Author Topic: DLL doldrums  (Read 10627 times)

Brian

  • Posts: 733
DLL doldrums
« on: 19 Feb '08 - 21:13 »
Here's a depressing discovery, for me at least. When told to play an audio stream, xmplay.exe evidently calls wininet.dll, which in turn is hosted by rundll32.exe. The latter file is bad news on my system, as it sends the CPU load through the roof - stuck at 100% until I kill the process (a known and intractable issue, judging from my researches on the web).

So my forlorn request to Ian is: can XMPlay possibly be freed from this dire dependence on wininet.dll? Other players - Winamp, WMP, MPC, CoolPlayer - don't seem to have it. Many thanks.

Ian @ un4seen

  • Administrator
  • Posts: 20433
Re: DLL doldrums
« Reply #1 on: 20 Feb '08 - 14:03 »
It'd be possible, but I'm not sure it's worth the effort/bloatage. In particular, "https" support may be tricky. Regardless, there is clearly something wrong with your system (perhaps a virus/trojan hooking into wininet), so that needs sorting anyway.

Brian

  • Posts: 733
Re: DLL doldrums
« Reply #2 on: 20 Feb '08 - 15:44 »
Ian - thanks for responding. Somehow I guessed you wouldn't be too keen. I agree that something's wrong somewhere, but if a virus or trojan is the culprit, NOD32 and TrojanHunter between them aren't clocking it. As I mentioned, ultra-high CPU usage triggered by rundll32.exe is a known problem, which doesn't seem to be malware-related.

Tsorovan

  • Posts: 1247
Re: DLL doldrums
« Reply #3 on: 20 Feb '08 - 15:51 »
It doesn't really say much that's it's rundll32.exe. It's a wrapper for all sorts of DLLs. It's not rundll32.exe that's responsible for the "known problem" here.

piovrauz

  • Posts: 967
Re: DLL doldrums
« Reply #4 on: 20 Feb '08 - 16:11 »
Not to hurt anyone, but I've seen a LOt of trojan masking as "rundll32.exe"... countless ones... even fakes recycle bin entry called by autorun.ini files that lauched fake xp dlls... so I think it's malware relatedd. (hey, not on my box, that's for sure)

But supposing it's the "real" rundll32.exe, it's easy and more logical to fix it than hevily modding an already working program. Btw: some pc specs and os verion may help...

Brian

  • Posts: 733
Re: DLL doldrums
« Reply #5 on: 20 Feb '08 - 16:41 »
Many thanks for the feedback. I get the ultra-high CPU usage only when rundll32.exe is running, no matter what DLLs it is hosting, and the CPU returns to normal the moment I kill all instances of rundll32.exe. Running Vista Home Basic. If you google `rundll32.exe + CPU + 100%' you'll get hundreds of thousands of hits.

I just wanted to see what Ian thought about wininet.dll, since XMPlay calls it whereas several other players don't. I didn't intend to ask for major modifications to XMPlay, nor to take up the time of anyone on this forum with matters unrelated to XMPlay. Thanks again.

Zarggg

  • Posts: 1242
Re: DLL doldrums
« Reply #6 on: 20 Feb '08 - 17:20 »
Running Vista Home Basic.

Problem identified. Solution: Upgrade to Windows XP. ;)
(Or at least Home Premium. Basic is unnecessarily feature-limited.)

saga

  • Posts: 2181
Re: DLL doldrums
« Reply #7 on: 20 Feb '08 - 18:56 »
or ubuntu ;D

But upgrading to Windows XP might be a good idea... ;D

piovrauz

  • Posts: 967
Re: DLL doldrums
« Reply #8 on: 21 Feb '08 - 07:42 »
Vista... well, maybe it sounds partial, but it's better for you to upgrade to XP, as Zarggg suggested. So many friends did that after buyng a box with preinstalled (s)Vista (j/k in my language, don't think too much)...

Ubuntu... the day I learn to do the stuff nlite does on ubuntu (shortly: removing oo) I'll start using it more than now ;)

Since I've ditched Vista, I'm sorry I can't help you on it. sry :P

Brian

  • Posts: 733
Re: DLL doldrums
« Reply #9 on: 21 Feb '08 - 10:16 »
I'm generally very pleased with Vista. This is the only Windows problem I have, so going back to XP just for that reason seems like overkill. In any case, people have been reporting the rundll32.exe/CPU issue on forums across the web since at least 2004. I've also established with a fair degree of certainty that my system isn't infected. The simplest answer for me at the moment is to use other players for mp3 and ogg streams (XMPlay doesn't call wininet.dll when deploying a plugin, as for example with Windows Media or AAC+ streams).

Zarggg

  • Posts: 1242
Re: DLL doldrums
« Reply #10 on: 21 Feb '08 - 17:17 »
I wasn't actually expecting to you take the suggestion seriously, you know. :P

Brian

  • Posts: 733
Re: DLL doldrums
« Reply #11 on: 21 Feb '08 - 18:10 »
Yes, I know. I just felt like playing it deadpan.

Brian

  • Posts: 733
Re: DLL doldrums
« Reply #12 on: 24 Mar '08 - 21:07 »
Ian - have you changed something here recently, please? With `stuff' version 3.4.2.33, rundll32.exe is no longer called, so the problem has all but disappeared. I hadn't updated since 3.4.2.24.

I say `all but disappeared', as I find I have to run xmplay.exe in Windows XP SP2 compatibility mode to maintain this happy state (which is OK). Sorry to ask, but are you absolutely sure that XMPlay is fully Vista-compatible? Many thanks for your kind attention.

