#1
Rundll32.exe scanning my computer.
Hello,

Yesterday I noticed how rundll32.exe was running on Windows 7 (64-bit Ultimate edition) while the firewall was down (I stopped the firewall myself before). I caught it with Resource Monitor scanning files, all kinds of executables. This process started to run while the rest of the computer was inactive. I noticed high hard disk activity. I think I actually terminated the process, but then later it started running again, if I recall correctly.

Eventually there were multiple TCP connections to some IPs and ports; one port was 80. And its IP was: 23.2.235.5

Running tracert shows:

Tracing route to a23-2-235-5.deploy.static.akamaitechnologies.com [23.2.235.5] over a maximum of 30 hops:

According to Wikipedia:

"Akamai Technologies, Inc. is a content delivery network or CDN and cloud services provider headquartered in Cambridge, Massachusetts, in the United States. Akamai's content delivery network is one of the world's largest distributed computing platforms, responsible for serving between 15 and 30 percent of all web traffic.[7] The company operates a network of servers around the world and rents capacity on these servers to customers who want their websites to work faster by distributing content from locations close to the user. Over the years their customers have included Apple, Facebook, Bing, Twitter, eBay and healthcare.gov. When a user navigates to the URL of an Akamai customer, their browser is redirected to one of Akamai's copies of this website, almost entirely invisible to the vast majority of its users."

Anyway, possible conclusions:

1. Something is scanning my computer, possibly spyware.
2. Source of spyware is currently unknown. Is it Windows itself scanning my computer? Or something else?

What I want to do is "log" all activity of rundll32.exe. What is launching rundll32? What DLL is being run?

Of course I already tried to use Process Explorer to examine the running instance of rundll32.exe. The strange/suspicious thing was Process Explorer complained that it could not access the rundll32.exe information, some kind of security error. This made me extra suspicious and thus I terminated rundll32.exe from running and taxing my hard disk.

My advice to the USA is to stop building in backdoors and cease your spying activity. There is a clear trend going on in Russia, China and the European Union for more privacy. Your USA products are in danger of being BANNED.

Bye,
Skybuck.
#2
Rundll32.exe scanning my computer.
Here is some further help at getting some information about rundll32.exe instances:

http://www.howtogeek.com/howto/windo...is-it-running/

1. "Simply launch Process Explorer, and you'll want to choose File \ Show Details for All Processes to make sure that you're seeing everything."

2. "Now when you hover over the rundll32.exe in the list, you'll see a tooltip with the details of what it actually is:"

3. "Or you can right-click, choose Properties, and then take a look at the Image tab to see the full pathname that is being launched, and you can even see the Parent process, which in this case is the Windows shell (explorer.exe), indicating that it was likely launched from a shortcut or startup item."

Tip 3 seems best. I am not sure if this tip would have worked; next time I catch rundll32.exe running like this I will try out these tips. If for some reason it's not possible or information is missing, then perhaps I will video tape it for further evidence of suspicious activity!

Bye,
Skybuck.
#3
Rundll32.exe scanning my computer.
Here is another trick to get more information about a running rundll32.exe process:

https://www.raymond.cc/blog/identify...ows-task-list/

1. "Identify Loaded DLL Files through Command Prompt

Here is a manual way of identifying DLL files in rundll32.exe. Open a Command Prompt by pressing WinKey+R and type cmd. Then type or paste the command below into the prompt and hit Enter.

tasklist /m /fi "IMAGENAME eq rundll32.exe"

Do take note that by default, Windows XP Home edition does not have the tasklist.exe utility, only Professional. It is built into all versions of Windows Vista and 7. If you want the Tasklist tool for XP Home you can download it from this link: Download Tasklist.exe https://www.raymond.cc/blog/download/did/1221/

The dll modules are displayed on the right side of the tasklist result. You'll probably see a lot of modules being displayed which are the internal Windows dll's and it takes a little knowledge from an experienced user to identify any dangerous dll on the list. If you're unsure, you can always do a search in Google on the dll file name.

https://www.raymond.cc/blog/identify...ows-task-list/"

Anyway, when I run this right now:

tasklist /m /fi "IMAGENAME eq rundll32.exe"

it produces this:

INFO: No tasks are running which match the specified criteria.

rundll32.exe is currently not running, so I will assume this is normal?!

Bye,
Skybuck.
#4
Rundll32.exe scanning my computer.
On Tue, 27 Oct 2015 12:42:06 +0100, "Skybuck Flying" Gave us:

snipped utter stupidity...

You are a true idiot.
#5
Rundll32.exe scanning my computer.
Skybuck Flying wrote:

> What is launching rundll32? What DLL is being run?

For Win7, in Task Manager you can add a column entry that shows the command line invocation. If the machine absolutely refuses to run Task Manager, then you know you are in trouble.

http://www.howtogeek.com/howto/windo...is-it-running/
http://cdn5.howtogeek.com/wp-content...7/image178.png

Otherwise, download and run the MBAM on-demand scanner (do not tick "Trial", just use the free version, which does not provide real time protection). (Orange Download button. You can download this on another computer, if the suspect computer will not allow the browser to download this. This program will download definitions once it is installed. It is for on-demand scanning only, for the free version.)

https://www.malwarebytes.org/

Paul
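The three tips above (Process Explorer's Image tab in #2, `tasklist /m` in #3, and the Task Manager command line column in this post) each answer one of the original questions by hand. The script below is an added example, not code from the thread or from any of the linked tools, that does all of it in one sweep from Windows PowerShell and appends the result to a log, which is what the original post asked for. It assumes Windows 7 or later, Windows PowerShell 2.0 or newer, and that it is run from an elevated 64-bit PowerShell (a 32-bit or non-elevated shell gets the same "access denied" on a 64-bit or higher-integrity rundll32 that Process Explorer showed the original poster). `$LogPath`, the two-second polling interval and the log format are arbitrary choices made here.

```powershell
# Added example, not code from the thread or from the tools it links. Snapshots every
# rundll32.exe instance with its command line, parent process, loaded modules and TCP
# connections, checks the signature of the DLL it was told to load, and appends a record
# to a log file. Assumptions: Windows 7 or later, Windows PowerShell 2.0+, run from an
# elevated 64-bit shell; $LogPath and the 2-second polling interval are arbitrary choices.
param(
    [string]$ImageName   = 'rundll32.exe',
    [string]$LogPath     = "$env:USERPROFILE\Desktop\rundll32-audit.log",
    [int]   $IntervalSec = 2
)

# Map PID -> Win32_Process so the parent can be named even if it is not rundll32.
# Get-WmiObject is used instead of Get-CimInstance so this runs on Windows 7's PowerShell 2.0.
function Get-ProcessSnapshot {
    $byId = @{}
    foreach ($p in Get-WmiObject Win32_Process) { $byId[[int]$p.ProcessId] = $p }
    return $byId
}

# Map owning PID -> list of TCP endpoints. netstat -ano exists on every Windows version
# mentioned in the thread; Get-NetTCPConnection only exists on Windows 8 / 2012 and later.
function Get-TcpConnectionsByPid {
    $map = @{}
    foreach ($line in (netstat -ano)) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP') {        # UDP rows have no state column
            $owner = [int]$f[4]
            if (-not $map.ContainsKey($owner)) { $map[$owner] = @() }
            $map[$owner] += "$($f[1]) -> $($f[2]) [$($f[3])]"
        }
    }
    return $map
}

# rundll32 syntax is: rundll32.exe <dll>,<entrypoint> [args]. Pull out <dll>, quoted or not.
function Get-RundllTarget([string]$cmd) {
    if (-not $cmd) { return $null }
    $m = [regex]::Match($cmd, '(?i)rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,')
    if ($m.Success) { return $m.Groups[1].Value.Trim() } else { return $null }
}

# Locate the DLL and report its Authenticode status and signer. Caveat: many Windows system
# DLLs are catalog-signed and can report NotSigned on older PowerShell; the real flag is
# NotSigned/HashMismatch on a DLL *outside* System32/SysWOW64, or a DLL no longer on disk.
function Test-DllSignature([string]$dll) {
    if (-not $dll) { return '<no DLL parsed from command line>' }
    $candidates = @($dll)
    if (-not [System.IO.Path]::IsPathRooted($dll)) {
        $candidates = @("$env:SystemRoot\System32\$dll", "$env:SystemRoot\SysWOW64\$dll")
    }
    $path = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $path) { return "$dll : <not found on disk>" }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    return "$path : $($sig.Status) ; signer=$signer"
}

Write-Host "Polling for $ImageName every $IntervalSec s, logging to $LogPath (Ctrl+C to stop)"
while ($true) {
    $snap = Get-ProcessSnapshot
    $tcp  = Get-TcpConnectionsByPid
    foreach ($h in ($snap.Values | Where-Object { $_.Name -ieq $ImageName })) {
        $procId = [int]$h.ProcessId          # $pid is an automatic variable; do not shadow it
        $parent = $snap[[int]$h.ParentProcessId]
        $parentDesc = "<exited or unknown> (PID $($h.ParentProcessId))"
        if ($parent) { $parentDesc = "$($parent.Name) (PID $($parent.ProcessId)) cmd: $($parent.CommandLine)" }
        # Loaded modules are what 'tasklist /m' prints. Access denied here means the target
        # runs at higher integrity (or a different bitness) than this shell; log that too,
        # because it is exactly the symptom Process Explorer showed in the original post.
        try {
            $mods = (Get-Process -Id $procId -ErrorAction Stop).Modules | ForEach-Object { $_.FileName }
        } catch {
            $mods = @("<module list unavailable: $($_.Exception.Message)>")
        }
        $conns = @('<none>')
        if ($tcp.ContainsKey($procId)) { $conns = $tcp[$procId] }
        $record = @(
            "=== $(Get-Date -Format o)  PID $procId  $($h.Name)",
            "CommandLine : $($h.CommandLine)",
            "Target DLL  : $(Test-DllSignature (Get-RundllTarget $h.CommandLine))",
            "Parent      : $parentDesc",
            "TCP         : " + ($conns -join '; '),
            "Modules     : " + ($mods -join '; ')
        ) -join "`r`n"
        Add-Content -Path $LogPath -Value $record
        Write-Host $record
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Two things to read in the output: the parent and command line tell you who launched rundll32 and which DLL it was handed, and the signature line tells you whether that DLL is where a Windows component should live and signed by whom; a DLL under a user profile or temp directory, unsigned, or already deleted from disk is the part worth following up, an Akamai address on port 80 is not. Polling every few seconds will miss short-lived instances. For a complete record, turn on process creation auditing (Security event 4688; on Windows 7 the command line field only appears after update KB3004375 and the "Include command line in process creation events" group policy) or run Sysinternals Sysmon, whose event 1 logs the full command line, parent and image hash of every process start.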
#6
Rundll32.exe scanning my computer.
On 2015-10-27, Skybuck Flying wrote:

> Hello,
> Yesterday I noticed how rundll32.exe was running on Windows 7 (64 bit Ultimate edition) while the firewall was down (I stopped the firewall myself before).

Why?

> I caught it with Resource Monitor scanning files, all kinds of executables. This process started to run while the rest of the computer was inactive. I noticed high hard disk activity.

You have caught a virus/trojan. I think that the standard comment is that without protection, a Windows machine will last about 5 min without catching a virus.

> I think I actually terminated the process, but then later it started running again if I recall correctly.

Of course.

> Eventually there were multiple TCP connections to some IPs and ports, one port was 80.

Yes, you have been owned. Your computer will now be used to send spam/phishing email to others and be used to attack and infect other machines. All of your email contacts will get emails from you telling them about some wonderful McGuffin you have found and advising them to buy it/link to it/....

> And its IP was: 23.2.235.5

Probably an owned machine just as yours is now.

> Running tracert shows:
> Tracing route to a23-2-235-5.deploy.static.akamaitechnologies.com [23.2.235.5] over a maximum of 30 hops:

There is no reason to believe that is the bad guy. It is probably some other Windows user who decided it was a good idea to go onto the net without a firewall or virus scanner.

> According to Wikipedia:
> "Akamai Technologies, Inc. is a content delivery network or CDN and cloud services provider headquartered in Cambridge, Massachusetts, in the United States. Akamai's content delivery network is one of the world's largest distributed computing platforms, responsible for serving between 15 and 30 percent of all web traffic.[7] The company operates a network of servers around the world and rents capacity on these servers to customers who want their websites to work faster by distributing content from locations close to the user. Over the years their customers have included Apple, Facebook, Bing, Twitter, eBay and healthcare.gov. When a user navigates to the URL of an Akamai customer, their browser is redirected to one of Akamai's copies of this website, almost entirely invisible to the vast majority of its users."
>
> Anyway, possible conclusions:
> 1. Something is scanning my computer, possibly spyware.

Yes.

> 2. Source of spyware is currently unknown. Is it Windows itself scanning my computer? Or something else?

Well, it is both a program on your system, and outsiders.

> What I want to do is "log" all activity of rundll32.exe.

What you want to do is to erase your whole disk, reinstall, and immediately put up a firewall and a good virus scanner.

> What is launching rundll32? What DLL is being run?
> Of course I already tried to use Process Explorer to examine the running instance of rundll32.exe. The strange/suspicious thing was Process Explorer complained that it could not access the rundll32.exe information, some kind of security error. This made me extra suspicious and thus I terminated rundll32.exe from running and taxing my hard disk.
>
> My advice to the USA is to stop building in backdoors and cease your spying activity.

You are attacking the wrong source. This is almost certainly NOT the USA, but one of the roughly 10,000,000 people out there from around the world who want to use your machine to anonymize their nefarious activity.

> There is a clear trend going on in Russia, China and the European Union for more privacy.

So?

> Your USA products are in danger of being BANNED.

And yet you keep using Windows.
#7
Rundll32.exe scanning my computer.
On Tue, 27 Oct 2015 10:58:12 -0400, Paul wrote:

> Skybuck Flying wrote:
>> What is launching rundll32? What DLL is being run?
>
> For Win7, in Task Manager you can add a column entry that shows the command line invocation. If the machine absolutely refuses to run Task Manager, then you know you are in trouble.

snip

That's usefull, thanks for the tip.

Cheers
#8
Rundll32.exe scanning my computer.
On Tue, 27 Oct 2015 20:15:30 -0400, Martin Riddle Gave us:

> On Tue, 27 Oct 2015 10:58:12 -0400, Paul wrote:
>> Skybuck Flying wrote:
>>> What is launching rundll32? What DLL is being run?
>>
>> For Win7, in Task Manager you can add a column entry that shows the command line invocation. If the machine absolutely refuses to run Task Manager, then you know you are in trouble.
>
> snip
>
> That's usefull, thanks for the tip.

You spelled use-fool wrong.
#9
Rundll32.exe scanning my computer.
It's not a virus; if it were a virus it would be running every day. I don't see it running at all. It's something more special.

So your entire posting can be snipped away.

snipped

Bye,
Skybuck.
#10
Rundll32.exe scanning my computer.
Meanwhile I have noticed another oddity. Perhaps it's nothing or perhaps it's something.

The tool RAMMap will sometimes show "tunngle" still as a process, while Task Manager (show all processes) does not show it, and neither does Process Explorer. Perhaps RAMMap sometimes will also show some other app. It seems to be only one 4KB page. Perhaps it's a residue, or a left over, or some bug in Windows or a bug in RAMMap. However, it could also be something suspicious.

Some app suspects:

1. Firefox
2. Tunngle
3. Star Trek Online
4. World of Warships

And of course: Windows itself. And lastly, it could also be something from long ago that only runs very rarely.

Bye,
Skybuck.