RunSvr32.exe

Hi All,

What is runsvr32.exe?

It appears to be in my startup and loads a command prompt window which then
disappears.  It never used to be there.

I had Norton AntiVirus 2003 on my computer which detected and removed a
virus and it seems to have been there since then.  Is it remains of the
virus?  I do not know what the virus was. It just came up as unknown trojan.

Regards

Jamie



Re: RunSvr32.exe

On Sun, 07 May 2006 09:34:03 GMT, "Jamie Allison"


That's a file name of a normal Windows program that runs DLLs and
Services.  


You might have something like this spyware, or remnants:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=SPYW_ORBIT.A&VSect=T

Note how runsvr32.exe _is used by_ the Trojan and not the Trojan
itself.

Some scanners you might try include Spybot, Ewido, AdAware, and
Trend's Sysclean. The av utility KAVDOSNT.exe (see my web site)
is also likely to detect and help remove the malware.

Art
http://home.epix.net/~artnpeg

  

Re: RunSvr32.exe

"Art" wrote:


Not on my system (Win2k). rundll32.exe or svchost.exe is used for that.


Either it's an XP executable, or they meant rundll32.exe.



Re: RunSvr32.exe



Read the description in the link I gave. I assumed it is an XP file.

Art
http://home.epix.net/~artnpeg


Re: RunSvr32.exe


Not on my XPsp2 system...

-jen



Re: RunSvr32.exe

"Art" wrote:


You should know me better than that; I already did. I believe
they (Trend Micro) are mistaken.


I doubt it. Searches show it either appearing in a few HJT logs, or as
a misspelling for the legitimate regsvr32.exe.



Re: RunSvr32.exe

Ant wrote:

All regsvr32.exe does is register and unregister COM components or DLL(s).

There is no such program as runsvr32.exe on the NT based O/S that's
running DLL or services. Svchost.exe's job is to run services and an exe
can host common DLL's used by other applications running on the machine
or it can use DLL's dedicated to its execution.

Dllhost.exe can host DLL's and like svchost.exe, if dllhost.exe is not
running out of system32, then it's a trojan.

http://www.neuber.com/taskmanager/process/dllhost.exe.html

Duane :)

Re: RunSvr32.exe

"Duane Arnold" wrote:


And BHOs, which are DLLs in the form of ActiveX controls (.ocx).


You said that already, and I reckon you're right.

This is what Trend say:

"When installing BHOs, it uses the RUNSVR32.EXE file, which is located
 in the Windows system folder and a component of Windows that executes
 services or DLL functions".

I think they made a typo, along with a few other people where it's
more obvious they meant to say regsvr32.exe. Trend may have meant to
say rundll32 here, but they are confusing installing BHOs with running
DLLs or services. It's possible the malware author, in naming his
creation runsvr32, is taking advantage of this apparent endorsement by
Trend and others.
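
Added example, not part of the original thread: a Python triage check that combines the two rules of thumb from the posts above, namely that a known Windows host binary running from outside system32 is suspect, and that a name such as runsvr32.exe sits within a few characters of regsvr32.exe and rundll32.exe. The `C:\Windows\System32` location, the edit-distance threshold of 3 and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# Host binaries named in the thread; expected folder is an assumed default install path.
KNOWN = {"rundll32.exe", "regsvr32.exe", "svchost.exe", "dllhost.exe"}
SYSTEM32 = r"c:\windows\system32"


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(image_path, max_distance=3):
    """Classify one process or autostart image path (Windows-style string)."""
    path = ntpath.normpath(image_path).lower()
    folder, name = ntpath.split(path)
    if name in KNOWN:
        # Genuine name: only trusted when it sits in system32.
        return "ok" if folder == SYSTEM32 else "known-name-wrong-path"
    # Unknown name: report any known binary it closely resembles,
    # even if the file itself lives in system32.
    near = sorted(k for k in KNOWN if edit_distance(name, k) <= max_distance)
    return "lookalike:" + ",".join(near) if near else "unlisted"


# Constructed sample entries, e.g. as copied from a startup or process listing.
SAMPLES = [
    r"C:\WINDOWS\system32\runsvr32.exe",
    r"C:\WINDOWS\system32\dllhost.exe",
    r"C:\Documents and Settings\user\dllhost.exe",
    r"C:\WINDOWS\notepad.exe",
]


def triage(paths):
    """Return {path: verdict} for every entry that is not plainly fine."""
    verdicts = {p: classify(p) for p in paths}
    return {p: v for p, v in verdicts.items() if v not in ("ok", "unlisted")}


if __name__ == "__main__":
    for path, verdict in triage(SAMPLES).items():
        print(f"{verdict:45} {path}")
```

A "lookalike" or "known-name-wrong-path" verdict is a reason to inspect the file (signature, hash, scanner result), not proof that it is malicious.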



Re: RunSvr32.exe

Ant wrote:

A BHO's Browse Helper Object that's a good one. I had to Google that one
up.  What are they going to come with the next. ;-)

ActiveX is a COM component, which can be used by a Browser/Web form/Web
based solution or Windows/Win form/desktop solution.

http://www.microsoft.com/com/default.mspx

And you're right that regsvr32.exe must register an OCX/COM component to
the O/S so that it can be used, just like a COM DLL.


Yeah, regsrv32.exe doesn't run anything it registers or unregisters a
COM/DLL or COM/(.ocx) with the O/S.


You're probably right.

Duane :)


Re: RunSvr32.exe

On Sun, 07 May 2006 22:31:22 GMT, Duane Arnold


It's nothing new buckwheat, you're just advertising how sadly lacking
you are. Best leave the advice to someone who knows what they are
talking about.


Jim.


Re: RunSvr32.exe

James Egan wrote:

Oh, it's the *clown* the main *clown* himself
Chasing-Cunt-Master-Tool-Tips-Egan is on the scene!

You're about as dumb and a racist piece of trash as they come you stupid
clown.

I have used and created COM, COM+ and ActiveX controls in programming MS
solutions using VB, VB.NET, and C#.NET solutions and we don't call them
BHO's - LOL - not pointing at you Ant but rather this crazed lunatic
called Egan that's obsessed with me. :)

This so called *man* which I am beginning to doubt that he's a man but
more like a fag is pathetic. ;-)

You're a pure Tool Tips *clown* as usual Tool-Tips-Egan. ;-)

Duane :)


Re: RunSvr32.exe

On Mon, 08 May 2006 01:20:01 GMT, Duane Arnold


In your usenet dreams maybe, just tap it into google and see the
result. lol. In the real world, any newbie who subscribes to this ng
for more than a couple of months would know what a browser helper
object is. It's fundamental if you're a security advisor (or wannabee
like yourself).


Jim.


Re: RunSvr32.exe

James Egan wrote:

Oh yeah, Tool-Tips-Egan a Browser Helper Object that's real good - LOL.
An ActiveX a Component Object Model that not only deals with Browser but
Windows Desktop application GUI's too is a Browser Helper Object. It's
too funny.

Only an ignorant fool like yourself would start calling an ActiveX
control  a Browser Helper Object. LOL

We'll have a good laugh about that one when I start at my new job
building ASP.NET solutions this coming Monday.

BTW, here is my MS MCP number that covers VB 6 and .NET solutions
2164582, since you're so concerned *boy* -- go look it up. ;-)

I have been writing, testing, and implementing MS COM, COM+ and ActiveX
programming solutions in building corporate business solutions, since 1999.

Someone needs to lock your crazed ass back up and up under the asylum
this time with a case of Proack and throw away the key.

When did you escape from the asylum?

You're not even sharper than a rusted out old blade -- you racist bastard.

Duane :)



Re: RunSvr32.exe

On Mon, 08 May 2006 15:11:00 GMT, Duane Arnold


Let's see you quote the text where I said that, buckwheat. Oh you
can't! Maybe you're just another worm wriggler and not a very good one
at that.


Let's send them the url details so they can find out for themselves
they didn't just employ a charlatan but a foul mouthed charlatan to
boot.


Jim.


Re: RunSvr32.exe

James Egan wrote:

I was posting to Ant minding my own business when you with your Lone
Ranger sorry ass rode up and needed to put in your worthless $.02 from
your broom.


Well, they are going to pay this charlatan some long dollar$ for my
expertise and there is not a damn thing you can do about it. ;-)

You should go jack off somewhere under the asylum and take a couple of
Proack(s) and be happy. It's just a *Tool Tip* for you
The-Racist-Bastard-Tool-Tips-Egan. ;-)

Duane :)

Re: RunSvr32.exe

Am I the only one on here who comes for information and is BORED STIFF by
this senseless vendetta you two have against each other.  Why don't you go
away, both of you and leave the ng to deal with virus problems.


Duane Arnold wrote:




Re: RunSvr32.exe

aalaan@tpg.com.au wrote:

I suggest you take it up with that *clown* who has lost it. I am minding
my own business. I got no vendetta with this *clown*. I am just
returning gun fire.

It's the Little-Sheriff-and-Lonely-Ranger-Fag-Nazi-Tool-Tips-Egan that's
riding around on his lonely broom needing attention looking for any
opportunity to *jack off*.

I am not following this *clown* around posting to him and could care
less about what he's posting. He means *nothing* to me and he never has
the four years or so I have been coming to this NG.

He's just the sorry NG lapdog running around that has broken several
leashes as he foams about the mouth. ;-)

I am not going anywhere and I will continue to dog the little Nazi NG
lapdog out.

Maybe, you can give him slobbering bones laced with Proack and sedatives
and he'll go slobber on them as a distraction and bed himself down. ;-)

Duane :)

Re: RunSvr32.exe

On Wed, 10 May 2006 06:05:07 +1000, aalaan@tpg.com.au wrote:


Sad to say you'll never get rid of him in a month of Sundays.
Buckwheat and the K-Man are two of a kind. It's a matter of making
those who don't know him aware that he's a self confessed charlatan so
they don't take what he says seriously.


Jim.


Re: RunSvr32.exe

James Egan wrote:

And you're K-Hen's bastard child that has not had your coming out
party. You're just on a smaller scale in this NG that's all *boy*.

Actually, you're worthless when it comes to the *Rag* game.

Now you remember *boy*, you put yourself here I didn't put you here.

You come back now ya hear! ;-)

Duane :)


Re: RunSvr32.exe

On Tue, 09 May 2006 21:48:19 GMT, Duane Arnold


I'm not playing this "Rag game" as you call it, buckwheat. Everything
I said is true.


Jim.

