rundll firewall block

[droogiee]

saw this in my firewall log... what is this about?
2026:06:15|02:46:06|Blocked|1|IPv4 TCP files.nflxso.ca/172.67.152.151:443(64973)|Windows host process (Rundll32)|MSOfflineZone/https[NoBln] Outgoing|C:\windows\syswow64\rundll32.exe

 

[ChatGPT]

Hi droogiee — that log entry is suspicious enough to investigate, but the good news is your firewall blocked the outbound connection.

What the entry means​

Your firewall blocked this:
C:\windows\syswow64\rundll32.exe
trying to make an outbound HTTPS connection to:
files.nflxso.ca / 172.67.152.151:443
rundll32.exe is a legitimate Microsoft Windows component used to load and run DLL functions. Microsoft describes it as a command that loads/runs 32-bit DLLs, which is why SysWOW64\rundll32.exe can be normal on 64-bit Windows.
However, rundll32.exe is also commonly abused by malware because it can run code from DLLs while looking like a Windows process.

Why this specific log looks concerning​

The domain files.nflxso.ca has appeared in prior malware/security reports involving a blocked malicious download path such as:
[url unfurl="true"]https://files.nflxso.ca/downloads/winapp/latest-installer.exe[/url]
A Microsoft Q&A result also references that domain/path as a malicious link related to rundll32.exe.
The IP 172.67.152.151 is a Cloudflare-hosted IP, so the IP alone does not identify the real server owner. The domain is the important part here.

What I would do next​

1. Do not allow it in the firewall.
2. Run a full scan with Microsoft Defender:
   Start-MpScan -ScanType FullScan
3. Run a second-opinion scan with Malwarebytes or another reputable scanner.
4. Check if anything is launching rundll32.exe:
   Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,CommandLine
5. Check startup locations:
   Get-CimInstance Win32_StartupCommand | Select-Object Name,Command,Location
6. Check scheduled tasks for odd entries:
   Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft*"} | Select-Object TaskName,TaskPath,State
7. If you find a suspicious command line, DLL path, startup item, or scheduled task, do not delete it immediately. Post it here first so we can identify it safely.

Also verify the file itself​

Right-click this file:
C:\Windows\SysWOW64\rundll32.exe
Then check:

1. Properties
2. Digital Signatures
3. It should be signed by Microsoft Windows

You can also run:
Get-AuthenticodeSignature C:\Windows\SysWOW64\rundll32.exe
Expected result should show:
Status : Valid

Bottom line​

The Windows file path is normal, but that destination is not something I’d trust. Since it was blocked, this may have prevented a download or callback. I’d treat it as a possible unwanted/malware-related event until the scans and command-line checks come back clean.

 

[droogiee]

it doesnt have a digital signature, but i also looked on my other win10 systems, and they dont either, and they have no odd behavior. also, under the what i should do next, it wasnt quiet clear, what exactly should i do i am running a full virus scan now

 

[ChatGPT]

Hi droogiee — thanks, that helps. Do not delete rundll32.exe. The lack of a visible “Digital Signatures” tab is not automatically proof of infection; some Windows files validate through catalog signing, and File Explorer may not show it clearly.
Since you’re already running a full scan, here’s the exact order I’d follow.

Do this first​

1. Let the full virus scan finish​

1. Let Microsoft Defender complete the Full scan.
2. If it finds anything, choose Quarantine.
3. Do not manually delete Windows system files.
4. Reboot after quarantine if Defender asks.

Then check the Windows system file​

Open PowerShell as Administrator and run:
Get-AuthenticodeSignature C:\Windows\SysWOW64\rundll32.exe | Format-List
What we want to see is:
Status : Valid
If it says NotSigned, HashMismatch, or anything else, don’t panic yet — just post the output here.
Also run this:
Get-Item C:\Windows\SysWOW64\rundll32.exe | Select-Object FullName,Length,CreationTime,LastWriteTime

Repair-check Windows files​

After the virus scan finishes, run these in Command Prompt as Administrator:
DISM /Online /Cleanup-Image /RestoreHealth
Then:
sfc /scannow
Expected result from sfc should ideally be:
Windows Resource Protection did not find any integrity violations.
If it says it repaired files, reboot and run sfc /scannow once more.

Find what launched rundll32.exe​

This is the most important part. rundll32.exe itself may be clean, but something may be using it.
Run this in PowerShell as Administrator:
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine
If it returns a command line, post it here. That command line usually reveals the DLL or component being loaded.
If it returns nothing, that means no rundll32.exe process is running at that moment.

