rundll32.exe

Discussion in 'ProcessGuard' started by spy1, Nov 29, 2003.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Should I add that one to the list in PG? it seems to want a piece of everything at start-up.

    If I do add it, should I give it a "Write" "Allow"? Pete

    Example:

    [09:27:42] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:42] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
    [09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]


    (Had to shorten it). Pete
     
  2. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi Pete,
    can you find out which dll it is loading/running there? Maybe with DCS's cmdline tool - if it stays acitve long enough.
    The problem is that rundll and rundll32, just like svchost, do function as a host for all sorts of program modules (here it's dlls, not services), and whether or not you should allow it, depends on what dll is being launched this way...

    Andreas
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Can't get that one to stay open long enough to do anything with it when I click on it from the folder - when I try to run it using Run/cmd I get this:
     

    Attached Files:

  4. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    ehm. That looks weird. Is cmdline.exe residing in that Pete Y. folder? If not, open a command prompt (cmd.exe) and navigate to where it is first. Or extract it to a directory in your path.
    Andreas
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Send me that rundll.exe please and your ASViewer results (all SHOW options on)

    Use my after hours testing email (free to give this to anyone) submitviruses@yahoo.com.au
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Pete, did you check if there is a 0 kb file with that name there? (or other ones, anywhere?)
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Gavin - Both items requested sent separately.

    Jooske - No zero byte files by that name found after running a full "Search". Pete
     
Thread Status:
Not open for further replies.