An Inscrutable Girl

How To Remove Virus Affecting rundll32.exe: Part 1

Posted on: July 13, 2008

Edit: 5th Dec ’08: I have dropped in a line to McAfee‘s Webimmune service and submitted the symptoms and the manifestations of the virus. Expecting a reply soon.

A request: Please read the whole post carefully and the second post too..Be assured i removed this virus in my PC and you can too..I have edited this post to write this because some readers have responded that they were unable to remove the virus. I have written my experience here with the rundll32.exe virus and the steps i took to remove it. I will try to help you in case this doesnt work. Good Luck!

FOR SOFTWARE ALSO READ: How To Remove Virus Affecting rundll32.exe: Part 2


First, The Story: I am working on my project work at ISRO,Ahmedabad. I was allotted a PC which was relatively new and the company guys who maintained the PC had installed Windows Server 2003 OS with NO anti virus software..Can you believe that?? Some trainees worked on the PC for two months before me but none of them bothered to install anti-virus software.The very next day i brought my McAfee Setup from my home PC.McAfee ROCKS! I tried to install it but i got a FEAD error..couldnt figure it out then. I tried to install Adobe Reader 8 and got the same error. Then finally i got AVAST Server Edition from a friend. But every anti-virus software is as good as its updates.

So finally i was stranded in a world full of viruses! Some days back when i booted the PC in the morning, it showed all the following signs of virus:

I tried to click the existing shortcuts and got an APPLICATION ERROR: Coudnt find C:\Windows\system32\rundll32.exe

Try creating new shortcut: same error..

My Computer> Properties> Same error

Add-Remove Programs>Same error

Help and Support>Same error ..that meant i couldnt restore it too

I was really scared.It meant i couldnt install any new anti virus or anything else..nor could remove.

The only solution in distant horizon appeared to be the one horrible word – FORMAT..I hate this.

I was just wondering since how come the virus showed up suddenly.I had not inserted any pen drive that day.Then i remembered. Its my habit to HIBERNATE. I rarely  SHUT DOWN my PC.The previous day in a hurry, i had not allowed it to hibernate properly and so it restarted next day instead of resuming windows.


Check this file C:\Windows\system32\rundll32.exe

It is an application so it should have the usual app symbol. But now the virus had turned its icon into a  page.  See the image


1. There exists a copy of all the dlls in the following location: find a copy o f rundll32.exe here


I found one and its size was approx 68 kb .As seen in image, the size of  infected files is 32.5 kb.

I copied it and pasted to replace the infected files and within seconds my copied file’s icon got changed too.

SO I  figured out that some file was continuously running in the background to modify these files.

2. So i searched( thankfully search was not disabled) for files modified, created and accessed the day before.

Paying particular attention to the files  modified, created and accessed in windows folder.

I found certain files and folders satisfying the criteria. I was not sure what they did. When i right clicked them, the properties showed UNKNOWN APPLICATION. So i was pretty confident that these much be the virus related files.

I cut and pasted the following folders: (so that if something malfunctions and it doesnt turn out to be the virus..DONT REMOVE THEM>>INSTEAD CUT AND PASTE IN LOCATION OTHER THAN WINDOWS..better still in another drive altogether)

C:\Windows\system32\ NTMS DATA                 ( FOLDER)

C:\Windows\system32\DRIVERS\ETC                ( FOLDER)

C:\Windows\system32\FNTCACHE.DAT            (FILE)

3. Then i created a shortcut in system32 folder itself and gave the path to the unaffected DLL file..( creation of shortcut was disabled only on desktop)

I m not sure which of these worked. But after carrying out all these steps ..

I m not saying that the files i suspected are viruses.THey may be some files but they had been modified and so i moved them to another location.

It worked for me though..GREAT RELIEF

Like everyone i first searched up the matter but dint find any useful information except something like HIJACK which was pretty advanced stuff and i dint want to find myself trying to revive the PC instead of doing my project coding.So i tried some real BASIC STEPS .I hope this is helpful for you.