Check startup entries​

Run:
Get-CimInstance Win32_StartupCommand | Select-Object Name,Command,Location,User
Look for anything strange, especially entries pointing to:

AppData
Temp
Downloads
ProgramData

or anything referencing:

rundll32.exe
files.nflxso.ca
nflxso

Check scheduled tasks​

Run:
Get-ScheduledTask | Where-Object {($_.Actions | Out-String) -match "rundll32|nflxso|AppData|Temp|Downloads"} | Select-Object TaskName,TaskPath,State
If anything appears, post the result before deleting or disabling it.

Optional but recommended: Defender Offline Scan​

If the full scan finds anything, or if that firewall block keeps recurring, run a Microsoft Defender Offline scan.

1. Save your work.
2. Open Windows Security.
3. Go to Virus & threat protection.
4. Click Scan options.
5. Choose Microsoft Defender Offline scan.
6. Click Scan now.

Warning: this will reboot the PC.

Bottom line​

Right now, I would treat this as:
Suspicious outbound attempt blocked, but not yet proof that rundll32.exe itself is infected.
The key thing is to find what called rundll32.exe. Please post the outputs from these after your full scan finishes:
Get-AuthenticodeSignature C:\Windows\SysWOW64\rundll32.exe | Format-List
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine
sfc /scannow

 

[droogiee]

0 virus found
rundll came back as vaid

this Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine
gave me this:
ProcessId ParentProcessId CommandLine
--------- --------------- -----------
2008 3556 "C:\Windows\System32\rundll32.exe" "C:\Users\****\AppData\Local\Temp\wsc35FD.tmp",Start verpostfix=bt
572 2008 "C:\Windows\System32\rundll32.exe" "C:\Users\*****\AppData\Local\Temp\wsc35FD.tmp",Start verpostfix=bt

nothing strange in startup, or in scheduled tasks

DISM /Online /Cleanup-Image /RestoreHealth
Image Version: 10.0.19045.6466
[==========================100.0%==========================] The restore operation completed successfully.
The operation completed successfully.

sfc /scannow came back: Windows Resource Protection did not find any integrity violations.
what's next?

 

[ChatGPT]

droogiee — that command line changes the situation. Your rundll32.exe is probably clean, but it is actively loading a suspicious temp DLL:
C:\Users\****\AppData\Local\Temp\wsc35FD.tmp
This pattern is not normal Windows behavior:
rundll32.exe "...AppData\Local\Temp\wsc####.tmp",Start verpostfix=bt
That exact style has been seen in malware sandbox reports, including activity involving files.nflxso.ca, register.nflxso.ca, RunOnce persistence, and an InetHelper folder under the user profile.
So: Defender finding 0 threats is good, but I would not call this system clean yet.

What to do next​

1. Disconnect from the internet now​

1. Turn off Wi-Fi or unplug Ethernet.
2. Leave the PC powered on for now.
3. Do not log into banking, email, password managers, or important accounts from this PC yet.

2. Identify the parent process​

Run this in PowerShell as Administrator:
Get-CimInstance Win32_Process -Filter "ProcessId=3556" | Select-Object ProcessId,Name,ExecutablePath,CommandLine
Post that result if it shows anything. PID 3556 is what started the first rundll32.exe, so that may reveal the original source.

3. Get the hash of the suspicious temp file​

Replace YOURNAME with your actual Windows username:

$bad="C:\Users\YOURNAME\AppData\Local\Temp\wsc35FD.tmp"
Get-Item $bad | Select-Object FullName,Length,CreationTime,LastWriteTime
Get-FileHash $bad -Algorithm SHA256
Get-AuthenticodeSignature $bad | Format-List

Expected: the file is likely unsigned or invalid. Please post the SHA256 hash if you can.

4. Stop the active suspicious processes​

Run:
Stop-Process -Id 572,2008 -Force
Then check that they are gone:
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine
If the same wsc35FD.tmp command comes back, there is still persistence somewhere.

5. Remove the known suspicious file and likely dropped folder​

Only do this after Step 3 if you want to keep the hash first.

Remove-Item "C:\Users\YOURNAME\AppData\Local\Temp\wsc35FD.tmp" -Force -ErrorAction SilentlyContinue
Remove-Item "C:\Users\YOURNAME\AppData\Local\Microsoft\Windows\InetHelper" -Recurse -Force -ErrorAction SilentlyContinue

If InetHelper does not exist, that is fine.

6. Check and remove matching RunOnce entries​

Run these first:

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

Look for entries mentioning:

wsc35FD.tmp
cleaninethelper
InetHelper
nflxso
rundll32

If you see cleaninethelper or InetHelper pointing to the suspicious temp file or InetHelper folder, remove them:

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v cleaninethelper /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v InetHelper /f

If Windows says the value was not found, that is okay.

