When you log in to your computer, an error message window with RunDll in the title may appear, mentioning a DLL file name such as the following:
There was a problem starting C:\Users\desktop\AppData\Local\Microsoft\Protect\protecthost.dll The specified module could not be found.
Though the DLL name and the folder path may appear legit in some cases, it’s not really so. Some malware seems to have dropped the DLL file there and added a startup entry so that the DLL is executed at every startup.
The message “The specified module could not be found.” usually denotes that your antivirus program has already quarantined or deleted the malware file. Now, all you need to do is remove its startup entry or scheduled task, wherever it is loading from.
The RunDLL or RunDLL32 entry may be coming from the startup folder, “Run” registry location, or scheduled tasks. The scheduled task may be configured to run at startup or triggered to run at specific intervals. Task Manager lists startup entries only from the RunOnce/Run keys and Startup folder, but there are several other startup launch points. It’s better to use Autoruns to manage startup programs and scheduled tasks.
- Download Autoruns from Microsoft.
- Run Autoruns as administrator.
- Wait for the entries to populate in Autoruns.
- In Autoruns, uncheck “Hide Microsoft Entries” and “Hide Windows Entries” from the Options menu.
- Select the “Everything” tab.
- In the Quick Filter box, search for the string
You may find the offending entry under the Run registry location.
However, these days, viruses use Task Scheduler (instead of the Run registry keys) to launch the rundll32.exe command line. Here’s an example where the offending rundll32.exe command was listed under “Task Scheduler.”
- Right-click on the offending item and choose Delete.
Use Task Manager to disable the startup entry
If rundll32.exe is loading from the registry Run keys or the startup folder, you can disable it using Task Manager.
- Open Task Manager, and click the Startup tab.
- Enable the Command line column by right-clicking the column header and enabling the “Command line” check box. This shows the full command line for each startup item listed.
- To stop the RunDLL error message from appearing at startup, right-click the appropriate (rundll32) entry in the list and click Disable.
However, the Autoruns method is recommended, as it can delete the entry instead of just disabling it, and Autoruns covers many other startup launch points.
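The launch points discussed above (Run/RunOnce keys, Startup folders and scheduled tasks) can also be listed from PowerShell. The following is an added example, not part of the original article: it only reads and reports each rundll32.exe entry and whether the DLL it points to still exists. The helper names Get-RunDllTarget and New-Finding are hypothetical.

```powershell
# Added example, not from the original article; helper names are this example's own.
# Read-only: it changes nothing. Run from an elevated PowerShell prompt so that all
# scheduled tasks are visible. Get-ScheduledTask needs Windows 8 / Server 2012 or later.

function Get-RunDllTarget([string]$CommandLine) {
    # Return the DLL path from a rundll32 command line, or nothing if it is not one.
    if ($CommandLine -match 'rundll32(\.exe)?"?\s+(?<rest>.+)$') {
        $rest = $Matches['rest'].Trim()
        if ($rest -match '^"(?<dll>[^"]+)"') { $dll = $Matches['dll'] }
        else { $dll = ($rest -split ',')[0].Trim() }
        [Environment]::ExpandEnvironmentVariables($dll)
    }
}

function New-Finding([string]$Source, [string]$Name, [string]$CommandLine) {
    $dll = Get-RunDllTarget $CommandLine
    if (-not $dll) { return }
    # Bare names such as shell32.dll are resolved by Windows at load time, so only
    # full paths (drive letter or UNC) are tested for existence.
    if ($dll -notmatch '^([A-Za-z]:|\\\\)') { $state = 'not checked' }
    elseif (Test-Path -LiteralPath $dll) { $state = 'yes' }
    else { $state = 'no' }
    [pscustomobject]@{ Source = $Source; Name = $Name; Dll = $dll; DllExists = $state }
}

$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$shell = New-Object -ComObject WScript.Shell   # used to read .lnk targets

$findings = @(
    foreach ($path in $runKeys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($key) { foreach ($n in $key.GetValueNames()) { New-Finding $path $n ([string]$key.GetValue($n)) } }
    }
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {   # COM-handler actions have no Execute property
            if ($a.Execute) { New-Finding 'Task Scheduler' ($task.TaskPath + $task.TaskName) "$($a.Execute) $($a.Arguments)" }
        }
    }
    foreach ($dir in 'Startup', 'CommonStartup') {
        Get-ChildItem -LiteralPath ([Environment]::GetFolderPath($dir)) -Filter *.lnk -ErrorAction SilentlyContinue |
            ForEach-Object { $s = $shell.CreateShortcut($_.FullName); New-Finding 'Startup folder' $_.Name "$($s.TargetPath) $($s.Arguments)" }
    }
)
$findings | Format-Table -AutoSize -Wrap
```

Entries reported with DllExists = no are the ones that produce the “specified module could not be found” message at login; remove them with Autoruns as described above.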
What is Rundll32.exe?
Rundll32.exe is a legitimate Windows file that can load a DLL and run a specified entry-point function inside the DLL file. The problem is not rundll32.exe but the rogue DLL file, which was dropped by malware. You can look it up on the web to learn more about a module. In some cases, the module names and folder locations contain random characters and numbers, as is the case with most startup entries and scheduled tasks added by malware.
After removing the entries, follow up with a thorough scan using your anti-virus program and Malwarebytes Antimalware.