe the same file size or have the same hash as the one in \system32?

    I'm also not familiar with "tiny". I just wanted to get you pointed in the right direction. Hopefully a Windows guru will pop in and explain why a rundll32 is in the \Windows\SoftwareDistribution\Download\ folder. Ok, I did a quick search for "\Windows\SoftwareDistribution\Download\" and it looks like it's where Windows stores its updates. My XP is a new install so that could be why mine is smaller. I still have no idea why rundll32.exe is there.
     
  10. MICRO

    MICRO Registered Member (Joined: Jun 8, 2004; Posts: 1,020)

    Yes IP same size - Strange is that there, or at its proper path, all other files have two 'cog' like round things, one green, one brownish, on the file face but the rundll32.exe file has a blank face, maybe it's due to it running a dll as an .exe App., who knows, 5.1.2600.2180, and 32.5 kb, 36.0 kb on the disk, both say M$ but apparently that doesn't even mean they are legit.


    'Tiny Watcher' is a tiny handy App. except when, like many others, it
    can't make out a FP - I shall just continue to monitor.
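
Added example, not part of any post in this thread: a PowerShell sketch of the two checks suggested above, namely finding each running rundll32.exe's image path and DLL target, and comparing any copy under \Windows\SoftwareDistribution\Download\ with the one in \system32 by size, version, hash and signature. It assumes a current Windows system with PowerShell 5.1 or later rather than the XP installs discussed here, and the function names are hypothetical.

```powershell
# Added example: inventory rundll32.exe processes and on-disk copies.
# Assumes Windows PowerShell 5.1+; function names are hypothetical.
function Get-Rundll32Process {
    # Image locations a genuine rundll32.exe is expected to run from.
    $expected = 'System32', 'SysWOW64' | ForEach-Object {
        Join-Path $env:SystemRoot "$_\rundll32.exe"
    }
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        [pscustomobject]@{
            ProcessId    = $_.ProcessId
            ParentId     = $_.ParentProcessId
            # Null when the path cannot be read (for example, not elevated).
            ImagePath    = $_.ExecutablePath
            ExpectedPath = $expected -contains $_.ExecutablePath
            # The command line names the DLL and export being run,
            # e.g. "NvMcTray.dll,NvTaskbarInit" in the post above.
            CommandLine  = $_.CommandLine
        }
    }
}

function Compare-Rundll32Copy {
    param(
        # Folder to search for extra copies; defaults to the update cache.
        [string]$SearchRoot = (Join-Path $env:SystemRoot 'SoftwareDistribution\Download')
    )
    $reference = Join-Path $env:SystemRoot 'System32\rundll32.exe'
    $refHash   = (Get-FileHash -LiteralPath $reference -Algorithm SHA256).Hash
    $found     = Get-ChildItem -LiteralPath $SearchRoot -Filter 'rundll32.exe' `
                     -Recurse -File -ErrorAction SilentlyContinue
    foreach ($path in @($reference) + @($found.FullName)) {
        if (-not $path) { continue }          # nothing found under SearchRoot
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path            = $path
            Length          = $item.Length
            FileVersion     = $item.VersionInfo.FileVersion
            SHA256          = $hash
            MatchesSystem32 = ($hash -eq $refHash)
            SignatureStatus = $sig.Status     # 'Valid' means the signature verified
            Signer          = $sig.SignerCertificate.Subject
        }
    }
}

Get-Rundll32Process  | Format-List
Compare-Rundll32Copy | Format-List
```

A copy whose hash differs from the \system32 file is not suspicious on that basis alone, since an update package can carry a different build; the signature status and signer are the stronger check, because the company name shown in file properties is only a resource string.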
     