BetaONE will rise again!


#1  rikytik, 2nd Oct 05, 08:16 PM
rundll.exe a worm in XP?
My firewall (ZAP) identified rundll.exe as a virus. Doing a Google search I learned that rundll.exe is not part of Win XP, as it was with win 98 and Me.

This dll was running on my installation and I killed it. So far nothing noticed. I also note that rundll32 is running on another pc, but not on my laptop--all running WinXP.

Anybody run into this? Any ideas? MS's web site explains the use of this dll, but doesn't talk about misuse by spyware, at least that I noted in a quick look.

The following is from one of the Google sites I found.

Process File: rundll.exe
Process Name: Microsoft RunDLL

Description:

rundll.exe is a Windows System process belonging to the Windows 95, 98 and ME range of Microsoft Windows products. This is an important system process and should not be terminated.

NOTE: rundll.exe can also be the LOXOSCAM and Backdoor.SchoolBus.B trojans depending on Operating System and file path; this is always a virus on Windows XP and 2000 operating systems however. Both are backdoor Trojans that allow hackers to gain access to the computer. This program is a registered security risk and should be removed immediately. If found on your system make sure that you have downloaded the latest update for your antivirus application. Please consult the file path to distinguish between this and the system process.

#2  Dudelive, 3rd Oct 05, 02:23 AM
Just be sure that you are looking at the rundll and not rundll32.

http://support.microsoft.com/kb/q164787/

This will help explain it.

Thanks
Dudelive
__________________
Be careful what you ask for, because you might just get it.

#3  rikytik, 3rd Oct 05, 09:17 AM
Yep, Dudelive, I saw that. What I am scratching my head about is that ZAP asked permission to stop or allow rundll.exe from running and identified it as possibly a dangerous virus. I blocked it and then did a file search on the pc in question. The program was not found.

Then on another machine, I went through the same procedure, uninstalling NAV, then installing ZAP. No call for rundll, but I noted that rundll32 was one of the processes running on this second machine.

The first machine has an older installation and has seen a lot of software installed/uninstalled over the past year or more, although it gets a registry cleaner, spyware checker, etc., run on it many times a month.

NOD32 hasn't identified any of this stuff (newly installed as a trial). So, I'm still wondering what program is trying to start rundll and why.
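
One way to run the file-path check that the description quoted in post #1 recommends, and to see which program launched the process (the open question in post #3), as an added example that is not part of the thread. It assumes PowerShell 3.0 or later, which postdates the Windows XP installs discussed here, and it relies on the fact that a stock rundll32.exe lives only in %SystemRoot%\System32 (and SysWOW64 on 64-bit Windows).

```powershell
# Added example: triage every running rundll*.exe by name, path, parent and command line.
# Assumes PowerShell 3.0+ (Get-CimInstance); run elevated so ExecutablePath is populated.

# Folders where a genuine rundll32.exe lives (SysWOW64 exists only on 64-bit Windows).
$trusted = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
) | ForEach-Object { $_.ToLowerInvariant() }

# Index all processes by PID so each hit can be tied back to its launcher.
$all = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$all | Where-Object { $_.Name -like 'rundll*.exe' } | ForEach-Object {
    $path = $_.ExecutablePath
    $dir  = if ($path) { (Split-Path -Parent $path).ToLowerInvariant() } else { $null }

    $verdict = if ($_.Name -ieq 'rundll.exe') {
        # Per the thread: rundll.exe belongs to Windows 95/98/ME, not XP or 2000.
        'SUSPECT: rundll.exe is not a system file on NT-based Windows'
    } elseif ($_.Name -ine 'rundll32.exe') {
        'SUSPECT: look-alike name'
    } elseif (-not $path) {
        'UNKNOWN: path not readable (re-run elevated)'
    } elseif ($trusted -notcontains $dir) {
        'SUSPECT: rundll32.exe outside the system folders'
    } else {
        'Name and path OK: review CommandLine for the DLL it was asked to load'
    }

    # PIDs are reused, so accept a parent only if it started before the child.
    $parent = $byPid[[int]$_.ParentProcessId]
    $parentText = if ($parent -and $parent.CreationDate -le $_.CreationDate) {
        "$($parent.Name) (PID $($parent.ProcessId))"
    } else {
        'exited or unknown'
    }

    [pscustomobject]@{
        PID         = $_.ProcessId
        Name        = $_.Name
        Path        = $path
        Parent      = $parentText
        CommandLine = $_.CommandLine
        Verdict     = $verdict
    }
} | Format-List
```

A rundll32.exe that passes the name and path check is only a host; the DLL and entry point named in its CommandLine, together with the parent process, are what identify the program behind it.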

#4  war59312, 3rd Oct 05, 11:45 PM
For winxp rundll32.dll is safe. For instance you might see it opening device manager.

Anything else is not safe.

So if anything else delete it. Back it up just in case I suppose.

#5  rikytik, 6th Oct 05, 12:40 AM
btw, I dumped ZAP and NOD and am trying BitDefender 9 and the whole issue seems to have disappeared into the woodwork. Really strange how ZAP kept asking to run rundll.exe as a program monitoring mouse and keyboard activity. Still not sure why this was happening, nor why other firewalls didn't pick up the same activity.

Could be pc operators are from Mars and PC's are from Venus.

#6  Dudelive, 6th Oct 05, 03:26 AM
I am running ZAP and Kaspersky....and there is not a rundll of any kind asking or running on mine through ZAP.

Thanks
Dudelive

#7  rikytik, 8th Oct 05, 12:53 AM
I am still scratching my head. This rundll thing only occurred on my somewhat mature pc that has been on line a lot with all kinds of bad sites, had many trial programs installed and uninstalled. So there could be a residue of many sins on the hd.

I recently tried out a program called White Canyon Secure Clean. Even tho I erase cookies with the traditional means, it showed up temp internet files that contained credit card numbers, id's, passwords and stuff that shocked me. Got me into looking at the *.dat files which you can clean, but not the one in the Windows directory (forget the exact name of it right now). But it'll make you paranoic if you keep digging.

My Bitdefender 9 machine is still rolling along fine and I've put Norton 2005 back in this machine.