Jump to content

Recommended Posts

Hello, I'm a bit worried about an event that took place a few days ago. I've been searching for info on it for the past few days with no luck....

Running tcp viewer, I caught rundll32.exe (in the correct folder) connecting to a certification website overseas, and searches of the IP seem to indicate several types malware communicates with it. No browser was running, I had just finished updating MBAM, McAfee, and checking windows updates.

At the time I was running McAfee firewall with netguard on rundll32.exe, which allowed the outbound connection, and MBAM 3 which also did not block it. I've run full scans with MBAM, McAfee, RogueKiller, etc etc all with clean results, but I can't help but think there might be something wrong.

I've also run Farbar and can post logs if need be.. but (again, maybe just being paranoid) do they contain anything that can compromise my security?

 

Any help would be appreciated!

Link to post
Share on other sites

I'm concerned about the connection rundll32 made the other day.... It seems to try to connect when it detects internet signal, either right before or after the Windows Store app/WShost.exe (which I have blocked since I do not use it). The IP it tries to connect to is 213.222.201.210, which resolves to certum.pl. (There were several other connections made with it, but they all began with an address of 23 and I figured it was Microsoft....) I don't believe have any software/apps that use that certification. Is there any reason for that behavior?

I've looked all over the internet for someone posting something similar but couldn't find anything, other than that IP is used by several types of malware, and a few apps which I do not have.

I haven't noticed any other strange behavior with the system though.

Link to post
Share on other sites

Continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

Next,

Please download Junkware Removal Tool to your desktop.
 
  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Let me see those logs, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin...

fixlist.txt

Link to post
Share on other sites

Fixlog attached,

Malwarebytes scan had no issues.

I had a small problem with the Junkware Removal.... I followed the directions, but it wouldn't let me run it as administrator and I'm not sure why. I even made another Windows account with administrator privileges but still told me I wasn't running as administrator. Please let me know if this is a problem. I did run it though and it's contents are:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 8.1 x64
Ran by CD$A1111 (Limited) on Thu 03/16/2017 at 20:47:02.93
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 


File System: 1

Successfully deleted: C:\Users\Public\Desktop\ebay.lnk (Shortcut)

 

Registry: 2

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B31554C5-774A-4EDE-97F3-585BE6B2F99D} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{B31554C5-774A-4EDE-97F3-585BE6B2F99D} (Registry Key)

 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 03/16/2017 at 20:50:59.94
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AdwCleaner had no issues.

Sophos found nothing wrong as well, it took a little over an hour to run, but the bar was only about halfway filled when it completed scan, is that normal?

 

My main concern was catching that connection in tcp viewer and being unsure if it was an infected dll running, or something to do with Windows store.

 

Thanks!

Fixlog.txt

Link to post
Share on other sites

Does tcp viewer produce a log, can you post that...? Also try the following:

You could try "CurrPorts" and monitor what is happening yourself, it is a portable tool no installation necessary. Download from the following link and unzip the contents to your Desktop.

http://www.nirsoft.net/utils/cports-x64.zip <------ 64 bit

http://www.nirsoft.net/utils/cports.zip <------32 bit

Read the contained instructions for a basic understanding, it is very easy to use..... Right click on the tool and select "Run as Administrator"

When opened you will see your network activity. The easiest way to check what is happening is to "Right click" direct anywhere in the field and select "HTML report - All Items"
That will open the report in an easier to read fomat, have a look at the connections check the "Established" entries, are any suspicious and not known or recognized by your self.
Make a note of any unusual or suspicious IP addresses, you can send in reply for me to check or check them yourself at the following link:

http://whois.domaintools.com/

Does that help, is anything obvious found with currports....
Edited by kevinf80
Link to post
Share on other sites

TCP Viewer does not produce logs.

I've just downloaded currports and it looks like a better version TCP Viewer, not showing any suspicious connections or listening processes. I don't allow rundll32 to connect at all anymore.

The event that caused me to post this seems to have happened right after McAfee blocked Store Broker from connecting (McAfee doesn't have an exportable log), do you think there could be a connection to that updating something? I tried to do some searching in Event Viewer and saw the Windows Store using rundll32 to check "bannedappslist", and Windows Update trying to check licenses tagged "SLS." I'm not sure if this is relevant at all, but it was my first log on since daylight savings, and I'm not sure if certificates need to be updated then or not. I really hope I'm just worrying over nothing....

But all the scans and such are showing a clean system?

 

Link to post
Share on other sites

Rundll32 must have been called by another process or program to access the Internet as it shouldn't be accessing it on its own. As you have rundll32 blocked wait and see if there are any adverse effects. If a program that you are legitimately using fails to work properly then, you can unblock rundll in the firewall settings, if that is where it was blocked...

All the produced logs seem to be clean, run the following again and post fresh logs..

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"


Thank you,

Kevin

Edited by kevinf80
typing error
Link to post
Share on other sites

Is there a log or something in Windows that allows you to see what would have caused rundll32 to run at that time? The only .dll file connected to rundll32 was WSClient.dll, found after some long searching through Event Viewer.

I've had it blocked since Monday and haven't noticed anything adverse.... but then again if it were related to Store Broker I wouldn't notice because that's blocked as well.