7. Run Defender Offline Scan​

This is worth doing because the active process may hide from normal scanning. Microsoft Defender Offline runs outside the normal Windows environment and restarts the PC during the scan.

1. Save your work.
2. Open Windows Security.
3. Go to Virus & threat protection.
4. Click Scan options.
5. Select Microsoft Defender Offline scan.
6. Click Scan now.

Or from PowerShell as Administrator:
Start-MpWDOScan

8. After reboot, check if it returned​

Run this again:
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine
Also run:

Get-ChildItem "$env:LOCALAPPDATA\Temp" -Filter "wsc*.tmp" -Force
Get-ChildItem "$env:LOCALAPPDATA\Microsoft\Windows" -Directory -Force | Where-Object {$_.Name -match "InetHelper"}

If nothing comes back, that is a good sign.

9. Change passwords from a clean device​

Because this behavior resembles a loader/infostealer chain, I would change important passwords from another clean PC or phone, especially:

Email
Microsoft account
Browser-synced accounts
Banking/financial accounts
Game/store accounts
Password manager master password

Also enable 2FA/MFA where available.

Bottom line​

Your Windows system files look fine:

DISM: clean
SFC: clean
rundll32.exe: valid
Defender full scan: 0 found

But this part is not fine:
rundll32.exe "...\AppData\Local\Temp\wsc35FD.tmp",Start verpostfix=bt
That is the thing to remove and trace. If it respawns after killing it and deleting the temp file, the safest next step is either a deeper malware-removal pass or a clean Windows reinstall.

 

[droogiee]

Get-CimInstance Win32_Process -Filter "ProcessId=3556" | Select-Object ProcessId,Name,ExecutablePath,CommandLine

ProcessId Name ExecutablePath CommandLine
--------- ---- -------------- -----------
3556 explorer.exe C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE

nothiung under step 6

im not going to reinstall windows

 

[ChatGPT]

droogiee — understood, and you do not have to jump straight to reinstalling Windows. Since rundll32.exe is valid and the parent was explorer.exe, this likely means something was launched from your user session, possibly a downloaded installer, temp payload, or one-time startup action.
The important suspicious item is still:
C:\Users\****\AppData\Local\Temp\wsc35FD.tmp
That is what we should remove/trace.

Do this next, in order​

1. Stay offline for cleanup​

1. Disconnect Wi-Fi/Ethernet.
2. Leave the PC on.
3. Do not sign into important accounts from this PC yet.

2. Create a restore point first​

Run PowerShell as Administrator:
Checkpoint-Computer -Description "Before rundll cleanup" -RestorePointType "MODIFY_SETTINGS"
If it says restore points are disabled, continue, but don’t worry about that right now.

3. Save evidence before deleting the temp file​

Run this:

$bad="$env:LOCALAPPDATA\Temp\wsc35FD.tmp"
Get-Item $bad -Force | Select-Object FullName,Length,CreationTime,LastWriteTime
Get-FileHash $bad -Algorithm SHA256
Get-AuthenticodeSignature $bad | Format-List

Please copy the output somewhere. The SHA256 hash is useful if we need to identify the exact malware family.

4. Kill the two active rundll32.exe processes​

Run:
Stop-Process -Id 2008,572 -Force
Then confirm they are gone:
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine
If nothing referencing wsc35FD.tmp returns, continue.

5. Delete the suspicious temp file​

Run:
Remove-Item "$env:LOCALAPPDATA\Temp\wsc35FD.tmp" -Force -ErrorAction SilentlyContinue
Then check for similar files:
Get-ChildItem "$env:LOCALAPPDATA\Temp" -Force | Where-Object {$_.Name -match "^(wsc|wns).+\.tmp$"} | Select-Object FullName,Length,CreationTime,LastWriteTime
If more wsc*.tmp or wns*.tmp files appear, post the list before deleting them.

6. Check for the known dropped folder​

Run:
Get-ChildItem "$env:LOCALAPPDATA\Microsoft\Windows" -Force -ErrorAction SilentlyContinue | Where-Object {$_.Name -match "InetHelper"}
If it exists, remove it:
Remove-Item "$env:LOCALAPPDATA\Microsoft\Windows\InetHelper" -Recurse -Force -ErrorAction SilentlyContinue

7. Check more persistence locations​

Since your first Run/RunOnce check was clean, check the less obvious places too.
Run these in Command Prompt as Administrator:

reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Run
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"

Normal Winlogon values should look roughly like:

Shell    REG_SZ    explorer.exe
Userinit REG_SZ    C:\Windows\system32\userinit.exe,

Important: Do not change Shell or Userinit unless you post the output first. Bad edits there can break login.

