rundll32.exe and dllhost.exe and regsvr32.exe keep popping up as malicious



Hi, earlier my computer got infected with ransomware and I have been attempting to remove all traces of it. I've been using Malwarebytes and everything seems to be working fine, except whenever I try changing between my private or public home Wi-Fi, or whenever I open a website in Chrome or Microsoft Edge, I get RTPs for rundll32, dllhost or regsvr32 and I can't seem to figure out why. I have been looking everywhere through this forum for someone who had a similar issue but can't find one. I put examples in the images. Hope someone can help.

Capture.PNG

2.PNG

3.PNG

4.PNG

8 minutes ago, AdvancedSetup said:

Hello @jasminej

I can help you to clean up the computer. But if you have encrypted data already it's best to go to another site for help to see if you can get your data back.

Let me know, thanks

Hey! 

Thank you for the quick response, I'm very grateful.

All of my files have been encrypted. My only hope is that I have some backups from a month ago, but the rest is unfortunately gone. I don't mind doing a full system format if it's what it takes to get it back to normal; that data is not a problem.

I just want to ensure no malware is left and there is no chance of any of my personal information being stolen, such as passwords. I already use a password manager, but if the malware or something similar is trying to read my banking information through Chrome, or my Wi-Fi information, I'm not sure that'll be of help.

  • Root Admin

Well, if you really want to do it the right way, then yes, a full clean install of Windows and a factory reset of the router would be recommended. Let me get some logs, though, and we'll see what we can find.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

  • Root Admin

I see this is an HP 8860. Is this a desktop computer? Did you purchase it new from HP?

BIOS: AMI F.10 07/29/2021
Motherboard: HP 8860

We can probably do a Factory Reset pretty easily. I just need to verify the exact model number.

Can you tell me the exact model number and whether it's a desktop or a laptop?

I have a small update. I think two of my Gmail accounts were hacked into around 5 or 6 hours ago. One of them was logged in from Russia while the other was from England. I'm not sure what this means. 

I changed both of those accounts' passwords and set up two-factor authentication, as well as made sure all my emails were signed out except on my phone.

Not sure what to do next.

Also, my YouTube account on one of them got suspended. 
The one that was signed in from Russia had my YouTube account suspended. I didn't know why.

I got an email from YouTube that my account was suspended and apparently they were trying to post videos that didn't go with the guidelines.

I don't have, and have never uploaded, YouTube videos.

  • Root Admin

It looks like HP may not have their own Factory Reset. If they do, I'm having trouble locating it. You can try a Windows PC Reset.

https://support.hp.com/us-en/document/ish_2026006-1490761-16

Try that, please.

For the most part, for now, just assume most if not all online accounts have been compromised. Once the computer and router are clean you can look at recovering them or changing to new accounts.

Then, if you own your own router, you can do a factory reset on it too.

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

Depending on one's preferences and the router's capabilities, please consider the following.

  • Disable acceptance of ICMP pings.
  • Change the default router password, using a strong password.
  • Use a strong WiFi password on WPA2 using AES encryption, or enable WPA3 if it is an option.
  • Disable Remote Management.
  • Create separate WiFi networks for groups of devices with similar purposes, to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address, or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the router firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set firewall rules to BLOCK TCP and UDP ports 135 to 139, 445, 1234, 3389 and 5555.
  • Document the passwords created and store them in a safe but accessible location.

Okay, I will be doing a Windows reset and a router reset tomorrow and keep you updated.

I have an important question: whilst the computer is shut off, is there any chance of the malware compromising anything else (specifically my phone or other devices logged onto my account)?

I have all of my emails except one which I absolutely cannot remove at the minute due to pending subscriptions I'm attempting to cancel. I have attempted to check whether anything on this specific email has been compromised and it doesn't look like it at the minute. 

Thank you in advance

  • Root Admin

Basically, once compromised, they can scrape all your email for keywords to find accounts, passwords, important numbers, names, etc., in the hope of coming back to blackmail you or threaten you with private information. Not very pleasant people who do this for a living.

While the computer is off it cannot do anything more. You can unplug it from the wall to make doubly sure it cannot be remotely turned on.

Keep me posted.

Thank you for the information. I've done a Windows reset and reinstalled Malwarebytes to make sure everything is safe. So far so good. I was able to restore most of my data from my cloud, and my last subscription cancellation is still pending.

I'll be calling my Internet provider to make sure everything is safe on their end, let them know I've been compromised, as well as to change my password. 

Thank you again!

  • Root Admin

Were you able to do a factory reset on your router?

I'd suggest getting me some new logs from Farbar to review, just in case.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

  • Root Admin

Okay, this was a Reset, not a clean install. It may have removed many of the issues, but not all.

Did you set up these Proxy items?

Startup: C:\Users\pixen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Proxy2Service.lnk [2022-05-29]
ShortcutTarget: Proxy2Service.lnk -> C:\Program Files (x86)\Proxy2Service\client.exe () [File not signed]

Please run the following fix

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks
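An added triage helper (illustration only; not code from this thread or from FRST) that reads lines in the Startup/ShortcutTarget format shown in the log excerpt above and reports autostart targets that are unsigned, carry no publisher, or, as a further assumed heuristic, run from a user-writable folder. The sample lines are constructed; the USER path component is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample in the "Startup:" / "ShortcutTarget:" format FRST logs use; pair one
# mirrors the thread's entry (user name -> placeholder USER), pair two is a made-up signed entry.
SAMPLE_FRST = r"""
Startup: C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Proxy2Service.lnk [2022-05-29]
ShortcutTarget: Proxy2Service.lnk -> C:\Program Files (x86)\Proxy2Service\client.exe () [File not signed]
Startup: C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk [2021-11-02]
ShortcutTarget: Notes.lnk -> C:\Program Files\Example Notes\notes.exe (Example Software Ltd)
"""
STARTUP_RE = re.compile(r"^Startup: (?P<path>.+\.lnk) \[(?P<date>[^\]]+)\]$")
# The target path may contain parentheses ("Program Files (x86)"), so the publisher
# must be the last "(...)" group before the optional trailing "[...]" flag field.
TARGET_RE = re.compile(
    r"^ShortcutTarget: (?P<lnk>.+?\.lnk) -> (?P<target>.+?) "
    r"\((?P<publisher>[^)]*)\)(?: (?P<flags>\[.*\]))?$"
)
# Assumed heuristic: autostart binaries in user-writable folders get a second look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def triage_startup_entries(frst_text: str) -> List[Dict[str, object]]:
    """Pair Startup/ShortcutTarget lines and return the entries worth reviewing."""
    dates: Dict[str, str] = {}  # shortcut file name -> date from the Startup line
    findings: List[Dict[str, object]] = []
    for line in map(str.strip, frst_text.splitlines()):
        m = STARTUP_RE.match(line)
        if m:
            dates[m.group("path").rsplit("\\", 1)[-1]] = m.group("date")
            continue
        m = TARGET_RE.match(line)
        if not m:
            continue
        target, flags = m.group("target"), m.group("flags") or ""
        reasons = []
        if "File not signed" in flags:
            reasons.append("target binary is not signed")
        if not m.group("publisher").strip():
            reasons.append("no publisher in version information")
        if any(marker in target.lower() for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings.append({"lnk": m.group("lnk"), "target": target,
                             "date": dates.get(m.group("lnk")), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for hit in triage_startup_entries(SAMPLE_FRST):
        print(hit["lnk"], hit["date"], "->", hit["target"], "|", "; ".join(hit["reasons"]))
```

Run against a real FRST.txt, the output is a shortlist to research (publisher, install date, why it is in the Startup folder), not a verdict: a signed binary can still be unwanted and an unsigned one can be legitimate.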

  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks