Home Support

AVG Support Community

Share tips and solutions on AVG Products

Have a question?

Community topics

AVG Gurus

These community experts are here to help

  • (AB) Alan Binch
  • (BA) Borislav Angelov
  • (VB) Vladimir Bartl
  • (SK) Subhadeep Kanungo
  • (MS) Miloslav Serba
Dave HoudeDave Houde 

Rundll32.exe; Windows 7

I started getting a warning that my Rundll32 is infected with TrojanHorse SCGeneric4.BPWA.  I completely restored Windows t to 9 July from a system backup but as soon as I updated AVG I got the same warning.  Is this a false positive?
Alok KumarAlok Kumar (Avast)
Hello Dave,
I'm sorry to hear about this. Please share a screenshot of the AVG detection to assist you further. We will check with the screenshot and we will let you know about the detection. You can check the following link to see the instructions about taking the screenshot (http://support.avg.com/SupportArticleView?urlname=How-to-create-a-screenshot).
Best regards,
Alok.
Alan BinchAlan Binch
Dave, For your info, just in case that you are unaware, you can post the screenshot here in your topic. Click on 'Answer' & then click on the 'Image' [mountain symbol] & follow the instructions. 
AVG Guru
Dave HoudeDave Houde
Well...unfortunately I ran the AVG rescur disk which actually just deleted RunDLL.  I replaced it with a RunDLL from another machine that was dated 13 Jul 09 (so I can't get a screen shot of the detection since thos one passes the scan).  The one it replaced was quite a bit newer but I noticed some of the other \System32 files have a 13 Jul 09 date.  It could be that this was a valid alert and the RunDLL was replaced prior to 9 July and AVG only just now got the update to catch it.

I'll know more when my recent patches run again (if they replace RunDLL).

Oh...and I'm sorry about the double post...I'm new to this forum.

Cheers!

Dave
Alok KumarAlok Kumar (Avast)
Hello Dave,
I really appreciate your effort in resolving this issue. If the issue still persist, please take a screenshot of the error message for us to assist you further.
Best regards,
Alok.
Eric MercerEric Mercer
I also used the "Submit for Analysis" tool in the Virus Vault to submit the Rundll32.exe file to AVG.
K HK H
Hello, 
I have the same isuue on several computers. See attached screenshot.User-added image
Eric MercerEric Mercer
My AVG installation just finished a regularly scheduled anti-virus run and reported the same infection: "";"Trojan horse SCGeneric4.BPWA, C:\Windows\SysWOW64\Rundll32.exe";"Secured"

I have taken screenshots of the report, showing the basic report and then the detailed one split in two (I had to horizontal scroll to fit the whole detailed report in the non-expandable window).

-- Eric

AVG screenshot - overview
AVG screenshot - detailed left-half
AVG screnshot - detailed right-half
Abirami ShanmugamAbirami Shanmugam (Avast)
Hello K H,
Thank you for providing screenshot. Are you using AVG business edition in your PC? If so, we request you to contact our AVG business support team as this community deals with the technical queries regarding AVG home products. To contact AVG Business team, please click on  http://www.avg.com/us-en/customer-support-business or use below numbers:
USA & CA: +1 (855) 738-1284
AU & NZ: +61 280 152 133
UK: +44 1163 668 543
Thank you.
Abirami ShanmugamAbirami Shanmugam (Avast)
Hello Eric,
Please be informed that we are performing a major migration from 2016 to 2017 version.
We are performing this has mandatory update and planning to maintain the 2017 as a standard version.
We are receiving feedback from customer to add or remove some of the features, the changes will be at the earliest as possible.
Hence please uninstall AVG 2016 version as mentioned in this article ( http://avgread.me/1DEtNP0 ) and reinstall AVG 2017 version by going to AVG downloads page at https://www.avg.com/en-us/download .
Thank you.
George DropGeorge Drop

scgeneric4.bpwa false

Same exact problem with the SCGeneric4.BPWA

my rundll32.exe file hasnt been updated since march and i have scanned using other stuff and none are finding anything 

