An Inscrutable Girl

How To Remove Virus Affecting rundll32.exe: Part 1

Posted by: Krutika on: July 13, 2008

Edit: 5th Dec ‘08: I have dropped in a line to McAfee’s Webimmune service and submitted the symptoms and the manifestations of the virus. Expecting a reply soon.

A request: Please read the whole post carefully, and the second post too. Be assured that I removed this virus from my PC and you can too. I have edited this post to write this because some readers have responded that they were unable to remove the virus. I have written my experience here with the rundll32.exe virus and the steps I took to remove it. I will try to help you in case this doesn't work. Good Luck!

FOR SOFTWARE ALSO READ: How To Remove Virus Affecting rundll32.exe: Part 2

HAS THE ICON OF THE rundll32.exe FILE TURNED INTO A PAGE-TYPE ICON? THEN READ ON.

First, the story: I am working on my project work at ISRO, Ahmedabad. I was allotted a PC which was relatively new, and the company guys who maintained the PC had installed the Windows Server 2003 OS with NO anti-virus software. Can you believe that?? Some trainees worked on the PC for two months before me, but none of them bothered to install anti-virus software. The very next day I brought my McAfee setup from my home PC. McAfee ROCKS! I tried to install it but I got a FEAD error; I couldn't figure it out then. I tried to install Adobe Reader 8 and got the same error. Then finally I got AVAST Server Edition from a friend. But every anti-virus software is only as good as its updates.

So finally I was stranded in a world full of viruses! Some days back, when I booted the PC in the morning, it showed all the following signs of a virus:

I tried to click the existing shortcuts and got an APPLICATION ERROR: Couldn't find C:\Windows\system32\rundll32.exe

Try creating a new shortcut: same error.

My Computer > Properties > Same error

Add/Remove Programs > Same error

Help and Support > Same error. That meant I couldn't restore it either.

I was really scared. It meant I couldn't install any new anti-virus or anything else, nor could I remove anything.

The only solution on the distant horizon appeared to be the one horrible word: FORMAT. I hate this.

I was just wondering how come the virus showed up suddenly. I had not inserted any pen drive that day. Then I remembered. It's my habit to HIBERNATE; I rarely SHUT DOWN my PC. The previous day, in a hurry, I had not allowed it to hibernate properly, and so it restarted the next day instead of resuming Windows.

SO THE SYMPTOMS:

Check this file C:\Windows\system32\rundll32.exe

It is an application, so it should have the usual app symbol. But now the virus had turned its icon into a page. See the image.

WHAT I DID TO REMOVE THE VIRUS??

1. There exists a copy of all the DLLs in the following location; find a copy of rundll32.exe here:

C:\windows\system32\dllcache

I found one and its size was approx 68 KB. As seen in the image, the size of the infected files is 32.5 KB.

I copied it and pasted it to replace the infected files, and within seconds my copied file's icon got changed too.

SO I figured out that some file was continuously running in the background to modify these files.

2. So I searched (thankfully search was not disabled) for files modified, created and accessed the day before,

paying particular attention to the files modified, created and accessed in the Windows folder.

I found certain files and folders satisfying the criteria. I was not sure what they did. When I right-clicked them, the properties showed UNKNOWN APPLICATION. So I was pretty confident that these must be the virus-related files.

I cut and pasted the following folders (so that if something malfunctions and it doesn't turn out to be the virus... DON'T REMOVE THEM; INSTEAD CUT AND PASTE THEM TO A LOCATION OTHER THAN WINDOWS, better still in another drive altogether):

C:\Windows\system32\NTMS DATA (FOLDER)

C:\Windows\system32\DRIVERS\ETC (FOLDER)

C:\Windows\system32\FNTCACHE.DAT (FILE)

3. Then I created a shortcut in the system32 folder itself and gave it the path to the unaffected DLL file (creation of shortcuts was disabled only on the desktop).
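The checks behind steps 1 and 2, as an added example that is not from the original post: compare the live rundll32.exe with the dllcache copy by SHA-256 rather than by icon or Explorer size (two files of identical size can still differ), and list the files under a directory tree that were modified within a time window, which is what the manual search in step 2 does. The directory layout, file names and the sample tree built by demo() are constructed for illustration; point compare_with_reference() and recently_changed() at real paths to use them.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def sha256_of(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_with_reference(live, reference):
    """Compare a live system file with a reference copy (e.g. the dllcache one).
    Sizes are reported for information; the verdict ('match') is the hash."""
    live, reference = Path(live), Path(reference)
    out = {"live_size": live.stat().st_size, "ref_size": reference.stat().st_size,
           "live_sha256": sha256_of(live), "ref_sha256": sha256_of(reference)}
    out["match"] = out["live_sha256"] == out["ref_sha256"]
    return out

def recently_changed(root, since_seconds, now=None):
    """Files under root whose mtime falls within the last since_seconds, newest
    first. This is step 2 of the post (recently modified files) by mtime only."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            mtime = p.stat().st_mtime
            if mtime >= now - since_seconds:
                hits.append((mtime, str(p)))
    return [p for _t, p in sorted(hits, reverse=True)]

def demo(base=None):
    """Constructed sample tree, not a real system32: a reference copy in dllcache,
    a live copy of identical size differing in one byte, and a month-old file."""
    base = Path(base or tempfile.mkdtemp())
    (base / "dllcache").mkdir(exist_ok=True)
    ref, live, old = base / "dllcache" / "rundll32.exe", base / "rundll32.exe", base / "FNTCACHE.DAT"
    ref.write_bytes(b"MZ" + b"\x00" * 998)          # constructed, not a real PE
    live.write_bytes(b"MZ" + b"\x00" * 997 + b"\x01")  # same size, different content
    old.write_bytes(b"constructed font cache")
    now = time.time()
    os.utime(old, (now - 30 * 86400, now - 30 * 86400))  # backdate mtime 30 days
    return {"compare": compare_with_reference(live, ref), "self": compare_with_reference(ref, ref),
            "recent": recently_changed(base, 86400, now=now), "live": str(live), "old": str(old)}
```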

I'm not sure which of these worked. But after carrying out all these steps...

I'm not saying that the files I suspected are viruses. They may just be some files, but they had been modified and so I moved them to another location.

It worked for me though. GREAT RELIEF!

Like everyone, I first searched up the matter but didn't find any useful information except something like HIJACK, which was pretty advanced stuff, and I didn't want to find myself trying to revive the PC instead of doing my project coding. So I tried some real BASIC STEPS. I hope this is helpful for you.

And yes do drop me a comment on whether this works or not.

EDIT: In response to confused’s comment:

Please see the following screenshot, which clearly shows what the rundll32.exe file should look like. An exe file should have an application icon, not a page icon.

[Screenshot: rundll32_krutika]

HELP ME HELP OTHERS.

21 Responses to "How To Remove Virus Affecting rundll32.exe: Part 1"

[...] I have been featured on the home page in the HOW TO department for my post HOW TO REMOVE VIRUS AFFECTING RUNDLL32.EXE .. [...]

Nice post.
To stop unwanted programs from running in the background on your PC, just go to Start > Run, then type “msconfig”, click OK, and click the “Startup” tab. You can now uncheck whatever programs you don't want to start up with Windows. Usually there's a lot of crap there which you don't want slowing your PC down.

Yup Ronny, thanks. It's one of my friend's favourites; he would rather run msconfig than run 200 metres. ;-)

Thanks for consulting on how to remove the rundll.exe file; I have solved this problem. Please send me computer-related software advice!! Thanks again very much. Please reply to me at my e-mail id pjaanp@yahoo.com

[...] workaround solution for the virus affecting system file rundll32.exe without any antivirus at hand: How To Remove Virus Affecting rundll32.exe: Part 1 and felt that there was the need for a permanent [...]

Hey buddy!!! I am facing the same issue to which you have offered a solution, but the irony is that the file in the dllcache folder also shows a page icon and is of the same size, i.e. 32.5 KB… any solutions to this now? And one thing more: I am using genuine Norton Endpoint Protection and I have also tried McAfee Enterprise Edition 8.5i… but these cannot catch this virus…

I have this same problem. The dllcache folder also shows a page icon, and whenever I restore both from the Windows CD it is immediately overwritten by the infected file. Even if I expand rundll32.exe to some other folder it gets infected.
Also I can't install several programs, this isn't detected by any anti-spyware, and IE crashes often.
I first noticed this when I couldn't use the “rundll32.exe sethibernate” shortcut that I use to hibernate.
The solution of “Spyware Terminator” described in part 2 doesn't detect anything!!

Thanks ARPcPro for commenting. The issue you talk about of overwriting the infected file has already been addressed in the post.
I have included some new software recommendations in PART 2. You can try them out and tell me if it works.

Can you send me a fresh copy of rundll32.exe? I don't have this. It is also infected in my dllcache.

Thanks,

Hi. I tried out your steps but all the rundll32.exe files for XP I found are not 68 KB and they all have the page icon. Everything is infected, even the ones in the dllcache. I tried looking on the net but I still did not get any proper result. My PC came pre-installed with XP so I don't have the installer disk.
Not to impose, but could you kindly send me a copy of your rundll32.exe? Also, if you have some spare time, may I ask if you could compress the file in zip format so that hopefully after downloading it doesn't get infected again.

Thanks in advance and I’ll owe you a debt of gratitude.
Ann

Hi kir,

My files are also affected. rundll32.exe in the other folder also has been affected. As Ann said, can you please zip it and send to me?

Thanks much

Hi, please help me. My system has become very slow because of a registry virus, so how can I remove that? Can anyone help me? Thanks.

rundll32.exe is an executable file not a dll so it does not have the app symbol. also the correct size of that file should be 32.5 kb

Second that. Are you sure this is correct?

I expanded the file from the Windows XP install disk on an XP computer and also a Vista one. Both results show the following.

rundll32.exe – XP(Dell Restore CD)
31kb (size on disk = 32.0kb)
Version 5.1.2600.0
Icon picture = PAGE icon(Not app icon!)

It follows that the 32.5kb file found on the computers is merely a different version.

rundll32.exe – Vista (Already installed on Hard drive)
43.5 (size on disk = 44.0kb)
Version 6.0.6000.16386
Icon picture = PAGE icon(Not app icon!)

Are you sure that the original file should be 68kb?? And that the icon is supposed to be app??

It is unlikely that the newly expanded file is immediately infected on both computers. If this were true, it would mean that both of the computers (Vista and XP) are infected, but instead none of them shows signs of “multiple” rundll in the Task Manager and the Control Panel stuff works fine.

The control panel error only appears on another laptop, sadly with similar rundll32.exe

I hope that this is the case of misdiagnosis. Please revert!

Thanks for commenting!

Actually I have tried expanding the rundll32.exe from the original installation CD.
I believe immediate infection occurs.
Because I have seen the original uninfected rundll32.exe file and it has an application icon. Now whichever PC or laptop you look at, you will see a page icon. It is so widespread I wonder why nobody is alarmed. MY solution sadly doesn't work for all. It has worked for some. It didn't work for others.
In my case I came to know about the problem in 5 minutes and solved it in about 2 hours.
Do it any later and your fresh copy in dllcache would be infected too. In some cases I have seen that the virus hides the ‘dllcache’ folder itself!

Thanks for replying!

I doubt that the virus is that robust. Like I said, I expanded the same file in Windows Vista and it came to the exact size as that done on XP. To do that, the “Vista virus” has to differentiate the XP/Vista CD (replace the expanded file appropriately) and also alter the created/modified date attributes.

This might be true because the infected laptop has many system files that were “edited/created” on the same date, i.e. 8/4/2002. One of which is the Control Panel .ico files. I think such a widespread compromise can only be fixed fully by reformatting, which I did, but this time installing Linux.

I just hope this is not the case for the other computers.

Just to confirm, can you upload the properties for the file opened in Windows Explorer? Anyway, I don't think fixing this is as easy as replacing the rundll32.exe file. Other files are perhaps impossible to find since the time attributes seem to be messed up.

The weird thing is that these computers do not exhibit the symptoms mentioned.

I have a similar problem: in Task Manager there are 100's of rundll32.exe processes running, it consumes lots of memory and makes the system slow. Dunno whether it is a virus or a system process.

There will be a folder ‘Prefetch’ in system32:
C:\Windows\system32\Prefetch (Folder)
Inside that folder there will be some files with the name ‘RUNDLL32.EXE’; delete all the files with that name. I hope this works; it worked for me.

I LOOKED AT THE FILES LISTED ABOVE AND not only looked at the date modified, but I right-clicked on the bar and looked at the date created. The only one that was newly created (as in 06/11/09) was the C:\Windows\system32\FNTCACHE.DAT (FILE)!

Now... I haven't powered down my computer yet. I am about to, but I wanted to let you all know that is what I did, and I am hopeful that is the damnable file that is causing all the havoc for us all. I will come back and repost. IF... I haven't “deleted” a functioning piece of the Windows process.

In the meantime, someone google FNTCACHE.DAT (FILE) and its purpose, and let us all know what it is.

I will chime in once I'm back online.

Peace

HARK

Alright, so can someone confirm that I do have the rundll32 virus? The file is a page, the size is the same as the posted virus size, but I only have one rundll32 in Task Manager, and also in system32 I can't find the Prefetch (folder) or the dllcache (folder). Oh, and in the dllcache folder there is no rundll32 backup at all.
