Forum Thread: Infected - rundll32

Hello, once again I need some aid where my wits just won't suffice.

On my other PC, I installed Windows 10 and Bitdefender as AV. Right from the start I was browsing the process manager and saw 2 instances of rundll32.exe. It was suspicious to me since I've never seen rundll32 run as a process (at least not for very long). I terminated it and forgot about it. Today, however, I was away - when I got home I had a notification from Bitdefender that C:\windows\syswow64\rundll32 is suspected as a malicious process and blocked. (When I think again, the time it detected the virus is approx. the time I turned on my PC, I just didn't see the alert - hence it could be set to autorun.) Yeah right, I checked the process manager and there were 3 or 4 instances. It's a system file and the only thing that comes to mind is that many migration modules inject into rundll32. But I don't recall downloading or even running any suspicious files. Even if I did, Bitdefender, as one of the toughest out there, which managed to detect my malware that went straight into memory, would have alarmed me. How do I investigate this further? Any help is appreciated. Thanks.

4 Responses

Hi. I think that you should try another antivirus like Avast. I used Bitdefender for a long time and then I switched to Avast (which is free, btw) and although I paid for BD, Avast detected viruses, tons of them. So try to switch to Avast, as BD is taking tons of resources.

Hope I helped.

Considering the directory, it actually sounds like a legitimate system file. There are instances of malware using the filename but in a different directory, but I don't think it's anything to be worried about.

If you think there's an issue, run some scans just to be certain. But like I said, I don't think there is an issue as a dll is a valid part of Windows.

A dll is what's known as a dynamic link library; for more information on that, I would recommend Google.

ghost_

That's exactly what I'm afraid of. If I remember correctly I sometimes use smart migrate on meterpreter, which spawns a legitimate rundll32 and injects/migrates into it.

Yeah, I'm pretty sure some malware can migrate into DLL host processes.
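The original poster asks how to investigate the extra rundll32.exe instances, and the later replies point out that a migration into a freshly spawned rundll32 leaves a legitimate, signed binary running with nothing useful to do. The script below is an added triage example written for this thread, not code posted by anyone in it. It enumerates every rundll32.exe process and reports the facts a defender checks first: where the image lives, whether it is Authenticode-signed, what the command line is, who the parent is, and whether it started right at boot (the poster noticed the alert time matched power-on). A rundll32.exe with no DLL argument on its command line is the classic sign of a process spawned only to be injected into, since a legitimate invocation always names a DLL and entry point. The parent-process list and the two-minute boot window are assumptions chosen for this example; adjust them to your environment.

```powershell
# Added example for triaging rundll32.exe instances (not from the thread).
# Run in an elevated PowerShell session so every process's path and command line are readable.

$bootTime = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
# Legitimate copies live only under System32 or SysWOW64 of the running Windows install.
$expectedPath = '^' + [regex]::Escape($env:SystemRoot) + '\\(System32|SysWOW64)\\rundll32\.exe$'
# Parents that commonly launch rundll32 for normal reasons (assumption; tune for your host).
$usualParents = @('explorer.exe', 'svchost.exe', 'services.exe', 'msiexec.exe', 'runonce.exe')

$report = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'") {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<parent exited>' }

    # Authenticode status of the on-disk image (Valid / NotSigned / HashMismatch / ...).
    $sigStatus = if ($p.ExecutablePath) {
        (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status.ToString()
    } else { 'Unknown' }

    $flags = @()

    # Normal use is "rundll32.exe <dll>,<entrypoint> ...". A bare rundll32.exe with no
    # DLL argument has no legitimate work to do and is a typical injection target.
    if ([string]::IsNullOrWhiteSpace($p.CommandLine) -or $p.CommandLine -match 'rundll32\.exe"?\s*$') {
        $flags += 'no DLL argument'
    }

    # Image outside the two expected system directories.
    if ($p.ExecutablePath -and $p.ExecutablePath -notmatch $expectedPath) {
        $flags += 'unexpected path'
    }

    # Image not carrying a valid Microsoft signature.
    if ($sigStatus -ne 'Valid') {
        $flags += "signature $sigStatus"
    }

    # Unusual parent: worth looking at the parent's own path and command line next.
    if ($parentName -notin $usualParents) {
        $flags += "parent $parentName"
    }

    # Started within two minutes of boot: suggests an autorun entry rather than user action
    # (the original poster noticed the alert time matched power-on). Window is an assumption.
    if ($p.CreationDate -and ($p.CreationDate - $bootTime).TotalMinutes -lt 2) {
        $flags += 'started at boot'
    }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Started     = $p.CreationDate
        ParentPID   = $p.ParentProcessId
        Parent      = $parentName
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Signature   = $sigStatus
        Flags       = ($flags -join '; ')
    }
}

$report | Format-Table -AutoSize -Wrap

# If any instance is flagged 'started at boot', list the usual persistence locations so the
# launching entry (if any) can be found and compared against the flagged command lines.
if ($report.Flags -match 'started at boot') {
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' |
        Where-Object { Test-Path $_ } |
        ForEach-Object { "--- $_"; Get-ItemProperty -Path $_ | Format-List }

    # Scheduled tasks that invoke rundll32 directly.
    Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'rundll32' } |
        Select-Object TaskName, TaskPath, @{ n = 'Action'; e = { $_.Actions.Execute + ' ' + $_.Actions.Arguments } }
}
```

A signed image at the expected path with a valid signature, as the second reply says, is what you will see even when the process has been injected into, because migration does not touch the file on disk. That is why the command line, the parent and the start time carry more weight here than the signature: a rundll32.exe with no DLL argument, an unexpected parent, and no matching autorun or scheduled task is the combination that justifies pulling a memory image of that process rather than re-running disk scans.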