Abirami ShanmugamAbirami Shanmugam (Avast)
George,
From the screenshot, I see that you are using very older version of AVG product. Rundll32. exe is a supporting file of Run command. Hence it is false detection by AVG older version. As mentioned in previous post, please be informed that we are performing a major migration from 2016 to 2017 version.
We are performing this has mandatory update and planning to maintain the 2017 as a standard version.
We are receiving feedback from customer to add or remove some of the features, the changes will be at the earliest as possible.
Hence please uninstall AVG older version as mentioned in this article ( http://avgread.me/1DEtNP0 ) and reinstall AVG 2017 version by going to AVG downloads page at https://www.avg.com/en-us/download .
Thank you.
Eric MercerEric Mercer
Thank you for the information about the upgrade. However, can you please address the issue of whether AVG Protection has sent to to the virus vault a critical Win7 operating system component (Windows\SysWOW64\Rundll32.exe)., which it will not allow me to restore. I am not sure I will be able to upgrade without this component. I am not sure if I will be able to reboot my computer successfully without this component.
Abirami ShanmugamAbirami Shanmugam (Avast)
Eric,
Sorry to hear that. In some cases, AVG virus vault won't allow some files to restore but if you check the file location it would have been restored. Please check that Rundll32.exe file location and make sure that if it is restored or not. If you don't find the file in that location, do you encounter any error while trying to restore that file from AVG virus vault? If so, please share the screenshot of it to assist further.
Thank you.
Al SirutisAl Sirutis

My short answer:  this appears to be a false positive.  (See below for details.)

I am using Windows 7, latest build 7601, and AVG Free v.16.121.7859.  I also have just begun receiving these notices that SCgeneric4.BPWA TrojanHorse has infected rundll32.exe.  (For me, the triggering event occurred when I went to adjust my time zone by clicking on the time just above the date in the taskbar, and then clicking on "Change date and time settings...", though for some reason, I did not get the AVG warning every time, but only sporadically [I'm guessing rundll32.exe may have still been in memory, only being caught by AVG when Windows decideded to reload it from disk?!]).

I have done some sleuthing, and suspect that this warning is a false positive, caused by a recent Windows Update, which replaced the 2009 version of rundll32.exe with one dated in 2017 (March 30, 2017, 45,056 bytes, created at the same time as my June Windows Update that I did on June 14, 2017).  I went back to two backups to verify this, by examing rundll32.exe that was backed up on June 2 (prior to the June 14th Windows Update), and the one backed up on July 1 (after the same Windows Update).  The current versions in C:\Windows\System32, and also in C:\Windows\winsxs\x86_microsoft-windows-rundll32_31bf3856ad364e35_6.1.7601.23755_none_da6bed36226a053d, are byte-for-byte identical to the one backed up on July 1, but differ from the older one from 2009, backed up on June 2nd.  The older version was used with Windows 7 Build 7600, the current version is used with Build 7601, (as displayed on my desktop wallpaper, and in the file properties dialog).  

I noted that the creation date of the file (rundll32.exe) was June 14, 2017, within seconds of the time stamp for my June 14th Windows Update "2017-06 Security Monthly Quality Rollup for Windows 7 for x86-based Systems (KB4022719)".  The 'Date modified' from the Windows Properties window was originally March 30, 2017, but has been updated after AVG has removed the file, and Windows has recreated it (I presume), so is now dated July 23, 2017 on my system.  But the file is byte-for-byte identical to the backed-up March 30th version.

While not conclusive, there's enough 'evidence' here to lead me to suspect a false positive.  I can send a zip file containing my current rundll32.exe, if that would be of interest, but would need an email address or other instructions.  (Too bad, but I don't see how to attach it here!)  (I did submit the last rundll32.exe caught by AVG, using the 'submit for analysis' function in the Virus Vault, and presume it is the same as the one I have saved in the zip file on my hard drive.)

