Hi all,
I recently set up my new workstation with Windows 11 (local account). After installing chipset drivers, graphics drivers, and the rest of my drivers from the motherboard manufacturer’s website, I installed my AV (F-Secure) and some second opinion scanners (MBAM, HM.P, EEK, and ESET Online Scanner). After a few days, I began receiving popups from WFC alerting me to rundll32.exe attempting to connect via TCP to a remote IP. It’s one single pop-up, but it occurs every day since I chose the Block now and ask me later option. I ran a lookup on the IP and it led back to Microsoft in Redmond. However, I’m not convinced; details for why are below, alongside questions.
Questions / comments:
- Is it ever necessary for rundll32.exe to make a remote connection like this? Even if it is to a Microsoft-controlled IP?
- The reason I don’t necessarily trust the Microsoft IP is because it could be someone using Azure to host something malicious. I’m not sure if it’s possible to differentiate between Microsoft’s own infrastructure and that of Azure. Pretty sure they’re under the same ASN. I’m not saying I suspect anything suspicious on my system… I’m simply curious if this is normal behavior for rundll32.exe, behavior that I was oblivious to until I installed WFC.
- Can someone check via VirusTotal (not from Properties in File Explorer) if their C:\Windows\System32\rundll32.exe is signed? Is rundll32.exe supposed to be signed? Mine isn’t. But it is located in the correct /System32/ folder. I uploaded it to VirusTotal and it says the file isn’t signed. But Google searches lead me to believe the file should be signed. Like many other Windows core files are. If someone can verify by uploading their rundll32.exe to VirusTotal, that would be great. Especially if you can grab a screenshot of the Details tab on VT.
- Please see image below of my WFC alert. Yes, I took this photo with my phone because I haven’t installed ShareX just yet. Still have a fresh workstation with just my chipset drivers, mobo drivers, graphics drivers, AV, and secondary scanners. And yes I blurred out a bunch of random stuff just messing around, ha.
- [Screenshot of the WFC alert: hosted on Imgur and ImgBB (IMG-6721)]
At this point, with my system being so fresh, the only thing that could have infected it was the drivers installation. But I made sure multiple times before downloading anything to ensure I’m on the correct site. I run a WHOIS on the download page’s URL / domain and verify I’m on the correct site before every download. And they all get scanned by VirusTotal, and their digital signature is verified. So there’s a slim chance I got “fake drivers.” So if I am indeed infected, then the official driver sites for either ASUS, NVIDIA, or AMD are compromised.
I sincerely doubt this theory, and I’m guessing it is normal for rundll32.exe to make these connections from time to time. Please confirm for me.
Many thanks!
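The post asks two things that can be checked locally: whether the rundll32.exe in System32 is signed, and what a given rundll32.exe instance is actually doing when it reaches out. The following PowerShell script is an added example by the editor, not code from the original post. The function names are mine, and the third function assumes an elevated session and that Windows Filtering Platform connection auditing has been enabled with the auditpol command given in its comments.

```powershell
# Added example (editor's own, not from the original post).
# Run in an elevated Windows PowerShell 5.1 / PowerShell 7 session on Windows.

function Test-SystemBinarySignature {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\rundll32.exe'))

    # Get-AuthenticodeSignature checks embedded Authenticode signatures AND the
    # OS security catalogs under CatRoot. Most Windows system binaries carry no
    # embedded signature and are catalog-signed, which is why a scanner that
    # only reads the PE file itself reports them as "not signed".
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = Get-FileHash -Path $Path -Algorithm SHA256

    [pscustomobject]@{
        Path          = $Path
        SHA256        = $hash.Hash          # compare against the hash VirusTotal shows
        Status        = $sig.Status         # 'Valid' expected for a genuine OS binary
        SignatureType = $sig.SignatureType  # 'Catalog' expected for rundll32.exe
        IsOSBinary    = $sig.IsOSBinary
        Signer        = $sig.SignerCertificate.Subject
    }
}

function Get-RundllHostedDll {
    # rundll32.exe is only a host process; the security-relevant fact is WHICH
    # DLL and export it was told to run, which is visible in its command line.
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'"
    foreach ($p in $procs) {
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $conns  = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
                  Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') }
        [pscustomobject]@{
            PID         = $p.ProcessId
            Parent      = "$($parent.Name) ($($p.ParentProcessId))"
            CommandLine = $p.CommandLine
            Remote      = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort) $($_.State)" }) -join ', '
        }
    }
}

function Get-RundllConnectionEvents {
    # A once-a-day connection is usually gone by the time you look, so read the
    # Windows Filtering Platform audit events instead. Enable them first with:
    #   auditpol /set /subcategory:"Filter Platform Connection" /success:enable /failure:enable
    # Event 5156 = connection permitted, 5157 = connection blocked.
    param([int]$Days = 7)

    $filter = @{ LogName = 'Security'; Id = 5156, 5157; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML rather than
        # relying on positional Properties indices.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['Application'] -like '*\rundll32.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Result      = if ($_.Id -eq 5156) { 'Permitted' } else { 'Blocked' }
                ProcessId   = $data['ProcessId']
                Direction   = $data['Direction']   # resource token; %%14593 = outbound
                Destination = "$($data['DestAddress']):$($data['DestPort'])"
            }
        }
    }
}

# Usage: signature/hash of the binary, live rundll32 instances, then audited connections.
Test-SystemBinarySignature | Format-List
Get-RundllHostedDll | Format-List
Get-RundllConnectionEvents -Days 7 | Format-Table -AutoSize
```

The first function answers the "is it signed" question without uploading anything: a genuine System32 rundll32.exe reports Status Valid with SignatureType Catalog, and the SHA256 can be compared with the hash VirusTotal computed. The second shows that a rundll32.exe connection on its own says little; the DLL path and export in the command line, and the parent process, are what to judge. The third records the destination of the daily connection with the process ID at the time it happened, so the command line of that specific instance can then be matched against process-creation events (4688, if command-line auditing is enabled) instead of guessing.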