8. Check WMI persistence​

Run PowerShell as Administrator:

Get-WmiObject -Namespace root\subscription -Class __EventFilter
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding

If those return entries referencing rundll32, wsc35FD.tmp, InetHelper, AppData, Temp, or unknown commands, post them.

9. Check Defender exclusions​

Malware sometimes adds exclusions so scans show clean.
Run:

Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
Get-MpPreference | Select-Object -ExpandProperty ExclusionExtension

If you see exclusions for AppData, Temp, rundll32.exe, .tmp, or anything you did not add, post them.

10. Run Microsoft Defender Offline Scan​

After the file is removed and processes are stopped:
Start-MpWDOScan
This will reboot and scan outside normal Windows.

11. After reboot, verify it did not return​

Run:
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine
Then:

Test-Path "$env:LOCALAPPDATA\Temp\wsc35FD.tmp"
Get-ChildItem "$env:LOCALAPPDATA\Temp" -Force | Where-Object {$_.Name -match "^(wsc|wns).+\.tmp$"}
Test-Path "$env:LOCALAPPDATA\Microsoft\Windows\InetHelper"

Expected good result:

No rundll32 process loading wsc35FD.tmp
False for wsc35FD.tmp
False for InetHelper
No wsc/wns temp files listed

If it comes back​

If the same rundll32 ... wsc35FD.tmp command returns after reboot, then something is still launching it. At that point, I would use Microsoft Sysinternals Autoruns and check the Logon, Scheduled Tasks, Services, Drivers, WMI, and AppInit tabs.
But first, do steps 3 through 11. You’re not at “must reinstall” yet, but this is definitely more than a harmless firewall log.

 

[droogiee]

i had already deleted the tmp file..
step 7 gives me ERROR: The system was unable to find the specified registry key or value.

 

[ChatGPT]

droogiee — that registry message is usually good news, not bad.
ERROR: The system was unable to find the specified registry key or value.
For some of those checks, especially these:

reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Run

…it means there is no Load or Run value there, which is normal on most systems.
Since you already deleted the .tmp file, the priority now is to confirm nothing is still running or recreating it.

Do this now​

1. Check whether the suspicious rundll32.exe is still running​

Run PowerShell as Administrator:
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine
If you still see this:
wsc35FD.tmp
or any wsc*.tmp / wns*.tmp, stop it:
Stop-Process -Name rundll32 -Force
Note: This may close legitimate Control Panel/dialog windows using rundll32, but that is usually harmless.

2. Confirm the deleted file did not come back​

Run:
Test-Path "$env:LOCALAPPDATA\Temp\wsc35FD.tmp"
Good result:
False
Then run:
Get-ChildItem "$env:LOCALAPPDATA\Temp" -Force | Where-Object {$_.Name -match "^(wsc|wns).+\.tmp$"} | Select-Object FullName,Length,CreationTime,LastWriteTime
Good result: no output.

3. Check for the dropped InetHelper folder​

Run:
Test-Path "$env:LOCALAPPDATA\Microsoft\Windows\InetHelper"
Good result:
False
If it says True, remove it:
Remove-Item "$env:LOCALAPPDATA\Microsoft\Windows\InetHelper" -Recurse -Force

4. Check Defender exclusions​

This is important because malware can hide by adding exclusions.
Run:

Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
Get-MpPreference | Select-Object -ExpandProperty ExclusionExtension

If those commands show nothing, that is good.
If they show exclusions for any of these, post them here:

AppData
Temp
rundll32.exe
.tmp
C:\
Users

5. Run Microsoft Defender Offline Scan​

Since the suspicious file was active before deletion, run the offline scan next:
Start-MpWDOScan
This will reboot the PC and scan outside the normal Windows session.

6. After reboot, verify again​

After Windows comes back up, run:
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine
Then:

Test-Path "$env:LOCALAPPDATA\Temp\wsc35FD.tmp"
Test-Path "$env:LOCALAPPDATA\Microsoft\Windows\InetHelper"
Get-ChildItem "$env:LOCALAPPDATA\Temp" -Force | Where-Object {$_.Name -match "^(wsc|wns).+\.tmp$"}

What result we want​

You want all of this to be true:

No rundll32.exe loading wsc35FD.tmp
wsc35FD.tmp = False
InetHelper = False
No wsc*.tmp or wns*.tmp files listed
No new firewall blocks to files.nflxso.ca

If it does not come back​

If the file stays gone, no suspicious rundll32.exe returns, and Defender Offline finds nothing, then you may have caught a one-time dropped payload before it fully persisted.

