When you log in to your computer, an error message window with RunDll in the title may appear, mentioning a DLL file name such as the following:
There was a problem starting C:\Users\desktop\AppData\Local\Microsoft\Protect\protecthost.dll
The specified module could not be found.
Though the DLL name and the folder path appear legitimate in this example, they are not. Malware dropped the DLL file there and added a startup entry so that the DLL is executed at every startup. The message "The specified module could not be found." usually denotes that your antivirus software has already taken care of the problematic module by deleting or quarantining it. Now, all you need to do is remove the entry from startup or from the scheduled task, wherever it is loading from.
Task Manager – Startup tab
Open Task Manager and click the Startup tab. Enable the Command line column by right-clicking the column header and selecting the "Command line" check box. This shows the full command line for each startup item listed. To prevent the error message window from appearing at startup, right-click the appropriate (rundll32) entry in the list and click Disable.
Task Manager lists startup entries only from the RunOnce/Run keys and Startup folder, but there are several other startup launchpoints. It’s better to use Autoruns to manage startup programs.
In Autoruns, missing files are highlighted in yellow, which makes the rundll32 entries easy to locate. You can disable or delete the entries from there. Note that some malware loads as a scheduled task instead of from startup, so you may need to inspect 3rd party task scheduler entries in addition. To prevent accidental deletion of built-in entries added by Windows, make sure you enable "Hide Microsoft Entries" in the Autoruns Options menu.
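The same check (rundll32 launch points whose DLL no longer exists on disk) can be scripted for the Run/RunOnce keys and scheduled tasks. The PowerShell below is an added example, not part of the original article; it assumes Windows 8 or later (for Get-ScheduledTask), and the helper name Get-RundllTarget is made up for illustration. It only lists entries and changes nothing.

```powershell
# Added example (not from the original article). Read-only: reports, changes nothing.

function Get-RundllTarget {   # hypothetical helper name
    param([string]$CommandLine)
    # rundll32 syntax: rundll32[.exe] <dll path>,<entry point> [arguments]
    # Capture everything after rundll32 up to the first comma or quote.
    if ($CommandLine -match '(?i)rundll32(?:\.exe)?"?\s+"?([^",]+)') {
        [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
    }
}

$entries = @()

# Launch point 1: Run / RunOnce registry keys (per-machine and per-user).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($path in $runKeys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $entries += [pscustomobject]@{
            Source = $path; Name = $name; Command = [string]$key.GetValue($name) }
    }
}

# Launch point 2: scheduled tasks (only actions that execute a program).
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $entries += [pscustomobject]@{
                Source  = 'Scheduled task'
                Name    = $task.TaskPath + $task.TaskName
                Command = "$($action.Execute) $($action.Arguments)" }
        }
    }
}

# Report rundll32 entries whose absolute DLL path is missing from disk.
# Bare names such as shell32.dll are resolved by Windows and are skipped.
$entries | ForEach-Object {
    $dll = Get-RundllTarget $_.Command
    if ($dll -and [IO.Path]::IsPathRooted($dll) -and -not (Test-Path -LiteralPath $dll)) {
        $_ | Add-Member -NotePropertyName MissingDll -NotePropertyValue $dll -PassThru
    }
} | Format-List Source, Name, Command, MissingDll
```

Run it from an elevated PowerShell window so that tasks belonging to other accounts are included. Other launch points, such as the Startup folder, are not covered by this script and still need Autoruns.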
What is Rundll32.exe?
Rundll32.exe is a valid Windows file, which can load a DLL and run a specified entry-point function inside the DLL file. The problem is not rundll32.exe, but the rogue DLL file which was dropped by malware, and the corresponding startup entry. To know more about a module, you can look it up on the web. In some cases the module names and folder locations contain random characters and numbers, as is the case with most startup entries and scheduled tasks added by malware.
After removing the entries, follow up with a thorough scan using your anti-virus program, as well as using Malwarebytes Antimalware.
About the author
Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from 2003 to 2012.