Repeatedly Having "infected Web Resource Detected"
So, the full alert says:
Infected web resource detected
The application rundll32.exe accessed a web resource <malicious URL here> that has been detected as infected. The web resource has been successfully blocked and your PS is now safe.
This repeats every minute or two (URL changes sometimes) every time I start up the system until I manually kill the rundll32.exe process that is normally shown in task manager, even before I click "show processes from all users".
Terminating the process stops it and doesn't seem to influence the system in any other way.
A full system scan revealed a few threats that were removed and says that I'm safe now, but this keeps happening after every reboot.
I have saved a dump file for this process that I can send, but the form for sending files only lets me choose "False Positive" or "False Negative" and has no description box, and I don't think this problem fits either. What could I do to resolve this?
Thanks!
Comments
Hello,
Please check your Task Scheduler, as you might have a reoccurring task that accesses the infected URL.
I would also advise you to contact our support to further investigate this issue.
bitsy@bitdefender.com
I've found the cause of this issue:
Some software I had to install a few days ago created a %appdata%\local\Microsoft\Protect\protecthost.dll file and a rule for the system startup (Startup item: "Microsoft system protection service", Command: "rundll32.exe <path to DLL>"). A VirusTotal.com scan showed it is indeed malicious: https://virustotal.com/pl/file/bd0c045c26a9943642aceb14e1e9f64fe3e4baa80e9c2d801608eb289f63779a/analysis/1470216453/
Deleting the file and disabling the rule in msconfig seems to have fixed the issue. I've already sent this file using the Bitdefender submit form as a false negative.
Cheers!
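The two places named in this thread (startup items and Task Scheduler) can be audited in one pass. The script below is an added example, not part of the original posts and not a Bitdefender tool: it is read-only, lists every autostart entry that launches rundll32.exe, and marks those whose DLL sits in a user-writable folder. It assumes PowerShell 4.0 or later on Windows 8 or later; the folder list and the `Get-Rundll32Target` helper are illustrative.

```powershell
# Added example: read-only audit of autostart entries that launch rundll32.exe.
# Folders a standard user can write to (assumed heuristic, extend as needed).
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-Rundll32Target {
    param([string]$CommandLine)
    # Expand %APPDATA%-style variables (for the current user), then take the
    # first argument after rundll32: the DLL path, without ",EntryPoint".
    # Unquoted paths that contain spaces are cut at the first space.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match 'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))') {
        if ($Matches[1]) { return $Matches[1] } else { return $Matches[2] }
    }
    return $null
}

$entries = @()
# Run keys and Startup folders, as exposed through WMI.
$entries += Get-CimInstance Win32_StartupCommand | ForEach-Object {
    [pscustomobject]@{ Source = $_.Location; Name = $_.Name; Command = $_.Command }
}
# Scheduled tasks: a task can carry several actions; keep the ones that run a program.
$entries += Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { $_.Execute } | ForEach-Object {
        [pscustomobject]@{
            Source  = 'Task ' + $task.TaskPath + $task.TaskName
            Name    = $task.TaskName
            Command = $_.Execute + ' ' + $_.Arguments
        }
    }
}

$entries | Where-Object { $_.Command -match 'rundll32' } | ForEach-Object {
    $dll    = Get-Rundll32Target $_.Command
    $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
    $hit    = $userWritable | Where-Object {
        $dll -and $dll.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
    }
    [pscustomobject]@{
        Source       = $_.Source
        Name         = $_.Name
        Dll          = $dll
        UserWritable = [bool]$hit
        Exists       = $exists
        # The hash can be looked up on VirusTotal without uploading the file.
        Sha256       = if ($exists) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash }
    }
} | Format-List
```

An entry with `UserWritable : True` is not proof of infection, but legitimate rundll32 autostarts normally load DLLs from system or Program Files directories, so those entries are the ones to check first.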
Hello,
Glad to hear that the situation has been resolved, and I would also like to thank you for taking the time to send the False Negative.