
Chrome sending data over port 239.255.255.250


11 replies to this topic

#1 HairyApricot


Posted 15 August 2016 - 07:32 AM

I made a post in the Web Browsing/Email and Other Internet Applications forum, and they gave me the following info, but suggested I ask just to be sure. The address seems to be multicast and to do with UPnP. However, I just wanted to check to be sure. The connections are brief and very little data is sent. Are these connections in Chrome normal? Thanks for the help :)





#2 Slurppa


Posted 15 August 2016 - 07:52 AM

Hello HairyApricot

It seems to be normal behaviour of Chrome. I am not sure what its purpose is, but it might be related to Chrome's Chromecast support. It might query Chromecast-supported devices in your network.

You can of course run a malware scanner to ensure that your PC is not infected :)

Download MalwareBytes Anti-Malware to your desktop.
  • Double-click mbam-setup-2.2.1.1043.exe to start the installation of Malwarebytes Anti-Malware.
  • Follow the instructions on your screen to complete the installation. You can find the complete installation procedure here.
  • Click the Scan Now button, a threat scan will start automatically.
  • MalwareBytes Anti-Malware will now check for the latest updates. Click Update Now if new updates are available.
  • Your computer is now being scanned, please do not use your computer during the scan.
  • If no threats were found, click View detailed log.
    • Click Export and save the log as a .txt file on your Desktop or another location.
  • If the scan detected any threats, click Remove Selected.
    • If you are prompted to restart computer click Yes.
    • After reboot, start Malwarebytes Anti-Malware again and click the History Tab at the top and select Application Logs.
    • Check the box next to Scan Log. Choose the most current scan and double-click it.
    • Click Export and save the log as a .txt file on your Desktop or another location.
Providing the MalwareBytes' Anti-Malware log file
  • Attach the log file you just saved to your next reply for further review.

Edited by Slurppa, 15 August 2016 - 07:53 AM.


#3 HairyApricot


Posted 15 August 2016 - 03:00 PM

Nah, nothing on that. I actually posted on this forum a few months ago for a different issue and I came up clean. I checked that Chromecast thing. It was set to default, so not sure if that meant it was on or not.



#4 HairyApricot


Posted 16 August 2016 - 10:20 AM

I also wonder if I could query you about something else. I recently noticed another rundll32 process beside the usual one. On the command line it seems to be shcreatelocalserverrundll. I think it also connected to 65.55.252.171, which seems to be Microsoft. Any idea what this could be? Not actually sure what causes it to run. At time of writing, it's not running. Thanks :)



#5 Slurppa


Posted 16 August 2016 - 02:32 PM

Hi HairyApricot,
 
Glad to hear that you are not having any problems.
 
Rundll32 is an operating system built-in program that Windows uses to load other DLLs. There might be more than one instance running due to different programs registering their own DLL files for running.
As is shown in the article, you can find what DLL is loaded by examining the command line with which RunDll32 was started. SHCreateLocalServerRunDll is part of the DCOM server on Windows and is legitimate as such. There are of course malicious programs that pretend to be these legit ones. Their location (path) usually gives them away. If you encounter suspicious files you could upload them to some online scanner such as VirusTotal.

 

I hope this answers your questions.
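
[Added example, not part of the original posts and not written by either participant.] The check described in post #5, reading each rundll32 command line and confirming where the image lives, can be done in PowerShell as below. It assumes the usual `rundll32.exe <dll>,<export> [arguments]` command-line form; the property names in the output object are chosen for this example.

```powershell
# Added example: list every running rundll32.exe with the DLL and export it was
# asked to run, and flag instances whose image is not the Windows-supplied copy.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\rundll32.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\rundll32.exe')   # 32-bit copy on 64-bit Windows
)

Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
ForEach-Object {
    $cmd    = [string]$_.CommandLine
    $image  = $_.ExecutablePath
    $dll    = $null
    $export = $null

    # Drop the (optionally quoted) rundll32 path, then read "<dll>,<export>".
    # Assumption: the usual "rundll32.exe <dll>,<export> [arguments]" form.
    $rest = $cmd -replace '^\s*("[^"]*"|\S+)\s*', ''
    if ($rest -match '^\s*("?)(?<dll>[^",]+)\1\s*,\s*(?<export>\S+)') {
        $dll    = $Matches['dll'].Trim()
        $export = $Matches['export']
    }

    # ExecutablePath is empty when the caller lacks rights to query the process;
    # report that as unknown ($null) rather than as a mismatch.
    $pathOk = if ($image) { $expected -contains $image } else { $null }

    [pscustomobject]@{
        ProcessId    = $_.ProcessId
        ParentId     = $_.ParentProcessId
        ImagePath    = $image
        PathExpected = $pathOk
        Dll          = $dll
        Export       = $export
        CommandLine  = $cmd
    }
} | Format-List
```

An instance started for SHCreateLocalServerRunDll shows `shell32.dll` under `Dll` and that name under `Export`; a `PathExpected` of `False`, or a `Dll` outside the Windows directory, is the case worth a closer look.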

 



#6 HairyApricot


Posted 16 August 2016 - 03:04 PM

Ah I see. Nah the file path was legit, system32. Any idea what would cause it to actually run?



#7 Slurppa


Posted 16 August 2016 - 03:10 PM

Hi HairyApricot,

 

I am not sure, but there are some indications that it might be related to the Autoplay feature on Windows.



#8 HairyApricot


Posted 23 August 2016 - 05:07 AM

Huh. I wonder why it only appears sometimes?



#9 Slurppa


Posted 23 August 2016 - 06:00 AM

Huh. I wonder why it only appears sometimes?


It is hard to say the exact reason without digging deeper into Windows itself, and particularly into the Shell32 DLL and API.
There is a possibility of Windows using that for Bing search functionality in Windows 8 and later versions, since that IP seems to point to a Bing search server.

#10 HairyApricot


Posted 25 August 2016 - 07:03 AM

I am probably putting too much thought into this XD It is a valid system32 process so I am sure it's fine :)



#11 Slurppa


Posted 27 August 2016 - 07:43 AM

Yes, it's a valid Windows file :)
If there are no abnormal behaviors on the system I wouldn't worry much about it. Just make sure you have up-to-date antivirus and firewall programs.
Also remember to keep your Windows and other programs updated to mitigate the possibility of getting infections from exploits used in old versions.

#12 HairyApricot


Posted 27 August 2016 - 12:23 PM

Alright, thanks for the help :)





