A computer components & hardware forum. HardwareBanter



Rundll32.exe scanning my computer.

  #1  
Old October 27th 15, 11:42 AM posted to alt.comp.borland-delphi,alt.comp.hardware.pc-homebuilt,comp.arch,sci.crypt,sci.electronics.design
Skybuck Flying[_4_]

Hello,

Yesterday I noticed how rundll32.exe was running on Windows 7 (64 bit
ultimate edition) while firewall was down (I stopped firewall myself
before).

I caught it with resource monitor scanning files, all kinds of executables.

This process started to run while the rest of the computer was inactive. I
noticed high harddisk activity.

I think I actually terminated the process, but then later it started running
again if I recall correctly.

Eventually there were multiple tcp connections to some ip's and ports, one
port was 80.

And its IP was: 23.2.235.5

Running tracert shows:

Tracing route to a23-2-235-5.deploy.static.akamaitechnologies.com
[23.2.235.5]
over a maximum of 30 hops:

According to wikipedia:

"
Akamai Technologies, Inc. is a content delivery network or CDN and cloud
services provider headquartered in Cambridge, Massachusetts, in the United
States. Akamai's content delivery network is one of the world's largest
distributed computing platforms, responsible for serving between 15 and 30
percent of all web traffic.[7] The company operates a network of servers
around the world and rents capacity on these servers to customers who want
their websites to work faster by distributing content from locations close
to the user. Over the years their customers have included Apple, Facebook,
Bing, Twitter, eBay and healthcare.gov. When a user navigates to the URL of
an Akamai customer, their browser is redirected to one of Akamai’s copies of
this website, almost entirely invisible to the vast majority of its users.
"

Anyway, possible conclusions:

1. Something is scanning my computer, possibly spyware.

2. Source of spyware is currently unknown. Is it Windows itself scanning my
computer? Or something else?

What I want to do is "log" all activity of rundll32.exe.

What is launching rundll32? What DLL is being run?

Of course I already tried to use Process Explorer to examine the running
instance of rundll32.exe. The strange/suspicious thing was Process Explorer
complained that it could not access the rundll32.exe information, some kind
of security error.

This made me extra suspicious and thus I terminated rundll32.exe from
running and taxing my harddisk.

My advice to USA is to stop building in backdoors and cease your spying
activity.

There is a clear trend going on in Russia, China and European Union for more
privacy.

Your USA products are in danger of being BANNED.

Bye,
Skybuck.

  #2  
Old October 27th 15, 12:01 PM posted to alt.comp.borland-delphi,alt.comp.hardware.pc-homebuilt,comp.arch,sci.crypt,sci.electronics.design
Skybuck Flying[_4_]

Here is some further help for getting information about rundll32.exe
instances:

http://www.howtogeek.com/howto/windo...is-it-running/

1.

"
Simply launch Process Explorer, and you’ll want to choose File \ Show
Details for All Processes to make sure that you’re seeing everything.
"

2.

"
Now when you hover over the rundll32.exe in the list, you’ll see a tooltip
with the details of what it actually is:
"

3.

"
Or you can right-click, choose Properties, and then take a look at the Image
tab to see the full pathname that is being launched, and you can even see
the Parent process, which in this case is the Windows shell (explorer.exe),
indicating that it was likely launched from a shortcut or startup item.
"

Tip 3 seems best. I am not sure if this tip would have worked; next time I
catch rundll32.exe running like this I will try out these tips.

If for some reason it's not possible or information is missing, then perhaps
I will videotape it for further evidence of suspicious activity!

Bye,
Skybuck.

  #3  
Old October 27th 15, 12:06 PM posted to alt.comp.borland-delphi,alt.comp.hardware.pc-homebuilt,comp.arch,sci.crypt,sci.electronics.design
Skybuck Flying[_4_]

Here is another trick to get more information about the running rundll32.exe
process:

https://www.raymond.cc/blog/identify...ows-task-list/

1.

"
Identify Loaded DLL Files through Command Prompt

Here is a manual way of identifying DLL files in rundll32.exe. Open a
Command Prompt by pressing WinKey+R and type cmd. Then type or paste the
command below into the prompt and hit Enter.

tasklist /m /fi "IMAGENAME eq rundll32.exe"

Do take note that by default, Windows XP Home edition does not have the
tasklist.exe utility, only Professional. It is built into all versions of
Windows Vista and 7. If you want the Tasklist tool for XP Home you can
download it from this link:

Download Tasklist.exe

https://www.raymond.cc/blog/download/did/1221/

The dll modules are displayed on the right side of the tasklist result. You’ll
probably see a lot of modules being displayed which are the internal Windows
dll’s and it takes a little knowledge from an experienced user to identify
any dangerous dll on the list. If you’re unsure, you can always do a search
in Google on the dll file name.

Read Mo
https://www.raymond.cc/blog/identify...ows-task-list/
"

Anyway when I run this right now:

tasklist /m /fi "IMAGENAME eq rundll32.exe"

it produces this:

INFO: No tasks are running which match the specified criteria.

rundll32.exe is currently not running, so I will assume this is normal?!

Bye,
Skybuck.

  #4  
Old October 27th 15, 01:36 PM posted to alt.comp.hardware.pc-homebuilt,sci.crypt,sci.electronics.design
DecadentLinuxUserNumeroUno

On Tue, 27 Oct 2015 12:42:06 +0100, "Skybuck Flying"
Gave us:
snipped utter stupidity...

You are a true idiot.
  #5  
Old October 27th 15, 02:58 PM posted to alt.comp.borland-delphi,alt.comp.hardware.pc-homebuilt,sci.electronics.design
Paul

Skybuck Flying wrote:

> What is launching rundll32? What DLL is being run?

For Win7, in Task Manager you can add a column entry
that shows the command line invocation. If the machine
absolutely refuses to run Task Manager, then you know
you are in trouble.

http://www.howtogeek.com/howto/windo...is-it-running/

http://cdn5.howtogeek.com/wp-content...7/image178.png

Otherwise, download and run MBAM on-demand scanner (do not
tick "Trial", just use the free version which does not
provide real time protection).

(Orange Download button. You can download this on another computer,
if the suspect computer will not allow the browser to download this.
This program will download definitions, once it is installed.
It is for on-demand scanning only, for the free version.)

https://www.malwarebytes.org/

Paul
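Combining the tasklist /m tip in #3 with the Task Manager command-line column Paul describes in #5, here is an added PowerShell example (mine, not from any poster or the linked sites) that does both in one pass and adds an Authenticode check on the DLL named on the command line. Get-Rundll32Report is my own name, and the System32 fallback for bare DLL names is an assumption.

```powershell
# Added example (not from any post in this thread): for every running
# rundll32.exe show its parent, the DLL and entry point from its command line,
# that DLL's Authenticode status, and loaded modules outside %SystemRoot%.
function Get-Rundll32Report {
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'"
    if (-not $procs) {
        # Same case tasklist reports as "No tasks are running which match ..."
        Write-Output 'No rundll32.exe instance is running right now.'
        return
    }
    foreach ($p in $procs) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        # rundll32 syntax: rundll32.exe <dll>,<EntryPoint> [args]. CommandLine is
        # $null for a protected process (the access error seen in Process
        # Explorer), and "$null -match" is simply $false, so this stays safe.
        $dll = $null; $entry = $null
        if ($p.CommandLine -match '^\s*"?.*?rundll32(\.exe)?"?\s+(?<rest>.+)$' -and
            $Matches.rest -match '^(?<dll>[^,]+),\s*(?<entry>\S+)') {
            $dll   = $Matches.dll.Trim().Trim('"')
            $entry = $Matches.entry
        }
        # Bare names such as shell32.dll are resolved against System32 (assumption).
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $candidate = Join-Path "$env:SystemRoot\System32" $dll
            if (Test-Path $candidate) { $dll = $candidate }
        }
        $sig = 'n/a'   # becomes Valid, NotSigned, HashMismatch, ... when the file exists
        if ($dll) { $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'file not found' } }
        # What "tasklist /m" lists, filtered to modules outside the Windows directory.
        $odd = @()
        try {
            $odd = @((Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules |
                Where-Object { $_.FileName -notlike "$env:SystemRoot\*" } |
                ForEach-Object FileName)
        } catch { $odd = @('<module list not accessible>') }
        [pscustomobject]@{
            PID               = $p.ProcessId
            Parent            = "$parentName (PID $($p.ParentProcessId))"
            DLL               = $dll
            EntryPoint        = $entry
            Signature         = $sig
            NonWindowsModules = ($odd -join '; ')
            CommandLine       = $p.CommandLine
        }
    }
}
Get-Rundll32Report | Format-List
```

A 32-bit rundll32 inspected from 64-bit PowerShell, or a process the current user cannot open, lands in the catch branch rather than failing the whole report.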
  #6  
Old October 27th 15, 05:10 PM posted to alt.comp.borland-delphi,alt.comp.hardware.pc-homebuilt,comp.arch,sci.crypt,sci.electronics.design
William Unruh

On 2015-10-27, Skybuck Flying wrote:
> Hello,
>
> Yesterday I noticed how rundll32.exe was running on Windows 7 (64 bit
> ultimate edition) while firewall was down (I stopped firewall myself
> before).

Why?

> I caught it with resource monitor scanning files, all kinds of executables.
>
> This process started to run while the rest of the computer was inactive. I
> noticed high harddisk activity.

You have caught a virus/trojan. I think that the standard comment is
that without protection, a Windows machine will last about 5 min without
catching a virus.

> I think I actually terminated the process, but then later it started running
> again if I recall correctly.

Of course.

> Eventually there were multiple tcp connections to some ip's and ports, one
> port was 80.

Yes, you have been owned. Your computer will now be used to send
spam/phishing email to others and be used to attack and infect other
machines. All of your email contacts will get emails from you telling
them about some wonderful mcguffin you have found and advising them to
buy it/link to it/....

> And its IP was: 23.2.235.5

Probably an owned machine just as yours is now.

> Running tracert shows:
>
> Tracing route to a23-2-235-5.deploy.static.akamaitechnologies.com
> [23.2.235.5]
> over a maximum of 30 hops:

There is no reason to believe that is the bad guy. It is probably some
other Windows user who decided it was a good idea to go onto the net
without a firewall or virus scanner.

> According to wikipedia:
>
> "
> Akamai Technologies, Inc. is a content delivery network or CDN and cloud
> services provider headquartered in Cambridge, Massachusetts, in the United
> States. Akamai's content delivery network is one of the world's largest
> distributed computing platforms, responsible for serving between 15 and 30
> percent of all web traffic.[7] The company operates a network of servers
> around the world and rents capacity on these servers to customers who want
> their websites to work faster by distributing content from locations close
> to the user. Over the years their customers have included Apple, Facebook,
> Bing, Twitter, eBay and healthcare.gov. When a user navigates to the URL of
> an Akamai customer, their browser is redirected to one of Akamai's copies of
> this website, almost entirely invisible to the vast majority of its users.
> "
>
> Anyway, possible conclusions:
>
> 1. Something is scanning my computer, possibly spyware.

Yes.

> 2. Source of spyware is currently unknown. Is it Windows itself scanning my
> computer? Or something else?

Well, it is both a program on your system, and outsiders.

> What I want to do is "log" all activity of rundll32.exe.

What you want to do is to erase your whole disk, reinstall, and
immediately put up a firewall and a good virus scanner.

> What is launching rundll32? What DLL is being run?
>
> Of course I already tried to use Process Explorer to examine the running
> instance of rundll32.exe. The strange/suspicious thing was Process Explorer
> complained that it could not access the rundll32.exe information, some kind
> of security error.
>
> This made me extra suspicious and thus I terminated rundll32.exe from
> running and taxing my harddisk.
>
> My advice to USA is to stop building in backdoors and cease your spying
> activity.

You are attacking the wrong source. This is almost certainly NOT the
USA, but one of the roughly 10,000,000 people out there from around the
world who want to use your machine to anonymize their nefarious
activity.

> There is a clear trend going on in Russia, China and European Union for more
> privacy.

So?

> Your USA products are in danger of being BANNED.

And yet you keep using Windows.


  #7  
Old October 28th 15, 12:15 AM posted to alt.comp.borland-delphi,alt.comp.hardware.pc-homebuilt,sci.electronics.design
Martin Riddle[_2_]

On Tue, 27 Oct 2015 10:58:12 -0400, Paul wrote:

> Skybuck Flying wrote:
>
>> What is launching rundll32? What DLL is being run?
>
> For Win7, in Task Manager you can add a column entry
> that shows the command line invocation. If the machine
> absolutely refuses to run Task Manager, then you know
> you are in trouble.
>
> snip

That's usefull, thanks for the tip.

Cheers
  #8  
Old October 28th 15, 01:41 AM posted to alt.comp.borland-delphi,alt.comp.hardware.pc-homebuilt,sci.electronics.design
DecadentLinuxUserNumeroUno

On Tue, 27 Oct 2015 20:15:30 -0400, Martin Riddle
Gave us:

> On Tue, 27 Oct 2015 10:58:12 -0400, Paul wrote:
>
>> Skybuck Flying wrote:
>>
>>> What is launching rundll32? What DLL is being run?
>>
>> For Win7, in Task Manager you can add a column entry
>> that shows the command line invocation. If the machine
>> absolutely refuses to run Task Manager, then you know
>> you are in trouble.
>>
>> snip
>
> That's usefull, thanks for the tip.

You spelled use-fool wrong.
  #9  
Old October 28th 15, 05:19 AM posted to alt.comp.borland-delphi,alt.comp.hardware.pc-homebuilt,comp.arch,sci.crypt,sci.electronics.design
Skybuck Flying[_4_]

It's not a virus; if it were a virus it would be running every day.

I don't see it running at all.

It's something more special.

So your entire posting can be snipped away snipped

Bye,
Skybuck.
  #10  
Old October 28th 15, 05:22 AM posted to alt.comp.borland-delphi,alt.comp.hardware.pc-homebuilt,comp.arch,sci.crypt,sci.electronics.design
Skybuck Flying[_4_]

Meanwhile I have noticed another oddity.

Perhaps it's nothing or perhaps it's something.

The tool RAMMap will sometimes still show "tunngle" as a process, while Task
Manager (show all processes) does not show it, and neither does Process Explorer.

Perhaps RAMMap sometimes will also show some other app.

It seems to be only one 4KB page.

Perhaps it's a residue or a leftover, or some bug in Windows or a bug in
RAMMap.

However it could also be something suspicious.

Some app suspects:

1. Firefox
2. Tunngle
3. Star Trek Online
4. World of Warships.

And then of course:

Windows itself.

And lastly, it could also be something from long ago that only runs very rarely.

Bye,
Skybuck.
