rundll32 virus or not?

ericestrella
Mar 26, 2013
So I just want to make sure that rundll32 is not a virus. I searched my hard drive for all traces of this and this is what came up:

a text document for nvidia
an application for malwarebytes
4 MUI files, one located in Windows/SysWOW64/en-US, one located in Windows/System32/en-US, one located in Windows/winsxs/x86_microsoft-windows-rundll32.resources etc, and one located in Windows/winsxs/amd64_microsoft-windows-rundll32.resources etc
And finally, 4 applications, one in Windows/System32, one in Windows/SysWOW64, one in Windows/winsxs/x86_microsoft-windows-rundll32_etc, and one in Windows/winsxs/amd64_microsoft-windows-rundll32_etc.

The "etc" are just a mishmash of numbers and letters. But my question is, is my computer okay? Does this all look normal?
Solution

rundll32.exe is an application that is used to run specific named routines located within .dll files.

Windows uses the Portable Executable (PE) file format for storing executable programs. There are a variety of file extensions for this, including .exe, .dll, .sys, .ocx and more. Technically speaking, .exe files and .dll files are structurally identical; the difference is in their purpose.
A .exe file is presumed to have a main entry point that allows the file to be used to start a new process. A .exe file may or may not have a symbol table which allows it to be used in conjunction with other programs.
A .dll file is presumed to not have a main entry point and as such a .dll file cannot be run on its own. A .dll file almost always has a symbol table which allows the file to be used in conjunction with other programs.

In Windows many system routines are located within .dll files. These routines are usually accessed through other programs such as Windows Explorer. However, if one wishes to run a routine in a .dll file without having a specific program to invoke it, rundll32.exe can be used in its place.

rundll32.exe has a very simple interface: "rundll32.exe <path to dll>,<routine name>"

Given that it's a fairly common and well known program, many computers will have one or more instances running in the background. This makes the name an attractive target for malware authors as the name is less likely to raise suspicion.

On a 64-bit version of Windows you should have 4 copies of rundll32.exe, one in System32 (the active 64-bit version), one in SysWOW64 (the active 32-bit version), and the two in the component store folder (winsxs) which are inactive backups of the two active copies.

From what I can tell, you're good to go. If you're curious about what that particular instance of rundll32.exe is doing, you can examine the command line in Task Manager to see what DLL and routine it has invoked.
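As an added example (not part of the original thread or its answer), the following PowerShell script performs the two checks the answer describes: it locates the expected rundll32.exe copies on a 64-bit Windows install, reports each one's Authenticode signature and SHA-256 hash, and then lists every running rundll32.exe instance with its image path and the DLL/routine on its command line, flagging any instance that did not start from System32 or SysWOW64. It assumes 64-bit Windows with PowerShell 5.1 or later, run from an elevated prompt so that command lines of processes in other sessions are visible.

```powershell
# Added example, not from the original thread. Assumes 64-bit Windows,
# PowerShell 5.1+, and an elevated prompt (needed to read every process's
# command line through Win32_Process).

# The two active copies named in the answer above.
$activeCopies = @(
    "$env:SystemRoot\System32\rundll32.exe",   # active 64-bit copy
    "$env:SystemRoot\SysWOW64\rundll32.exe"    # active 32-bit copy
)

# The winsxs backups sit in folders whose names end in a hash-like string,
# so they are located with a wildcard instead of a fixed path.
$backupCopies = Get-ChildItem -Path "$env:SystemRoot\winsxs" -Directory `
        -Filter '*microsoft-windows-rundll32_*' -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'rundll32.exe' } |
    Where-Object { Test-Path $_ }

Write-Host '== On-disk copies =='
foreach ($path in ($activeCopies + $backupCopies)) {
    if (-not (Test-Path $path)) {
        Write-Host "MISSING $path"
        continue
    }
    # System binaries are catalog-signed; Get-AuthenticodeSignature resolves
    # catalog signatures on Windows 8 / PowerShell 4 and later.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $signedByMs = ($sig.Status -eq 'Valid') -and
                  ($sig.SignerCertificate.Subject -match 'Microsoft')
    $verdict = if ($signedByMs) { 'OK     ' } else { 'CHECK  ' }
    Write-Host "$verdict $path"
    Write-Host "        signature=$($sig.Status)  sha256=$hash"
}

Write-Host "`n== Running instances =="
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
ForEach-Object {
    $exe = $_.ExecutablePath
    # Only the two active copies should ever be the image of a rundll32
    # process; -contains compares strings case-insensitively.
    $expected = $activeCopies -contains $exe
    $parent = Get-CimInstance -ClassName Win32_Process `
        -Filter "ProcessId = $($_.ParentProcessId)" -ErrorAction SilentlyContinue
    $verdict = if ($expected) { 'OK  ' } else { 'ODD ' }
    Write-Host "$verdict PID $($_.ProcessId)  parent=$($parent.Name)  image=$exe"
    # The command line shows exactly which DLL and routine were invoked,
    # the same information Task Manager's command-line column displays.
    Write-Host "     cmd: $($_.CommandLine)"
}
```

The on-disk section normally shows all four copies as signed by Microsoft, and the winsxs backup hash should match the hash of the corresponding active copy (System32 for the amd64 folder, SysWOW64 for the x86 folder), since the component store backs the active files. In the process section, an instance reported as ODD (an image path outside System32 or SysWOW64), or one whose command line loads a DLL from a user-writable location such as a temp or profile folder, is what deserves a closer look with an antimalware scan; an instance started by explorer.exe or svchost.exe running a DLL from System32 is the everyday case the answer describes.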

ericestrella

Okay, thank you so much for the help. I started to panic there for a second because I'm not the most knowledgeable in terms of computers. Thanks again for everything!

You're most welcome!