If it comes back​

If wsc35FD.tmp or a similar file returns after reboot, then something is still launching it. In that case, the next tool I’d use is Sysinternals Autoruns, not a reinstall.
For now, please post the result of this one command after reboot:
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine

 

[droogiee]

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell this one gave me explorer.exe
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\Windows\system32\userinit.exe,

the rest under 7 look fine, everything are things i know.

ok, from last response.
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine, nothing showed up

section 2, no output, eveything looks good
4 is good, nothing there

 

[ChatGPT]

droogiee — those results are encouraging.
Your Winlogon values are normal:

Shell    explorer.exe
Userinit C:\Windows\system32\userinit.exe,

And these are also good signs:

No rundll32.exe process currently running
No wsc*.tmp / wns*.tmp files found
No Defender exclusions
No obvious Run/RunOnce/startup persistence
DISM clean
SFC clean
Defender full scan found 0
rundll32.exe valid

So at this point, I would not reinstall Windows based on what you’ve shown.

What I think happened​

Most likely, something launched a temporary payload from:
AppData\Local\Temp\wsc35FD.tmp
using:
rundll32.exe
The firewall blocked its outbound connection. You deleted the temp file, and so far it does not appear to have persistent startup entries.
explorer.exe being the parent does not automatically mean Explorer is infected. It often just means something was launched from your logged-in desktop session, such as a downloaded file, installer, archive, browser-opened file, or temp installer.

Do these final checks​

1. Run Defender Offline Scan​

Even though the full scan was clean, I would still run the offline scan once.
Run PowerShell as Administrator:
Start-MpWDOScan
The PC will reboot and scan outside the normal Windows session.

2. After reboot, verify it stayed gone​

Run these after Windows starts again:
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine
Then:

Test-Path "$env:LOCALAPPDATA\Temp\wsc35FD.tmp"
Test-Path "$env:LOCALAPPDATA\Microsoft\Windows\InetHelper"
Get-ChildItem "$env:LOCALAPPDATA\Temp" -Force | Where-Object {$_.Name -match "^(wsc|wns).+\.tmp$"}

Good results are:

No rundll32.exe loading a temp file
False for wsc35FD.tmp
False for InetHelper
No wsc*.tmp or wns*.tmp files listed

3. Update Defender signatures​

After reconnecting to the internet, run:
Update-MpSignature
Then run a quick scan:
Start-MpScan -ScanType QuickScan

4. Watch for recurrence​

For the next day or two, occasionally run:
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine
Also watch your firewall logs for more blocks to:

files.nflxso.ca
register.nflxso.ca
nflxso.ca

If it does not come back after reboot/offline scan, that is a very good sign.

Optional: check with Autoruns​

If you want one more thorough check without reinstalling:

1. Download Microsoft Sysinternals Autoruns from Microsoft.
2. Run it as Administrator.
3. Go to Options.
4. Enable Hide Microsoft Entries.
5. Check these tabs: Logon, Scheduled Tasks, Services, Drivers, WMI, AppInit.
6. Look for entries pointing to AppData, Temp, InetHelper, wsc*.tmp, wns*.tmp, or odd rundll32.exe commands.
7. Disable suspicious entries first, don’t delete them immediately. You can re-enable them if needed.

Password safety​

Because that command pattern can be associated with loaders/stealers, I’d still change important passwords from another clean device, especially email, Microsoft account, banking, and password manager accounts. Also enable 2FA/MFA where possible.

Bottom line​

Right now, this looks contained, assuming the Defender Offline scan is clean and the wsc35FD.tmp command does not return after reboot. I would not reinstall Windows unless the temp DLL or suspicious rundll32.exe command keeps coming back.

 

[droogiee]

ok, i ran another virus scan, came back with - issues.. rebooted the machine, and i got a popup, saying rundll could not start the wsc35fd.tmp and also
10728 8132 "C:\Windows\System32\rundll32.exe" "C:\Users\******\AppData\Local\Temp\wsc35FD.tmp",Start verpostfix=bt was back

 

[ChatGPT]

droogiee — that means something is still trying to launch the deleted payload at logon/startup.
The good part: since you deleted:
C:\Users\pjrey\AppData\Local\Temp\wsc35FD.tmp
…the popup means the payload file is missing. The bad part: the startup/persistence trigger is still present somewhere.
We need to find and remove the launcher, not rundll32.exe.

First: stop the current failed rundll32.exe​

Run PowerShell as Administrator:
Stop-Process -Id 10728 -Force
Then check if it is gone:
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine

Next: identify parent PID 8132​

Run this:
Get-CimInstance Win32_Process -Filter "ProcessId=8132" | Select-Object ProcessId,Name,ExecutablePath,CommandLine
If it says explorer.exe, the trigger is probably a user logon/startup entry. If it shows anything else, post it.

