
dwm.exe keeps crashing on windows 10

Anonymous
2015-09-01T05:03:16+00:00

Hello Microsoft Community,

My PC is running Windows 10 Pro x64, and very recently dwm.exe stops responding constantly. It drove me to the point where I've done a full scan of my PC to see if the problem is caused by malware. The results were that it found Trojan:Win32/Bagsu!rfn. Now I've done a little bit of digging about it and I found that it deletes '%systemroot%\strings.txt'. Now if I restore this rich text file, will it fix my problem? If so, how? (I want to stay as far as I can from resetting my PC, but if it is the only way I'll give it a shot.) If not, how do I fix the problem stated in the beginning? I've already run sfc /scannow dozens of times and chkdsk reports that there are no bad sectors. My PC specs (all drivers are up to date):

  • Processor: Intel core i3-3110M CPU @ 2.40 GHz
  • RAM: 4.00 GB (3.88 GB available)
  • Graphics Card: Intel HD Graphics 4000

UPDATE: I have run Windows in safe mode and then made a clean boot. What I've noticed is that there is a startup process called mdi264 and that was what caused the problem. I deleted its respective .dll found in my user's temp folder using CMD boot, and everything became normal again. But what I found mysterious is that every time I opened the location of the process, it redirected me to "C:\Windows\sysWOW64\rundll32.exe". Now from what I know, rundll32.exe is only found in the system32 folder. Could this be an impersonator? Because you know the 32 in rundll32 and the 64 in sysWOW64 made me think of that too. Here is a picture describing my statement


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


Answer accepted by question author

  1. Anonymous
    2015-09-01T21:30:08+00:00

    You are right, it was a coincidence. But what I am trying to say is that a faulty startup process called mdi264 is what caused the problem. Now the thing is this process appeared suddenly and without my consent. I found it when I wanted to see what startup processes are causing the problem (since everything worked properly in safe mode). Note that I was out of clean boot by then and that I have already disabled most of the startup processes after I have upgraded to Windows 10. So logically, OneDrive, my touchpad driver, and my sound card driver cannot be the ones that caused the problem, but that wild mdi264 process that suddenly appeared could've. So I've done a little bit of digging to see where this faulty process operates and followed it right to the following directory: "C:\Users\Elias\AppData\Local\Temp\mdi264.dll". Now the thing is that it cannot be deleted while Windows is running, so I had to reboot into CMD mode (using advanced startup options), and executed the following commands (note that it first loads the drive letter X:):

    D:    (not C: because it is system reserved on my laptop)

    cd\Users\Elias\AppData\Local\Temp\

    del mdi264.dll

    Then I started Windows normally and my problem is gone.

    And thanks for the info on rundll32. I thought it was misplaced for an instant. I hope I did not bother you.

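The pattern described in the question and the accepted answer (a startup entry whose command is rundll32.exe loading a DLL from the user's Temp folder) can be checked for mechanically. The following is an added example, not code from the thread: it audits startup command lines and treats rundll32.exe in either System32 or SysWOW64 as a normal host. The sample entries, the export names and the list of risky directories are constructed assumptions; on a live system the command lines would come from wherever startup entries are registered, such as the Run registry keys.

```python
import re
from pathlib import PureWindowsPath

# rundll32.exe legitimately exists in both places on 64-bit Windows:
# System32 holds the 64-bit binary, SysWOW64 the 32-bit one.
TRUSTED_HOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# User-writable locations treated as suspicious for a startup DLL (assumed policy).
RISKY_DLL_DIRS = (r"\appdata\local\temp", r"\appdata\roaming", r"\windows\temp")

# Splits 'rundll32.exe <dll>,<export>' into the host path and the DLL path.
CMD_RE = re.compile(
    r'^\s*"?(?P<host>[^"]*?rundll32(?:\.exe)?)"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))',
    re.IGNORECASE,
)

def audit_entry(command):
    """Return the findings for one startup command line ([] = nothing flagged)."""
    m = CMD_RE.match(command)
    if not m:
        return []  # not a rundll32 launch, outside this check
    findings = []
    host_dir = PureWindowsPath(m.group("host")).parent
    dll = (m.group("qdll") or m.group("dll")).lower()
    # A bare "rundll32.exe" is resolved by Windows; only an explicit odd path is flagged.
    if host_dir != PureWindowsPath(".") and str(host_dir).lower() not in TRUSTED_HOST_DIRS:
        findings.append("rundll32 host outside System32/SysWOW64")
    if any(d in dll for d in RISKY_DLL_DIRS):
        findings.append("DLL loaded from user-writable directory")
    return findings

def audit(entries):
    """Map entry name -> findings, keeping only the entries that were flagged."""
    flagged = {}
    for name, command in entries.items():
        findings = audit_entry(command)
        if findings:
            flagged[name] = findings
    return flagged

# Constructed sample entries; the export names are placeholders, not from the post.
SAMPLE = {
    "mdi264": r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\Elias\AppData\Local\Temp\mdi264.dll",Export',
    "ControlPanel": r"rundll32.exe shell32.dll,Control_RunDLL",
    "Tray": r'"C:\Program Files\Vendor\tray.exe" /background',
    "FakeHost": r"C:\Users\Elias\AppData\Roaming\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

The mdi264 entry is flagged because of where its DLL lives, not because of the SysWOW64 host path, which matches the point made in the replies that the rundll32 location is normal.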

2 additional answers

  1. Anonymous
    2015-09-02T03:07:09+00:00

    No bother at all. :-)

    And thanks for the follow-up with details on how you resolved the issue.

    -steve

  2. Anonymous
    2015-09-01T10:50:07+00:00

    Found by what? Defender?

    http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=%0D%0A%09%09%09%09Trojan:Win32/Bagsu!rfn%0D%0A%09%09%09%09#tab=1

    The rundll32 and location are normal.

    I suspect that your problem with dwm and the finding of the malware are coincidental, though I can't tell you what to do with the dwm not responding situation other than working from a clean boot condition until the problem was isolated.

    -steve
