Scrooge

Member

Content Count: 21
Community Reputation: 0 Neutral

About Scrooge
Rank: Member
  1. Thanks a lot Kevin, I thought if these were Russian or Chinese IPs, I would start worrying and rush right off the bat like crazy to block ports 445 and 139 and maybe 137 and 138 as well :)) but these are our guys from the NSA and other three-letter "companies", so they probably 'forgot' that it says there in my file "PKIA somewhere in the Pacific" :) Thanks again Kevin, and God bless America just in case.. :)) p.s. So Microsoft has been using their servers for quite some time, I see. It's like dedicated web hosting or something, right? Outsourcing and whatnot. Who knows...
  2. I'm on Windows 10 64-bit, version 1809 (OS Build 17763.292), the latest update from January 22, 2019. I've had Emsisoft installed for some time and I haven't had any issues so far with infection. CPU usage is normal: when I do anything it's 1 to 4%, when I start up a browser it goes to 8-11%. Nothing out of the ordinary. I've started monitoring my network traffic recently and I noticed Windows Host processes represented by svchost and their associated Windows processes connecting to these IP addresses. I didn't monitor my network before. Maybe these connections were always there. I don't know. Is this normal behavior for Windows 10 nowadays? I thought Windows host processes like Cryptographic Services or Diagnostic Policy Service must connect only to Microsoft IP addresses, but why Google, MSI, Verizon and Cloudflare? I don't get it. They don't run very often, just occasionally pop up for a few seconds once a day, and quickly stop. Maybe I became a bot or something? I think Emsisoft would have picked it up already.

     External IP           Organization              PID   Service
     216.58.209.35:80      Google LLC, USA           4276  CryptSvc
     93.184.220.29:80      MSI Communications, UK    4276  CryptSvc
     104.16.95.121:80      Cloudflare Inc, USA       4276  CryptSvc
     172.217.17.67:80      Google LLC, US            4276  CryptSvc
     93.184.221.240:80     MSI Communications, UK    4276  CryptSvc
     216.58.209.131:80     Google LLC, US            4140  DPS
  3. Thank you very much for your time. I really appreciate it. The topic can be closed now.
  4. Dear Experts, I was wondering if my computer might be infected or maybe I'm just paranoid. Although nothing seems to be out of the ordinary, please tell me I'm just paranoid here on this. I've heard about DLL injection, where malware authors have been exploiting Windows dynamic libraries: executables access the library and share the memory space, with a malicious DLL being injected into a legitimate process. Then we won't see a malicious process running in memory, because it's a legitimate executable that could very well be an essential Windows operating system process, but it is carrying out the malicious activities because it's actually executing functions that are part of a malicious DLL file. Because I have Windows 10 Pro 64-bit (Version 1809 17763.134) (X64), there are obviously two rundll32.exe for calling different programs respectively. One is located in C:\Windows\System32\rundll32.exe, the other one is in C:\Windows\SysWOW64\rundll32.exe. Sometimes when I turn on my computer I see them both (I guess) starting up with Windows, and sometimes they don't start up with Windows. Today, for example, they started up again. See attached Task Manager screenshot. I scanned my computer with Emsisoft while they were running. The scan result is attached. I ran a Farbar scan; the FRST and Addition scans are attached. I also ran the cmd command (tasklist /m /fi "IMAGENAME eq rundll32.exe") to identify the DLLs loaded in these running rundll32.exe. Screenshot attached. Am I paranoid? My browsing habits are pretty rigorous. I don't visit suspicious websites, I don't download literally anything unless I have to. I don't even click on links that I send to myself, not to mention attachments coming in an email. My browser security settings don't have even one weak cipher suite and they are all with forward secrecy. My browser user agent only supports TLS 1.2 and obviously 1.3, and it's immune to Logjam, FREAK and POODLE attacks, with a bunch of other Firefox about:config strengthened security settings. I know I'm probably a very sick individual in terms of this heightened sense of security, but that's the way it is now. Should I be worried about these two rundll32.exe? EEK SCAN.txt FRST.txt Addition.txt
  5. Thank you. Maybe this reparse thing was caused by the fact that I wanted to install the Keeper password manager from the Windows Store until I didn't, because I changed my mind, and then I messed it up even more in Windows' 'head' by trying to install its desktop version until again I didn't, because I changed my mind a second time.
  6. Hi, it's me again. Today I scanned my laptop with this Rkill, I don't know why, maybe I shouldn't have, but earlier it never showed this:

     Performing miscellaneous checks:
      * Reparse Point/Junctions Found (Most likely legitimate)!
      * C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 => C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\IE [Dir]

     I attach the Rkill log. Should I be concerned about it? I immediately scanned the whole computer with EEK but nothing was found, the same with AdwCleaner. Just in case, Farbar logs here: Rkill.txt FRST.txt Addition.txt EEK_scan_180717-202459.txt Now it's gone but I'm curious what that was. Rkill.txt
  7. Thank you. btw, I just deleted FRST. I'm planning to buy an Emsisoft 3-year license. Is there such a thing as an Emsisoft lifetime license? Anyway, I'd like to thank you for fixing my gal Friday laptop. I truly appreciate it. The topic can be closed.
  8. Thank you Kevin. If I can ask you one more thing. I was wondering, would you advise turning on this relatively recent feature "memory integrity" in Windows Defender Security Center with Emsisoft being installed? I've heard that some Windows users reported significant slowdowns and a decrease in system performance after they turned it on, even without any antivirus program being installed? p.s. I just tried to delete it but it doesn't want to be deleted somehow. It says the file or folder is open in another program but I don't know where it can be opened.
  9. Fixlog here. Fixlog.txt I also have a question. What should I do with the FRST folder on my C: drive? Can I delete it? Because now every time I start the Device Performance & health section it says 1 recommendation, and when I run the troubleshooting it says that SASKUTL and SASDIFSV don't have drivers, which is quite understandable. I can always dismiss it but I'd like to get rid of it. They belong to the SUPERAntiSpyware software and they are not essential for Windows. I don't have it any more and I don't want it. Can I just delete FRST? p.s. I'm sorry. It doesn't show any more since I restarted my computer again without dismissing the recommendation.
  10. Things are running smoothly thanks to you. I really appreciate it. Thank you very much Kevin. I really don't want to put you out, you helped me a lot already, but if you just could take a look at these Farbar scans of another laptop for any possible signs of malware. FRST.txt Addition.txt
  11. I did as you said. And I changed the EEK user interface language to English before doing that. Just in case, I also generated the forensics log of that entry. Here are the files. full path to installer.dat.txt Forensics_180710-082411.txt
  12. Here they are. I ran the fresh EEK scan first and FRST second. Forensics_180709-091807.txt FRST.txt Addition.txt
  13. Sure, I'll do it on Monday first thing in the morning. Thanks a lot for your patience with me.
  14. Yes, I think I had AdwCleaner delete this TweakBit. Sorry, I must've attached the wrong file. I just ran AdwCleaner again but there is only the scan log. AdwCleaner[S00].txt
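Posts 2 and 4 above are doing two triage steps by hand: attributing an svchost connection to the service that actually opened it, and checking what a running rundll32.exe has loaded. The script below is an added example (not from Scrooge's posts, Emsisoft, or any other tool on this page) that automates both. It assumes an elevated 64-bit PowerShell 5.1 session on Windows 10; the cmdlets are standard Windows ones, but the loopback filter, the "not Microsoft-signed" filter and the output layout are my own choices. Note that CryptSvc fetching over port 80 is expected: CRL, OCSP and root-certificate updates are served over plain HTTP, frequently from CDNs, so the point of the first step is to confirm which service owns each connection rather than to flag port 80 by itself.

```powershell
# Added example: attribute outbound TCP connections to the owning process and,
# for svchost instances, to the services hosted in that PID; then list modules
# loaded by rundll32.exe that are not validly Microsoft-signed.
# Assumptions: elevated 64-bit PowerShell 5.1+, Windows 10. The filters below
# (loopback/link-local exclusion, "not Microsoft" signer check) are my own.

# --- Step 1: who owns each established connection? ---------------------------
# Win32_Service exposes the PID of the svchost (or standalone) process that hosts
# each service; group by PID so a connection's OwningProcess maps to service names.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$connections = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|fe80:)' } |
    ForEach-Object {
        $conn   = $_
        $proc   = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $hosted = if ($servicesByPid) { $servicesByPid["$($conn.OwningProcess)"] }
        [pscustomobject]@{
            Remote   = "$($conn.RemoteAddress):$($conn.RemotePort)"
            PID      = $conn.OwningProcess
            Process  = $proc.ProcessName
            Path     = $proc.Path                       # where the binary lives
            Services = ($hosted | ForEach-Object Name) -join ','   # empty for non-service processes
        }
    }

"=== Established outbound connections ==="
$connections | Sort-Object PID | Format-Table -AutoSize

# --- Step 2: what is rundll32.exe actually running? --------------------------
# Win32_Process gives the full command line (the DLL and export rundll32 was
# asked to call), which Task Manager does not show by default. Then inspect every
# loaded module's Authenticode status; on Windows 8+ Get-AuthenticodeSignature
# also honours catalog signatures, so stock Windows DLLs come back 'Valid'.
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    "`n=== rundll32.exe PID $($_.ProcessId) ==="
    "Command line: $($_.CommandLine)"
    $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) { return }   # process exited between the two queries

    $suspect = $proc.Modules | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName
        [pscustomobject]@{
            Module = $_.FileName
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    } | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notlike '*Microsoft*' }

    if ($suspect) {
        "Modules that are not validly Microsoft-signed:"
        $suspect | Format-Table -AutoSize
    } else {
        "All loaded modules carry a valid Microsoft signature."
    }
}
```

Run it from an elevated prompt, since Get-Process cannot read module lists of processes running as SYSTEM otherwise, and the module walk can raise access errors for protected processes. The second step is what makes the rundll32 worry in post 4 answerable: a legitimate invocation will show a recognisable System32 or SysWOW64 DLL and export on the command line, and an empty "not Microsoft-signed" table; an injected or side-loaded DLL shows up in that table with its path and signer, or with an unsigned status.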