 

FRST logs attached

Addition.txt

FRST.txt

Link to post
Share on other sites

There is no definite log within windows that i`m aware of to identify specific rundll32 connections, what you`ve already done with Eventviewer is the way to go. Currports is a great tool to check current connections, maybe have that running whenever you boot up and keep an eye on what happens...

Those last logs from FRST are clean, nothing to indicate anything malicious etc... Unless you have any other issues I guess we can clean up...

Uninstall Sophos AV and RogueKiller http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

Uninstalled with Delfix, the taskbar temporarily disappeared, and the McAfee icon left the tray but is still running... probably something that will fix itself on reboot.

One quick question about currports, would it show an attempted connection and the IP it's trying to connect to if the firewall is blocking it from connecting?

Thank for you for all your help!

Link to post
Share on other sites

The connection attempt would probably show, it would need currports open and running, log changes would have to be active from the file menu....  probably better if you open the currports folder, select cports.chm entry and read through all of the instructions, i`m not 100% sure how to setup for an attempted connection to show in a log...

Link to post
Share on other sites

Sorry to bump this back up....

But I decided to allow rundll32 to connect, and with CurrPorts caught four more connections: 23.50.75.27 , 23.111.11.211 ,  213.222.198.210 , 23.54.181.163

All 4 opened almost simultaneously and closed after about 10 seconds. Not sure if this is relevant information to the topic....

 

Link to post
Share on other sites

rundll32 does not try to connect on its own, a process, program or application would use it to call an IP address. The enty ip addresses you posted would really need to be connected and "Listening" or "Established" to be classed as possibly suspicious...

If they open and then close either your firewall made a block or possibly Malwarebytes. Can you check the F/Wall logs or check Malwarebytes > Open Malwarebytes > select > Reports... Any blocked entries would show, If there are blocked entries Checkmark against the entry then select "View Report"

Link to post
Share on other sites

The firewall logs show nothing around the time of the connections, no blocked programs or IPs. The firewall is McAfee's and the rundll32 process is run with netguard on, and it's showing no risky connections under there. The Malwarebytes protection reports are all scan reports that show nothing. I tried to google all the IPs and most again seem to be certificate authentication, but I can't figure out what would need all those.

Link to post
Share on other sites

Personally I do not believe your system has any malware or infection, your security is not blocking the connections quoted. Why they should make and break seem strange, not what you would expect to happen...

Maybe is worthwhile blocking rundll32 again, see if anything normally used will stop working with rundll32 blocked...

Link to post
Share on other sites

I decided to block it, but before I did, the currports log showed two more outbound connections, again both to certificate associated IPs, so I'm assuming it's just some task that gets carried out every so often, since they never happen at the same time or go to the same IPs.

I hate to be a pest, but I do have a few more concerns..

I downloaded something from NoVirusThanks called Process Logger to see if I could find what was calling rundll32, but when I tried to run the program it gave me a runtime error 216, which upon googling says it could be a sign of a subseven infection.... Ran some anti virus scans with no results.

Also, I ran a scan of HitManPro which flagged drivers\mbae64.sys in the system32 folder as suspicious, but I'm assuming it's a false positive? My MB 3.0 trial did expire right before the scan

And lastly, just now when I tried to log in here, I got a server not found (or something similar) page, the currports logged it as 92.242.140.21 ..... Is any of this relevant?

And again, I'd like to thank you for all your help these past few days.

Link to post
Share on other sites

NoVirusThanks was originally a paid for application but has since dropped the licence fee requirement. Is now offered free I  believe, it is classed as Freeware. Freeware is nice to have but is known to come with unwanted extras, I`m not saying NoVirusThanks behaves that way as I have no experience with it, or have ever tried it...

The IP address 92.242.140.21 goes to barefruit.co.uk In the UK I understand that is related to Tiscali, is that your ISP..?

Server not found could simply mean the site is very busy I guess...

I want you to run the following when you have free time and your PC is not needed... Is very thorough scan so may take several hours...

Go here and click 'SCAN NOW' under 'ESET Online Scanner' save to your Desktop.

Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how

Right click on user posted image and select "Run as Administrator"

In the new Window accept the terms of service

user posted image

In the new Window select "Enable detection of potentially unwanted applictions" then expand "Advanced Settings"

user posted image

In the new Window checkmark (tick) the entries as shown, make sure "Clean threats automatically" is not checkmarked. Now select "Scan"

user posted image

In the new Window new virus database signatures will download, Do Not Select Stop

user posted image

The Window will progress showing the scan in action....

user posted image

In the new Window if no threats are found, select "Delete applications data on close" then select "Finish" no log is produced, confirm that in your reply...

user posted image

If threats are found the following Window will open:

user posted image

Click on "Select All" then "Save to Text file" name and save that file, attach to your reply.

Now select "Do not clean" and then close out....
Link to post
Share on other sites

Turned off real-time anti-virus and ran ESET, it said something about McAfee Live being on, but I have no idea what that is... and the Action Center confirmed there was no anti-virus/anti-spyware running at the time of the ESET scan, which came back all clear.

After a bit of research, the barefruit seems to be where my ISP directs me when it has trouble resolving an address..

And lastly about the NoVirusThanks, I didn't think it came with malware, I just thought the error when I tried to run it might indicate it according to an online search.

So, in your opinion, would you say after all this, it's an all clear for my system? I've been holding off rebooting the machine and logging onto accounts and such until I had this resolved..

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.