C:\WINDOWS\system32\rundll32.exe

Discussion in 'other security issues & news' started by burt64nyg, Mar 21, 2005.

Thread Status:
Not open for further replies.
  1. burt64nyg

    burt64nyg Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    2
    What is this? I have gotten so many different responses. Need clarification on this please: C:\WINDOWS\system32\rundll32.exe
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi burt64nyg, and welcome to the forum.

    I have moved your post from the test forum and into this one where it will receive better attention.

    Rundll32.exe is a valid system file, and from the path you've shown it to be in your post above, it is in the correct location. If it was in another location then I would be a bit more concerned that it was malware.

    This link might help describe better what rundll32.exe is and does:
    http://windowsxp.mvps.org/rundll32.htm

    Regards,

    snap
     
  3. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    The term DLL stands for Dynamic Link Library. Essentially, a DLL is a bunch of functions and routines that have been packaged up into a "library" for use by programmers. RunDLL simply is a "shell" executable that lets one invoke one of these "library" functions on its own.

    As an example, think about some hypothetical file encryption program. This encryption program has a GUI and the bulk of the code written in an executable that can be run by the user just like any other program. However, let's say that the designers of this encryption program wanted to support multiple encryption algorithms (e.g., DES, 3DES, AES, BlowFish, etc.) and maybe even provide support for future algorithms also. Well, one way of doing this might be to have a DLL for each of the algorithms. That way each of the encryption/decryption algorithms could be packaged in their own library file (i.e., aes.dll, des.dll, etc.). Programmers could work perhaps a little more independently. Some algorithms might even be purchased as existing library files from other vendors. Support for future algorithms might be fairly easily added by dropping in new DLL files. There might be any number of reasons for structuring it like this.

    But, now, say for example that you wanted to encrypt a file with the AES algorithm and you already knew exactly which file you wanted encrypted. You wouldn't necessarily need the whole GUI. Perhaps you want to perform this encryption from the command line or from a batch file or something. Even if the programmers didn't provide a command line version of their program, one way to do this might be to invoke the actual encryption routines directly from the DLL file using RunDLL. So, hypothetically, one could type in something like "rundll aes.dll,EncryptFile c:\somedirectory\somefile".

    The Windows operating system has the bulk of its functionality spread throughout various DLLs. These library routines are specifically designed as support functions for use by programmers. However, there are times when it makes sense for people to have access to this raw functionality directly. That is what rundll provides... raw, direct access to support routines.
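
An added example, not part of any post in this thread: a small parser that applies snapdragin's location check and Alec's `dll,Function arguments` form to command lines taken from a process listing. The names `parse_rundll` and `EXPECTED_DIRS` and the sample command lines are constructed for illustration; the expected directory is the one quoted in the thread.

```python
import ntpath  # Windows path rules, usable on any platform

# Directory the thread gives for the genuine file (assumption: extend per system).
EXPECTED_DIRS = (r"C:\WINDOWS\system32",)

def _take(text):
    """Return (first token, remainder); the token may be wrapped in double quotes."""
    text = text.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        if end != -1:
            return text[1:end], text[end + 1:]
        return text[1:], ""
    token, _, rest = text.partition(" ")
    return token, rest

def parse_rundll(cmdline, expected_dirs=EXPECTED_DIRS):
    """Describe a rundll32 command line, or return None for any other program."""
    image, rest = _take(cmdline)
    if ntpath.basename(image).lower() not in ("rundll32", "rundll32.exe"):
        return None
    folder = ntpath.dirname(image)
    if not folder:
        location = "unqualified"  # bare name: the command line alone cannot tell
    else:
        allowed = {ntpath.normpath(d).lower() for d in expected_dirs}
        found = ntpath.normpath(folder).lower()  # also collapses ".." segments
        location = "expected" if found in allowed else "unexpected"
    rest = rest.strip()
    if rest.startswith('"'):
        dll, tail = _take(rest)            # quoted DLL path may contain spaces
        comma, tail = tail[:1], tail[1:]   # character right after the closing quote
    else:
        dll, comma, tail = rest.partition(",")
    entry, _, args = tail.strip().partition(" ") if comma == "," else ("", "", "")
    return {"location": location, "dll": dll.strip(),
            "entry": entry or None, "args": args.strip()}

# Constructed sample command lines, not taken from a real system.
SAMPLES = [
    r"C:\WINDOWS\system32\rundll32.exe aes.dll,EncryptFile c:\somedirectory\somefile",
    r'"C:\Program Files\Example\rundll32.exe" "C:\Program Files\Example\aes.dll",EncryptFile',
    r"C:\WINDOWS\system32\..\Temp\rundll32.exe aes.dll,EncryptFile",
    r"rundll32 aes.dll,EncryptFile",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_rundll(line))
```

An "unexpected" or "unqualified" result only means the file's location needs a closer look; it says nothing about what the DLL itself does.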
     
  4. burt64nyg

    burt64nyg Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    2
    Thanks snap. I'm just starting to really get into my computer and a friend gave me a program called HijackThis. He told me to be careful with it because it will think some operations are corrupted but they're not. While searching for an answer I found this site. I'm glad I did. Thanks again.

    John
     
    Last edited by a moderator: Mar 21, 2005
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi John,

    I need to ask, are you suspicious that your computer is infected, or are you just needing to learn more about what to look for?

    A little about the HijackThis tool - HijackThis was created by Merijn and he has a tutorial on how to interpret the HijackThis logs under the "Articles" section on his page.

    There are other tutorials on the net, but basically learning how to read the logs correctly usually takes a great deal of patience and experience. Because this is a diagnostic tool used with step-by-step instructions given by malware removal Experts to help reveal and remove malware files (used in conjunction with other anti-malware scanners such as anti-virus, anti-trojan, anti-spyware, etc.), there is the potential for damaging a system if HijackThis is used by an inexperienced user since HijackThis will reveal both the good files AND any bad files if they are visibly present.

    Though most of what HijackThis reveals will be harmless and essential to your system, if the wrong files were accidentally removed, it could render the computer unbootable. That is why we always recommend to those unfamiliar with using HijackThis to go to a forum that offers HijackThis log analysis.

    If you suspect your system is infected you can first go through the General Cleaning Instructions, but if you do have a spyware/hijacker problem that is persistent and you cannot remove it with the conventional scanners, then I would advise posting a HijackThis log at one of the forums that offer this type of cleaning service and log analysis. You can find a list of sites that offer this here: http://a-sap.org/ (Please note that we no longer do HijackThis log analysis here at Wilders)

    I hope the above is helpful, please let us know if you have any further questions.

    Regards,

    snap
     
  6. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    One handy way to use HJT is to afterwards use the official auto-analysis tool, at http://hijackthis.de/index.php?langselect=english . Regardless of whether you use that, or submit results for analysis by experts, you'll want to "Save as log" after you've scanned, without "fixing" anything yet.

    The auto-analysis tool shouldn't be treated as gospel, of course, but at least it'll quickly let you know about any obvious malware, plus it'll give you a pretty good idea of what's definitely (or at least highly probably) safe and can be added to HJT's ignore list to trim future reports way down.
     
    Last edited: Mar 22, 2005
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
  8. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Hey Bubba,

    As you saw in my PM, I might have created a misleading impression by enclosing official in quotes, so I've now removed them. I assume that's what you meant by the question.

    Best,
    Mike
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Yeah kind of....I was concerned about the possibility that others would construe that to mean Merijn approved of the analysis tool....when in fact there's a little side note concerning Merijn and that analysis tool that I wasn't aware of until recently.

    Found here---> https://www.wilderssecurity.com/showpost.php?p=347218&postcount=17
     
  10. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Probably about the last word on this, since we've wandered off the original question -- I think we'll agree that the auto-analysis tool is handy if you understand that it's "quick and dirty" and no substitute for review by experts. In forums (fora?) which handle HJT logs, it's quite common for really serious problems to get handled by a team of experts working in consultation with each other.

    And apologies to Bubba and all for that "official" foulup, turns out the quotes probably should have stayed in after all. :oops:
     