
Malwarebytes trigger rundll32.exe davclnt.dll,davsetcookie



Hi, I'm on a clean machine with a new installation of Windows 10 due to the slowness of the previous installation and the fear of malware.

On this new installation, Cyberlock (formerly VoodooShield) pops up a warning if I start a scan with Malwarebytes. Let's say about two scans out of five trigger the popup. The other two somehow are auto-allowed by Cyberlock.

The popup is:

rundll32.exe c:\windows\system32\davclnt.dll,davsetcookie desktop-####### http://desktop-#######/root/subscription%3anteventlogeventconsumer.name%3d%22scm%20event%20log%20consumer%22

The ####### part is a code like fnp4g7t, and that name "desktop-#######" is the same as the name of my PC (if I go into my router settings and search for the connected devices, desktop-###### is the name of my PC).

I've searched online and I found that "rundll32.exe c:\windows\system32\davclnt.dll,davsetcookie" is often associated with malware, and that the next part after that command is a host. In this case the host is the name of my PC I believe.

Is this something normal with Malwarebytes? Does it need to create some sort of log or new file, or run rundll32.exe with davclnt.dll and davsetcookie?

If I block that command, the scan is somehow stuck for a few seconds, then it finishes without finding anything.

I have also scanned my system with KVRT, tdsskiller and EmsisoftEmergencyKit. It's all clean, but Malwarebytes is the only one that triggers this specific command.

 

Thanks

 


11 hours ago, digmorcrusher said:

Go to the WhitelistCloud section and see if Malwarebytes is marked as Safe; if not, whitelist it. If this doesn't help, I can pass this on to the developer to see what he says.

Yes, Malwarebytes is whitelisted.

Since this problem, I've run the MB scan numerous times and that particular message didn't return. Even if I open the registry of VoodooShield, I only find that particular entry listed two times, when the popup first occurred.

I deleted the block setting and the registry to see if the message comes back, but up to this moment that particular "script" didn't run.

I believe that the MB trigger was only a coincidence. At that particular moment something ran rundll with that option, and at the same moment I was trying the scan from MB. I tried again immediately after and the blocked script popped up again.

I don't know if I need to open another thread, because now this seems uncorrelated.

I tried searching online and "rundll32.exe c:\windows\system32\davclnt.dll,davsetcookie" seems to be used by malware, but in my case the host is not an IP, but the name of my PC... It seems like davsetcookie accessed /root/subscription:nteventlogeventconsumer.name:d"scm event log consumer" (I cleaned the previous script, which contains many %).

 

I don't know how this nteventlogeventconsumer works. From my basic understanding, davsetcookie is related to WebDAV, a client to access remote documents. But I do not use remote documents, and I don't know if it's normal that the scm event log consumer was accessed via http or like a webpage, instead of being written locally like a normal file.

15 hours ago, Porthos said:

Sounds like you need to allow or exclude Malwarebytes in that product.

Please see my quote above. At this moment I believe the strange behaviour with MB was only a coincidence, and VoodooShield only alerted on the execution of the previous code, which I don't know if it is malicious or not...

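A triage helper for the command line discussed in the posts above, as an added example that is not part of the original thread or of any vendor's code: it splits a davsetcookie command line into its host and URL arguments, percent-decodes the path, and reports whether the host is the local machine or a remote address. The computer name desktop-example, the 203.0.113.10 address and the function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Shape quoted in the thread: rundll32.exe <path>\davclnt.dll,davsetcookie <host> <url>
_CMD = re.compile(
    r"rundll32(?:\.exe)?\s+\S*davclnt\.dll,\s*davsetcookie\s+(\S+)\s+(\S+)",
    re.IGNORECASE,
)

def classify_host(host, local_names):
    """Label the host argument: 'local', 'remote-ip' or 'remote-name'."""
    if host == "localhost" or host in {n.lower() for n in local_names}:
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "remote-name"
    return "local" if ip.is_loopback else "remote-ip"

def triage_davsetcookie(cmdline, local_names):
    """Parse a davsetcookie command line; return None if it has another shape."""
    m = _CMD.search(cmdline)
    if m is None:
        return None
    host, url = m.group(1).lower(), m.group(2)
    parts = urlsplit(url)
    return {
        "host": host,
        "target": classify_host(host, local_names),
        # The host argument and the URL authority should name the same machine.
        "host_matches_url": (parts.hostname or "").lower() == host,
        # Percent-decoding makes the requested resource readable.
        "path": unquote(parts.path),
    }

# Constructed samples: the first mirrors the popup text with a placeholder
# computer name, the second uses a documentation-range IP address.
SAMPLE_LOCAL = (r"rundll32.exe c:\windows\system32\davclnt.dll,davsetcookie "
                "desktop-example http://desktop-example/root/subscription"
                "%3anteventlogeventconsumer.name%3d%22scm%20event%20log%20consumer%22")
SAMPLE_REMOTE = (r"rundll32.exe c:\windows\system32\davclnt.dll,davsetcookie "
                 "203.0.113.10 http://203.0.113.10/share/file.txt")

if __name__ == "__main__":
    for line in (SAMPLE_LOCAL, SAMPLE_REMOTE):
        print(triage_davsetcookie(line, ["DESKTOP-EXAMPLE"]))
```

A "local" result only says the request named this machine; it does not identify which process caused it.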

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer. Please allow the programs to run if blocked by your system.

 

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram shows that the tool is getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop. Please upload that file in your next reply

Thanks


  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

This topic is now closed to further replies.