1. When seeing a "Run a DLL as an App" error, suspect first that the file RUNDLL32.EXE or second that one of the numerous entries (usually a Dynamic Link Library file) in the system registry which relies on execution by this file (runtime) has been compromised. The most commonly trojaned or altered files and their valid checksums can be found in this " table " (search within this article using the error information above). Also note, that if you search for this file on your system and check the Properties/Version, you'll see that its "Description:" is "Run a DLL as an App" .



Note: If nothing else, extract a new copy of this file by putting the Windows XP CD ROM disk in the CD ROM drive, click Start, Run, type expand ?:\i386\rundll32.ex_ (a single space here) c:\windows\rundll32.exe (where ? is the letter of your CD ROM Drive), and then press ENTER. Restart the computer.



Caveat: Open the system registry and verify that the value data for the following address is "%1" %* and nothing else. If you find anything but, the system has most likely been compromised:



HKCR\exefile\shell\open\command



2. When you open Task Manager in Windows XP, you may see Rundll32.exe entries (a valid system file which "HOSTS" a function of a DLL and normally does not appear in the tasks window itself -- it runs something else ) in the Processes tab -- which should be suspect. Rundll32.exe error messages may occur at shutdown and the command may be "Rundll32.exe filename.dll", whereas Task Manager reports only the command name and not it's parameter. FYI, many trojaned/virus programs will rely on this file for execution.



3. Without having to use any third-party tools, use the recommended " What's the suspicious Rundll32.exe process? " to track down what is being executed to find out the module loaded by the process:



tasklist /m /fi "IMAGENAME eq rundll32.exe" >C:\rundll32.txt



4. Supplemental reading - " A description of Svchost.exe in Windows XP (Q314056) ."



5. Access this site and use this lengthy "Rundll32 Reference Guide" to see applicable file uses.