Please Help!

ProAsm

Hi,

I don't often have a problem but I have one now and I don't know what's causing it.
I have a USB Microcom router which has been running very successfully for several years now.
I've never had a hack, a virus or anything go wrong.
My O/S is WinXp Pro SP3, I run ZoneAlarm Pro as my firewall, and AVG8 as my AntiVirus.
In the 5 odd years that I've had 512 ADSL, only twice have I exceeded my 3 gig cap which gives you an idea of my activity.
Last night for some reason I logged onto Saix to check my user stats and wow, there I saw I had downloaded 1.6 gigs for yesterday alone.
I ran up NetMeter (DUMeter) and it agreed as its total for the day also said approx 1.6 gigs.
Needless to say I was flabbergasted as I doubt I even did 30 megs for the day.
Anyway, watching Netmeter I saw that there was continuous downloading going on.
It would download 600KB at approx 30 KB/sec, pause for 10 seconds, then do another 600KB and so it would continue for ever and ever.
At this point I saw AVG8 trying to download a 40 meg update which it was just resuming all the time and not getting anywhere.
Thinking that AVG8 might be the problem I disabled it with no luck.
After checking the ZoneAlarm firewall stats I saw that there were still several AVG files running, so I completely uninstalled AVG8.
Still no luck, the downloading continued.
After killing several programs, still the downloading continued.
At this point and after some desperation, I grabbed a spare hard drive, formatted it and installed Xp Pro onto it, installed ZoneAlarm pro and installed the Microcom router software.
The very instant the router saw a PC attached the friggin downloads started, 600KB, 10 second pause and then another 600KB and so on.
At this point there were only 7 programs 'allowed' through ZoneAlarm
1. Generic Host Process for Win32 Services
2. Internet Explorer
3. Run a DLL as an App
4. Services and Controller App
5. Windows Explorer
6. WindowsNT Logon Application
7. Zone Labs Client
I started blocking each program one by one and when I got to 'Run a DLL as an App' the downloads stopped.
I enabled it and the downloads started up.
Remembering this is a brand new installation of Windows etc so there are no hacks or viruses etc on the PC.
My question is, what is this 'Run a DLL as an App'?
How can I find out which DLL is being activated?
What can I use to check what's causing this and where it's coming from?

Any ideas would be greatly appreciated.
 
Try switching to LAN (if possible) and see if the problem persists. I have just realized that my monitor is also picking up some kind of download and upload when it's idle...23k at a time every 10sec
 
TCPView will let you see what program is making a connection to the Internet. Most importantly, it will let you see what address the program is making a connection to.

Post back what you find out.
 
Thanks for the replies.

dr.grimm, I installed SP3 about a month ago.
The new drive is SP2 only.
I'll make up a LAN cable in the morning, good idea :)

fz1, thanks for that proggie.
Strange thing happens when I run it.
It shows all the programs running with one in red being Rundll32.exe which I think is normal and it points its Remote address at my router being 10.0.0.2.
The strange thing is while TCPView is running, it only does 1 x 600 KB download and stops in its tracks.
When I exit TCPView it continues downloading again.

Maybe I run TCPView permanently :)

Another thing that has happened since my last post is it looks like Telkom or someone has removed the 1.6 gig for yesterday on my adsl stats and replaced it with 85 megs odd, and my total at combined(bytes) for the month so far has also been reduced by 1.4 gigs.
Maybe this was a Telkom fault and they tried rectifying something although the downloads still continue if I enable that 'Run a DLL as an App' which obviously activates RunDLL32.exe
 
Sounds dodgy to me. RunDLL32.exe is not supposed to run in the background all the time. It's intended for once-off commands.

d/l Process monitor and see if you can find out
1) With what parameters Rundll32.exe was launched. (See example below for why this is important.)
2) Location of Rundll32.exe

Then compare the filesize/MD5 of that exe to known ones on the net.

Change the passwords on your router for all the accounts or even better do a hard reset and then change them.

It's not Telkom...your DU meter shows that the problem is very real.

Block Rundll32 for now till you figure out what's going on.

The fact that TCPView is showing the router addr as the remote address is also dodgy....see if this changes if it's connected via LAN.

AVG misses a lot of stuff...maybe do the online scan at Kaspersky.

Remembering this is a brand new installation of Windows etc so there are no hacks or viruses etc on the PC.
I'm not convinced. You wouldn't by any chance be running a cracked/Black edition or something along those lines? ;)

My question is, what is this 'Run a DLL as an App' ?
The quick answer is "whatever you want it to be". It provides a way to execute a function in a dll via the command line.

If you put the following in the run dialog, then it switches the mouse buttons
Warning: To reverse the effects you will have to navigate through the control panel with reversed mouse buttons...the following command only works one-way.
RUNDLL32.EXE USER32.DLL,SwapMouseButton

i.e. This can be used to execute a function in some dll lurking somewhere on your PC without an actual exe.
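
The checks suggested in the post above (launch parameters, location of Rundll32.exe, file hash), as an added Python example that is not part of the original thread. The sample records are constructed, and the `C:\WINDOWS` install root is an assumption.

```python
import hashlib
import ntpath
import re

# Assumption: Windows is installed in C:\WINDOWS. These are the two folders
# where the thread's poster found rundll32.exe on the XP machine.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\servicepackfiles\i386"}

# rundll32.exe <dll>,<entry> [args] -- image and DLL may each be quoted.
CMD_RE = re.compile(
    r'^\s*(?:"[^"]*"|\S+)\s+'                    # the rundll32.exe token
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s"]+))'   # DLL path, quoted or bare
    r'\s*,\s*(?P<entry>\S+)'                     # export name or #ordinal
    r'(?:\s+(?P<args>.*))?$')

def parse_rundll32(cmdline):
    """Return the DLL, entry point and arguments, or None if absent."""
    m = CMD_RE.match(cmdline)
    if not m:
        return None
    return {"dll": m.group("qdll") or m.group("dll"),
            "entry": m.group("entry"),
            "args": (m.group("args") or "").strip()}

def triage(image_path, cmdline):
    """Check where rundll32.exe lives and what it was asked to run."""
    findings = []
    if ntpath.dirname(image_path).lower() not in EXPECTED_DIRS:
        findings.append("image outside expected folders")
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        findings.append("no DLL,entry on command line")
    return parsed, findings

def md5_of(path, chunk=65536):
    """MD5 of a file, for comparison against a known-good copy."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

if __name__ == "__main__":
    # Constructed sample records (image path, command line).
    samples = [
        (r"C:\WINDOWS\system32\rundll32.exe", "RUNDLL32.EXE USER32.DLL,SwapMouseButton"),
        (r"C:\Temp\rundll32.exe", r'"C:\Temp\rundll32.exe" "C:\Temp\my lib.dll",Start /q'),
    ]
    for image, cmd in samples:
        print(image, *triage(image, cmd))
```

A rundll32.exe process with no `DLL,entry` argument, or one whose image sits outside the expected folders, is the case worth hashing and comparing first.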
 
@dr.grimm
I disconnected the USB cable and connected to the router via the NIC and set the (TCP/IP) properties to "Obtain an IP address automatically".
The problem was still there and exactly the same.
Secondly I switched back to my original hard drive as I need all the other stuff in there and anyway the problem was also on the new drive so I did not achieve anything there.

@HavocXphere
It's a legit version of Windows Xp Pro SP2 CD and ZoneAlarm Pro and AVG is the free version ;)
Regarding the Rundll.exe file, there are 2 Rundll32.exe files, one in the System32 folder and one in the Windows\ServicePackFiles\i386 folder and they are both 33,280 bytes in size.
The rundll32.exe commands in Process Monitor are always one of the following (saved as .CSV)
Code:
"469","11:02:31.5971970","rundll32.exe","740","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial","SUCCESS","Type: REG_SZ, Length: 4, Data: 0"
"470","11:02:31.5979714","rundll32.exe","740","QueryStandardInformationFile","C:\Documents and Settings\ProAsm\Local Settings\Temporary Internet Files\Content.IE5\index.dat","SUCCESS","AllocationSize: 2,031,616, EndOfFile: 2,031,616, NumberOfLinks: 1, DeletePending: False, Directory: False"

Next I did a cold boot on the router, logged into it and changed the Configuration and User Password, saved and rebooted it.
For good measure at this point I rebooted the PC as well.
Things have now somewhat changed as follows:
The Rundll32.exe now runs permanently, no longer are there any 10 second breaks, BUT... instead of it running at 30KB/sec as before it is now running at 1.2KB/sec
Also before the graph was solid red during each 600KB period, indicating a download, whereas now the graph is yellow, indicating equal up and download.

I did not do the following command as I don't know what follows.
RUNDLL32.EXE USER32.DLL,SwapMouseButton
You say it's only a once off command, will rebooting the PC reset it as I don't want to spend forever doing things backwards trying to figure out how to fix it :)

Finally, I removed the LAN connection and went back to the USB connection as another PC uses the LAN connection and again the situation has changed.
It's now been running for about an hour, and so far there are no down or uploads happening at all, like it's fixed and the 'Run a DLL as an App' is enabled.
If I exit 'ZoneAlarm' all is still well, as before if I did this the downloads would startup according to Netmeter.

I will however keep a very close watchful eye on this lot and if it returns I'll re-open this thread.
In the meantime thanks a mil for the help as something, possibly the passwords, has made it go away ;)
 
AVG8 apparently has a malware scanner that runs a lot that chows your bandwidth.
 
Something still does not add up...
I agree with you here.
Also what happened to the extra 1.4 odd gigs that my stats showed.
Basically at 1 am yesterday morning, my total combined(bytes) was 2.93 gigs which left me with less than 70 megs for yesterday and today, but when I checked this morning again, it said I had 1.84 which includes the last 36 odd hours... strange.
Well it's been running since my last post and it's still behaving itself perfectly.
Netmeter says total for today is 16 MB up and down which is about right.
I have a feeling someone from somewhere locked onto me somehow, just plain weird.
 
...
I have a feeling someone from somewhere locked onto me somehow, just plain weird.

Hellkom, with its ADSL-delivered spyware. They're expanding into new markets; abusing South Africans (only) via exorbitant prices and sub-standard service is not fun any more. The integration testing between the usage tracker and the spyware program was not completed properly, requiring an on-the-fly fix to be applied to the production environment. At least they thought about turning off their program when it detected that you were running TCPView :p
 
I just thought of it, it can also maybe be a fault with your line? Does your data light flicker when your PC is off??
 