Search the registry for the exact trigger​

Run Command Prompt as Administrator.

1. Search HKCU​

reg query HKCU /f "wsc35FD.tmp" /s
reg query HKCU /f "verpostfix=bt" /s
reg query HKCU /f "cleaninethelper" /s
reg query HKCU /f "InetHelper" /s

2. Search HKLM​

reg query HKLM /f "wsc35FD.tmp" /s
reg query HKLM /f "verpostfix=bt" /s
reg query HKLM /f "cleaninethelper" /s
reg query HKLM /f "InetHelper" /s

If any result appears, do not delete it yet. Post the key path and value name here.

Check scheduled tasks more deeply​

Run PowerShell as Administrator:

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (($action.Execute + " " + $action.Arguments) -match "wsc35FD|verpostfix|rundll32|InetHelper|AppData\\Local\\Temp") {
            [PSCustomObject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                State = $task.State
                Execute = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
}

If this returns anything, post it.

Check Startup folders​

Run:

Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" -Force
Get-ChildItem "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" -Force

If you see any shortcut or script you don’t recognize, right-click it, check Properties, and see if the target points to rundll32, Temp, or wsc35FD.tmp.

Check WMI persistence​

Run PowerShell as Administrator:

Get-WmiObject -Namespace root\subscription -Class __EventFilter | Format-List *
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer | Format-List *
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding | Format-List *

If anything references:

rundll32
wsc35FD.tmp
verpostfix
Temp
InetHelper

post it.

Use Autoruns now​

At this point, Autoruns is the right tool. It is Microsoft Sysinternals’ official startup inspection tool, and Microsoft specifically notes that Hide Signed Microsoft Entries helps focus on third-party auto-start entries.

Steps​

1. Download Autoruns from Microsoft Sysinternals only.
2. Extract the ZIP.
3. Right-click Autoruns64.exe.
4. Choose Run as administrator.
5. Go to Options.
6. Enable Hide Microsoft Entries.
7. Enable Verify Code Signatures.
8. Press Ctrl+F.
9. Search for:

wsc35FD

1. Search again for:

verpostfix

1. Search again for:

rundll32

1. Search again for:

InetHelper

1. If you find the entry, uncheck it first instead of deleting it.
2. Reboot.
3. If the popup is gone, go back to Autoruns and delete that disabled entry later.

Important​

Do not recreate the missing wsc35FD.tmp file. The popup is annoying, but it also means the malicious/suspicious payload is not loading successfully.

Most likely source​

Because it returned after reboot and complains about the missing file, the remaining trigger is probably one of these:

HKCU Run / RunOnce
HKCU Policies Explorer Run
Scheduled Task
Startup folder shortcut
WMI event consumer
Autoruns-hidden logon entry

Please post these two outputs next​

Get-CimInstance Win32_Process -Filter "ProcessId=8132" | Select-Object ProcessId,Name,ExecutablePath,CommandLine
And any hits from:

reg query HKCU /f "wsc35FD.tmp" /s
reg query HKLM /f "wsc35FD.tmp" /s

We’re looking for the launcher now. Once that’s removed, the popup and rundll32 ... wsc35FD.tmp process should stop coming back.

 

[droogiee]

running the reg searches now.
C:\Windows\System32>reg query HKCU /f "wsc35FD.tmp" /s

End of search: 0 match(es) found.

C:\Windows\System32>reg query HKCU /f "verpostfix=bt" /s

End of search: 0 match(es) found.


tasks:
TaskName : PcaPatchDbTask
TaskPath : \Microsoft\Windows\Application Experience\
State : Ready
Execute : %windir%\system32\rundll32.exe
Arguments : %windir%\system32\PcaSvc.dll,PcaPatchSdbTask

TaskName : PcaWallpaperAppDetect
TaskPath : \Microsoft\Windows\Application Experience\
State : Ready
Execute : %windir%\system32\rundll32.exe
Arguments : %windir%\system32\PcaSvc.dll,PcaWallpaperAppDetect

TaskName : StartupAppTask
TaskPath : \Microsoft\Windows\Application Experience\
State : Ready
Execute : %windir%\system32\rundll32.exe
Arguments : Startupscan.dll,SusRunTask

TaskName : CleanupTemporaryState
TaskPath : \Microsoft\Windows\ApplicationData\
State : Ready
Execute : %windir%\system32\rundll32.exe
Arguments : Windows.Storage.ApplicationData.dll,CleanupTemporaryState

TaskName : Pre-staged app cleanup
TaskPath : \Microsoft\Windows\AppxDeploymentClient\
State : Disabled
Execute : %windir%\system32\rundll32.exe
Arguments : %windir%\system32\AppxDeploymentClient.dll,AppxPreStageCleanupRunTask

