Re: Mysterious Rundll32.exe, Administrator privileges

From: Pick (CPicker_at_Pacbell.Net)
Date: 12/19/04


Date: Sun, 19 Dec 2004 08:03:57 GMT

This has turned out to be a pest installed by VX2.
See Lavasoft forum @
http://www.lavasoftsupport.com/index.php?showtopic=54909

Pick said
> I am running WinXP Home SP2. I have 2 problems that I need help with.
>
> PROBLEM 1
>
> A Rundll32.exe starts and appears to:
>
> 1) create a random filename.dll in C:\Win\System32.
> 2) create guard.tmp in C:\Win\System32.
> 3) add filename.dll to HKLM\software\microsoft\currentversion\shell
> extensions\approved
> 4) add guard.tmp to HKLM\software\microsoft\currentversion\shell
> extensions\approved
>
> I ran Norton AV 2005, Spybot S&D, Giant Spyware, and HijackThis!.
> None of these Apps resolved this problem.
>
> I manually removed the reg entries and files, but the Rundll32.exe
> recreates them.
>
> I tried these steps in Normal & Safe modes, but the Rundll32.exe always
> runs.
>
> I want to know how the Rundll32.exe is getting started.
> Is there a process for tracing calls to Rundll32.exe?
>
> This leads me to:
>
> PROBLEM 2
>
> I want to run SysInternals Process Explorer. Each time I start it I get
> a message "Process Explorer requires Debug Privileges". This happens
> with several other utilities also.
>
> I have 2 IDs, Administrator and Owner, and both are in the
> Administrator group.
>
> Why are Debug privileges not assigned to Administrator and Owner?
> Is this a result of implementing XP SP2?
> Is this a result of implementing .Net?
> Is this a result of this Rundll32.exe?
>
> Any help will be appreciated.
> Thanks
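A defender's triage script for the symptoms above, added here as an example and not code from the thread or from Lavasoft: it lists every CLSID under the Approved shell-extension key, resolves each to its in-process DLL, and flags DLLs that are unsigned or recently created in System32, then checks whether the current token holds SeDebugPrivilege. It assumes the full key path HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved and a current Windows with PowerShell (Get-AuthenticodeSignature and whoami were not on a 2004 XP Home box).

```powershell
# Added triage example, not code from the thread. Every approved shell extension is a
# CLSID; its DLL lives under HKCR\CLSID\{...}\InProcServer32. A pest that drops a random
# DLL into System32 and approves it shows up here as an unsigned, freshly created file.
param([int]$RecentDays = 7)

$approvedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$system32    = Join-Path $env:SystemRoot 'System32'
$cutoff      = (Get-Date).AddDays(-$RecentDays)

function Resolve-ClsidDll([string]$Clsid) {
    # The (Default) value of InProcServer32 is the DLL path, possibly quoted or with %vars%
    $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32"
    $raw = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $raw) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

$findings = foreach ($prop in (Get-ItemProperty -Path $approvedKey).PSObject.Properties) {
    if ($prop.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }   # skip PSPath etc.
    $dll   = Resolve-ClsidDll $prop.Name
    $flags = @()
    if (-not $dll) {
        $flags += 'no InProcServer32'
    } elseif (-not (Test-Path -LiteralPath $dll)) {
        $flags += 'dll missing'
    } else {
        $file = Get-Item -LiteralPath $dll
        $sig  = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
        if ($file.DirectoryName -eq $system32 -and $file.CreationTime -gt $cutoff) {
            $flags += "created $($file.CreationTime.ToString('yyyy-MM-dd')) in System32"
        }
    }
    [pscustomobject]@{
        CLSID       = $prop.Name
        Description = $prop.Value
        Dll         = $dll
        Flags       = ($flags -join '; ')
    }
}

# Flagged entries first; an empty Flags column means nothing stood out for that CLSID.
$findings | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize

# The second symptom: Process Explorer needs SeDebugPrivilege. Administrators normally
# hold it (disabled until enabled on demand); if it is absent here, the token is the problem.
whoami /priv | Select-String -Pattern 'SeDebugPrivilege'
```

Run it from an elevated PowerShell so the CLSID and Approved keys are fully readable; a CLSID whose DLL is unsigned and days old in System32 is the entry to investigate, not to delete blindly, since the original post shows the dropper recreates it.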