Ian @ un4seen

  • Administrator
  • Posts: 20433
Re: DLL doldrums
« Reply #13 on: 25 Mar '08 - 16:44 »
Nope, I don't recall changing anything relating to internet stuff recently.

"rundll32" is not being loaded by XMPlay on Vista here. To get some clues about what's happening there, you could try Process Explorer; that'll tell you what rundll's target is.

Brian

  • Posts: 733
Re: DLL doldrums
« Reply #14 on: 25 Mar '08 - 18:09 »
Ian - thanks for responding. Perhaps something has changed somewhere else on my system. I've recently installed Vista SP1, so that might be relevant. However, even after that, I was still getting the problem until I updated to 3.4.2.33.

As I mentioned at the start of this thread, it was wininet.dll that was calling rundll32.exe, at the precise moment when XMPlay connected to any mp3 or ogg stream. I found this out via Process Explorer, which is how I came to raise the issue in the first place.

So it's all still a bit of a mystery to me, but at least I've now found a way of sidestepping the problem.
« Last Edit: 25 Mar '08 - 18:35 by Brian »

Ian @ un4seen

  • Administrator
  • Posts: 20433
Re: DLL doldrums
« Reply #15 on: 26 Mar '08 - 17:48 »
As I mentioned at the start of this thread, it was wininet.dll that was calling rundll32.exe, at the precise moment when XMPlay connected to any mp3 or ogg stream. I found this out via Process Explorer, which is how I came to raise the issue in the first place.

Just a guess, but perhaps it's a firewall or other network software/driver then? The only things I see hosted by rundll32 here are audio/video driver "helpers", eg. traybar apps.

Btw, from the mention of "mp3 or ogg stream", does that mean the problem doesn't happen with AAC streams via xmp-aac? Note that all native format (inc. plugins) streaming is handled by XMPlay in exactly the same way, except for WMA (and RA).

Brian

  • Posts: 733
Re: DLL doldrums
« Reply #16 on: 26 Mar '08 - 20:09 »
Ian - I don't have a software firewall, as there's a hardware one built into my router.

Yes, I made a mistake with my list of affected input plugins - AAC+ streams are also included.

The problem reappeared today just as mysteriously as it disappeared yesterday. However, on the offchance, I've replaced the copy of wininet.dll in my System32 folder with a fresh copy from store, and the problem has now vanished again, at least for the moment. So, very tentatively, perhaps this DLL had somewhow got corrupted and started playing silly tricks like rousing rundll32.exe from its lair, whereas it doesn't do so if working properly (as on your system, evidently). I'm keeping my fingers crossed!

Edit 27 March: I spoke too soon - the problem is back again today. It has now become completely unpredictable. This still seems to suggest a corrupted file somewhere, but I've run out of ideas as to which one it could be.

« Last Edit: 27 Mar '08 - 11:06 by Brian »

Tsorovan

  • Posts: 1247
Re: DLL doldrums
« Reply #17 on: 27 Mar '08 - 13:35 »
This sounds totally third-party. Do you have an on-demand (not really an accurate epithet... more like on-file access) antivirus scanner or similar?

Auren

  • Posts: 144
Re: DLL doldrums
« Reply #18 on: 27 Mar '08 - 13:44 »
Brian
Try to open any streams in other players than XMPlay. If this behaviour persists it may indicate a virus infiltration.

Brian

  • Posts: 733
Re: DLL doldrums
« Reply #19 on: 27 Mar '08 - 14:01 »
Many thanks for the comments.

As I mentioned at the start of this thread, this issue doesn't arise with other players on my system.

My system is clean of malware of any kind, unless NOD32, Kaspersky, TrojanHunter and HijackThis have all missed something.

I have NOD32 file system protection running in the background. If something was falling foul of that, I'd expect to see an alert. The issue doesn't go away if I disable NOD32.

I now fully accept that this isn't an `internal' XMPlay issue. It's just that it only seems to arise when using XMPlay to connect to a stream, so I hoped to draw on the collective wisdom here to track it down. Thanks again.


piovrauz

  • Posts: 967
Re: DLL doldrums
« Reply #20 on: 27 Mar '08 - 14:25 »
My 2 (euro)cent: I'm listening some stream since sometime, changed various stuff versions of xmply, but rundll32.exe doesn't even show.

I know for seeing it on an infected box, there are virus that create a fake rundll32.exe. And NOD didn't recognised it at the time. I feel like it's something similar. Like xmplay folder having some "unwanted guest".

Brian

  • Posts: 733
Re: DLL doldrums
« Reply #21 on: 27 Mar '08 - 14:41 »
I tried replacing rundll32.exe with a fresh copy, and it made no difference.

Auren

  • Posts: 144
Re: DLL doldrums
« Reply #22 on: 27 Mar '08 - 18:22 »
Anyway, I recommend you to check your system at http://virusinfo.info/showthread.php?t=9184 to be absolutely sure that there are no viruses.
« Last Edit: 27 Mar '08 - 19:24 by Auren »

Brian

  • Posts: 733
Re: DLL doldrums
« Reply #23 on: 27 Mar '08 - 23:31 »
I must admit I was rather doubtful that malware could still be involved, after all the different scans I've tried. However, I've just run the Trend Micro online scan (HouseCall), and the problem seems to have disappeared (at least for the moment). An immovable popup window on the website prevented me from seeing the scan results, so if this has indeed fixed or removed something, I have no idea what it was.

PS This hasn't stopped rundll32.exe from hammering the CPU when it runs, but for the moment it doesn't run when XMPlay connects to a stream.

« Last Edit: 28 Mar '08 - 14:13 by Brian »