And yes do drop me a comment on whether this works or not.

EDIT: In response to confused’s comment:

Please see the following screenshot which clearly shows how rundll32.exe file should look like. An exe file should have an application icon not a page icon.



About these ads

74 Responses to "How To Remove Virus Affecting rundll32.exe: Part 1"

[...] I have been featured on the home page in the HOW TO department for my post HOW TO REMOVE VIRUS AFFECTING RUNDLL32.EXE .. [...]

Nice post.
To stop unwanted programs from running in the background on your pc just go to Start > Run > then type “msconfig”, click ok, click the “Startup” tab. You can now uncheck whatever programs you dont want to startup with windows. Usually there’s alotta crap there which you dont want slowing your pc down.

i read this, opened it up and what do you know, 3 viruses running at startup, 1 Under the name of nvidia for windows 7, but im running vista, 1 under rmcm which is a rundll32 dupe, and 1 under some random name which is in temp folder.
thanks for the help.

yup Ronny thanks..its one of my friends favourites..he would run msconfig than run 200mts..;-)

thnx for consulting for how to removing rundll.exe. file, i had solve this problem. plz send me computer related software advice!! thnx again very much. pls reply to me my e-mail id

[...] work around solution forthe virus affecting system file rundll32.exe without any antivirus at hand: How To Remove Virus Affecting rundll32.exe: Part 1 and felt that there was the need for a permanent [...]

hey buddy!!! i am facing the same issue to which you have offered solution but the irony being that the file in the dll cache folder also shows page icon and is of same size i.e 32.5 kb…any solutions to this now… and one thing more.. i am using genuine… norton endpoint protection and i have also tried mcafee enterprise edition 8.5i….but these cannot catch this virus…

I have this same problem, the dllcache has a 32.5 kb one as well, the steps you listed didn’t seem to work…

I have this same problem. The dll cache folder also shows page icon and whenever I restore both from Windows CD it is immediatly overwritten by the infected file. Even if I expand rundll32.exe to some other folder it gets infected.
Also can’t install several programs, this isn’t detected by any anti-spyware, IE crashes often.
I first noticed this when I couldn’t use the “rundll32.exe sethibernate” shotcut that I use to hibernate.
The solution of “Spyware Terminator” described in part 2 doesn’t detect anything!!

Thanks ARPcPro for commenting…The issue you talk about of overwriting the infected file has already been addressed in the post.
I have included some new software recommendations in PART 2…you can try them out and tell me if its works..

hi i see this is an old thread… i came across it… i need help are you still available to give a hand?

Can you send me a fresh copy of rundll32.exe . I don’t have this. It also infected in my dllcache .


Hi. I tried out your steps but all the rundll32.exe files for XP I found is not 68 KB nd they all have the page icon. Everything iss infected even the ones in the dll cache. I tried looking on the net but I still did not get any proper result. My Pc comes pre-installed with XP so I don’t have the installer disk.
Not to impose; but could you kindly send me a copy of your rundll32.exe. Also, if you have some spare time may i ask if you could compress the file in a zip format so that hopefully after downloading; it doesn’t get infected again.

Thanks in advance and I’ll owe you a debt of gratitude.

Hi kir,

My files are also affected. rundll32.exe in the other folder also has been affected. As Ann said, can you please zip it and send to me?

Thanks much

HI plz help me my system has very slow becaus registry virus so how
can remove that any can help me thanks

rundll32.exe is an executable file not a dll so it does not have the app symbol. also the correct size of that file should be 32.5 kb

Second that. Are u sure this is correct?

I expanded the file from the windows xp install disk from an xp computer and also a vista one. Both results show the following.

rundll32.exe – XP(Dell Restore CD)
31kb (size on disk = 32.0kb)
Version 5.1.2600.0
Icon picture = PAGE icon(Not app icon!)

It follows that the 32.5kb file found on the computers is merely a different version.

rundll32.exe – Vista (Already installed on Hardrive)
43.5 (size on disk = 44.0kb)
Version 6.0.6000.16386
Icon picture = PAGE icon(Not app icon!)

