Regular Contributor
NY1986
Posts: 1,173
Registered: 06-27-2008
0

NAV32.exe and dll issue with more specific information

I use NAV2008 on an HP Desktop running Windows Vista Home Premium with Vista Service Pack 1. All my updates are current.

I will be getting NIS 2009 in the next month or so, so I know the outgoing firewall will show me what programs are running

 

I notice that when I run a quick scan or a full system scan, I get MANY instances of An instance of "C:\Program Files\Norton AntiVirus\Navw32.exe" is preparing to access the Internet. I have checked the dll files in the My Norton Antivirus file and do see many dll application extensions. Not sure what they all mean, but they are digitally signed by Symantec. All my scans show only tracking cookies, no other infections. I have also run SpyBot and Windows Defender and none show any type of infection. When I pull up the Windows Task Manager, it shows only 2 rundll.exe on, even when running the scan.

 My questions:

 

1. Should there be 11 instances where a dll file needs to access the internet for the scan to work?

2. I notice that there are 4-5 instances and then less than 1 second another 4-5 instances

3. Could this just be a logging glitch?

4. From your knowledge, does this appear to be some type of infection?

 

My activity log shows the following:

 

9/15/08 11:11:05 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.

9/15/08 11:11:05 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.

9/15/08 11:11:04 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.

9/15/08 11:11:04 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.

9/15/08 11:11:04 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.

9/15/08 11:11:04 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.

9/15/08 11:11:03 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.

9/15/08 11:11:03 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.

9/15/08 11:11:03 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.

9/15/08 11:11:03 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.

9/15/08 11:11:03 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.

9/15/08 11:11:02 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.

9/15/08 11:10:56 pm  An instance of "C:\Program Files\Norton AntiVirus\Navw32.exe" is preparing to access the Internet.
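The questions in this post (how many events, how tightly they cluster, and whether the logged path is the real system file) can be answered mechanically from the activity log. An added example, not part of the original post or of any Norton tool: it parses lines in the format quoted above; the sample lines are constructed, the last one is invented, and the set of expected folders for rundll32.exe is an assumption.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the activity log quoted in the post above;
# the last line (a rundll32.exe outside System32) is invented for illustration.
SAMPLE = r'''
9/15/08 11:11:03 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:11:03 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:11:02 pm  An instance of "C:\Windows\System32\rundll32.exe" is preparing to access the Internet.
9/15/08 11:10:56 pm  An instance of "C:\Program Files\Norton AntiVirus\Navw32.exe" is preparing to access the Internet.
9/15/08 11:12:40 pm  An instance of "C:\Users\Public\rundll32.exe" is preparing to access the Internet.
'''

LINE = re.compile(
    r'^(\S+ \S+ [ap]m)\s+An instance of "([^"]+)" is preparing to access the Internet\.$',
    re.I)

# Assumption: the only folders where Windows itself ships rundll32.exe.
EXPECTED = {"rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"}}

def parse(text):
    """Yield (timestamp, image_path) for every firewall event line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            stamp = datetime.strptime(m.group(1).upper(), "%m/%d/%y %I:%M:%S %p")
            yield stamp, m.group(2)

def summarize(text):
    """Per image path: event count, busiest second, time span, location check."""
    per_second = defaultdict(lambda: defaultdict(int))
    for stamp, path in parse(text):
        per_second[path][stamp] += 1
    report = {}
    for path, seconds in per_second.items():
        folder, name = ntpath.split(path.lower())
        allowed = EXPECTED.get(name)
        report[path] = {
            "events": sum(seconds.values()),
            "peak_per_second": max(seconds.values()),
            "span_seconds": int((max(seconds) - min(seconds)).total_seconds()),
            # Same file name as a system binary, but logged from another folder.
            "unexpected_location": allowed is not None and folder not in allowed,
        }
    return report

if __name__ == "__main__":
    for path, info in summarize(SAMPLE).items():
        print(path, info)
```

The per-second peak separates a short burst tied to one scan from steady, repeated access, and the location check catches a same-named file logged from outside the system folders.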

Super Phishing Phryer
Quads
Posts: 4,946
Registered: 07-21-2008
0

Re: NAV32.exe and dll issue with more specific information

Hi

 

Have you used something like the program "Hijackthis" to see if more than one Rundll32.exe is running, and more than one registry value? Don't tick any entry in Hijackthis until you know.

Sometimes Viruses / Malware create their own non-legit file of the same name (whether Rundll32.exe, Winlogon.exe etc.) in an attempt to hide themselves. Or hide behind the process and attempt to launch its own code.

 

Quads 

 

 

Regular Contributor
NY1986
Posts: 1,173
Registered: 06-27-2008
0

Re: NAV32.exe and dll issue with more specific information

When I check the task manager, I see only two rundll.exe working. I do know that when I look into the folder for NAV2008, I do see many dll applications and extensions. So maybe several run when I do a scan. Nothing like this occurs when I check live update. I would think if something tricky were going on, then it would happen when I try to update.
Super Phishing Phryer
Quads
Posts: 4,946
Registered: 07-21-2008
0

Re: NAV32.exe and dll issue with more specific information

The file "Rundll32.exe" is used to run dll's as an application. I just can't think of a reason why it would continually try and access the internet on that regular a basis for a legitimate process.

 

There are a couple of nasties that try and attempt to terminate Antivirus software.

 

If you use Hijackthis, I am willing to see the log if you like to see if any entries like F0 - system.ini: Shell=Explorer.exe, F1 - win.ini: or "F2 - REG:system.ini:Rundll32.exe..............." and so on.

 

and any other nasties in the log.

 

You can private message me the log if you like, 

 

 

Quads 

 

 

Super Phishing Phryer
Quads
Posts: 4,946
Registered: 07-21-2008
0

Re: NAV32.exe and dll issue with more specific information

If it is a type of infection (unknown at this point) it doesn't mean that it should affect LU as it depends on what is going on and what is trying to be done.

 

Like infections affect Windows in different ways, more severely or not, and so is sometimes easily noticed. Or sometimes uses the PC's resources, but sometimes works really quietly.

 

 

 

Regular Contributor
NY1986
Posts: 1,173
Registered: 06-27-2008
0

Re: NAV32.exe and dll issue with more specific information

Sorry all, I should correct things.

I'm talking about Navw32.exe and rundll32.exe. I suspect if I had nav32.exe and/or rundll.exe that might be cause for alarm.

But the Navw32.exe is digitally signed by Symantec.

Super Phishing Phryer
Quads
Posts: 4,946
Registered: 07-21-2008
0

Re: NAV32.exe and dll issue with more specific information

Hi, 

 

The "rundll32.exe" is to me more of a concern, the way it is trying to access the internet, when clean systems generally don't have that.

 

The name "rundll32.exe" can remain the same, but certain viruses and trojans use the file (modified or not) to try and access the net, and/or in the process attempt to shut down security software, or disable silently in an attempt to give free internet access.

"rundll32.exe" is a legitimate file and process and is used by legitimate programs (dll's). People making viruses also realise this and can create a program to modify or use "rundll32.exe" to run the dll the viral program (or trojan). Or create its own file like for instance,

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 

 O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------

In this case is the "Lovegate" Virus. 

 

I can't remember in Vista but in XP there could (or should) be a backup version of "rundll32.exe" in the "dllcache" (a hidden folder).

This is in case of the original file being modified, corrupted etc. by an infection. The file can be replaced with a clean version.

 

I can't think of any reason why "rundll32.exe" would continually want to access the internet if for legitimate reasons, like you showed in your first post.

 

more info for you. 

 

Regards

 

Quads 
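An added example, not part of the original post and not HijackThis code: it pulls the DLL and exported function out of O4 autostart lines like the ones quoted above, since that DLL, rather than rundll32.exe itself, is the file a reviewer has to locate and check. The fourth log line and the function name `rundll_autostarts` are constructed for illustration.

```python
import ntpath
import re

# The three O4 lines quoted in the post above, plus one constructed line
# (the "Example" entry) showing arguments given with full, quoted paths.
LOG = r'''
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Example] "C:\Windows\System32\rundll32.exe" "C:\Users\Public\example.dll",Start
'''

# O4 line: hive, autostart key, value name in brackets, then the command line.
O4 = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$')
# rundll32 command line: optional path and quotes on the host, then <dll>,<export>.
RUNDLL = re.compile(
    r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)"?,\s*(\S+)', re.I)

def rundll_autostarts(log):
    """Return one record per O4 autostart entry that launches a DLL via rundll32."""
    records = []
    for line in log.splitlines():
        entry = O4.match(line.strip())
        if not entry:
            continue
        hive, key, name, command = entry.groups()
        cmd = RUNDLL.match(command)
        if not cmd:
            continue  # autostart entry that does not go through rundll32
        dll, export = cmd.groups()
        records.append({
            "where": f"{hive}\\{key}",
            "name": name,
            "dll": dll,
            "export": export,
            # A bare file name is resolved through the DLL search path, so the
            # reviewer must find which copy on disk would actually be loaded.
            "bare_name": ntpath.dirname(dll) == "",
        })
    return records

if __name__ == "__main__":
    for rec in rundll_autostarts(LOG):
        print(rec)
```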

Regular Contributor
NY1986
Posts: 1,173
Registered: 06-27-2008
0

Re: NAV32.exe and dll issue with more specific information

I know that other users have noticed this on their systems too. So it may just be something common.
Norton Fighter
Phil_D
Posts: 4,226
Registered: 06-10-2008
0

Re: NAV32.exe and dll issue with more specific information

Hi NY1986,

 

I think that Quads made you a great offer to help you run and check a Hijack log about the multiple rundll's.

 

I'd take him up on that!

 

Best Wishes.

Phil_D
NIS 2010 • 360 v4 • Ghost 15.0
XP SP3 • Vista SP2 • Windows 7 Professional x64

Regular Contributor
NY1986
Posts: 1,173
Registered: 06-27-2008
0

Re: NAV32.exe and dll issue with more specific information

I appreciate all the help. I can tell you that my file rundll32.exe shows no modifications. It is as it was when it came from the store.