rundll32.exe

Should I add that one to the list in PG? it seems to want a piece of everything at start-up.

If I do add it, should I give it a "Write" "Allow"? Pete

Example:

[09:27:42] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:42] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]
[09:27:43] - [P] - g:\windows\system32\rundll32.exe [1452] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on g:\windows\explorer.exe [1432]


(Had to shorten it). Pete

 

Hi Pete,
can you find out which dll it is loading/running there? Maybe with DCS's cmdline tool - if it stays acitve long enough.
The problem is that rundll and rundll32, just like svchost, do function as a host for all sorts of program modules (here it's dlls, not services), and whether or not you should allow it, depends on what dll is being launched this way...

Andreas

 

Can't get that one to stay open long enough to do anything with it when I click on it from the folder - when I try to run it using Run/cmd I get this:

 

ehm. That looks weird. Is cmdline.exe residing in that Pete Y. folder? If not, open a command prompt (cmd.exe) and navigate to where it is first. Or extract it to a directory in your path.
Andreas

 

Send me that rundll.exe please and your ASViewer results (all SHOW options on)

Use my after hours testing email (free to give this to anyone) submitviruses@yahoo.com.au

 

Pete, did you check if there is a 0 kb file with that name there? (or other ones, anywhere?)

 

Gavin - Both items requested sent separately.

Jooske - No zero byte files by that name found after running a full "Search". Pete