My other computer has that on its behavior shield. I don’t use it but someone else does, and the last thing analyzed/suspicious was that. Is it a virus or something? The person also said it didn’t alert or anything, but I’m not sure if he’s right. Would it alert? If so, why is it suspicious? What could it mean?
It’s running the latest avast! and it’s Windows XP. I think it’s SP3, not sure though.
I’m currently running a full system scan and then I’m gonna run a MBAM Full system scan. Just like to know some info on C:\WINDOWS\system32\rundll32.exe
This program is part of Windows, and is used to run program code in DLL files as if they were within the actual program. However, many viruses also use this name or similar ones. This file is also commonly used by spyware to launch its own malicious code.
Note: the valid process is normally located at \Windows\System32\rundll32.exe, but sometimes spyware uses the same filename and runs from a different directory in order to disguise itself. If you think you have a problem, you should always run a scan to be sure, but we can verify exactly what is going on… so keep reading.
And you can always upload and test the file at virustotal.
avast! detected it as a suspicious behavior. I don’t know why it was executed, and I want to make sure his computer is safe. So far nothing on the full system scan, and upon further investigation the last time it happened was August 10th. If it is indeed malware, I can’t really use OTL or aswMBR since it isn’t my computer and the computer is so slow a full system scan takes almost an hour. Would the full system scan detect it? Otherwise I guess I’ll have to use OTL and aswMBR and send in the logs.
EDIT: Is it spelled with a capital “S” in the “system” part? If so it does indeed seem malicious.
Although you don’t say exactly where you are seeing this, a good guess would be in the Behavior Shield stats screen (see image)?
There are many things which could be deemed suspicious activity (and I don't know them all as an avast user), but what is more important is the fact that whatever it was wasn't suspect enough to warrant an alert.
If you know what the rundll32.exe does (registers dll files) now the registration of a dll file in a strange location might be considered suspicious, but that doesn't mean that the rundll32.exe is suspicious.
^^^^
Me I tend to keep my nose out of logs, etc. unless I get alerts/errors displayed to the screen, otherwise you will worry yourself into an early grave.
Also, DavidR, does that mean that it might not be suspicious at all and just might be something that COULD be suspicious?
I have noticed it was linked to using Media Player.
Wait, you have what I said all wrong. It DID warrant an alert. I think he just lies to me sometimes to avoid me sticking my nose into his computer, but it is shown as the last behavior scanned and last behavior suspicious. I think he lied to me saying nothing popped up.
As I said above then “Being considered suspicious and being bad or infected are two different things.”
I only ever worry about alerts or errors to the screen. If the rundll32.exe were actually infected then the file system shield would alert on it. You need to check the behavior shield, expert settings to see what it is actually checking for, the kind of suspicious behavior/activity. It is possible that an activity could be considered suspicious, but then the circumstances of that activity would have to prove it malicious rather than legit.
It’s monitoring for low-level rootkits, malware-like behavior, or unauthorized processes.
Also, having to upload a file to virustotal is a bad thing. avast! should have detected and deleted the process from happening if it does indeed turn out to be malware.
Could it be involved with AVG? Just noticed that AVG is installed on the computer. It doesn’t seem to have been active, but it does seem to still update itself.
No security program has 100% detection. If they did, viruses would not be a problem.
I’ll see if I can upload it to VT. I kind of feel safe now, as it was detected a week ago, but no File System Shield alert or anything. It might just be something that avast! is keeping its eye on.
No use. Can’t upload it to VT. I’m done with it for now.
There is no point in saying “No use. Can’t upload it to VT.” as we can’t offer any suggestion. If we know why it can’t be uploaded (errors given, how you were trying to upload it, etc.), then perhaps we can find a means to get round it.
This has nothing to do with AVG that you also have installed, but that has to be uninstalled in the normal way and possibly with another tool.
Uninstall possible remnants of previously installed AVs, see http://singularlabs.com/uninstallers/security-software/; this has a collection of manufacturers’ removal tools, so that should remove any remnants, registry, etc.
You have to understand the concept of suspicious activity - I see a man lurking in the shadows so I phone the police - it turns out that he was in the local neighbourhood watch monitoring the area - not suspicious any more. So avast does the same: it checks out suspicious activity and it may or may not find it legit on investigation.