Re: RUNDLL32.EXE

From: luis (not@vaila.ble)
Date: 07/28/02


From: "luis" <not@vaila.ble>
Date: Sun, 28 Jul 2002 13:20:54 GMT

This list shows the details related to the RUNDLL32.exe process that is
slowing my computer down while trying to make a connection to a remote
server ....
Maybe somebody can identify what the program is doing (note the reference
to SENSAPI.dll):

Process: RUNDLL32.EXE Pid: FFFBA899

Base Size Description
Version Time Path
0x400000 0x11000
6/28/02 7:05 PM D:\WINDOWS\SYSTEM\Rundll32.exe
0x60000000 0x5000 SENS Connectivity API DLL
5.50.4807.2300 9/1/01 12:35 AM D:\WINDOWS\SYSTEM\SENSAPI.DLL
0x63000000 0x94000 Internet Extensions for Win32
6.00.2715.0400 3/5/02 9:56 AM D:\WINDOWS\SYSTEM\WININET.DLL
0x65340000 0x9B000
2.40.4518.0000 9/10/01 8:18 PM D:\WINDOWS\SYSTEM\OLEAUT32.DLL
0x66800000 0x155000 Windows Shell Common Dll
4.72.3812.0600 12/6/01 11:25 PM D:\WINDOWS\SYSTEM\SHELL32.DLL
0x70BD0000 0x64000 Shell Light-weight Utility Library
6.00.2600.0000 8/17/01 12:00 AM D:\WINDOWS\SYSTEM\SHLWAPI.DLL
0x71300000 0x5E000 Crypto API32
5.131.1877.0005 11/5/99 12:00 AM D:\WINDOWS\SYSTEM\CRYPT32.DLL
0x719A0000 0x8000 Shell Folder Service
6.00.2600.0000 8/17/01 12:00 AM D:\WINDOWS\SYSTEM\SHFOLDER.DLL
0x75FA0000 0xA000 BSD Socket API for Windows
4.10.0000.1998 1/28/01 10:28 AM D:\WINDOWS\SYSTEM\WSOCK32.DLL
0x75FE0000 0x6000 Windows Socket 2.0 Helper for Windows 98
4.10.0000.1998 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\WS2HELP.DLL
0x76000000 0x12000 Windows Socket 2.0 32-Bit DLL
4.10.0000.2222 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\WS2_32.DLL
0x78000000 0x46000 Microsoft (R) C Runtime Library
6.01.8637.0000 6/12/00 9:42 AM D:\WINDOWS\SYSTEM\MSVCRT.DLL
0x783C0000 0xF000 Windows Socket2 NameSpace DLL
4.10.0000.2222 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\RNR20.DLL
0x794D0000 0x15000 Microsoft WinSock Extension APIs
4.10.0000.2222 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\MSWSOCK.DLL
0x79E00000 0x25000 Microsoft Trust ASN APIs
5.131.1877.0003 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\MSOSS.DLL
0x7B410000 0xB000 Microsoft Windows Sockets 2.0 Service Provider
4.10.0000.1998 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\MSAFD.DLL
0x7F840000 0x8000
4/23/99 10:22 PM D:\WINDOWS\SYSTEM\NETBIOS.DLL
0x7F870000 0xA000 Microsoft Win32 Security Services
4.10.0000.2222 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\SECUR32.DLL
0x7F880000 0x35000 Dial-Up Networking Dynamic Linked Library
4.10.0000.2222 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\RASAPI32.DLL
0x7F950000 0x8000 32-bit common Server API library
4.10.0000.1998 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\SVRAPI.DLL
0x7F960000 0x1E000 Microsoft® Windows(TM) Telephony API Client DLL
4.10.0000.2222 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\TAPI32.DLL
0x7F990000 0x5000 32-bit network API DLL
4.10.0000.1998 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\NETAPI32.DLL
0x7FB00000 0x13000 Microsoft 32-bit Network API Library
4.10.0000.1998 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\MSNET32.DLL
0x7FB40000 0xA000 Password list management library
4.10.0000.1998 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\MSPWL32.DLL
0x7FB90000 0x52000 Remote Procedure Call DLL
4.71.2900.0002 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\RPCRT4.DLL
0x7FBF0000 0xE000 WIN32 Network Interface DLL
4.10.0000.1998 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\MPR.DLL
0x7FC00000 0x2C000 Microsoft C Runtime Library
3.50.0746.0001 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\CRTDLL.DLL
0x7FC30000 0x45000 Microsoft® C Runtime Library
2.11.0000.0000 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\MSVCRT20.DLL
0x7FF20000 0xC1000 Microsoft OLE for Windows and Windows NT
4.71.2900.0000 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\OLE32.DLL
0xBFB70000 0x8E000 Common Controls Library
5.81.4807.2300 7/23/01 12:00 AM D:\WINDOWS\SYSTEM\COMCTL32.DLL
0xBFE80000 0x10000 Win32 ADVAPI32 core component
4.80.0000.1675 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\ADVAPI32.DLL
0xBFF20000 0x26000 Win32 GDI core component
4.10.0000.1998 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\GDI32.DLL
0xBFF50000 0x11000 Win32 USER32 core component
4.10.0000.2222 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\USER32.DLL
0xBFF70000 0x73000 Win32 Kernel core component
4.10.0000.2222 4/23/99 10:22 PM D:\WINDOWS\SYSTEM\KERNEL32.DLL

Process: RUNDLL32.EXE Pid: FFFF34A9

Name Type Access Share
  0x4 Process 0x001F0FFF
RUNDLL32.EXE(FFFF34A9)
  0x8 Mutex 0x001F0001
OLESCMLOCKMUTEX
  0xC MappedFile 0x00000000
rpcrt4sharedmem
  0x10 Mutex 0x00100000
_!MSFTHISTORY!_
  0x14 Mutex 0x00100000
d:!windows!temporary internet files!content.ie5!
  0x18 File 0x00000133
D:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT
  0x1C MappedFile 0x00000000
D:_WINDOWS_Temporary Internet Files_Content.IE5_index.dat_6619136
  0x20 Mutex 0x00100000
d:!windows!cookies!
  0x24 File 0x00000133
D:\WINDOWS\COOKIES\INDEX.DAT
  0x28 MappedFile 0x00000000
D:_WINDOWS_Cookies_index.dat_229376
  0x2C Mutex 0x00100000
d:!windows!history!history.ie5!
  0x30 File 0x00000133
D:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT
  0x34 MappedFile 0x00000000
D:_WINDOWS_History_History.IE5_index.dat_1949696
  0x38 Mutex 0x001F0001
WininetStartupMutex
  0x40 Mutex 0x001F0001
WininetConnectionMutex
  0x48 Mutex 0x001F0001
WininetProxyRegistryMutex
  0x50 Mutex 0x001F0001
Winsock2ProtocolCatalogMutex
  0x54 Mutex 0x001F0001
Winsock2ProtocolCatalogMutex
  0x58 Thread 0x001F03FF
RUNDLL32.EXE(FFFF34A9): FFFF36E9
  0x5C Mutex 0x001F0001
MPRMutex
  0x68 Mutex 0x001F0001 svrapi
  0x6C Device 0x00000000 WSOCK2
  0x70 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFE2EFD
  0x74 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFE7EB5
  0x78 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFE72B9
  0x80 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFD9B29
  0x88 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFD8F15
  0x90 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFD817D
  0x98 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFD90F1
  0xA4 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFDA2F5
  0xA8 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFDB90D
  0xB0 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFDB37D
  0xB8 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFDCDB9
  0xC0 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFDCFC5
  0xC8 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFDC8A1
  0xD0 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFDCA9D
  0xD8 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFDC4D9
  0xE0 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFDC115
  0xE8 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFDC351
  0xF0 Thread 0x00000000
RUNDLL32.EXE(FFFF34A9): FFFDD981
  0xF8 Device 0x00000000 VNETBIO
  0x114 MappedFile 0x00000000 SENS
Information Cache

I apologize if this is not the right NG for this post... Please suggest a
more appropriate one.
Regards...
Luis

"Andrew Rossmann" <andyross@no_junk.worldnet.att.net> wrote in message
news:MPG.17ac6cf52337cd82989d3c@netnews.att.net...
> In article <j1w09.136344$_51.93086@rwcrnsc52.ops.asp.att.net>,
> not@vaila.ble says...
> > I have thousands of entries on my ZAPro log indicating that RUNDLL32.EXE was
> > trying to connect from my computer... the entries look like this on the Log
> > file:
> >
> > FWIN,2002/02/09,22:21:18 -5:00 GMT,24.129.2.34:53,66.176.63.8:1184,UDP
> > FWIN,2002/02/09,22:21:24 -5:00 GMT,24.129.2.34:53,66.176.63.8:1187,UDP
> > FWIN,2002/02/09,22:21:44 -5:00 GMT,24.129.2.34:53,66.176.63.8:1190,UDP
> > FWIN,2002/02/09,22:22:53 -5:00 GMT,24.129.2.34:53,66.176.63.8:1204,UDP
> > FWIN,2002/02/09,22:23:44 -5:00 GMT,24.129.2.34:53,66.176.63.8:1206,UDP
> > FWIN,2002/02/09,22:24:15 -5:00 GMT,24.129.2.34:53,66.176.63.8:1218,UDP
> > FWIN,2002/02/09,22:26:24 -5:00 GMT,24.129.2.34:53,66.176.63.8:1235,UDP
> > FWIN,2002/02/09,22:26:24 -5:00 GMT,24.129.2.34:53,66.176.63.8:1237,UDP
> > FWIN,2002/02/09,22:26:24 -5:00 GMT,24.129.2.34:53,66.176.63.8:1238,UDP
> > FWIN,2002/02/09,22:26:28 -5:00 GMT,24.129.2.34:53,66.176.63.8:1249,UDP
> > FWIN,2002/02/09,22:26:35 -5:00 GMT,24.129.2.34:53,66.176.63.8:1253,UDP
> > FWIN,2002/02/09,22:27:14 -5:00 GMT,24.129.2.34:53,66.176.63.8:1288,UDP
> > FWIN,2002/02/09,22:27:33 -5:00 GMT,24.129.2.34:53,66.176.63.8:1310,UDP
> > FWIN,2002/02/09,22:27:35 -5:00 GMT,24.129.2.34:53,66.176.63.8:1312,UDP
> > FWIN,2002/02/09,22:27:37 -5:00 GMT,24.129.2.34:53,66.176.63.8:1315,UDP
> >
> > This started after I noticed that there was a lot of uploading activity
> > going on my computer and I turned the protection up.
> > My hard drive is constantly making noise as if something is being read and I
> > get lots of blocked activity... I can see that ICQ has to do with it but I
> > am also suspecting the possibility of a Trojan. Any help is appreciated.
>
> RUNDLL32 is just a wrapper for .DLL files to run as programs. The tricky
> part is trying to find out what program is using it.
>
> Download programs like AdAware (www.lavasoft.nu) and similar to search
> for spyware and trojans.
>
> --
> If there is a no_junk in my address, please REMOVE it before replying!
> All junk mail senders will be prosecuted to the fullest extent of the
> law!!
> http://home.att.net/~andyross
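
A triage aid for a firewall log like the one quoted above (an added example, not part of the original posts and not ZoneAlarm code): it parses the entries, counts them per flow, and marks UDP packets sent from source port 53 to a high local port, which is the shape of a DNS reply. The field order (event, date, time, source ip:port, destination ip:port, protocol) is an assumption read off the quoted lines, and the function names are hypothetical.

```python
from collections import Counter
from typing import NamedTuple, Optional

# Four entries copied from the quoted log above, plus one constructed bad line.
SAMPLE_LOG = """\
FWIN,2002/02/09,22:21:18 -5:00 GMT,24.129.2.34:53,66.176.63.8:1184,UDP
FWIN,2002/02/09,22:21:24 -5:00 GMT,24.129.2.34:53,66.176.63.8:1187,UDP
FWIN,2002/02/09,22:26:24 -5:00 GMT,24.129.2.34:53,66.176.63.8:1235,UDP
FWIN,2002/02/09,22:26:24 -5:00 GMT,24.129.2.34:53,66.176.63.8:1237,UDP
not a log line
"""


class Entry(NamedTuple):
    event: str      # e.g. FWIN (assumed: a blocked inbound packet)
    date: str
    time: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one entry; return None for anything that does not fit the layout."""
    # Tolerate Usenet quote markers ("> > ") in front of a pasted line.
    fields = [f.strip() for f in line.lstrip("> ").split(",")]
    if len(fields) != 6:
        return None
    event, date, time, src, dst, proto = fields
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return Entry(event, date, time, src_ip, int(src_port),
                     dst_ip, int(dst_port), proto)
    except ValueError:
        return None


def summarize(text: str) -> dict:
    """Count entries per (event, source ip, source port, protocol) flow."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    by_flow = Counter((e.event, e.src_ip, e.src_port, e.proto) for e in entries)
    # UDP from port 53 to an ephemeral local port looks like a DNS reply.
    dns_like = [e for e in entries
                if e.proto == "UDP" and e.src_port == 53 and e.dst_port >= 1024]
    return {"parsed": len(entries), "by_flow": by_flow,
            "dns_reply_like": len(dns_like),
            "local_ports": sorted({e.dst_port for e in dns_like})}
```

When nearly every entry falls into one flow from a single address on port 53, the next thing to check is whether that address is the resolver configured on the machine.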