TaskName : Proxy
TaskPath : \Microsoft\Windows\Autochk\
State : Ready
Execute : %windir%\system32\rundll32.exe
Arguments : /d acproxy.dll,PerformAutochkOperations

TaskName : Microsoft-Windows-DiskDiagnosticDataCollector
TaskPath : \Microsoft\Windows\DiskDiagnostic\
State : Disabled
Execute : %windir%\system32\rundll32.exe
Arguments : dfdts.dll,DfdGetDefaultPolicyAndSMART

TaskName : Account Cleanup
TaskPath : \Microsoft\Windows\SharedPC\
State : Disabled
Execute : %windir%\System32\rundll32.exe
Arguments : %windir%\System32\Windows.SharedPC.AccountManager.dll,StartMaintenance

TaskName : MaintenanceTasks
TaskPath : \Microsoft\Windows\StateRepository\
State : Ready
Execute : %windir%\system32\rundll32.exe
Arguments : %windir%\system32\Windows.StateRepositoryClient.dll,StateRepositoryDoMaintenanceTasks

TaskName : WsSwapAssessmentTask
TaskPath : \Microsoft\Windows\Sysmain\
State : Ready
Execute : %windir%\system32\rundll32.exe
Arguments : sysmain.dll,PfSvWsSwapAssessmentTask

TaskName : BfeOnServiceStartTypeChange
TaskPath : \Microsoft\Windows\Windows Filtering Platform\
State : Ready
Execute : %windir%\system32\rundll32.exe
Arguments : bfe.dll,BfeOnServiceStartTypeChange

TaskName : AutomaticBackup
TaskPath : \Microsoft\Windows\WindowsBackup\
State : Disabled
Execute : %systemroot%\system32\rundll32.exe
Arguments : /d sdengin2.dll,ExecuteScheduledBackup

startup folders just shows desktop.ini

nothing under WMI

nothing found while searching autoruns

Get-CimInstance Win32_Process -Filter "ProcessId=8132" | Select-Object ProcessId,Name,ExecutablePath,CommandLine came back EXPLORER.EXE

i have gone down your list, and done everything,
what is calling this??

 

[ChatGPT]

droogiee — I get the frustration. Based on what you posted, the obvious places are clean, and the Microsoft scheduled tasks you listed are normal. Do not disable those \Microsoft\Windows\... rundll32 tasks.
The key clue is this:
ParentProcessId = explorer.exe
That usually means the launch happened during user logon / Explorer startup, not from a Windows service. If Autoruns and the registry search didn’t find it, there are two likely explanations:

1. It was a RunOnce-style entry that deleted itself after trying to run.
2. The launcher is in a less-obvious logon mechanism that we haven’t captured yet.

First question​

When you said the scan “came back with - issues,” did you mean:
0 issues
or did Defender actually find something and remove/quarantine it?
Check:

1. Open Windows Security.
2. Go to Virus & threat protection.
3. Open Protection history.
4. Look for anything around the reboot time.
5. If there is a detection name, post it.

Most important next test​

Because RunOnce entries can disappear after they execute, do this:

1. Kill the current failed rundll32​

Stop-Process -Id 10728 -Force

2. Reboot one more time​

After reboot, check:
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine
If it does not come back, then the startup entry probably already self-deleted and only fired once after the scan/reboot.
If it does come back again, continue below.

Search all loaded user registry hives, not just HKCU​

Run Command Prompt as Administrator:

reg query HKU /f "wsc35FD.tmp" /s
reg query HKU /f "verpostfix=bt" /s
reg query HKU /f "cleaninethelper" /s
reg query HKU /f "InetHelper" /s
reg query HKU /f "nflxso" /s

Then run:

reg query HKLM /f "wsc35FD.tmp" /s
reg query HKLM /f "verpostfix=bt" /s
reg query HKLM /f "cleaninethelper" /s
reg query HKLM /f "InetHelper" /s
reg query HKLM /f "nflxso" /s

If anything appears, post the full result.

Check Active Setup​

Active Setup runs during user logon and can be launched under Explorer.
Run:

reg query "HKCU\Software\Microsoft\Active Setup\Installed Components" /s /f "wsc35FD"
reg query "HKCU\Software\Microsoft\Active Setup\Installed Components" /s /f "verpostfix"
reg query "HKLM\Software\Microsoft\Active Setup\Installed Components" /s /f "wsc35FD"
reg query "HKLM\Software\Microsoft\Active Setup\Installed Components" /s /f "verpostfix"
reg query "HKLM\Software\WOW6432Node\Microsoft\Active Setup\Installed Components" /s /f "wsc35FD"
reg query "HKLM\Software\WOW6432Node\Microsoft\Active Setup\Installed Components" /s /f "verpostfix"

Check logon scripts/policies​

Run:

reg query "HKCU\Software\Policies\Microsoft\Windows\System\Scripts" /s
reg query "HKLM\Software\Policies\Microsoft\Windows\System\Scripts" /s
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" /s
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" /s

If those say key/value not found, that is fine.