Are you sure that the original file should be 68kb?? And that the icon is supposed to be app??

It is unlikely that the newly expanded file is immediate infected on both computers. If this is true, this means that both of the computers(vista and xp) are infected but instead, none of them shows sign of “multiple” rundll in the task manager and the control panel stuff works fine.

The control panel error only appears on another laptop, sadly with similar rundll32.exe

I hope that this is the case of misdiagnosis. Please revert!

thanks for commenting!

actually i have tried expanding the rundll32.exe from the original installation cd.
I believe immediate infection occurs.
Because i have seen original uninfected rundll32.exe file and it is an application icon. Now whichever PC or laptop you look, you will see a page icon. It is so widespread i wonder why nobody is alarmed. MY solution sadly doesnt work for all. It has woorked for some. It didnt work for others.
In my case i came to know about the problem in 5 minutes and solved it in about 2 hours.
You do any later and you fresh copy in dllcache would be infected too..In some cases i have seen that the virus hides the ‘dllcache’ folder itself..!

Thx for replying!

I doubt that the virus is that robust.. like i said, I expanded the same file in windows vista and in came to the exact size as that done on XP. To do that, the “vista virus” has to differentiate XP/Vista cd(replace the expanded file appropriately) and also alter the created/modified data attributes.

This might be true because the infected laptop has many system files that were “edited/created” on the same date i.e 8/4/2002 . One of which is the control panel .ico files. I think such a widespread compromise can only be fixed fully by reformatting, which I did but this time installing linux.

I just hope this is not the case for the other computers.

Just to confirm, can u upload the properties for the file opened on windows explorer? Anyway, I don’t think fixing this is as easy as replacing the rundll32.exe file. Other files are perhaps impossible to find since the time attributes seem to be messed up.

The weird thing is that these computers do not exhibit the symptoms mentioned.

I have the similar problem, in taskmanager there are 100′s of rundll32.exe process running, it consumes lots of memory & makes the system slow. donno whether it is a virus or system process.

There will be a folder ‘Prefetch’ in system32
C:\Windows\system32\Prefetch (Folder)
Inside that folder there will be some files in the name of ‘RUNDLL32.EXE’ delete all the files in that name. I hope this works, it worked for me.

i LOOKED AT THE FILES LISTED ABOVE AND not only looked at the date modifie, but I right clicked on the bar and looked the date created. The only one that was newly created ( as in 06/11/09) was the C:\Windows\system32\FNTCACHE.DAT (FILE)!

Now… I haven’t powered down my computer yet. I am about to, but I wanted to let you all know that is what I did and am hopeful that is the damnable file that is causing all the havoc for us all. I will come back and repost. IF…. i haven’t “deleted” a functioning piece of the windows process.

In the meantime, someone google: FNTCACHE.DAT (FILE) and the purpose… and let us all know what it is.

I will chime in, once i’m back online



Alright so can someone confirm that i do have the rundll32 virus like the file is a page the size is same as the posted virus size but i only have one rundll32 in task manager and also when in system32 i cant find the prefech (folder) or the dllcashe (folder) oh and in the dllcashe folder there is no rundll32 backup at all

i have the same problem that of rindll32.exe but there is no dll cache folder in my system 32
what to do now??
i cant even copy or paste nything
plz help!

i am facing the same problem and the rundll32.exe is about 52.5kb.i did run my computer from ubuntu and fibd this file in both location as u specified.but the problem is the size.and it is infecting my windows operatin what to do now?

please help me to get rid of this.


just so you know I attempted to replace my friends Windows XP Home systems rundll32.exe with the one you said would be in driver cache. There is no driver cache to speak of. Furthermore the corrupted run is 32.5kb. So I downloaded a new one to replace it, and low and behold within 5 seconds of pasting the new one in. Whatever is in his computer overwrote it and changed it to 32.5kb and switched it from an application to a page file icon

im about to say screw it and just format.

