I recently found there are always two instances of rundll32.exe running on my computer. I was able to retrieve info about the modules that are using them, but what are these modules? Am I infected by a hard-to-remove virus? Or worse, is my computer hacked?

```
Image Name                     PID Modules
========================= ======== ============================================
rundll32.exe                  2892 ntdll.dll, wow64.dll, wow64win.dll,
                                   wow64cpu.dll
rundll32.exe                  2956 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                                   USER32.dll, GDI32.dll, LPK.dll, USP10.dll,
                                   msvcrt.dll, imagehlp.dll, ADVAPI32.dll,
                                   sechost.dll, RPCRT4.dll, IMM32.DLL,
                                   MSCTF.dll, saHook.dll, ole32.dll,
                                   OLEAUT32.dll, uxtheme.dll, dwmapi.dll,
                                   CRYPTBASE.dll, CLBCatQ.DLL, CRYPTSP.dll,
                                   rsaenh.dll, RpcRtRemote.dll, HcApi.dll,
                                   HcThe.dll
```
shadow master
  • Possible duplicate of [How can I get more info on high-CPU rundll32.exe process?](http://superuser.com/questions/67932/how-can-i-get-more-info-on-high-cpu-rundll32-exe-process) What does your research tell you about those modules? Are the files located in system folders or elsewhere? Have you run any malware/rootkit scans? – Karan May 04 '15 at 04:45
  • The second instance shown looks normal for base internal workings; can't say I recognize wow64*. – linuxdev2013 May 04 '15 at 04:53
  • @Karan I searched the first couple of ones, and processlibrary.com says they are Windows OS modules. But this one, saHook.dll, has a result of unknown and unsecure level; another module with a similar name called 180saHook.dll is a known spyware according to processlibrary. How can I find this file in my computer? – shadow master May 04 '15 at 05:01
  • @shadowmaster: Did you look at the question I linked to and try Process Explorer? – Karan May 04 '15 at 05:10
  • @Karan I did, and rundll32.exe points to C:\Windows\SysWOW64\rundll32.exe and C:\Windows\System32\rundll32.exe; and I found that saHook.dll points to c:\PROGRA~2\mcafee\SITEAD~1\x64\saHook.dll, which is McAfee anti-virus. Looks legit. – shadow master May 04 '15 at 05:36
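
The checks worked through in the comments above (which DLL each rundll32.exe instance was asked to run, where every loaded module lives on disk, and who signed it) can be scripted. This is an added example, not part of the original thread; it assumes Windows PowerShell 3.0 or later in an elevated prompt, and the output column names (Module, Path, OutsideWindows, Signature, Signer) are chosen here for illustration.

```powershell
# Added example: inventory what each running rundll32.exe instance is hosting.
# Assumption: run elevated, otherwise modules of other users' processes are unreadable.
$sysRoot = $env:SystemRoot   # normally C:\Windows

$rows = Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    $proc = $_

    # The command line names the DLL and export that rundll32 was started with.
    Write-Host ("PID {0}  image: {1}" -f $proc.ProcessId, $proc.ExecutablePath)
    Write-Host ("  command line: {0}" -f $proc.CommandLine)

    # Module enumeration can fail (access denied, process already exited).
    $modules = try {
        (Get-Process -Id $proc.ProcessId -ErrorAction Stop).Modules
    } catch {
        Write-Warning ("PID {0}: cannot read modules: {1}" -f $proc.ProcessId, $_.Exception.Message)
        @()
    }

    # Note: a 64-bit shell looking at a 32-bit (SysWOW64) instance may list only
    # ntdll.dll and the wow64*.dll layer; rerun from 32-bit PowerShell for the rest.
    foreach ($m in $modules) {
        if (-not $m.FileName) { continue }

        # Full path on disk instead of the bare module name tasklist prints.
        $outside = -not $m.FileName.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)
        $sig     = Get-AuthenticodeSignature -LiteralPath $m.FileName

        [pscustomobject]@{
            PID            = $proc.ProcessId
            Module         = $m.ModuleName
            Path           = $m.FileName
            OutsideWindows = $outside
            Signature      = $sig.Status
            Signer         = $sig.SignerCertificate.Subject
        }
    }
}

# Modules loaded from outside the Windows directory are the ones to identify first.
$rows | Sort-Object -Property @{ Expression = 'OutsideWindows'; Descending = $true }, PID, Module |
    Format-Table -AutoSize -Wrap
```

A module outside the Windows directory is not suspicious by itself; the path and signer columns are what let you attribute it to an installed product.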

0 Answers