Why Does Rundll32.exe Want To Connect To The Internet?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Martien, Sep 26, 2020.

Thread Status:
Not open for further replies.
  1. Martien

    Martien Private E-2

    Hi, I noticed a strange thing on my system and I am just wondering why it happens.
    Like the title already says, I was looking in my Task Manager and noticed that rundll32.exe and AvastUI had noticeably high CPU usage (both 20%-25%) when I wasn't connected to the internet.
    Now I fixed the CPU usage of AvastUI by running CCleaner - registry cleanup.
    The only question on my mind is: why does rundll32 need internet?
    Because the only thing I can think of is that it simulates internet for some reason, but I can't think of a reason it would need that.
    Does someone here know why it does that?
     
  2. Eldon

    Eldon Major Geek Extraordinaire

  3. Martien

    Martien Private E-2

    Thank you for the fast response.
    I did what you asked and have already attached the logs to this post.
    I am also going to post the pics of what exactly I mean.
    I can't post them here because I am limited to 5 attachments.
    To clarify, I saw this when I was playing an old game and noticed in my Task Manager that rundll32 took 25% of my processor capacity.
     


  4. Martien

    Martien Private E-2

    The pics
    rundll32.exe with internet.png
    rundll32.exe without internet.png
     
  5. Eldon

    Eldon Major Geek Extraordinaire

    I have asked that your thread be moved to Malware Help - MG.

    In the meantime, you have a lot of PUPs - you need to take care what you download and pay attention during installation.
     
  6. Replicator

    Replicator MajorGeek

    Normally a valid Windows process that should run from within this directory: \Windows\System32\rundll32.exe
    If it's running from any other directory, then it may be an issue, but you look ok.
    Its memory usage on your system is also minimal.

    As stated, if your system is running strangely and seems very slow, get the experts to check it out.
     
  7. Martien

    Martien Private E-2

    @Eldon
    Thanks for the request and advice.
    I always try to uncheck any unwanted software during an install.
    I was surprised how much came up as PUPs; I always try to keep the system as clean as I can.

    @Replicator
    I double checked just to be sure, but that is not where the process runs from.
    For me it is C:\Windows\SysWOW64.
    If I remember correctly, that is a system folder for 32-bit files.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use ADWCleaner to remove these items:
    PUP.Optional.Conduit HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}
    PUP.Optional.WebCompanion HKCU\Software\Lavasoft\Web Companion
    PUP.Optional.WebCompanion HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
    PUP.Optional.WebCompanion HKLM\Software\Wow6432Node\Lavasoft\Web Companion

    Next, use Rogue to remove these:
    >>>>>> XX - Software
    [PUP.ByteFence|PUP.Gen1 (Potentially Malicious)] (X64) HKEY_USERS\.DEFAULT\Software\ByteFence -- N/A -> Found
    [PUP.ByteFence|PUP.Gen1 (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-18\Software\ByteFence -- N/A -> Found
    >>>>>> XX - System Policies

    ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
    [Tr.Gen (Malicious)] (folder) Unpacker -- C:\Users\Hitman666\AppData\Roaming\Unpacker -> Found
    [PUP.ByteFence|PUP.Gen1 (Potentially Malicious)] (folder) ByteFence -- C:\ProgramData\ByteFence -> Found

    And finally use MBAM to remove these:
    PUP.Optional.ByteFence, C:\ProgramData\ByteFence\RTOP\activity.log, No Action By User, [1018], [388718],1.0.18278
    PUP.Optional.ByteFence, C:\ProgramData\ByteFence\RTOP\hosts_backup, No Action By User, [1018], [388718],1.0.18278
    PUP.Optional.ByteFence, C:\ProgramData\ByteFence\RTOP\uclogfile.bin, No Action By User, [1018], [388718],1.0.18278
    PUP.Optional.Conduit, C:\USERS\HITMAN666\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\Z3ARLDWO.DEFAULT\PREFS.JS, No Action By User, [193], [301520],1.0.18278
    PUP.Optional.GameHack, C:\PROGRAM FILES (X86)\CHEAT ENGINE 6.8.3\STANDALONEPHASE1.DAT, No Action By User, [7926], [393793],1.0.18278

    Reboot and rescan with ADW, Rogue and MBAM and attach the new logs.
     
  9. Eldon

    Eldon Major Geek Extraordinaire

    Thanks TimW.
     
  10. Martien

    Martien Private E-2

    Thanks for the fast response, TimW.
    I have done what you asked and also attached the logs.
    Love your title, I am a SW fan myself :)
     


  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Much better, but now rerun MBAM and have it remove everything EXCEPT:
    Registry Data: 3
    PUP.Optional.WinYahoo, HKU\S-1-5-21-334436486-3585389542-2030418961-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, No Action By User, [240], [293459],1.0.18286
    PUP.Optional.WinYahoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, No Action By User, [240], [293461],1.0.18286
    PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, No Action By User, [240], [293461],1.0.18286
    Generic.Malware/Suspicious, C:\PROGRAM FILES (X86)\YOUTUBE DOWNLOADER\YOUTUBEDOWNLOADER.EXE, No Action By User, [0], [392686],1.0.18286
    MachineLearning/Anomalous.95%, C:\DOCUMENTS AND SETTINGS\PUBLIC\Desktop\The Conquerors.lnk, No Action By User, [0], [392687],1.0.18286
    MachineLearning/Anomalous.95%, C:\USERS\PUBLIC\Desktop\The Conquerors.lnk, No Action By User, [0], [392687],1.0.18286
    MachineLearning/Anomalous.95%, C:\GAMES\MICROSOFT GAMES\AGE OF EMPIRES II\AGE2_X1\AGE2_X1.EXE, No Action By User, [0], [392687],1.0.18286

    Remove ALL instances of SearchManager and the one instance of Conduit.

    Reboot and rerun MBAM and attach the new log, please.
     
  12. Martien

    Martien Private E-2

    Here you go.
     


  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please remove this last item in MBAM:
    File: 5
    PUP.Optional.Conduit, C:\USERS\HITMAN666\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\Z3ARLDWO.DEFAULT\PREFS.JS, No Action By User, 193, 301520, 1.0.30502, , ame, , C1831F0A13A0649ADE25EDCAB471AE9A, 18BB6FBF017505946735FAD4620849B10B6C6980417A5B99DE3229E46A342BED

    Reboot and tell me how things are running now.
     
  14. Martien

    Martien Private E-2

    Done, it is pretty much the same.
    No problems with the system, only that thing with rundll32 using 25% processor capacity.
    I don't know if that is normal or not.
    I will attach the last scan from MBAM + the pics of what I mean:
    rundll32.exe with internet after cleanup.png rundll32.exe without internet after cleanup.png
     


  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please remove/quarantine this:
    File: 5
    PUP.Optional.Conduit, C:\USERS\HITMAN666\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\Z3ARLDWO.DEFAULT\PREFS.JS, No Action By User, 193, 301520, 1.0.30522, , ame, , 2955010C1E6BA2C0FC5199BA7DC7FC26, A80534AC59B5871DB516FBCE46B7123B5FBC8550EFE62FAE56202A1FC1BE1077
    As to Rundll:
    Click on the following link and use the steps below to scan a file: Virustotal

    Click the Browse... button.
    Navigate to the file FileToBeScanned

    Where FileToBeScanned is the actual file to be scanned, like C:\WINDOWS\System32\vdmt16.sys
     
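A defender-side check for the rundll32 question raised in this thread (Replicator's "which directory does it run from" test, Martien's SysWOW64 observation, and TimW's VirusTotal step), added here as an example and not part of the original thread or any of the tools mentioned. It lists every running rundll32.exe, whether it runs from System32 or the 32-bit SysWOW64 copy (both are legitimate locations on 64-bit Windows), the DLL named on its command line (the DLL, not rundll32 itself, is what does the work and any networking), its signature status, the SHA256 you can look up on VirusTotal without uploading anything, and its established TCP connections; it assumes Windows 8 / Server 2012 or later with PowerShell 5.1, run from an elevated prompt so all processes are visible.

```powershell
# Added example (not from the thread): inventory every running rundll32.exe.
# On 64-bit Windows both copies are legitimate: the 64-bit one in System32
# and the 32-bit one in SysWOW64 (used when a 32-bit program calls rundll32).
$legit = @("$env:SystemRoot\System32\rundll32.exe",
           "$env:SystemRoot\SysWOW64\rundll32.exe")

$procs = Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'"
if (-not $procs) {
    Write-Host "No rundll32.exe is running right now (it is often short-lived)."
}

foreach ($p in $procs) {
    $path = $p.ExecutablePath          # may be empty if not elevated
    $expected = $legit -contains $path # -contains is case-insensitive

    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
    $hash = if ($path) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { 'n/a' }

    # rundll32 only hosts a DLL; the DLL named on the command line is what
    # actually runs. A DLL outside the Windows directory deserves a closer look.
    $dll = if ($p.CommandLine -match '(?i)"?([^"\s]+\.dll)') { $Matches[1] }
           else { '(no .dll parsed from command line)' }

    # Which process launched it (e.g. explorer.exe, a game, an installer).
    $parent = (Get-Process -Id $p.ParentProcessId -ErrorAction SilentlyContinue).ProcessName

    # Established outbound connections owned by this rundll32 instance.
    $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
             Where-Object State -eq 'Established' |
             ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

    [pscustomobject]@{
        PID          = $p.ProcessId
        Path         = $path
        ExpectedPath = $expected      # $true for System32 or SysWOW64 copy
        Signature    = $sig           # expect 'Valid' for the Microsoft binary
        HostedDll    = $dll
        Parent       = $parent
        SHA256       = $hash          # paste into the VirusTotal search box
        Connections  = ($conns -join ', ')
    } | Format-List
}
```

Because rundll32 instances come and go, run this while the CPU spike is visible in Task Manager; the HostedDll and Parent fields usually explain the activity better than rundll32's own path does.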