To everyone who haves the page icon:
The page icon is normal.
I’ve checked all my pc’s (5) and they all had the page icon ;)

Don’t be worried people!

Hi Gold Sparrow, its not normal…:)

hi, i also have the virus, although when i went to the dllcache folder and searched for the rundll file. THe infected file is 51kb, and the one in the dllcache file is also 51kb and also a page icon. What do i do now?

Although Gold Sparrow said not to worry ifthe icon is a page, i know for sure mine is a virus because of the symptoms (applications like burning cds doesnt work and you can’t remove/change programs). And it doesn’t allow me to install anti-virus programs.

Is there any way without re-formatting because I have ALOT of important files i have not backed-up yet :(

my computer is affected by rundll32
when i connect the any removable media to pc . that exe and auto run file get copy in that removable media please help me ………..,

hello…my computer is also affected by RUNDLL virus…
i only scan and heal it with AVG Anti-Virus..
Thank god..then it was gone already..

hey all dat crap isnt required use macafee virus scan– free

this post was written 1.5 yrs maybe any decent antivirus would remove it…

when u have this virus u cant run basically anything and u cant download an antivirus program either

I really need help. My computer won’t even go into windows now. When I plug my computer in, it automatically turns on by itself. I have no clue what to do now. It is the run32 virus. Should I be worried about my information stored on my computer? I called the geek squad, but they can’t come until the end of the month! Is there anything I can do? Please help me. Thank you,

Hi Mary,

Check your mail… :)

Hi, Im having a problem like this one, when I turn on the computer it appears a message that is something like this


x x c:/windows/system32/asshnas (Ithink its that)
x x file not located”

Its something like that is that virus or a problem with the PC if it is virus tell me plz!, I searched for rundll32 and I have 2 rundlls32 and they have the same size that is (44kbs) I have windows vista, oh and when I turn on the PC it appears things that I dont want.

If you install a a new XP or 2k3 on a pc. rundl32 file always have the same page icon. you pc is not effected until there are not multipul instances running.

hi your guide isnt working for me. like i found the rundl32.exe with was 32.kb and such but im confused to shi te. could you halp me out?

hi so my computers a complete mess right now.
I have AVG and it got rid of some trojans, but I think it deleted my rundll32 by mistake because if I try to add/remove software it says the application is not found…
last night i had 2 rundll32.exe showing up in my task manager. I just checked now and I only have one. so i’m totally confused..
I ran a search for rundll32 and six pf files appeared in the prefetch folder so i’m wondering what that is. It says I have three rundll32 applications, one in i386, system32, and softwaredistribution. The last one looks iffy because its modified at a later date than the first two, but they’re all 33KB.
my dllcache was hidden and I managed to find it, but rundll32 isn’t there at all…
what do I have to do?

nice guide.

Also, if your computer is infected with a RAT (Remote admin tool – that gives full access to the hacker… e.g. you see your mouse moving automatically. LOL )

Do this >

1. open CMD (Start > RUN > type: cmd )

2. Type in: netstat – ano
(it shows all ur network accessing process with their Process identification codes = PID )

3. if you see a Text like this > ESTABLISHED with a foreign IP, note down its PID.

It will also show the EXE accessing it.

– then go to VIEW > Tick PID

5. in the Proccess TAB > just click that PID process EXE file.

6. now disconnect your internet & scan your whole Computer with SpyBot SD 1.6 & NOD32 v.4

7. your are virus free now.

NOTE: you will say why didnt i disconnected internet at Start !! thats cus teh RAT virus will also get exit, will come again whn u access the net & netstat needs internet connection ON to show PID.

I have McAfee 8.5i and yes it rocks. But the folder C:\windows\system32\dllcache doesn’t exist on my computer, and if i open windows task manager i see the program Rundll32.exe suddenly start 53 copies at once for one second and then they all go away for about half a minute. it does that whatever I’m running, even in safe mode. Also, when i right click on the process (this only happens with rundll) the menu that comes up is blank.

dll cache would be hidden…

hey thanks for the information!

