Strange startup process, slowly eating more memory.

3 replies to this topic

#1 Hewlett-Packard

Hewlett-Packard

  • Members
  • 2 posts

Posted 28 October 2012 - 08:05 AM

Hello,

I'm getting a strange process appear on startup (that wasn't there before). It will start at about 200 K working memory and work its way up to 40,000 K+

Image Name: rundll32.exe
PID: 5712
Command Line:
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding


Is this dangerous? I've not been experiencing any troubles with my computer (HP Laptop) other than some random freezes (which I plan to post about later).

Things I've tried:

  • Checking startup items using CCleaner/HJT (none matched).
  • Run full, quick, and flash scans using Malwarebytes with latest virus definition (scan results came up clean).
  • Run TDSSKILLER (came up with no issues but some unsigned files which were skipped).
  • Checked registry for the {995C996E-D918-4a8c-A302-45719A6F4EA7} key.

A registry search shows the following keys/entries:
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{995C996E-D918-4a8c-A302-45719A6F4EA7}


I'm very paranoid when it comes to processes running, especially those that I did not authorize, and seem to serve no purpose other than to eat memory.

Thanks in advance.



#2 Sightless

Sightless

  • Members
  • 435 posts
  • Gender:Male
  • Location:Up in the Clouds

Posted 28 October 2012 - 10:35 AM

Hi, rundll32.exe is a valid Windows process when running from the System32 folder.

#3 Hewlett-Packard

Hewlett-Packard
  • Topic Starter

  • Members
  • 2 posts

Posted 28 October 2012 - 11:14 AM

> Hi, rundll32.exe is a valid Windows process when running from the System32 folder.


I realize that, but what is it doing? What is with the strange parameters it's running with?

I mean, notepad.exe is also a valid Windows process out of System32, but that doesn't mean it should run on startup with strange parameters, no?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 October 2012 - 08:34 PM

This is OK, there is a good explanation HERE
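The first post already did the right thing by chasing the CLSID into the registry; the step it stopped short of is reading what that registration points to and whether the file is signed. The following is an added PowerShell example (not code from the thread or from BleepingComputer) that does exactly that for a rundll32 / SHCreateLocalServerRunDll command line. It assumes only the command line shown in the first post and standard cmdlets; the function name Resolve-ComServer is my own.

```powershell
# Added example: map the CLSID in a SHCreateLocalServerRunDll command line to
# its registered COM server, print the friendly name, and check the binary's signature.
function Resolve-ComServer {
    param([Parameter(Mandatory=$true)][string]$CommandLine)

    # Extract the {GUID} that rundll32 passes to SHCreateLocalServerRunDll.
    if ($CommandLine -notmatch '\{[0-9A-Fa-f-]{36}\}') { throw 'No CLSID found in command line' }
    $clsid = $Matches[0]

    # Native view, 32-bit view on 64-bit Windows (Wow6432Node), and the AppID entry.
    $keys = @("Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
              "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid",
              "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\$clsid")

    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        # The key's default value is the human-readable class name.
        $friendly = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        Write-Output "$key"
        Write-Output "  friendly name: $friendly"

        # LocalServer32 = out-of-process EXE (what -Embedding launches);
        # InprocServer32 = DLL loaded into the caller's process.
        foreach ($sub in 'LocalServer32', 'InprocServer32') {
            $subKey = "$key\$sub"
            if (-not (Test-Path -Path $subKey)) { continue }
            $server = (Get-ItemProperty -Path $subKey).'(default)'
            Write-Output "  ${sub}: $server"

            # Isolate the file path (quoted or not) and expand %SystemRoot% style variables.
            if ($server -match '^\s*"?(.+?\.(exe|dll))\b') {
                $file = [Environment]::ExpandEnvironmentVariables($Matches[1])
                if (Test-Path -Path $file) {
                    $sig = Get-AuthenticodeSignature -FilePath $file
                    # Inbox Windows binaries are often catalog-signed and can report NotSigned
                    # on older PowerShell versions; cross-check with sigcheck -a in that case.
                    Write-Output ("  file: {0}`n  signature: {1} ({2})" -f $file, $sig.Status, $sig.SignerCertificate.Subject)
                } else {
                    Write-Output "  WARNING: registered server not found on disk: $file"
                }
            }
        }
    }
}

# The command line quoted in the first post.
Resolve-ComServer -CommandLine 'C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding'
```

A registration whose friendly name is a known Windows component and whose server file sits under System32 with a valid Microsoft signature is the benign case; a LocalServer32 pointing to a user-writable path, an unsigned file, or a file missing from disk is what merits a closer look.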