Check hidden startup shortcuts with PowerShell​

Run:

Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" -Force | Select-Object FullName,Length,CreationTime,LastWriteTime,Attributes
Get-ChildItem "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" -Force | Select-Object FullName,Length,CreationTime,LastWriteTime,Attributes

Then check shortcut targets:

$shell = New-Object -ComObject WScript.Shell
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup","$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" -Filter *.lnk -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    [PSCustomObject]@{
        Shortcut = $_.FullName
        Target = $lnk.TargetPath
        Arguments = $lnk.Arguments
        WorkingDirectory = $lnk.WorkingDirectory
    }
}

If it still comes back: use Process Monitor boot logging​

This is the best way to answer “what is calling this?”

Steps​

1. Download Process Monitor from Microsoft Sysinternals.
2. Run Procmon64.exe as Administrator.
3. Go to Options.
4. Click Enable Boot Logging.
5. Accept the default boot logging option.
6. Reboot.
7. Wait for the rundll popup to appear.
8. Open Process Monitor again.
9. Let it load the boot log.
10. Press Ctrl+L for Filter.
11. Add this filter:

Command Line contains wsc35FD then Include

1. Also add:

Path contains wsc35FD then Include

1. Look for the event that starts:

rundll32.exe "C:\Users\pjrey\AppData\Local\Temp\wsc35FD.tmp",Start verpostfix=bt

1. Add/show columns for Parent PID, Command Line, and Process Name.
2. The events immediately before it should show where Explorer read the startup command from.

My current read​

You are not looking for malware inside rundll32.exe. You are looking for a leftover launcher. Since the file is missing, it fails to load, which is better than the payload running.
Most likely causes now are:

A one-time RunOnce entry that has already self-deleted
Active Setup
Hidden/odd startup shortcut
Policy logon script
A recreated startup entry

Do the one more reboot test first. If it comes back again, Process Monitor boot logging should reveal the exact source.

 

[droogiee]

restarted and i got no popups..
should i keep searching, or let this one go?

 

[ChatGPT]

droogiee — that’s a good sign. If you rebooted and got:

No popup
No rundll32.exe loading wsc35FD.tmp
No temp file recreated

then the most likely explanation is:
A one-time startup/RunOnce-style entry tried to launch the deleted temp payload, failed, then removed itself.
So no, I would not keep digging endlessly unless it comes back.

Do these final checks, then let it go​

1. Confirm rundll32.exe is clean after reboot​

Run:
Get-CimInstance Win32_Process -Filter "name='rundll32.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine
Good result: either no output, or only normal Windows/control-panel related entries — nothing with:

wsc35FD.tmp
AppData\Local\Temp
verpostfix=bt

2. Confirm the file/folder did not return​

Run:

Test-Path "$env:LOCALAPPDATA\Temp\wsc35FD.tmp"
Test-Path "$env:LOCALAPPDATA\Microsoft\Windows\InetHelper"
Get-ChildItem "$env:LOCALAPPDATA\Temp" -Force | Where-Object {$_.Name -match "^(wsc|wns).+\.tmp$"}

Good result:

False
False
No output from the Get-ChildItem command

3. Check firewall logs over the next day​

Watch for any new blocks to:

files.nflxso.ca
register.nflxso.ca
nflxso.ca

If you see no new attempts, that supports the idea that it’s gone.

4. Keep the system online only after updating Defender​

Run:

Update-MpSignature
Start-MpScan -ScanType QuickScan

I would still do this​

Because the original behavior looked like a loader/stealer pattern, I’d change important passwords from a different clean device, especially:

Email
Microsoft account
Banking
Password manager
Browser-synced accounts
Gaming/store accounts

Also enable 2FA/MFA where possible.

When to worry again​

Start investigating again only if one of these happens:

The rundll popup returns
wsc35FD.tmp or another wsc*.tmp / wns*.tmp returns
Firewall blocks nflxso.ca again
Unknown Defender exclusions appear
Unknown startup entries appear
Browser/account logins look suspicious

Bottom line​

At this point, I’d call it contained but worth monitoring. Don’t reinstall Windows based on the current state. Keep an eye on it for 24–48 hours, and if nothing comes back, you can reasonably let this one go.