Mysterious Rundll32.exe, Administrator privileges

Archived from groups: microsoft.public.windowsxp.security_admin

I am running WinXP Home SP2. I have 2 problems that I need help with.

PROBLEM 1

A Rundll32.exe starts and appears to:

1) create a random filename.dll in C:\Win\System32.
2) create guard.tmp in C:\Win\System32.
3) add filename.dll to HKLM\software\microsoft\currentversion\shell
extensions\approved
4) add guard.tmp to HKLM\software\microsoft\currentversion\shell
extensions\approved

I ran Norton AV 2005, Spybot S&D, Giant Spyware, and HijackThis!.
None of these Apps resolved this problem.

I manually removed the reg entries and files, but the Rundll32.exe
recreates them.

I tried these steps in Normal & Safe modes, but the Rundll32.exe always
runs.

I want to know how the Rundll32.exe is getting started.
Is there a process for tracing calls to Rundll32.exe?

This leads me to:

PROBLEM 2

I want to run SysInternals Process Explorer. Each time I start it I get
a message "Process Explorer requires Debug Privileges". This happens
with several other utilities also.

I have 2 ID's, Administrator and Owner, and both are in the
Administrator group.

Why are Debug privileges not assigned to Administrator and Owner?
Is this a result of implementing XP SP2?
Is this a result of implementing .Net?
Is this a result of this Rundll32.exe?

Any help will be appreciated.
Thanks
  1.

    PROBLEM 1

    What's the suspicious Rundll32.exe process
    http://www.mvps.org/sramesh2k/rundll32.htm

    PROBLEM 2

    You need to add Process Explorer to Debug programs in Group Policy >>>

    Open Group Policy...

    Start | Run | Type: gpedit.msc | OK |

    Navigate to >>>

    Computer Configuration\Windows Settings\Security Settings\Local
    Policies\User Rights Assignment\
    Debug programs

    Description
    [[Determines which users can attach a debugger to any process. This
    privilege provides powerful access to sensitive and critical operating
    system components.

    This user right is defined in the Default Domain Controller Group Policy
    object (GPO) and in the local security policy of workstations and servers.

    By default, only administrators and LocalSystem accounts have the privileges
    to debug programs.]]

    --
    Hope this helps. Let us know.
    Wes

  2.

    Thanks for your reply, Wes.

    PROBLEM 1

    I'm verifying the list of modules in the tasklist output. guard.tmp stands
    out, but I'm not sure how to clean it up. Here it is:

    Image Name PID Modules
    ========================= ====== =============================================
    rundll32.exe 492 ntdll.dll, kernel32.dll, msvcrt.dll,
    GDI32.dll, USER32.dll, IMAGEHLP.dll,
    ShimEng.dll, AcGenral.DLL, ADVAPI32.dll,
    RPCRT4.dll, WINMM.dll, ole32.dll,
    OLEAUT32.dll, MSACM32.dll, VERSION.dll,
    SHELL32.dll, SHLWAPI.dll, USERENV.dll,
    UxTheme.dll, comctl32.dll, comctl32.dll,
    guard.tmp, comdlg32.dll, CRYPT32.dll,
    MSASN1.dll, oledlg.dll, PSAPI.DLL,
    urlmon.dll, WININET.dll, WINSPOOL.DRV,
    WS2_32.dll, WS2HELP.dll, asOEHook.dll,
    MSVCR71.dll, Secur32.dll, RASAPI32.DLL,
    rasman.dll, NETAPI32.dll, TAPI32.dll,
    rtutils.dll, msv1_0.dll, iphlpapi.dll,
    sensapi.dll, rsaenh.dll, mswsock.dll,
    hnetcfg.dll, wshtcpip.dll, DNSAPI.dll,
    winrnr.dll, WLDAP32.dll, rasadhlp.dll

    PROBLEM 2

    I appreciate your GP insight & instructions, but this is WinXP Home. No
    Group Policy...
    Any other ideas?

    Pick

  3.

    Pick,

    PROBLEM 1
    I wonder why comctl32.dll is listed three times? Nothing else looks
    suspicious.
    Except guard.tmp. comctl32.dll = Common Controls Library

    PROBLEM 2
    XP Home and no Group Policy. Beats the heck out of me what to do without
    GP.

    --
    Hope this helps. Let us know.
    Wes

  4.

    This has turned out to be a pest installed by VX2.
    See Lavasoft forum @
    http://www.lavasoftsupport.com/index.php?showtopic=54909

  5.

    This is a very tough job if not done right. Follow these instructions.
    These are available only for general education. This means proceed at
    your own risk. I am not responsible for any damage you may cause.

    VX2 does the following to your system:
    1) can create the file c:\windows\system32\guard.tmp
    2) also creates random .dll files in c:\windows\system32
       -fortunately they are the same file size and will have today's date,
       so they're easy to spot
    3) upon shutdown, rebooting will generate new random .dll files
       -it uses only 1 random .dll file at a time; it will create an extra
       one that will become the new .dll file to be used by RunDll32.exe on
       the next boot. When you reboot, another .dll file is created for when
       you reboot again. See how sneaky it is.
    4) Look in processes and you will see RunDll32.exe running
       -hit ctrl + alt + delete and click processes to look for it
       -You can end the RunDll32.exe process but it will come back, over
       and over
    5) attaches itself to the winlogon process used by windows
       -therefore can run in safe mode as well, doh!
    6) Pops up spyware windows occasionally from the RunDll32.exe process

    Software you will need. Do a search online for these:
    1) VX2Finder.exe
    2) Hijackthis
    3) Process Viewer (http://downloads.subratam.org/pv.zip)
    4) Killbox.exe
    5) Ad-Aware SE
    6) Spybot
    7) CWShredder

    Here is the trick to removing this nasty spyware.
    1) run the runme.bat file in the Process Viewer folder
       -should be located on the Tech Bench Tools cd in sftw fixes\spyware.
       -use option 5, a log file should be created in notepad. Next use
       option 3. You should have two logfiles opened.
       -look through these log files for any entries that do not have the
       words "xp" out to the far right. Exclude COMRes.dll, OLEAUT32.dll,
       CLBCATQ.dl, or any others that tell you exactly who the publisher is.
    2) Now that you have the proper files pinpointed, run killbox.exe
       -should be located on the Tech Bench Tools cd in sftw fixes\spyware.
       Copy/paste the location of the file into the text input box. Select
       the option to delete on reboot. Hit yes when prompted if ok to delete,
       but hit no when asked to reboot. Repeat this for all other suspected
       files.
    3) navigate to c:\windows and delete the file named wininit.ini if it
       exists.
       -This is commonly used by spyware to rename itself upon windows
       restarting. Windows also uses it for its own purposes as well. Don't
       worry, when windows needs it, it will recreate the file.
    4) Run Hijack This and delete any suspected entries
    5) Now reboot your computer and boot back in regular mode again
    6) If you did it correctly, you should not get any errors upon booting in
       windows. Also, RunDll32.exe should not be running in processes
       (double check this).
    7) Next, navigate to c:\windows\system32 and in the view menu choose
       detailed view. Choose to arrange icons by date modified. Look for
       today's or yesterday's date. Look for any random .dll files around
       these dates that should all be around the same file size. There could
       even be some that are before yesterday's date if the machine has been
       infected long enough. To be safe stick with today's date and
       yesterday. DO NOT DELETE WPA.DBL, this is the windows product
       activation database (WPA) file. It has a tendency to have a current
       date modified. Only delete the proper .dll files.
    8) Clear all temp folders. There is a clear_temp_files.bat file on the
       Tech Bench Tools cd in sftw fixes\spyware
    9) Run the VX2Finder.exe app and run a scan. Click on the "Open regedit"
       button. Click on each key and on the right look at the DllName entry,
       look for a random .dll name. Google a dll if you are unsure. Delete
       the key on the left if any suspecting keys are found. Back to the
       VX2Finder app, click each of the 3 buttons on the right labeled
       "Restore Policy", "User Agent$", "Guardian reg" but choose not to
       restart computer
    10) Run a winsock fix to reset the hosts file, your machine should
       restart at this point
    11) Now run Ad-Aware SE, Spybot, Hijack This, CWShredder, and BHODemon
    12) Double check in msconfig for any bad entries and run asviewer.exe
       (located on Tech Bench Tools cd in misc\Startup Viewer). Delete any
       suspicious entries
    13) reboot computer final time, all should be done
    You should be clean of VX2 now. This has got to be the hardest spyware
    ever to remove because it attaches itself to the winlogon process and in
    the Notify key in the registry.

    --
    shafty
    Posted via http://www.mcse.ms
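As an added example (not code from the thread or from any tool it names), a read-only PowerShell audit of the three places the thread points at: the Winlogon Notify key that the last reply says VX2 hooks, the approved shell extensions list from the original post, and the modules loaded into rundll32.exe as in Pick's tasklist output. It assumes an elevated Windows PowerShell prompt; the registry paths are the standard ones, and the flagging rules (odd extension such as .tmp, recent modification, missing publisher, no valid signature) are this example's own heuristics.

```powershell
# Added example, not from the thread: audit Winlogon\Notify, approved shell
# extensions and rundll32.exe modules for the signs described in the thread.
# Read-only; it deletes nothing. Flagging rules are heuristics, not proof.

$notifyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$approvedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$system32    = Join-Path $env:SystemRoot 'System32'
$codeExts    = @('.dll', '.drv', '.exe', '.ocx')

function Test-SuspiciousModule {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @('file missing') }
    $file = Get-Item -LiteralPath $Path
    $reasons = @()
    # guard.tmp in the thread: a loaded module whose extension is not a code extension
    if ($codeExts -notcontains $file.Extension.ToLower()) { $reasons += "odd extension '$($file.Extension)'" }
    # the dropped DLLs carry today's date
    if (((Get-Date) - $file.LastWriteTime).TotalDays -lt 2) { $reasons += 'modified in the last 2 days' }
    # files that "tell you exactly who the publisher is" carry a CompanyName
    if (-not $file.VersionInfo.CompanyName) { $reasons += 'no CompanyName in version info' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    return $reasons
}

function Get-WinlogonNotifyDlls {
    if (-not (Test-Path -LiteralPath $notifyKey)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $notifyKey) {
        $dll = (Get-ItemProperty -LiteralPath $sub.PSPath).DllName
        if (-not $dll) { continue }
        # DllName is usually a bare file name that winlogon resolves from System32
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $system32 $dll }
        New-Object PSObject -Property @{ Source = "Notify\$($sub.PSChildName)"; Path = $dll }
    }
}

function Get-ApprovedShellExtensionDlls {
    if (-not (Test-Path -LiteralPath $approvedKey)) { return }
    # Values are CLSIDs; the DLL behind each one is its InProcServer32 default value
    foreach ($p in (Get-ItemProperty -LiteralPath $approvedKey).PSObject.Properties) {
        if ($p.Name -notmatch '^\{[0-9A-Fa-f-]+\}$') { continue }
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($p.Name)\InProcServer32"
        if (-not (Test-Path -LiteralPath $srv)) { continue }
        $dll = (Get-ItemProperty -LiteralPath $srv).'(default)'
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $system32 $dll }
        New-Object PSObject -Property @{ Source = "Approved $($p.Name)"; Path = $dll }
    }
}

function Get-Rundll32Modules {
    foreach ($proc in Get-Process -Name rundll32 -ErrorAction SilentlyContinue) {
        try { $mods = $proc.Modules } catch { continue }   # needs rights to read the process
        foreach ($m in $mods) { New-Object PSObject -Property @{ Source = "rundll32 PID $($proc.Id)"; Path = $m.FileName } }
    }
}

$all = @(Get-WinlogonNotifyDlls) + @(Get-ApprovedShellExtensionDlls) + @(Get-Rundll32Modules)
foreach ($entry in $all) {
    $reasons = @(Test-SuspiciousModule -Path $entry.Path)
    if ($reasons.Count -gt 0) { "{0,-28} {1}`n    -> {2}" -f $entry.Source, $entry.Path, ($reasons -join '; ') }
}
```

On XP many OS files are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, so treat signature status as one signal alongside extension, date and publisher rather than on its own.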