Re: ZoneAlarm -- Alert for "Run a DLL"
From:Date: 09/01/02
Date: Sun, 01 Sep 2002 02:22:23 GMT
Dave, I noticed the problem a while ago and still don't know what to make of
it....
I am blocking it from accessing the internet also... but you also have to
delete it from your process. Unfortunately it doesn't show in the running
task list, but you can find "them" (because there is more than one instance
trying to connect and eating up your resources) by using a program called
Process Explorer (if you are running WIN98 or WINME) or use the built-in
feature of your OS to access that list.
So far I have gathered that RUNDLL32 is used by many programs and it is
normal to see it being executed... In this case it is trying to run another
DLL file called SENSAPI.DLL. This SENS Connectivity API DLL is used in
routines in a curious way to determine the "quality of the connectivity". I
don't know how far it is being exploited by others to invade somebody's
computer but, as far as I am concerned, the potential is there. I've got to
notice this issue because my hard drive would sometimes blink continuously
without any apparent reason, and the upload gauge would show data being sent
at the same time... It stopped when I intercepted RUNDLL32. There is a
problem and there is a solution although we are still trying to get to the
meaning of it.
Following is data from the Process Explorer that may help somebody enlighten
us on this issue.
1*************************************************************************
Process: RUNDLL32.EXE Pid: FFFBA899
Base        Size      Description                                      Version          Time              Path
0x400000    0x11000                                                                     6/28/02 7:05 PM   D:\WINDOWS\SYSTEM\Rundll32.exe
0x60000000  0x5000    SENS Connectivity API DLL                        5.50.4807.2300   9/1/01 12:35 AM   D:\WINDOWS\SYSTEM\SENSAPI.DLL
0x63000000  0x94000   Internet Extensions for Win32                    6.00.2715.0400   3/5/02 9:56 AM    D:\WINDOWS\SYSTEM\WININET.DLL
0x65340000  0x9B000                                                    2.40.4518.0000   9/10/01 8:18 PM   D:\WINDOWS\SYSTEM\OLEAUT32.DLL
0x66800000  0x155000  Windows Shell Common Dll                         4.72.3812.0600   12/6/01 11:25 PM  D:\WINDOWS\SYSTEM\SHELL32.DLL
0x70BD0000  0x64000   Shell Light-weight Utility Library               6.00.2600.0000   8/17/01 12:00 AM  D:\WINDOWS\SYSTEM\SHLWAPI.DLL
0x71300000  0x5E000   Crypto API32                                     5.131.1877.0005  11/5/99 12:00 AM  D:\WINDOWS\SYSTEM\CRYPT32.DLL
0x719A0000  0x8000    Shell Folder Service                             6.00.2600.0000   8/17/01 12:00 AM  D:\WINDOWS\SYSTEM\SHFOLDER.DLL
0x75FA0000  0xA000    BSD Socket API for Windows                       4.10.0000.1998   1/28/01 10:28 AM  D:\WINDOWS\SYSTEM\WSOCK32.DLL
0x75FE0000  0x6000    Windows Socket 2.0 Helper for Windows 98         4.10.0000.1998   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\WS2HELP.DLL
0x76000000  0x12000   Windows Socket 2.0 32-Bit DLL                    4.10.0000.2222   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\WS2_32.DLL
0x78000000  0x46000   Microsoft (R) C Runtime Library                  6.01.8637.0000   6/12/00 9:42 AM   D:\WINDOWS\SYSTEM\MSVCRT.DLL
0x783C0000  0xF000    Windows Socket2 NameSpace DLL                    4.10.0000.2222   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\RNR20.DLL
0x794D0000  0x15000   Microsoft WinSock Extension APIs                 4.10.0000.2222   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\MSWSOCK.DLL
0x79E00000  0x25000   Microsoft Trust ASN APIs                         5.131.1877.0003  4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\MSOSS.DLL
0x7B410000  0xB000    Microsoft Windows Sockets 2.0 Service Provider   4.10.0000.1998   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\MSAFD.DLL
0x7F840000  0x8000                                                                      4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\NETBIOS.DLL
0x7F870000  0xA000    Microsoft Win32 Security Services                4.10.0000.2222   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\SECUR32.DLL
0x7F880000  0x35000   Dial-Up Networking Dynamic Linked Library        4.10.0000.2222   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\RASAPI32.DLL
0x7F950000  0x8000    32-bit common Server API library                 4.10.0000.1998   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\SVRAPI.DLL
0x7F960000  0x1E000   Microsoft® Windows(TM) Telephony API Client DLL  4.10.0000.2222   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\TAPI32.DLL
0x7F990000  0x5000    32-bit network API DLL                           4.10.0000.1998   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\NETAPI32.DLL
0x7FB00000  0x13000   Microsoft 32-bit Network API Library             4.10.0000.1998   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\MSNET32.DLL
0x7FB40000  0xA000    Password list management library                 4.10.0000.1998   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\MSPWL32.DLL
0x7FB90000  0x52000   Remote Procedure Call DLL                        4.71.2900.0002   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\RPCRT4.DLL
0x7FBF0000  0xE000    WIN32 Network Interface DLL                      4.10.0000.1998   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\MPR.DLL
0x7FC00000  0x2C000   Microsoft C Runtime Library                      3.50.0746.0001   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\CRTDLL.DLL
0x7FC30000  0x45000   Microsoft® C Runtime Library                     2.11.0000.0000   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\MSVCRT20.DLL
0x7FF20000  0xC1000   Microsoft OLE for Windows and Windows NT         4.71.2900.0000   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\OLE32.DLL
0xBFB70000  0x8E000   Common Controls Library                          5.81.4807.2300   7/23/01 12:00 AM  D:\WINDOWS\SYSTEM\COMCTL32.DLL
0xBFE80000  0x10000   Win32 ADVAPI32 core component                    4.80.0000.1675   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\ADVAPI32.DLL
0xBFF20000  0x26000   Win32 GDI core component                         4.10.0000.1998   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\GDI32.DLL
0xBFF50000  0x11000   Win32 USER32 core component                      4.10.0000.2222   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\USER32.DLL
0xBFF70000  0x73000   Win32 Kernel core component                      4.10.0000.2222   4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\KERNEL32.DLL
2*************************************************************************
Process: RUNDLL32.EXE Pid: FFFF34A9
Name Type Access Share
0x4    Process     0x001F0FFF  RUNDLL32.EXE(FFFF34A9)
0x8    Mutex       0x001F0001  OLESCMLOCKMUTEX
0xC    MappedFile  0x00000000  rpcrt4sharedmem
0x10   Mutex       0x00100000  _!MSFTHISTORY!_
0x14   Mutex       0x00100000  d:!windows!temporary internet files!content.ie5!
0x18   File        0x00000133  D:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT
0x1C   MappedFile  0x00000000  D:_WINDOWS_Temporary Internet Files_Content.IE5_index.dat_6619136
0x20   Mutex       0x00100000  d:!windows!cookies!
0x24   File        0x00000133  D:\WINDOWS\COOKIES\INDEX.DAT
0x28   MappedFile  0x00000000  D:_WINDOWS_Cookies_index.dat_229376
0x2C   Mutex       0x00100000  d:!windows!history!history.ie5!
0x30   File        0x00000133  D:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT
0x34   MappedFile  0x00000000  D:_WINDOWS_History_History.IE5_index.dat_1949696
0x38   Mutex       0x001F0001  WininetStartupMutex
0x40   Mutex       0x001F0001  WininetConnectionMutex
0x48   Mutex       0x001F0001  WininetProxyRegistryMutex
0x50   Mutex       0x001F0001  Winsock2ProtocolCatalogMutex
0x54   Mutex       0x001F0001  Winsock2ProtocolCatalogMutex
0x58   Thread      0x001F03FF  RUNDLL32.EXE(FFFF34A9): FFFF36E9
0x5C   Mutex       0x001F0001  MPRMutex
0x68   Mutex       0x001F0001  svrapi
0x6C   Device      0x00000000  WSOCK2
0x70   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFE2EFD
0x74   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFE7EB5
0x78   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFE72B9
0x80   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFD9B29
0x88   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFD8F15
0x90   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFD817D
0x98   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFD90F1
0xA4   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFDA2F5
0xA8   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFDB90D
0xB0   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFDB37D
0xB8   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFDCDB9
0xC0   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFDCFC5
0xC8   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFDC8A1
0xD0   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFDCA9D
0xD8   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFDC4D9
0xE0   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFDC115
0xE8   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFDC351
0xF0   Thread      0x00000000  RUNDLL32.EXE(FFFF34A9): FFFDD981
0xF8   Device      0x00000000  VNETBIO
0x114  MappedFile  0x00000000  SENS Information Cache
"Dave Gonzalez" <dgonzalezxp@attbi.com> wrote in message
news:iA3c9.252853$983.528477@rwcrnsc53...
> I keep getting an alert in Zone Alarm that "Run a DLL" (RUNDLL32.DLL) is
> trying to access the Internet. Anyone know what this is? Should I grant
> access?
>
> -- Dave
>
>
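
Added example, not part of the original post or of Process Explorer: Python that parses a module listing in the layout posted above (rows wrapped across two lines or kept on one) and lists the entries to verify by hand first: modules loaded from outside the system directory, modules with no version shown, and network-capable modules. The NETWORK_MODULES set, the no-spaces-in-paths assumption and the last sample row are constructed for this example; the other sample rows are copied from the post.

```python
import re

# Assumptions for this example (not from the post): which modules count as
# network-capable; paths contain no spaces.
NETWORK_MODULES = {"WININET.DLL", "WSOCK32.DLL", "WS2_32.DLL", "MSWSOCK.DLL", "RASAPI32.DLL"}
EXPECTED_DIR = "D:\\WINDOWS\\SYSTEM\\"  # system directory seen in the post
# One record: base, size, free-form middle (description/version/time), path.
RECORD = re.compile(r"(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)\s+(.*?)\s*([A-Za-z]:\\\S+)", re.DOTALL)
VERSION = re.compile(r"\b\d+\.\d+\.\d+\.\d+\b")
STAMP = re.compile(r"\d{1,2}/\d{1,2}/\d{2}\s+\d{1,2}:\d{2}\s+[AP]M")

# Rows copied from the post (one joined onto a single line); the last row is constructed.
SAMPLE = r"""
0x400000 0x11000
6/28/02 7:05 PM D:\WINDOWS\SYSTEM\Rundll32.exe
0x60000000 0x5000 SENS Connectivity API DLL
5.50.4807.2300 9/1/01 12:35 AM D:\WINDOWS\SYSTEM\SENSAPI.DLL
0x63000000 0x94000 Internet Extensions for Win32
6.00.2715.0400 3/5/02 9:56 AM D:\WINDOWS\SYSTEM\WININET.DLL
0x76000000 0x12000 Windows Socket 2.0 32-Bit DLL  4.10.0000.2222  4/23/99 10:22 PM  D:\WINDOWS\SYSTEM\WS2_32.DLL
0x10000000 0x9000
1/1/02 12:00 PM D:\TEMP\EXAMPLE.DLL
"""

def parse_modules(text):
    """Return one dict per module, tolerating rows wrapped across lines."""
    modules = []
    for base, size, middle, path in RECORD.findall(text):
        version, stamp = VERSION.search(middle), STAMP.search(middle)
        starts = [m.start() for m in (version, stamp) if m]
        description = " ".join(middle[:min(starts, default=len(middle))].split())
        modules.append({"base": int(base, 16), "size": int(size, 16), "path": path,
                        "description": description, "version": version.group() if version else "",
                        "timestamp": " ".join(stamp.group().split()) if stamp else ""})
    return modules

def triage(modules):
    findings = []  # (module name, reason) pairs worth checking by hand
    for m in modules:
        name = m["path"].rsplit("\\", 1)[-1].upper()
        if not m["path"].upper().startswith(EXPECTED_DIR):
            findings.append((name, "outside system directory"))
        if not m["version"]:
            findings.append((name, "no version shown"))
        if name in NETWORK_MODULES:
            findings.append((name, "network-capable"))
    return findings

if __name__ == "__main__":
    print(*triage(parse_modules(SAMPLE)), sep="\n")
```

A module list records what the process has loaded, not which DLL and export RUNDLL32 was started with; that comes from the process command line, which this listing does not include.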