# rundll32.exe Malware?



## mel4him (Mar 25, 2007)

My Task Manger lists two rundll32.exe. Is this a sign of malware and if so, how do I fix it.


----------



## Joefireline (Apr 2, 2006)

Hello and welcome to TSF,
Well, rundll32.exe is a legitiment process, but with 2, I'm not so sure...
Run through these steps: http://www.techsupportforum.com/sec...pdated-important-read-before-posting-log.html
And post a HJT log here: http://www.techsupportforum.com/security-center/hijackthis-log-help/


----------



## Glaswegian (Sep 16, 2005)

Hi and welcome to TSF.

Have a search on your computer and check the location of rundll32.exe. It should be in the c:\Windows\system32 folder. Anywhere else and it's likely malware. It is used to load various library files (.dll) requested by Windows. How much memory is each instance using and what other apps did you have open at the time?


----------



## mel4him (Mar 25, 2007)

This is what I get when I run a search for rundll32.exe:

RUNDLL32.EXE-44D2B0C6.pf C:\WINDOWS\prefetch
RUNDLL32.EXE-4DED6A50.pf C:\WINDOWS\prefetch
RUNDLL32.EXE-4EE39BB6.pf C:\WINDOWS\prefetch
RUNDLL32.EXE-5469015F.pf C:\WINDOWS\prefetch
RUNDLL32.EXE-62B8DA1A.pf C:\WINDOWS\prefetch
RUNDLL32.EXE-73C8210F.pf C:\WINDOWS\prefetch
RUNDLL32 C:\I386
rundll32 C:\WINDOWS\$NtServicePackUninstall$
rundll32 C:\WINDOWS\SYSTEM32
rundll32 C:\WINDOWS\ServicePackFiles\i386

And the only program that I have running is my AOL Browser at least that is the only one I opened.

The first rundll32.exe is using 2,728k and the other is using 1,808k


----------



## Glaswegian (Sep 16, 2005)

Locations are OK - backup copies of system files are held in i386 and memory usage is OK.

Have you run any AV scans recently? Are you having any problems such as pop ups or browser redirects or anything unusual?


----------



## mel4him (Mar 25, 2007)

Sorry it took me so long. I was having internet connection issues. Anyhow. I after rebooting my computer I checked the Task Manager and the rundll32.exe was there twice before I opened my AOL Brower. In regard to things that have been happening on my system, well first, I seem to be losing my internet connection alot more lately. I had to power cycle my modem just last Sunday in order to reset my IP address because I was losing my connection every 5 minutes. Same thing happened today. So I power cycled my modem again and it seems to be working fine now. Second, I keep getting the not responding message when I open a few of my Microsoft programs. Yesterday it was Microsoft Word and Picture It 7.0. As for Antivirus programs. I just ran SuperAntiSpyware and I have also run in the past week or so, when this all began, Ad-Adware SE, Spywareblaster, Spybot Search and Destroy, CW Shredder. The only thing I came up with was tracking cookies except for Spybot S&D. It gave me a Window Security Issue or something like that. I would have to run it again to find out. I removed it but it came back.


----------



## Glaswegian (Sep 16, 2005)

Is Windows patched up to date?


----------



## mel4him (Mar 25, 2007)

yes, and I keep losing my internet connection. I just ran Spybot S&D and it was clean so thats good. I have to leave for a bit. I am going to have to continue a bit later if that is okay. Let me know if there is anything else I can do so that I can give you any more info you may need to help me. And thanks for your help. I look forward to working with you in regards to this problem.


----------



## Glaswegian (Sep 16, 2005)

OK - I think we need to have a proper look at your system. Please follow these instructions carefully.

Download *Deckard's System Scanner (DSS)* to your *Desktop* . Note: You must be logged onto an account with administrator privileges.
*Close* all applications and windows.
*Double-click* on *dss.exe* to run it, and follow the prompts.
When the scan is complete, two text files will open - minimised > *extra.txt* and maximised > *main.txt*.
Copy *(Ctrl+A then Ctrl+C)* and paste *(Ctrl+V)* the contents of *main.txt* in a new thread 
in the *HJT Forum* *(do not attach it or post it here). *
Please *attach* *extra.txt* to your post.


To attach a file to a new post, simply

Click the[*Manage Attachments*] button under *Additional Options > Attach Files* on the post composition page, and
*copy and paste* the following into the "*Upload File from your Computer*" box: *C:\Deckard\System Scanner\extra.txt*​
 Click *Upload.*


Also provide a link to this thread for reference.

Please note that the HJT forum is constantly busy, so I would ask that you be patient while waiting for a reply.


----------



## Meatgull (Dec 4, 2008)

I have the same search results as him but no unusual internet issues. I have a question though. Is it ok if my rundll32.exe is being run by a user (me) and not the system?


----------



## Glaswegian (Sep 16, 2005)

Hi and welcome.

Yes, that's normal. 

You can view more details on the .dll files being loaded by using Process Explorer

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx


----------



## Meatgull (Dec 4, 2008)

Thanks I was a little worried. It just showed up on day and i thought it was malware


----------

