rundll32.exe again

Discussion in 'ProcessGuard' started by Suspish, Jul 15, 2004.

Thread Status:
Not open for further replies.
  1. Suspish

    Suspish Registered Member

    Joined:
    Jul 14, 2004
    Posts:
    4
    Hi
    I've been having trouble with rundll32.exe and see that PG is in the log trying to write, terminate, set info, suspend access on heaps of programs including PG, iexplore, explorer, winlogon for example. I am disallowed from adding it to the list in PG.
    Searching the archive I don't see a clear answer as to how to treat this .exe
    TIA for some ideas.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Suspish, are you running the trial or the full licensed version, as this can make a difference to our reply?
    I do not have rundll32 in my protection list and get no logging whatsoever in the Process Guard log. This applies to one PC running XP & one Windows 2003 + a laptop running XP Home.

    Pilli
     
  3. Suspish

    Suspish Registered Member

    Joined:
    Jul 14, 2004
    Posts:
    4
    Sorry, left out a bit of info didn't I :doubt:
    Fully licensed PG
    WinXP Pro Sp1a on one PC
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hmm, I am concerned about this as it could be a keylogger masquerading as a legitimate Windows file; please follow this link for more info: http://vil.nai.com/vil/content/Print99125.htm

    Please report back if you find anything - Pilli
     
  5. Suspish

    Suspish Registered Member

    Joined:
    Jul 14, 2004
    Posts:
    4
    Thanks Pilli, I'll just nibble away at this...
    A search shows rundll32.exe in C:\Windows\system32 (31KB) and
    an entry of zero KB in C:\Program Files\Common Files\Mapi\1033\NT. I'm sure I saw somewhere that a zero-sized file being present was of some significance.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, zero-byte files are mainly generated by a bug in Windows.

    What OS are you using?

    Using right-click file properties, my rundll32 is 31KB, version 5.1.2600.0, and is located in the windows\system32\ folder.
    My OS is XP Pro Sp1
     
  7. Suspish

    Suspish Registered Member

    Joined:
    Jul 14, 2004
    Posts:
    4
    Yeah, same same...

    XP Pro SP1a
    Rundll32.exe, 31KB, version 5.1.2600.0, in the windows\system32\ folder

    I use Kaspersky AV & Anti Hacker, TDS3, Wormguard and have also run HouseCall.

    As I said the PG log shows Rundll32.exe trying to gain access to a lot of important stuff including the AV, Firewall and PG.
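The two posters above compare rundll32.exe copies by hand: location, size, and the zero-byte entry under the Mapi folder. The script below is an added example (not ProcessGuard's code and not anything the posters ran) that automates that first triage step for any list of candidate paths: it records each file's size and SHA-256, checks that the file actually starts with the MZ header every Windows executable carries, and flags zero-byte copies and copies outside the expected system32 folder. The functions `file_facts`, `triage` and `demo` are hypothetical names, and `demo` builds a constructed temporary directory tree mirroring the thread (a 31KB stand-in with a DOS header under windows\system32, an empty file under the Mapi path) so it runs offline; the version-resource comparison from the thread is left to the file properties dialog, since reading it needs a PE resource parser.

```python
import hashlib
import os
import tempfile

# Assumption (from the thread): the genuine rundll32.exe lives under windows\system32.
EXPECTED_DIR_SUFFIX = os.path.join("windows", "system32")


def file_facts(path):
    """Collect the facts a quick triage wants: size, hash, PE header, location, findings."""
    with open(path, "rb") as fh:
        data = fh.read()
    size = len(data)
    # Every Windows executable (PE image) begins with the 'MZ' DOS stub signature.
    is_pe = data[:2] == b"MZ"
    parent = os.path.normcase(os.path.dirname(path))
    in_expected_dir = parent.endswith(os.path.normcase(EXPECTED_DIR_SUFFIX))

    findings = []
    if size == 0:
        # A zero-byte file cannot execute; it is typically installer or update residue.
        findings.append("zero-byte file (cannot execute; usually installer/update residue)")
    elif not is_pe:
        findings.append("not a PE image despite the .exe name")
    if not in_expected_dir:
        findings.append("copy outside the expected system32 folder")

    return {
        "path": path,
        "size": size,
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": is_pe,
        "in_expected_dir": in_expected_dir,
        "findings": findings,
    }


def triage(paths):
    """Run file_facts over every candidate path; an empty 'findings' list means nothing odd."""
    return [file_facts(p) for p in paths]


def demo():
    """Build a constructed directory tree mirroring the thread and triage it."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "windows", "system32")
    mapi = os.path.join(root, "Program Files", "Common Files", "Mapi", "1033", "NT")
    os.makedirs(sys32)
    os.makedirs(mapi)

    # Constructed stand-in for the 31KB system32 copy: MZ header plus padding.
    genuine = os.path.join(sys32, "rundll32.exe")
    with open(genuine, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * (31 * 1024 - 2))

    # Constructed stand-in for the zero-KB entry the poster found.
    stray = os.path.join(mapi, "rundll32.exe")
    open(stray, "wb").close()

    return triage([genuine, stray])


if __name__ == "__main__":
    for report in demo():
        print(report["path"], report["size"], report["sha256"][:16], report["findings"])
```

Feed `triage()` the real paths a file search turns up; a copy that is zero bytes, lacks the MZ header, or sits outside system32 deserves a closer look, while identical hashes across two full-size copies point to a benign duplicate rather than a replacement.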
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK, I have attached my protection list file; it may give you an idea as a comparison with your own.
     