Registry startup entry suspicious?

BlackScarlet

I'm looking through my startup programs and I see a peculiar-looking one. It says rundll32.exe but it sure isn't in system32...

I can't find any info on any of the other bits of text on the string, can anyone tell me what they think of this piece?

[attached screenshot: regeditn.png]
 
rundll32.exe should definitely be in c:\windows\system32, and also in c:\windows\system32\dllcache, where it usually runs from because it is continually called in Windows to start various DLLs. The link shown is in fact running rundll32.exe, which is being instructed to start mciCommsspl.dll as a service with two parameters, winmobileSevices and eventwebxx.

mciCommsspl would be something installed by an application, possibly a BlackBerry handset communicator with security. However, neither mciCommsspI nor spL nor spi comes up on a web search, and it must therefore be considered highly suspect until proven otherwise.

You probably know that it is difficult to distinguish lower-case L and upper-case i in the Windows Arial font, and malware often makes use of that fact to hide under a name that is superficially the same as a genuine MS DLL.

Perhaps you should explain exactly what is happening to cause you to query that address.
 
You'll need to log in as admin, back up the registry, and know how to get to safe mode.
1) Work without the file for a day or two:
If you go to the directory and RENAME the file by prepending an x, so abc.dll becomes xabc.dll, then reboot. If all is good for a day, you can delete the DLL. If there is an issue, you can reboot in safe mode and rename it back, removing the x.

2) Clean the traces/uses of it:
Run CCleaner and it will remove any entries that are related to the DLL.
Note: deselect all the entries, READ all the entries first, and manually select the entries to delete. If not sure, don't select for removal.

If you get an error deleting the DLL, make sure you are logged in as admin/administrator. Also run an anti-virus and anti-spyware check, because there may be an application locking access to it.
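As an added example (not posted by anyone in this thread), here is a small Python checker for a startup value like the one in the screenshot: it splits the rundll32 command line into host executable, DLL, entry point and arguments, flags a rundll32.exe that is not running from the system32 locations named above, and lists the lower-case L / upper-case i look-alike spellings of the DLL name so you know what else to search for. The sample value is constructed, and the C:\WINDOWS\Temp path is an assumption, since the thread does not give the real path.

```python
import ntpath
import re
from itertools import product

# Directories the genuine rundll32.exe normally runs from (named in the thread).
EXPECTED_HOST_DIRS = {r"c:\windows\system32", r"c:\windows\system32\dllcache"}

# Glyphs that render alike in the Windows Arial UI font: lower-case L and upper-case i.
CONFUSABLES = {"l": "lI", "I": "lI"}

# Constructed sample startup value; the Temp path is an assumption, not from the thread.
SAMPLE_VALUE = r"C:\WINDOWS\Temp\rundll32.exe C:\WINDOWS\Temp\mciCommsspl.dll,winmobileSevices eventwebxx"


def parse_rundll32_entry(value):
    """Split '<host exe> <dll>,<entry point> <args...>'; None if not a rundll32 call."""
    tokens = re.findall(r'"[^"]+"|\S+', value)  # keep quoted paths whole
    if len(tokens) < 2:
        return None
    host = tokens[0].strip('"')
    if ntpath.basename(host).lower() != "rundll32.exe":
        return None
    dll, _, entry = tokens[1].strip('"').partition(",")
    return {"host": host, "dll": dll, "entry": entry, "args": tokens[2:]}


def lookalike_spellings(name):
    """Other spellings that look identical to `name` on screen (l <-> I)."""
    stem, ext = ntpath.splitext(name)
    if not 0 < sum(ch in CONFUSABLES for ch in stem) <= 8:  # nothing to swap, or too many
        return []
    choices = [CONFUSABLES.get(ch, ch) for ch in stem]
    return sorted({"".join(p) + ext for p in product(*choices)} - {name})


def assess_entry(value):
    """Return the parsed entry plus a list of reasons it deserves a closer look."""
    parsed = parse_rundll32_entry(value)
    if parsed is None:
        return None
    findings = []
    host_dir = ntpath.dirname(parsed["host"]).lower()
    if not host_dir:
        findings.append("rundll32.exe given without a path; resolved via search order")
    elif host_dir not in EXPECTED_HOST_DIRS:
        findings.append("rundll32.exe launched from outside system32: " + host_dir)
    alternatives = lookalike_spellings(ntpath.basename(parsed["dll"]))
    if alternatives:
        findings.append("DLL name has look-alike glyphs; also search for: " + ", ".join(alternatives))
    return {"parsed": parsed, "findings": findings}
```

Calling `assess_entry(SAMPLE_VALUE)` reports both the non-system32 host path and mciCommsspI.dll as the spelling to search for alongside mciCommsspl.dll.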
 