
Thread: Run a DLL as an App-gave me a trojan

  1. #1
    persevering Guest

    Run a DLL as an App-gave me a trojan

    I hope I'm in the correct discussion group.
    Has anyone ever got this program "Run a DLL as an App" in their program list? I found explorer.exe in c:\windows\system32\dllcache, in which dllcache is a hidden folder. I also found iexplorer.exe in the same hidden folder. When I blocked across the board the program "Run a DLL as an App", I was able to delete the 2 hidden executables, but there are still a lot of files in the dllcache folder (exe and dll files). Anyone ever dealt with this? Should I just delete the entire dllcache folder? How did they get in? From other readings, somehow they got attached to the real explorer.exe. How do I prevent them from returning?

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm (Free)
    Software Version:6.5

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Run a DLL as an App-gave me a trojan

    Hi

    The dllcache in C:\WINDOWS\system32 is very legitimate. Do not delete this folder. It is required. Very important.

    Okay, the explorer.exe should be in the C:\WINDOWS folder and the rundll32.exe should be in the C:\WINDOWS\system32 folder.

    Did you recently have a power outage or BSOD or a malware attack or a hard shutdown? This may have caused the mixup in their locations. The trick to see if they are legitimate or evil is relatively simple. Just right click the item and check out the Properties.
    The General tab has the exact time and date of installation. This can be a conclusive clue to the legitimacy of the item: does it match the time of the OS install (roughly)?
    The Version tab has the exact manufacturer name in it, whether it says malware"r'us or Microsoft or the name of one of the hardware devices or the security/application software. Second clue to its origin.
    Third clue is the Google search itself. Great info on the net itself about the strange pieces of the WINDOWS directory.


    To help see what is running in the PC, just use Ctrl+Alt+Del all at the same time. The Task Manager will pop up; check out the items in the Processes. Google these to see if any strange items are running or if they are legitimate. A great free tool is the Process Explorer from sysinternals.com. It is like the Task Manager, but with tons of details and shows the associated DLLs, PLUS it has the Google search built right in it to help find info about the processes.


    If you have accidentally deleted a legit Windows item, then do the system file check, or just use "sfc /scannow" in the command prompt and insert the Windows disk in the media drive. Let it do its thing and the lost parts can be retrieved all by itself. Just type in "sfc /scannow" without the quotation marks, with a space between the sfc and the /scannow, hit the Enter key on the keyboard, and have your disk ready.


    To really be sure (the easy way) that the PC is malware free, just try some online scans. They are free and just require that IE6 be used for these tests.

    bitdefender.com
    ewido.net/
    housecalls from trendmicro.com

    are just a few of the many free online scans available.

    Check out spywarewarrior.com for more details at:

    http://spywarewarrior.com/sww-help.htm

    plus it is a very detailed and informative site that has many links and places.

    Hope this helps you some.

    Take care.

    Oldsod

    Message Edited by Oldsod on 09-19-2006 07:16 AM

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Anti-Spyware
    Software Version:6.1
    Best regards.
    oldsod

  3. #3
    critterjoe Guest

    Re: Run a DLL as an App-gave me a trojan

    What was it that made you think you have a trojan? Did you get some kind of alert from a monitoring program or scan? Or was it merely because you saw the program "Run DLL as App" show up in your ZA program list?

    I also have "Run DLL as App" in my ZA program control list, as I also did with previous versions. It means that the program "rundll32.exe" (normally in the windows/system32 folder) has run at least once on your PC, and ZA recognized it and added it to the list. It is used to run some system files and maybe an occasional other program. I want to be aware if it tries to access the internet or interact with other programs, so I used ?? for all the permissions. I don't know this for sure, but I would bet if you asked most people, they will have "Run DLL..." show up in their list. Just be sure it is the normal version and in the right system folder. It is true that some malware can use this program or one like it to launch other programs, so I do keep an eye on it to be sure it is in the right place, right version, etc., and I don't grant it any program permissions.

    The DLL cache is like a backup for critical system files. It's hidden for a reason: to keep people like me from mucking it up. It is not like a "cache" in the sense of a temporary storage. It's used to automatically replace system files of the wrong version, wrong location, accidentally deleted, virus-altered, etc. If it detects any change, the Windows File Protection system, if I understand correctly, will reach into that system DLL cache to replace any DLLs or certain system applications that are missing, corrupt, altered, etc. I'm no expert on the matter, but I *THINK* in some cases it can also include backups of files like explorer, iexplorer, notepad, etc. For instance, did your Windows XP already come with SP2 onboard, or did you update to SP1 and SP2 yourself? From what I've read searching around on the Web, I think that if your system came with SP2 already installed, those are the people most likely to have those above applications backed up in the DLL cache, while those of us who did our own SP2 upgrade may have explorer, notepad, iexplorer, etc. backed up in our servicepack files directory instead. Again, I'm no expert on all that, but if you search on the Web like I just did, you'll see explanations of much of the above, then you'll have to decide if it applies to your own situation. Of course, since the question of a trojan has been raised, the suggestions by others to use several scan programs, either onboard your PC and/or various online scans from the well-known scan sites, are also good advice. It will ultimately be up to you to decide if the explorer, iexplorer files you found in the DLL cache are normal backups or not. Files in the DLL cache are not immune from virus attacks, etc. It takes a little detective work, but hey, that's part of the fun, right? Good luck!

    Here's Microsoft's own description of how the Windows File Protection and DLL cache work, and it likely answers some of your questions:

    http://support.microsoft.com/kb/222193/

    If questions persist about what files should be in there, you might ask your question in one of the windowsXP newsgroups, since a lot of Microsoft technical folks read those. Good luck!

  4. #4
    mistoffeles Guest

    Re: Run a DLL as an App-gave me a trojan

    RunDLL.EXE is a part of Windows
    RunDL.EXE is a virus
    IEXPLORE.EXE is Internet Explorer
    IEXPLORER.EXE is a trojan

    If you can't see the difference, just get AVG Antivirus, ZoneAlarm free firewall, Spybot: Search & Destroy, SpywareBlaster, ewido anti-spyware, Ad-Aware SE Personal and about 3 days to wipe all the **bleep** off your computer and make it usable again.
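
The location checks from posts #2 and #3 and the look-alike names from post #4, sketched as an added Python example that is not part of the original thread: it classifies executable paths by expected folder and flags names one edit away from a known system binary. The folder table assumes a default C:\WINDOWS install, and the function names and sample paths are constructed for illustration.

```python
import ntpath

# Home folder per binary named in the thread (assumes a default C:\WINDOWS install).
HOME = {
    "explorer.exe": r"c:\windows",
    "rundll32.exe": r"c:\windows\system32",
    "iexplore.exe": r"c:\program files\internet explorer",
}
# Windows File Protection backup folder: a known name here is plausible, not proven.
DLLCACHE = r"c:\windows\system32\dllcache"


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path):
    """Return (verdict, detail) for one executable path."""
    folder, name = ntpath.split(ntpath.normpath(path).lower())
    folder = folder.rstrip("\\")
    if name in HOME:
        if folder == HOME[name]:
            return ("expected", name)
        if folder == DLLCACHE:
            return ("dllcache-copy", name)
        return ("wrong-location", "expected in " + HOME[name])
    # Not a known name: is it one typo away from one?
    near = sorted(k for k in HOME if edit_distance(name, k) == 1)
    if near:
        return ("lookalike-name", ", ".join(near))
    return ("unknown", name)


# Constructed sample paths, not taken from a real machine.
SAMPLES = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\dllcache\explorer.exe",
    r"C:\WINDOWS\system32\dllcache\iexplorer.exe",
    r"C:\WINDOWS\Temp\rundll32.exe",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", classify(p))
```

An `expected` or `dllcache-copy` verdict only says the name and folder are plausible; the file's version information and a scan still decide whether it is genuine.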
