Run.dll Question

TDS picked up an alert on run.dll, but only 1 byte, no threat - I deleted. Likely fragment from a scheduled task I fiddled with. Examined registry and confirmed no %system% entries for that threat.

Rarely, when transposing links in MS Word, my firewall asks if I want to run.dll as a app. Question: Is the sub-folder run.dll (23.0 KB) in c:\windows\systen32 normal? I'm sure it is, but freaks me out when it tries to access the internet. Doesn't ask if I want Word to access the net, just to run.dll as an app. Is that file required? Leave it alone? Or delete it altogether?

Thanks, Rick (XP Home User)

 

Hi LWM...Yep, it's c:\windows\system32\ and the file run.dll is in there. Also WININIT.INI & WINNT32.LOG among the bunch. Strange we'd have different paths using the same OS - or is something amiss? I know of no other avenue to that file and there's no primary folder via Start > My Computer> C: with the title WINNT - just "Windows." Never renamed anything, except TDS. Thanks, Rick

 

Sorry LWM, brain damage here, I should have said run.dll.exe is there. It does say 31.0 KB (must have had a brain-fart) But since you also have this, everything is A-OK. As Gilda Radnor of SNL used to say, "Neever Minnd! Still freaks me out when it asks to connect to the net though. Best Regards, Rick

 

Hi Rickster,

I would be very cautious of a file named run.dll.exe

I would recommend that you submit it to your AV company and to TDS submit@diamondcs.com.au for them to have a look. In the meantime I would archive it in a zip file and remove the original file.

Regards,

Dan

 

Will do, thanks a bunch Dan.

 

Hi Guys: Noted LWM has his run.dll.exe on path C:\WINNT\system32\rundll32.exe

Seems to be normally supplied file. Date created matches adjacent files in system32, all before I bought the system new.

Also here:

http://www.liutilities.com/products/wintaskspro/processlibrary/rundll32/

WinTasks Process Library
rundll32 - rundll32.exe - Process Information
Process File: rundll32 or rundll32.exe
Process Name: Windows RUNDLL32 Helper
Description: The Windows Rundll32 Program is used to run DLLs as programs and is used by many programs to execute functions located in a DLL file
Common Errors: N/A
System Process: No

TDS full system scan is clear. The exploit version of run.dll.exe per AV, uses run.dll.exe + %system% and can be found in registry (not). So seems to boil down to whether you want to run dll's as a application. ZA list this function in program menu like any other - I block and can't think of any reason I'd use it Just a little trepidation about doing away it per above "...and is used by many programs to execute functions located in a DLL file"

I occurs to me, the MS baseline security analyzer uses an entry of %system% but don't know if it makes use of run.dll - but the 1 byte fragment TDS originally found was shorty after using the analyzer, so that's probably the association.

Thanks for your help - again. Rick

 

No, run.dll.exe is *definitely* a different file than rundll32.exe

The latter is a valid filename for an OS provided file but the former is a pretty clear indication of something wrong. If your file is actually named run.dll.exe as you stated above I would really advise archiving it so it cannot do anything while the experts analyze the file.

 

Dan, I apologize for wasting your time, I meant run.dll32.exe - I had to correct myself in the first post above on that to LWM. I feel like an idiot - not even qualified to be here anymore. It all started on the TDS find and I can see I have to be careful about being very exact when expressing file names - I'm not writing some paper, this is another world and I should be more careful. I won't bother you guys again.

Regards, Rick

 

Hi Rickster,

As LWM stated, it is no bother at all! If we didn't like responding to questions/concerns we wouldn't be doing this. I really hope you don't feel disinclined to post other questions or responses!

It's very much part of this sort of work that we feel like idiots at times, I hope you don't take it to heart. I know I have made a *plethora* of mistypes in the forum and have made ample use of the edit post feature

Regards,

Dan