A couple of days ago, I wrote about a serious new vulnerability discovered in Windows related to the way the operating system processes animated cursors - HERE. This issue was sufficiently serious that Microsoft elected to provide a patch "out of cycle", that is to say, before their normal "Patch Tuesday" on April 10th. This special patch was posted last night and some of those folks who have "Automatic Updates" turned on may wake up this morning (as I did) to find their PC rebooted and displaying the following error message:
ILLEGAL SYSTEM DLL RELOCATION
RTHDCPL.EXE
The system dll, user32.dll, was relocated in memory. The application will not run properly. Relocation occurred because the dll, C:\Windows\System32\HHCTRL.OCX occupied an address range reserved for Windows system dlls. The vendor supplying the dll should be contacted for a new dll.
This is actually a lot less ominous than it sounds.
RTHDCPL.EXE is a RealTek High-Definition Audio control-panel component that loads at Windows startup. This means that only folks whose computer's audio hardware is from RealTek (probably mostly laptop users) are affected, and it's only that part of their audio system that may not work (you may no longer have audio).
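The message above describes a load-address collision: user32.dll could not load at its preferred base because another module already occupied that range, so the loader relocated it. As an added illustration (not code from the original post), the script below reads the preferred ImageBase and SizeOfImage from PE headers and reports whether two modules' preferred ranges overlap; the two headers and their addresses are constructed on the spot and are not the real load addresses of user32.dll or HHCTRL.OCX.

```python
import struct

def build_minimal_pe(image_base, size_of_image):
    """Construct a minimal PE32 header (test fixture only, not a loadable file)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)          # e_lfanew: PE header follows DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # i386, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)  # preferred load address
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def preferred_range(pe_bytes):
    """Return (image_base, size_of_image) from a PE32 or PE32+ header."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 60)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature and COFF header
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic == 0x10B:                           # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", pe_bytes, opt + 28)[0]
    elif magic == 0x20B:                         # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", pe_bytes, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", pe_bytes, opt + 56)[0]
    return image_base, size_of_image

def ranges_collide(first, second):
    """True if the two preferred ranges [base, base+size) overlap, forcing a relocation."""
    a_base, a_size = first
    b_base, b_size = second
    return a_base < b_base + b_size and b_base < a_base + a_size

def collision_report(system_dll_bytes, vendor_dll_bytes):
    """Parse both headers and say whether the vendor module would displace the system DLL."""
    return ranges_collide(preferred_range(system_dll_bytes), preferred_range(vendor_dll_bytes))

if __name__ == "__main__":
    # Constructed addresses for illustration only.
    system_dll = build_minimal_pe(0x7E400000, 0x90000)
    vendor_dll = build_minimal_pe(0x7E300000, 0x180000)   # ends at 0x7E480000: overlaps
    print("relocation forced:", collision_report(system_dll, vendor_dll))
```

On a real machine, read each file's bytes (for example `open(path, "rb").read()`) and pass them to `collision_report` to see whether a third-party module's preferred range sits on top of a system DLL's.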
Microsoft has issued a "patch for the patch" (please hold ironic snorts and snickers till I've finished) that is available HERE.
This patch/update only takes about two minutes to install (no reboot required). If you ARE encountering this specific error and you don't install this follow-up patch, your audio may not work properly and you'll continue to encounter the annoying error message above every time you start Windows (unless you disable/delete the startup entry for RTHDCPL).
BTW - the security patch that causes this error is a really, really good thing to have. The "Animated Cursor" vulnerability that it corrects is very serious and I can testify from personal experience that malicious exploits are out there and being encountered by users.
Yesterday at work (as a computer consultant specializing in malware and security), I encountered a customer system that had already been infected through this vulnerability (a .ANI file in the user's TEMP folder). Unfortunately, before I was able to examine this system, one of our junior techs had already scanned the drive offline and removed the numerous infected files, thereby eliminating the date/time stamp information that I might have used to forensically track down which email or website might have been the original source of the infection.
Now, this particular system was a perfect example of how NOT to secure a PC against malware.
- It was connected directly to the Internet (through a Time-Warner cable modem) with no NAT-router/firewall device, so that the PC was being assigned a routable IP address (the Windows "firewall" was turned on, but that's relatively useless).
- The "hidden" default Administrator login account had no password.
- The installed antivirus software (the initial, 90-day trial version supplied by the manufacturer) had expired two years ago.
- And Windows Automatic Updates was turned off so the system had none of the Microsoft security patches issued over the past couple of years.
As a result, this system was infected by nearly two dozen of the most dangerous malwares out there (in literally hundreds of files and Registry entries). These included three different malwares designed to steal banking/credit account information and login passwords (the user WAS informed and urged to change any potentially compromised accounts), three different SPAM relay servers, three different rootkits (that hide malicious files and Registry entries while the system is running, even from the best antivirus software), two different hacker remote-control programs and one malware that linked the system to a "botnet."
Over the years, I have developed sophisticated techniques for completely cleaning systems while avoiding the need to re-install the OS and all programs (since many home users have lost their OS re-install CDs and/or program installation CDs). However, in this instance, there was no alternative to formatting the drive and starting over from scratch.