Rundll32.exe running always?

Status
Not open for further replies.

TimeParadoX

When I look at my running processes, Rundll32.exe is running. It stays on no matter what.

On boot, idle, playing games, just random on Firefox, anything really.

I've scanned for viruses and I haven't found anything. I've run HJT but have not found any suspicious signatures, and ComboFix does not delete anything.

Could someone help me with this?
 
rundll32.exe is a valid system file which executes a DLL. Some spyware/malware disguise themselves as rundll32.exe, so your first option is to always do a full scan for viruses/spyware.

To find out what rundll32.exe is actually running, do the following:

----------------------------------------
For Windows XP Pro:
Start -> Run, enter the following and click OK:
cmd /c tasklist /m /fi "IMAGENAME eq rundll32.exe" >Desktop\rundll32.txt
Now, open the file rundll32.txt (on your Desktop) and identify the "odd" modules.
(filter out the system files and dependencies used by rundll32.exe)
----------------------------------------
For Windows XP Home:
Download tasklist.exe http://www.computerhope.com/download/winxp/tasklist.exe
Copy the file to c:\windows\system32
Start -> Run, enter the following and click OK:
cmd /c tasklist /m /fi "IMAGENAME eq rundll32.exe" >Desktop\rundll32.txt
Now, open the file rundll32.txt (on your Desktop) and identify the "odd" modules.
(filter out the system files and dependencies used by rundll32.exe)
----------------------------------------
Once you go through the list, you should be able to see what rundll32.exe is actually running
(which is likely just your video card tray icon).
 
This is what it is running:


Image Name                   PID Modules
========================= ====== =============================================
rundll32.exe                2196 ntdll.dll, kernel32.dll, msvcrt.dll,
                                 GDI32.dll, USER32.dll, IMAGEHLP.dll,
                                 ShimEng.dll, AcGenral.DLL, ADVAPI32.dll,
                                 RPCRT4.dll, Secur32.dll, WINMM.dll,
                                 ole32.dll, OLEAUT32.dll, MSACM32.dll,
                                 VERSION.dll, SHELL32.dll, SHLWAPI.dll,
                                 USERENV.dll, UxTheme.dll, IMM32.DLL,
                                 comctl32.dll, comctl32.dll, NvMcTray.dll,
                                 nvapi.dll, SETUPAPI.dll, msctfime.ime,
                                 MSCTF.dll, FRAPS.DLL
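
The "identify the odd modules" step from the instructions above, as an added example that is not part of the original thread: Python that parses saved `tasklist /m` output and subtracts a baseline of Windows module names. The baseline set and the function names are assumptions made for this example.

```python
import re
# Constructed input: the tasklist /m output posted in the thread above.
SAMPLE = """\
Image Name                   PID Modules
========================= ====== =============================================
rundll32.exe                2196 ntdll.dll, kernel32.dll, msvcrt.dll,
                                 GDI32.dll, USER32.dll, IMAGEHLP.dll,
                                 ShimEng.dll, AcGenral.DLL, ADVAPI32.dll,
                                 RPCRT4.dll, Secur32.dll, WINMM.dll,
                                 ole32.dll, OLEAUT32.dll, MSACM32.dll,
                                 VERSION.dll, SHELL32.dll, SHLWAPI.dll,
                                 USERENV.dll, UxTheme.dll, IMM32.DLL,
                                 comctl32.dll, comctl32.dll, NvMcTray.dll,
                                 nvapi.dll, SETUPAPI.dll, msctfime.ime,
                                 MSCTF.dll, FRAPS.DLL
"""

# Assumed baseline (hypothetical, not exhaustive): Windows components that
# appear in the sample. Build your own from a known-clean machine.
BASELINE = set("""ntdll.dll kernel32.dll msvcrt.dll gdi32.dll user32.dll
imagehlp.dll shimeng.dll acgenral.dll advapi32.dll rpcrt4.dll secur32.dll
winmm.dll ole32.dll oleaut32.dll msacm32.dll version.dll shell32.dll
shlwapi.dll userenv.dll uxtheme.dll imm32.dll comctl32.dll setupapi.dll
msctfime.ime msctf.dll""".split())
ROW = re.compile(r"(\S.*?)\s+(\d+)\s+(.*)$")  # image name, PID, first modules

def parse_tasklist_modules(text):
    """Return {(image, pid): [module, ...]} from `tasklist /m` table output."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue  # blank line, header or separator
        m = ROW.match(line)
        if m:  # a new process row; otherwise a wrapped module-list line
            current = (m.group(1), int(m.group(2)))
            procs[current] = []
            line = m.group(3)
        if current is not None:
            procs[current] += [p.strip() for p in line.split(",")
                               if p.strip() and p.strip() != "N/A"]
    return procs

def odd_modules(text, baseline=BASELINE):
    """Per process, de-duplicated module names that are not in the baseline."""
    return {key: sorted({m.lower() for m in mods} - baseline)
            for key, mods in parse_tasklist_modules(text).items()}

if __name__ == "__main__":
    for (image, pid), mods in odd_modules(SAMPLE).items():
        print(f"{image} (PID {pid}): {', '.join(mods) or 'nothing outside baseline'}")
```

Matching is by file name only, because `tasklist /m` does not print module paths; a name in the baseline does not prove the loaded file is the genuine Windows copy.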
 
TimeParadoX, there are a lot of files in there!
Including the tray icon that I suggested earlier.

Do you have a video settings tray icon (near the clock)?

If so right click on it, go through each tab and find where it says disable tray icon.

Does that remove the Rundll32 from Task Manager?

By the way, I edited the command above; now Rundll32.txt will save to your Desktop.

You may want to do it again after removing the tray icon
(the txt will be empty if Rundll32.exe is not running)
 
Hum; I have a clean system and NOT ONE Rundll32 shows up under normal circumstances.

I have seen it launch a dll, run something (which I invoked) and then terminate normally however.
 
I have updated the lines in red above, because the %userprofile% variable is not required. (thanks to jobeard teaching me)

TimeParadoX, is the Rundll32 gone now? (after system tray icon closed)
 
Ok thanks Jobeard / Kimsland, I fixed the problem.

I had the nVidia stuff running so I turned it off in MSConfig and now rundll32.exe isn't running! :)
 
The disabled entries are present in these locations:

HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupfolder

Please navigate to those entries and remove them.

Or you can download Msconfig Cleanup

It's advisable to back up the registry before editing it.

Ideally, instead of using Msconfig and Registry to remove common startups, it's always better to use the program's settings, usually selecting:
Disable Startup checkbox
 