explorer.exe rundll32

[HelpIsNeeded]

Hi there. Roguekiller free found explorer and librewolf and rundll32 as malware. I had it remove them all, but librewolf malware keeps coming back as soon as i restart librewolf. Is this false positives? What was weird is that before i removed them the first time it found them as malware, i re-scanned, and it found nothing, and then i had to re-scan over and over until it finally found those files as malware again. And then randomly it found rundll32 as a malware. It only had found explorer librewolf before.

Please see screenshot

https://imgur.com/a/DLAqEJt

https://imgur.com/a/dWdOKRB

https://imgur.com/a/UHzahVb

[Curson]

Hi HelpIsNeeded,

Welcome to Adlice.com Forum.
Could you please attach RogueKiller scan report with your next reply ?

Regards.

[HelpIsNeeded]

Thank you. Here it is.

Were you able to see my screenshots in my post? I can't see them! Weird.

EDIT: I updated it, so you can now click the links to see screenshots

[Curson]

Hi HelpIsNeeded,

We need to retrieve more information.
Please make sure to restart your system.

Please follow the following process :

• Download Process Explorer (x64) and save it to your desktop.
  
• Click on the setup file (procexp64.exe) and select Run as Administrator to start the tool.
• Locate the process named explorer.exe, do a right click on it and select Create Dump > Create Full Dump...
• Save the dump on your desktop and compress it.
• Upload it to Dropbox, Google Drive or similar services and share the link in your next reply.

Regards.

[HelpIsNeeded]

Here is it
https://ufile.io/qsel450i

[Curson]

Hi HelpIsNeeded,

This is not a false positive.
Something is injecting the EICAR string into explorer.exe at runtime.

Which security tools do you use ?

EDIT : Do you have an EICAR test file somewhere on your HDD ?

Regards.

[HelpIsNeeded]

Wow, I have been believing something is going on for a long time. That someone is doing it in a way to not be caught, but fortunately Rouge is the ONLY one that found this, and I had to re-scan multiple times for it to find it, sometimes it finds it sometime it does not, and when I delete it, it comes back. But I need to re-scan over and over and hope I'm lucky. I guess It's because they inject at the right time, I'm hitting scan getting lucky.

Im using malwarebytes (finds nothing) and norton 360. i have scanned with multiply scanners, nothing! Only rouge found it, and only when lucky when hitting scan.

[Curson]

Hi HelpIsNeeded,

Do you have an EICAR test file somewhere on your HDD ?

Regards.

[HelpIsNeeded]

I dont even know what that is, and how do i find it? How do i check if i have that?

I read "Some security software might put this file on your PC to test that it's working correctly."

Hmm. i wonder if its because of that? like maybe norton has that or malwarebytes or any other malware tool i have used? i hope there is a way for me to check.

[HelpIsNeeded]

Apparently it's not so harmless! You can make it harmful, i guess, to hide the real attack. "How to Create a Malicious Test File (EICAR) - VMware Carbon Black"

[HelpIsNeeded]

I found this when i searched, is it this causing it?

https://imgur.com/a/d63TqL5

https://imgur.com/a/GweDPdM

[Curson]

Hi HelpIsNeeded,

No, that's not it. The EICAR test signature is more complicated than that.

"How to Create a Malicious Test File (EICAR) - VMware Carbon Black" is a misleading title, it's a stantard EICAR file, completely harmless.
It will be quite complicated to find what is injecting the string, hence I advise you to ignore it.

For information purpose, you will find a memory map attached, listing all DLL loaded into explorer.exe with READ and WRITE permissions.
Maybe you will find some clue within it.

Regards.

[HelpIsNeeded]

Thanks, but im not an expert, so i dont understand it to check it. Dont you guys have experts that can do it for me?

[Curson]

Hi HelpIsNeeded,

Frankly I think it's a loss of time searching for the culprit, since EICAR is harmless.
Process injection can be achieved using numerous ways and it usually require live access to the system and lot of time to detect the source.

Regards.

[HelpIsNeeded]

Hi HelpIsNeeded,

Frankly I think it's a loss of time searching for the culprit, since EICAR is harmless.
Process injection can be achieved using numerous ways and it usually require live access to the system and lot of time to detect the source.

Regards.

Do you mean that process injection require live access to the system? Like someone would have to have physical access to my PC to do inject it? Or do you mean one needs physical access to PC to sit and detect the source?

Regards