Al Sirutis
July 23, 2017
 

Abirami ShanmugamAbirami Shanmugam (Avast)
Al,
I have forwarded this to senior team for further suggestion.
Please keep checking the post to know about the status.
Thank you.
Michael BrownMichael Brown
Thanks for your thorough assessment, Al.  I feel safe assuming this is a false positive because I have many computers across many customers all suddenly reporting this same issue. Plus, AVG has been having an unusually high number of false positives lately.  So many, in fact, I am considering replacing the product across the several hundred computers we have deployed it to.  And we've been faithfully deploying AVG to our customers since the 2011 version.
 
Jane FlemingJane Fleming
I thought I posted a reply with screen shots from my Windows 7 machine, but don't see it.
Same error.  
virustotal.com says my rundll32.exe is clean:  https://www.virustotal.com/en/file/3fa4912eb43fc304652d7b01f118589259861e2d628fa7c86193e54d5f987670/analysis/

Agree with the number of false positives claim.  A few days ago, AVG wanted to delete notepad.exe on my Windows 10 machine.

Please fix your product.
Onur ErdemOnur Erdem
So I received the same report aswell and reverted the system to 3 days earlier.. However after I learned that this was most likely a false positive(any confirmation ??), I remembered avg deleted another file 1 month ago due to it being infected by a trojan again.. You know what I found out ? That was a false positive aswell and although I was able to save rundll.32 I can't even recover that other  file cause I emptied the virus vault after removing that... !!! Now I'll attach the screenshots of both files to the thread and I want to know what that "Native images system file" is and If yes how do I replace it ??
User-added image
User-added image
Frank RichterFrank Richter
Same with us - Despite it is a Sunday we got the first Customer reactions... Even our own Computers are affected.  Not looking forward to that Monday... No time and a lot of trouble caused by this problem :-(
 
Mick EllisonMick Ellison

I have questions, 1) what is the deal with AVG asking fpor these screen shots? The first poster asked a question with all of the information that would be in a screen shot "I started getting a warning that my Rundll32 is infected with TrojanHorse SCGeneric4.BPWA." .   Why can you not look that up? Why the delay in getting a screen shot?
2) even if it is a business version, why can you not just TELL US, the answer to the question? it is a false positive or not, it is a secret? (must be).
3) you still did not totally answer the question about the false postive, but said to upgrade to the new version, WHY? you can not flag it in the old version?  Should we turn it off and back on to see if that fixes it too? 

Why all of the delays, this is kind of serious, especially for business customers, for which you will be loosing this one, this is not funny anymore.

Mick EllisonMick Ellison
I have questions, 1) what is the deal with AVG asking fpor these screen shots? The first poster asked a question with all of the information that would be in a screen shot "I started getting a warning that my Rundll32 is infected with TrojanHorse SCGeneric4.BPWA." .   Why can you not look that up? Why the delay in getting a screen shot?
2) even if it is a business version, why can you not just TELL US, the answer to the question? it is a false positive or not, it is a secret? (must be).
3) you still did not totally answer the question about the false postive, but said to upgrade to the new version, WHY? you can not flag it in the old version?  Should we turn it off and back on to see if that fixes it too? 

Why all of the delays, this is kind of serious, especially for business customers, for which you will be loosing this one, this is not funny anymore.
Dirk KnopDirk Knop
During a test with the current virus database (4779 / 14730) on a Windows 7 x64 machine AVG doesn't detect rundll32.exe anymore, so updating the virus database should suffice to solve the issue now.

Dirk Knop, Jakobsoftware
Balasubramanian SBalasubramanian S (Avast) 
Hello Al,

I appreciate your patience in this matter.
This particular threat detection is confirmed as False Positive.
Please update the program once and check whether the issue gets fixed.
Thank you.
Balasubramanian SBalasubramanian S (Avast) 
Hello Dirk,

Thank you for sharing the information here.
Ask a question
Struggling with non-AVG technology? We can fix that, too!