Adlice forum

General Category => Malware removal help => Topic started by: HelpIsNeeded on December 15, 2022, 05:15:39 PM

Title: explorer.exe rundll32
Post by: HelpIsNeeded on December 15, 2022, 05:15:39 PM
Hi there. RogueKiller free found explorer and librewolf and rundll32 as malware. I had it remove them all, but librewolf malware keeps coming back as soon as I restart librewolf. Are these false positives? What was weird is that before I removed them the first time it found them as malware, I re-scanned, and it found nothing, and then I had to re-scan over and over until it finally found those files as malware again. And then randomly it found rundll32 as malware. It had only found explorer and librewolf before.

Please see screenshot

https://imgur.com/a/DLAqEJt

https://imgur.com/a/dWdOKRB

https://imgur.com/a/UHzahVb
Title: Re: explorer.exe rundll32
Post by: Curson on December 15, 2022, 08:18:36 PM
Hi HelpIsNeeded,

Welcome to Adlice.com Forum.
Could you please attach the RogueKiller scan report with your next reply?

Regards.
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 15, 2022, 09:43:12 PM
Thank you. Here it is.

Were you able to see my screenshots in my post? I can't see them! Weird.

EDIT: I updated it, so you can now click the links to see screenshots
Title: Re: explorer.exe rundll32
Post by: Curson on December 16, 2022, 08:40:15 PM
Hi HelpIsNeeded,

We need to retrieve more information.
Please make sure to restart your system.

Please follow the following process:
Regards.
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 17, 2022, 01:46:10 PM
Here it is
https://ufile.io/qsel450i
Title: Re: explorer.exe rundll32
Post by: Curson on December 17, 2022, 09:49:08 PM
Hi HelpIsNeeded,

This is not a false positive.
Something is injecting the EICAR string into explorer.exe at runtime.

Which security tools do you use?

EDIT: Do you have an EICAR test file somewhere on your HDD?

Regards.
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 17, 2022, 10:06:47 PM
Wow, I have been believing something is going on for a long time. That someone is doing it in a way to not be caught, but fortunately Rogue is the ONLY one that found this, and I had to re-scan multiple times for it to find it; sometimes it finds it, sometimes it does not, and when I delete it, it comes back. But I need to re-scan over and over and hope I'm lucky. I guess it's because they inject at the right time, and I'm hitting scan and getting lucky.

I'm using Malwarebytes (finds nothing) and Norton 360. I have scanned with multiple scanners, nothing! Only Rogue found it, and only when lucky when hitting scan.
Title: Re: explorer.exe rundll32
Post by: Curson on December 17, 2022, 10:07:54 PM
Hi HelpIsNeeded,

Do you have an EICAR test file somewhere on your HDD?

Regards.
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 17, 2022, 10:13:35 PM
I don't even know what that is, and how do I find it? How do I check if I have that?

I read "Some security software might put this file on your PC to test that it's working correctly."

Hmm. I wonder if it's because of that? Like maybe Norton has that, or Malwarebytes, or any other malware tool I have used? I hope there is a way for me to check.
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 17, 2022, 10:18:34 PM
Apparently it's not so harmless! You can make it harmful, I guess, to hide the real attack. "How to Create a Malicious Test File (EICAR) - VMware Carbon Black"
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 17, 2022, 11:03:05 PM
I found this when I searched; is this causing it?

https://imgur.com/a/d63TqL5

https://imgur.com/a/GweDPdM
Title: Re: explorer.exe rundll32
Post by: Curson on December 17, 2022, 11:14:31 PM
Hi HelpIsNeeded,

No, that's not it. The EICAR test signature is more complicated than that.

"How to Create a Malicious Test File (EICAR) - VMware Carbon Black" is a misleading title; it's a standard EICAR file, completely harmless.
It will be quite complicated to find what is injecting the string, hence I advise you to ignore it.

For information purpose, you will find a memory map attached, listing all DLL loaded into explorer.exe with READ and WRITE permissions.
Maybe you will find some clue within it.

Regards.
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 17, 2022, 11:19:07 PM
Thanks, but I'm not an expert, so I don't understand it enough to check it. Don't you guys have experts that can do it for me?
Title: Re: explorer.exe rundll32
Post by: Curson on December 17, 2022, 11:58:45 PM
Hi HelpIsNeeded,

Frankly I think it's a loss of time searching for the culprit, since EICAR is harmless.
Process injection can be achieved in numerous ways, and it usually requires live access to the system and a lot of time to detect the source.

Regards.
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 18, 2022, 01:09:39 AM
Quote
Hi HelpIsNeeded,

Frankly I think it's a loss of time searching for the culprit, since EICAR is harmless.
Process injection can be achieved in numerous ways, and it usually requires live access to the system and a lot of time to detect the source.

Regards.

Do you mean that process injection requires live access to the system? Like someone would have to have physical access to my PC to inject it? Or do you mean one needs physical access to the PC to sit and detect the source?

Regards
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 18, 2022, 01:15:48 AM
Please, can you review these screenshots and tell me if it's a good idea to have those blocked. And do you have recommended files to add to that list?
https://ufile.io/m9aon98l
Title: Re: explorer.exe rundll32
Post by: Curson on December 18, 2022, 07:03:03 PM
Hi HelpIsNeeded,

I meant that live access to the system is usually needed by an expert to detect exactly what is doing the injection.
Sorry for the misunderstanding.

Blocking applications can have unintended consequences. I would be very careful with that.

Regards.
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 18, 2022, 10:16:04 PM
Hi again. I downloaded the EICAR test file and did as they said, but my antivirus doesn't find it as malware! So it seems my antivirus doesn't work as it should; I'm afraid someone has managed to do this to remain undetected. I mean, why does it not find it as a virus? It just scans and says everything is OK. It should say something is wrong, because it's a test file, not a real threat, but it should still make it go "Alert!" and it does not, hence why something is wrong. I did as they said and right-clicked the file and chose Norton to scan it, but it came out OK, no detection. Please see my screenshot and see if I did it the right way.

https://imgur.com/a/zQ0vlDd

https://kcm.trellix.com/corporate/index?page=content&id=KB59742
Title: Re: explorer.exe rundll32
Post by: Curson on December 18, 2022, 11:15:25 PM
Hi HelpIsNeeded,

It seems some AV engines do not detect it anymore.
Quote
The developers of one anti-virus software, Malwarebytes, have said that they did not add the EICAR test file to their database, because "adding fake malware and test files like EICAR to the database takes time away from malware research, and proves nothing in the long run"

Regards.
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 18, 2022, 11:42:48 PM
Quote
Hi HelpIsNeeded,

It seems most AV engines do not detect it anymore.

Please see the results of VirusTotal:
https://www.virustotal.com/gui/file/a29fbf9bbef6c3bbb204dd7bb9f5a6619529a6fb6371985a73242092133de227/detection

So, no wonder Norton and MalwareBytes didn't detect it.

Regards.

Ok thanks. I saw this article https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/ (not directly related, but I have something to say)

And in this screenshot I point out that it's an internet shortcut file, and that's exactly what I had on my PC for no reason at all; it was also an internet shortcut .ink that had your website name and EICAR in its name. Now I can't find that file, but I have it saved on my USB just in case it's needed as proof. I don't remember if I deleted it. I found it via searching the PC for EICAR when we spoke in the beginning.

https://imgur.com/a/KeFmzDG

Is it an internet shortcut, or is it the "INFO ON .INK FILES: The INK file type is primarily associated with 'Tablet PC'" that can be seen in my screenshot?

https://imgur.com/a/m9Ozcn8

https://imgur.com/a/SHxva69
Title: Re: explorer.exe rundll32
Post by: Curson on December 19, 2022, 09:01:24 PM
Hi HelpIsNeeded,

Shortcuts (LNK files) are not malicious.
Can you please update and do a complete system scan with RogueKiller? We made some adjustments to the engine.

Regards.
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 19, 2022, 09:46:44 PM
Quote
Hi HelpIsNeeded,

Shortcuts (LNK files) are not malicious.
Can you please update and do a complete system scan with RogueKiller? We made some adjustments to the engine.

Regards.

Oh! That's why I don't get librewolf or explorer flagged anymore; I've been scanning over and over for hours on end. I guess I can stop that now, lmao. Thanks for your help
Title: Re: explorer.exe rundll32
Post by: Curson on December 19, 2022, 10:21:59 PM
Hi HelpIsNeeded,

You are welcome.
Thanks for your feedback.

Regards.
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 20, 2022, 06:04:20 AM
Hi again. Just a question. You said it was not a false positive; did you change RogueKiller so that it flagged what was found from my part as a false positive? Regards
Title: Re: explorer.exe rundll32
Post by: Curson on December 20, 2022, 09:55:02 PM
Hi HelpIsNeeded,

It is a little more complicated than that.
Explorer.exe is the file explorer of Windows NT-based systems and part of the Windows GUI (desktop, Start Menu, Taskbar), the Windows Shell.

There is a caching mechanism implemented in explorer.exe to display already viewed files faster (you can test this with large images). There is no source code available, so it's speculation at this point but, after asking some colleagues, we came to the conclusion that there is a file on your computer that contains the EICAR test string and that its content is cached in explorer.exe memory, hence triggering the detection.

In conclusion, the EICAR test is really present, but it's not the result of an injection, but some caching mechanisms.
We refined the RogueKiller engine to detect that difference. That's why the detection is now gone.

Regards.
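Curson's explanation above comes down to two checks a user can do on their own disk: tell a genuine EICAR test file apart from a file that merely mentions the string, and locate whichever file explorer.exe may have cached. As an added example (not code from the thread or from Adlice), here is a small Python scanner that applies the EICAR file rules (the 68-byte string at offset 0, only trailing whitespace allowed, 128 bytes in total at most) to a constructed sample directory; the sample file names and contents are assumptions.

```python
import os
import tempfile

# The public 68-byte EICAR test string (harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MAX_LEN = 128            # spec: the whole file is at most 128 bytes
TRAILING_OK = b" \t\r\n\x1a"   # only whitespace / CTRL-Z may follow the string

def is_eicar_test_file(data: bytes) -> bool:
    """True only for a genuine EICAR test file: string at offset 0, whitespace after, <=128 bytes."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in TRAILING_OK for b in data[len(EICAR):])

def classify(path: str) -> str:
    """'eicar' = real test file; 'mention' = only contains the string or the word EICAR; 'clean' = neither."""
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)    # the first MiB is enough for this check
    if is_eicar_test_file(data):
        return "eicar"
    if EICAR in data or b"EICAR" in data or "EICAR" in os.path.basename(path).upper():
        return "mention"
    return "clean"

def scan_tree(root: str) -> dict:
    """Walk a directory and map each file's relative path to its verdict."""
    verdicts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            verdicts[os.path.relpath(full, root)] = classify(full)
    return verdicts

def build_sample_tree() -> str:
    """Constructed sample data (assumed names): a real test file, a shortcut named after EICAR, a note, a clean file."""
    root = tempfile.mkdtemp(prefix="eicar_demo_")
    samples = {
        "eicar.com": EICAR + b"\r\n",
        "forum EICAR.url": b"[InternetShortcut]\r\nURL=https://example.invalid/\r\n",
        "notes.txt": b"The AV test string is " + EICAR + b" and it is harmless.\n",
        "report.txt": b"nothing interesting here\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, verdict in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{verdict:8} {rel}")
```

Pointing scan_tree at a real user profile lists the 'mention' files (shortcut names, notes, logs) that a file browser could have read and cached, alongside any true test file.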
Title: Re: explorer.exe rundll32
Post by: HelpIsNeeded on December 22, 2022, 05:25:08 PM
Quote
Hi HelpIsNeeded,

It is a little more complicated than that.
Explorer.exe is the file explorer of Windows NT-based systems and part of the Windows GUI (desktop, Start Menu, Taskbar), the Windows Shell.

There is a caching mechanism implemented in explorer.exe to display already viewed files faster (you can test this with large images). There is no source code available, so it's speculation at this point but, after asking some colleagues, we came to the conclusion that there is a file on your computer that contains the EICAR test string and that its content is cached in explorer.exe memory, hence triggering the detection.

In conclusion, the EICAR test is really present, but it's not the result of an injection, but some caching mechanisms.
We refined the RogueKiller engine to detect that difference. That's why the detection is now gone.

Regards.

"content is cached in explorer.exe memory"
Is that of any concern? Regards
Title: Re: explorer.exe rundll32
Post by: Curson on December 22, 2022, 08:17:01 PM
Hi HelpIsNeeded,

No, it's no concern at all.
Like I said, the EICAR string is completely harmless.

Regards.