Exept the rundll32.exe in the Dllcache is also has a page icon and has the exact same size as the other one!

Can you please post a reply.. i’m really getting desperate here.

Thanks in advance!

Anyone still having problems with your RunDLL32.exe, it may well be a sp.dll, which is a browser hi-jacker. Coolwebsearch and crap like that. It affects programs in your computer, especially the rundll32.exe file. It can’t run on its own so it attaches itself to other programs such as, in my case, adobe. I found mine in Documents and settings/All Users/Application Data/Adobe. I still haven’t found a way to disable it or delete it, I’m posting this hoping if someone who knows more about this stuff can post a way I can remove this file.

my pc doesn’t have the problem but my pen-drive did. that virus change all the folder to shortcut. can you tell me how to solve it. thanks.

To reverse the changes made to a registry:

1. Click Start > Run.

2. In the Run dialog box, type regedit, and then click OK.

3. In the Registry Editor, navigate to the following key:

4. In the right pane, delete the following value:
rundll “c:\windows\system\rundll.exe”

5. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Active Setup\ Installed Components\Rundll

6. In the right pane, delete the following values:
rundll “c:\windows\system\rundll.exe”
rundll32 “c:\windows\system\rundll32.exe”

7. Exit the Registry Editor.

7 of the most easiest steps to delete the virus compared to the book of instructions (thats mostly rambling) you need to read from this guys page.

I have a RUNDLL.exe virus; it has disable regedit and system restore. I tried using your fix, but I do not have a rundll32.exe in my C:\windows\system32\dllcache

My system also severly affected by rundll32 virus. It disabled all. The programs folder also empty. I couldn’t access all the drives and sometimes desktop too. The above mentioned is under safe mode. Under normal mode either the login icon is missing or it couldn’t accept the password.(it accept the same under safe mode). Is there any solution other than formatting.
Advance thanks

I formated my drive and installed windows 7. after i turned on my firewall it said that rundll32 is accessing the net and i remembered it from before so i blocked it. I got windows 7 from a site and burned it from my infected computer. would that virus come from that cd? mine shows as a page and is 44.5kb. now when i checked it it says that it was last modified in 2009 i must of not formated properly.

Krutika or anyone that could help me… I’ve followed the directions to the point where I create a shortcut in my C:/Windows/System32 folder but the virus won’t let me finish the shortcut settings.

Any idea how to get around this? When I click create shortcut the screen that pops up to link the path flashes off almost immediately.


as steps given by u ar pretty and simple but ican’t find some files like dllcache , NTMS DATA , FNTCAHE . DAT …………….SO CAN YOU TELL ME SME OTHER WAY to cure it……………..

hay your steps are quite confidential but i can’t able 2 resolve my problem ……………………………….. so help me curing it………

Yo!. Absolutely dug reading your post. It was especially educational and effective. I trust you do not mind me writing concerning this post on my personal internet site. Will definitely link back to you. Luv the look and feel of your site! Merci.

RunDLL32 recently started trying to do something (it triggered a firewall alert) every time I loaded a new page in Firefox (on Win/XP). I found that a couple of days ago something had installed itself (sorry I don’t know where it came from, but it was via browsing some web page). I was able to remove it by deleting advMainCtrl from registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. It was executing “rundll32.exe “C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\kbdNetSched\advMainCtrl.dll”,HandlerEvent80 smpMouseClock”.

I’m facing problem with L/P please help to solve the problem. I could not install anything it keeps on prompting me to choose program to open the file.


Useful information. Fortunate me I found your web site by accident, and I’m stunned why this accident did not happened earlier! I bookmarked it.

Thanks for every other informative website. Where else could I am getting that kind of info written in such a perfect way? I’ve a challenge that I’m just now operating on, and I have been on the glance out for such info.

Please mail me the solution about rundll.exe. my one pc is effected with this problem. my mail ID

I visit everyday some websites and websites to read articles or reviews, but
this website offers quality based articles.

