

Messages - HelpIsNeeded

1
Malware removal help / Re: explorer.exe rundll32
« on: December 22, 2022, 05:25:08 PM »
Hi HelpIsNeeded,

It is a little more complicated than that.
Explorer.exe is the file explorer of Windows NT-based systems and part of the Windows GUI (desktop, Start Menu, Taskbar), the Windows Shell.

There is a caching mechanism implemented in explorer.exe to display already viewed files faster (you can test this with large images). There is no source code available, so it's speculation at this point but, after asking some colleagues, we came to the conclusion that there is a file on your computer that contains the EICAR test string and that its content is cached in explorer.exe memory, hence triggering the detection.

In conclusion, the EICAR test string is really present, but it's not the result of an injection, but of some caching mechanism.
We refined the RogueKiller engine to detect that difference. That's why the detection is now gone.

Regards.

"content is cached in explorer.exe memory"
Is that of any concern? Regards

2
Malware removal help / Re: explorer.exe rundll32
« on: December 20, 2022, 06:04:20 AM »
Hi again. Just a question. You said it was not a false positive; did you change RogueKiller so that it flags what was found on my part as a false positive? Regards

3
Malware removal help / Re: explorer.exe rundll32
« on: December 19, 2022, 09:46:44 PM »
Hi HelpIsNeeded,

Shortcuts (LNK files) are not malicious.
Can you please update and do a complete system scan with RogueKiller? We made some adjustments to the engine.

Regards.

Oh! That's why I don't get LibreWolf or explorer flagged anymore; I've been scanning over and over for hours on end. I guess I can stop that now, lmao. Thanks for your help

4
Malware removal help / Re: explorer.exe rundll32
« on: December 18, 2022, 11:42:48 PM »
Hi HelpIsNeeded,

It seems most AV engines do not detect it anymore.

Please see the results on VirusTotal:
https://www.virustotal.com/gui/file/a29fbf9bbef6c3bbb204dd7bb9f5a6619529a6fb6371985a73242092133de227/detection

So, no wonder Norton and MalwareBytes didn't detect it.

Regards.

OK, thanks. I saw this article https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/ (not directly related, but I have something to say).

And in this screenshot I point out that it's an internet shortcut file, and that's exactly what I had on my PC for no reason at all; it was also an internet shortcut .ink that had your website name and EICAR in its name. Now I can't find that file, but I have it saved on my USB just in case it's needed as proof. I don't remember if I deleted it. I found it via searching the PC for EICAR when we spoke in the beginning.

https://imgur.com/a/KeFmzDG

Is it an internet shortcut, or is it "INFO ON .INK FILES: The INK file type is primarily associated with 'Tablet PC'" that can be seen in my screenshot?

https://imgur.com/a/m9Ozcn8

https://imgur.com/a/SHxva69

5
Malware removal help / Re: explorer.exe rundll32
« on: December 18, 2022, 10:16:04 PM »
Hi again. I downloaded the EICAR test file and did as they said, but my antivirus doesn't find it as malware! So it seems my antivirus doesn't work as it should; I'm afraid someone has managed to do this to remain undetected. I mean, why does it not find it as a virus? It just scans and says everything is OK. It should say something is wrong: it's a test file, not a real threat, but it should still make it go "Alert!", and it does not, hence why something is wrong. I did as they said and right-clicked the file and chose Norton to scan it, but it came out OK, no detection. Please see my screenshot and see if I did it the right way.

https://imgur.com/a/zQ0vlDd

https://kcm.trellix.com/corporate/index?page=content&id=KB59742

6
Malware removal help / Re: explorer.exe rundll32
« on: December 18, 2022, 01:15:48 AM »
Please, can you review these screenshots and tell me if it's a good idea to have those blocked. And do you have recommended files to add to that list?
https://ufile.io/m9aon98l

7
Malware removal help / Re: explorer.exe rundll32
« on: December 18, 2022, 01:09:39 AM »
Hi HelpIsNeeded,

Frankly, I think it's a waste of time searching for the culprit, since EICAR is harmless.
Process injection can be achieved in numerous ways, and it usually requires live access to the system and a lot of time to detect the source.

Regards.

Do you mean that process injection requires live access to the system? Like someone would have to have physical access to my PC to inject it? Or do you mean one needs physical access to the PC to sit and detect the source?

Regards

8
Malware removal help / Re: explorer.exe rundll32
« on: December 17, 2022, 11:19:07 PM »
Thanks, but I'm not an expert, so I don't understand it enough to check it. Don't you guys have experts that can do it for me?

9
Malware removal help / Re: explorer.exe rundll32
« on: December 17, 2022, 11:03:05 PM »
I found this when I searched; is this what's causing it?

https://imgur.com/a/d63TqL5

https://imgur.com/a/GweDPdM

10
Malware removal help / Re: explorer.exe rundll32
« on: December 17, 2022, 10:18:34 PM »
Apparently it's not so harmless! You can make it harmful, I guess, to hide the real attack. "How to Create a Malicious Test File (EICAR) - VMware Carbon Black"

11
Malware removal help / Re: explorer.exe rundll32
« on: December 17, 2022, 10:13:35 PM »
I don't even know what that is, and how do I find it? How do I check if I have that?

I read "Some security software might put this file on your PC to test that it's working correctly."

Hmm. I wonder if it's because of that? Like maybe Norton has that, or Malwarebytes, or any other malware tool I have used? I hope there is a way for me to check.
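A check for what posts 5 and 11 above keep coming back to: a downloaded EICAR file the antivirus did not flag, and how to find out whether such a file is on the machine at all. This is an added example, not code from RogueKiller or from anyone in the thread. It applies the EICAR specification (the 68-byte string at offset 0, only trailing whitespace, at most 128 bytes in total) to tell a spec-compliant test file, which every engine is expected to flag, from a file that merely embeds the string, which engines are not required to flag; file names and contents in `demo()` are constructed.

```python
import os
import tempfile
from pathlib import Path

# The 68-byte EICAR test string, written as two halves so that this source
# file is not itself a spec-compliant test file.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
# Trailing bytes the EICAR spec permits after the string: space, tab, LF, CR, Ctrl-Z.
EICAR_TRAILER = set(b" \t\n\r\x1a")
EICAR_MAX_LEN = 128  # spec: total file length must not exceed 128 bytes

def classify_eicar(data: bytes) -> str:
    """'test-file': spec-compliant EICAR file, which every engine should flag.
    'embedded' : the string is present but the file is not spec-compliant
                 (larger than 128 bytes, or string not at offset 0); engines
                 are not required to flag this, so verdicts differ by product.
    'clean'    : the string is absent."""
    if (data.startswith(EICAR) and len(data) <= EICAR_MAX_LEN
            and all(b in EICAR_TRAILER for b in data[len(EICAR):])):
        return "test-file"
    if EICAR in data:
        return "embedded"
    return "clean"

def find_eicar_files(root: str) -> dict:
    """Walk a directory tree; map relative path -> verdict for every hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            try:
                verdict = classify_eicar(path.read_bytes())
            except OSError:
                continue  # unreadable file: skipped, not reported as clean
            if verdict != "clean":
                hits[str(path.relative_to(root))] = verdict
    return hits

def demo() -> dict:
    """Scan constructed sample files (hypothetical names) in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "eicar.com").write_bytes(EICAR + b"\r\n")  # compliant
        Path(tmp, "notes.txt").write_bytes(b"found: " + EICAR + b"\n" * 200)  # embedded
        Path(tmp, "readme.txt").write_bytes(b"nothing to see here\n")  # clean
        return find_eicar_files(tmp)
```

Point `find_eicar_files` at a folder you suspect to list every file carrying the string together with whether it is a genuine test file or just a file that contains it.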

12
Malware removal help / Re: explorer.exe rundll32
« on: December 17, 2022, 10:06:47 PM »
Wow, I have believed something is going on for a long time. That someone is doing it in a way so as not to be caught, but fortunately Rogue is the ONLY one that found this, and I had to re-scan multiple times for it to find it; sometimes it finds it, sometimes it does not, and when I delete it, it comes back. But I need to re-scan over and over and hope I'm lucky. I guess it's because they inject at the right time, and I'm hitting scan and getting lucky.

I'm using Malwarebytes (finds nothing) and Norton 360. I have scanned with multiple scanners, nothing! Only Rogue found it, and only when lucky when hitting scan.

13
Malware removal help / Re: explorer.exe rundll32
« on: December 17, 2022, 01:46:10 PM »

14
Malware removal help / Re: explorer.exe rundll32
« on: December 15, 2022, 09:43:12 PM »
Thank you. Here it is.

Were you able to see my screenshots in my post? I can't see them! Weird.

EDIT: I updated it, so you can now click the links to see screenshots

15
Malware removal help / explorer.exe rundll32
« on: December 15, 2022, 05:15:39 PM »
Hi there. RogueKiller Free found explorer, LibreWolf and rundll32 as malware. I had it remove them all, but the LibreWolf malware keeps coming back as soon as I restart LibreWolf. Are these false positives? What was weird is that before I removed them the first time it found them as malware, I re-scanned and it found nothing, and then I had to re-scan over and over until it finally found those files as malware again. And then randomly it found rundll32 as malware. It had only found explorer and LibreWolf before.

Please see screenshot

https://imgur.com/a/DLAqEJt

https://imgur.com/a/dWdOKRB

https://imgur.com/a/UHzahVb
