I may be confusing things here. There are multiple instances of rundll32.exe in the Norton activity log when I do a scan.
But when not doing a scan, the Windows Task Manager shows two instances of rundll32.exe. They use no CPU. There are lots of processes sitting in the Task Manager that are using no CPU. So can't it be that they are there just waiting to be used, much like spoolsv.exe? Just there so that if they are needed they can be used?
Rundll32.exe is a Microsoft application whose entire purpose in life is to run DLLs. The DLLs that get run could be viruses. But, like you said, in most cases they could just be normal services waiting for something to do (just like any service would). One of the best ways to get insight into how rundll32 is being used is to use Process Explorer to see what DLLs are being loaded by rundll32.exe. (I mentioned how to get and use Process Explorer in my earlier posts...)
Just to give you an example of what I mean: my Vista test workstation has 2 instances of rundll32.exe running right now. Both processes are taking up no CPU. To find out what those rundll32.exe processes are possibly doing, I simply start Process Explorer, select the rundll32 process that's running, and press Ctrl+D. This lists all the DLLs that rundll32 has loaded. Looking through my list, I see nvsvc64.dll. Checking its properties, I see that it's a service for Nvidia software. It seems like this DLL is perfectly harmless to me.
So... to find out if those rundll32 processes are "good" or "bad", simply use Process Explorer to examine the rundll32.exe processes running on your system. Let me know what kind of DLLs are being loaded by rundll32.exe. Without this information, I won't know what's going on and will be unable to help provide any kind of diagnosis.
Mind if we run a little survey test? Maybe everyone who sees this that runs Vista 32-bit can check the Task Manager and report how many rundll32.exe they show just sitting in the Task Manager?
NY1986 wrote: Mind if we run a little survey test? Maybe everyone who sees this that runs Vista 32-bit can check the Task Manager and report how many rundll32.exe they show just sitting in the Task Manager?
I think a better survey test would be to see which DLLs are running under those "rundll32.exe" processes just sitting in the task manager, right? As LNguyen points out, rundll32.exe is just running a DLL. The useful information would be to know WHICH DLL is running.
True, and I found something about the Task Manager in Vista that makes it easy to do that: you can actually click a box in Task Manager that shows the command line and the DLL that is being run. Would it be helpful for others if I post what I find?
Using Process Explorer to find out what is running in rundll32.exe is fairly straightforward. Just launch Process Explorer and double-click an instance of rundll32.exe.
Look at the command line, and it will tell you which DLL the process was asked to host, and what function was invoked inside the DLL.
There are 2 good programs. I use AnVir Task Manager. Process Explorer is nice also, but AnVir is a lot more detailed and it also checks your startup folders and processes.
I also left the Task Manager open when I went to run a Norton quick scan. Another rundll32.exe appeared, but it flashed so fast that I could not see the processes used.
The "flash" that you see is expected. That's ccEraser.dll performing its detection. The other rundll32.exe processes appear to be safe because they come from Nvidia. Unfortunately, I have no specific idea why Nvidia would use rundll32.exe to perform their operations since they are a separate company with their own internal development processes. You would probably have to ask Nvidia about it if you're still concerned about their use of rundll32.exe.
Have you used something like the program "HijackThis" to see if more than one Rundll32.exe is running, and more than one registry value? Don't tick any entry in HijackThis until you know.
Sometimes viruses/malware create their own non-legitimate file of the same name (whether Rundll32.exe, Winlogon.exe, etc.) in an attempt to hide themselves. Or they hide behind the process and attempt to launch their own code.
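The two checks the thread describes (read the rundll32 command line to see which DLL and entry point it was asked to host, and make sure the rundll32.exe image itself is the real one in System32/SysWOW64 rather than a same-named file dropped elsewhere) can be scripted over a process snapshot. The following Python is an added example, not code from the thread or from any of the tools mentioned; it parses the `rundll32.exe <dll>,<entry> [args]` command-line format and flags two defender-relevant conditions. The process list, paths and entry-point names are constructed placeholders, not values from anyone's machine; on a live Windows host the same three fields come from `Win32_Process` (`ProcessId`, `ExecutablePath`, `CommandLine`), e.g. via `Get-CimInstance` in PowerShell.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories where a genuine rundll32.exe image lives on a default install (compared lowercase).
LEGIT_RUNDLL32_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Substrings that indicate a hosted DLL sits in a user-writable location.
USER_WRITABLE_HINTS = (r"\temp\\", r"\appdata\\", r"\users\public\\", r"\downloads\\")
USER_WRITABLE_HINTS = tuple(h.replace("\\\\", "\\") for h in USER_WRITABLE_HINTS)


@dataclass
class Rundll32Call:
    dll: str              # DLL name or path rundll32 was asked to load
    entry: Optional[str]  # exported function rundll32 was asked to call (may be absent)
    args: str             # remaining text passed through to the entry point


def parse_rundll32_cmdline(cmdline: str) -> Optional[Rundll32Call]:
    """Split 'rundll32.exe <dll>,<entry> [args]' into its parts.

    The DLL token may be quoted (paths containing spaces) or bare; a bare
    token ends at the first comma or space, mirroring how rundll32 reads it.
    Returns None when the command line is not a rundll32 invocation at all.
    """
    m = re.match(r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s*(.*)$',
                 cmdline, re.IGNORECASE)
    if not m:
        return None
    rest = m.group(1)
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:
            return None
        dll, rest = rest[1:end], rest[end + 1:]
    else:
        m2 = re.match(r"([^,\s]*)(.*)$", rest)
        dll, rest = m2.group(1), m2.group(2)
    entry = None
    rest = rest.lstrip()
    if rest.startswith(","):
        m3 = re.match(r",\s*(\S*)(.*)$", rest)
        entry, rest = (m3.group(1) or None), m3.group(2)
    return Rundll32Call(dll=dll, entry=entry, args=rest.strip())


def triage(image_path: str, cmdline: str) -> List[str]:
    """Return human-readable findings for one process named rundll32.exe."""
    findings = []
    if ntpath.dirname(image_path).lower() not in LEGIT_RUNDLL32_DIRS:
        findings.append(f"rundll32 image outside System32/SysWOW64: {image_path}")
    call = parse_rundll32_cmdline(cmdline)
    if call is None:
        findings.append("command line does not look like a rundll32 invocation")
        return findings
    if any(h in call.dll.lower() for h in USER_WRITABLE_HINTS):
        findings.append(f"hosted DLL in user-writable location: {call.dll}")
    return findings


# Constructed sample snapshot (image path, command line); entry names are placeholders.
SAMPLE_PROCESSES: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\nvsvc64.dll,nvsvcEntry'),
    (r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"),
    (r"C:\Windows\System32\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Vendor App\helper.dll",HelperMain'),
    # Same-name file outside System32 hosting a DLL from a public folder (constructed).
    (r"C:\Users\Public\rundll32.exe",
     r"rundll32.exe C:\Users\Public\update.dll,Run"),
]


def report(processes: List[Tuple[str, str]]) -> List[str]:
    """One line per process: what it hosts plus any findings."""
    lines = []
    for image, cmd in processes:
        call = parse_rundll32_cmdline(cmd)
        hosted = f"{call.dll} -> {call.entry or '(no entry)'}" if call else "(unparsed)"
        flags = triage(image, cmd)
        lines.append(f"{image}: {hosted}" + (f"  !! {'; '.join(flags)}" if flags else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PROCESSES)))
```

The image-path check is the direct counterpart of the last post's warning about look-alike files: a process can call itself rundll32.exe, but the real binary only lives in the two system directories. The DLL-location check is a heuristic, not proof of anything; a vendor DLL under Program Files or System32 (like the Nvidia one found earlier in the thread) passes it, while a DLL loaded out of Temp or a public folder is worth a closer look with Process Explorer's properties view.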