Thanks to my father who shared with me regarding this webpage, this web site is in
fact remarkable.

I blog also and I’m authoring a little something alike
to this particular posting, “How To Remove Virus Affecting
rundll32.exe: Part 1 An Inscrutable Girl”.
Do you really care in the event I reallyuse several of your own ideas?

Many thanks -Kimberley

hey there and thank you for your info – I’ve certainly picked up something new from right here. I did however expertise a few technical issues using this web site, since I experienced to reload the site many times previous to I could get it to load properly. I had been wondering if your web hosting is OK? Not that I’m complaining, but sluggish
loading instances times will sometimes affect your placement in google
and can damage your quality score if advertising and marketing with Adwords.
Anyway I am adding this RSS to my email and can look out for a lot more of your respective intriguing content.
Make sure you update this again soon.

hey plese help me
my problem is that i connect pendrive to my pc and everything in that pendrive is gone to shortcut of that pendrive name

It’s going to be finish of mine day, except before ending I am reading this fantastic post to increase my know-how.

hello!,I really like your writing very a lot! percentage we
keep up a correspondence extra about your article on
AOL? I need an expert in this area to solve my problem.
Maybe that’s you! Taking a look forward to peer you.

For the reason that the admin of this web page is working, no question very rapidly it will be famous, due
to its feature contents.

Constructivists do not educate algorithms. Constructivism
is really a philosophy of training that eschews direct instruction apart
from as a approach of last resort, to become utilised soon after college students
are completely engaged and have real queries.
? It really is based on a really massive amount of very solid study.

It might arrive as being a shock towards the common public, that have been fed the myth that our schools are failing for many years, but educating is continually improving each of the time, just like
other professions.

Thanks for sharing your thoughts. I really appreciate your efforts and I am
waiting for your further write ups thanks once again.

Pretty nice post. I simply stumbled upon your weblog and wanted to mention that I’ve truly loved surfing around your weblog posts. In any case I’ll be subscribing in your rss feed
and I am hoping you write again soon!

It’s going to be ending of mine day, except before ending I am reading this wonderful article to improve my experience.

With havin so much content do you ever run into any problems of plagorism or copyright infringement?
My blog has a lot of completely unique content I’ve either created myself or outsourced but it appears a lot of it is popping it up all over the web without my permission. Do you know any techniques to help reduce content from being stolen? I’d certainly appreciate it.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The problem with the illusion that it has been accomplished
-George Bernard Shaw

Tweety says:

Error: Twitter did not respond. Please wait a few minutes and refresh this page.

Page Rank..Umm..! & Ratings

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 7 other followers

July 2008
« Jun   Aug »

Blog Stats

  • 187,604 hits

You Are Here!

My Visual DNA

Youniverse Personality TestYouniverse Personality Test

Tiny URL

Enter a long URL to make tiny:
Name That Code
Created by OnePlusYou
You Are an “A-OK”
Your life philosophy can be summed up as, “Whatever will be, will be.”
Your greatest wish is to live each day a little better than the next.

You are naturally calm and stable. Some people would call you a rock.
You feel one with the world. You are a spiritual person, though no one who knows you would guess it. Registered & Protected

Dont go for the figures..Test taken at a rather dull moment at 3 in the morning..

Free IQ Test - Free IQ Test

See what i meant when i said ‘dull moment’ above…;-)

Free IQ Test - Free IQ Test
Anyway these tests are not accurate, i know!

EQ..m having fun taking quizzes!

Your EQ is 147
You are remarkable when it comes to relating with others. Only the biggest losers get under your skin.

You are warm and open. Even when life gets you down, you're unafraid of the world and its challenges.
You are comfortable with who you are. And you accept your weaknesses - as well as the weaknesses of others.

While you are quite stable, you don't respond perfectly to every bad situation that comes up.
But you have enough emotional intelligence to know when you need a course correction.

Get every new post delivered to your Inbox.

%d bloggers like this: