Author Topic: explorer.exe rundll32  (Read 5063 times)

HelpIsNeeded

explorer.exe rundll32
« on: December 15, 2022, 05:15:39 PM »
Hi there. RogueKiller Free found explorer, librewolf and rundll32 as malware. I had it remove them all, but the librewolf malware keeps coming back as soon as I restart librewolf. Are these false positives? What was weird is that before I removed them the first time it found them as malware, I re-scanned and it found nothing, and then I had to re-scan over and over until it finally found those files as malware again. And then randomly it found rundll32 as malware. It had only found explorer and librewolf before.

Please see the screenshots:

https://imgur.com/a/DLAqEJt

https://imgur.com/a/dWdOKRB

https://imgur.com/a/UHzahVb
« Last Edit: December 15, 2022, 09:47:05 PM by HelpIsNeeded »

Curson

Re: explorer.exe rundll32
« Reply #1 on: December 15, 2022, 08:18:36 PM »
Hi HelpIsNeeded,

Welcome to Adlice.com Forum.
Could you please attach the RogueKiller scan report to your next reply?

Regards.

HelpIsNeeded

Re: explorer.exe rundll32
« Reply #2 on: December 15, 2022, 09:43:12 PM »
Thank you. Here it is.

Were you able to see my screenshots in my post? I can't see them! Weird.

EDIT: I updated it, so you can now click the links to see the screenshots.
« Last Edit: December 15, 2022, 09:47:32 PM by HelpIsNeeded »

Curson

Re: explorer.exe rundll32
« Reply #3 on: December 16, 2022, 08:40:15 PM »
Hi HelpIsNeeded,

We need to retrieve more information.
Please make sure to restart your system.

Please follow this process:
  • Download Process Explorer (x64) and save it to your desktop.
  • Click on the setup file (procexp64.exe) and select Run as Administrator to start the tool.
  • Locate the process named explorer.exe, right-click on it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Upload it to Dropbox, Google Drive or similar services and share the link in your next reply.
Regards.

HelpIsNeeded

Re: explorer.exe rundll32
« Reply #4 on: December 17, 2022, 01:46:10 PM »

Curson

Re: explorer.exe rundll32
« Reply #5 on: December 17, 2022, 09:49:08 PM »
Hi HelpIsNeeded,

This is not a false positive.
Something is injecting the EICAR string into explorer.exe at runtime.

Which security tools do you use?

EDIT: Do you have an EICAR test file somewhere on your HDD?

Regards.
« Last Edit: December 17, 2022, 10:02:28 PM by Curson »

HelpIsNeeded

Re: explorer.exe rundll32
« Reply #6 on: December 17, 2022, 10:06:47 PM »
Wow, I have been believing something is going on for a long time. That someone is doing it in a way to not be caught, but fortunately Rogue is the ONLY one that found this, and I had to re-scan multiple times for it to find it; sometimes it finds it, sometimes it does not, and when I delete it, it comes back. But I need to re-scan over and over and hope I'm lucky. I guess it's because they inject at the right time, and I'm hitting scan and getting lucky.

I'm using Malwarebytes (finds nothing) and Norton 360. I have scanned with multiple scanners, nothing! Only Rogue found it, and only when lucky when hitting scan.

Curson

Re: explorer.exe rundll32
« Reply #7 on: December 17, 2022, 10:07:54 PM »
Hi HelpIsNeeded,

Do you have an EICAR test file somewhere on your HDD?

Regards.

HelpIsNeeded

Re: explorer.exe rundll32
« Reply #8 on: December 17, 2022, 10:13:35 PM »
I don't even know what that is, and how do I find it? How do I check if I have that?

I read "Some security software might put this file on your PC to test that it's working correctly."

Hmm. I wonder if it's because of that? Like maybe Norton has that, or Malwarebytes, or any other malware tool I have used? I hope there is a way for me to check.
« Last Edit: December 17, 2022, 10:15:54 PM by HelpIsNeeded »

HelpIsNeeded

Re: explorer.exe rundll32
« Reply #9 on: December 17, 2022, 10:18:34 PM »
Apparently it's not so harmless! You can make it harmful, I guess, to hide the real attack. "How to Create a Malicious Test File (EICAR) - VMware Carbon Black"

HelpIsNeeded

Re: explorer.exe rundll32
« Reply #10 on: December 17, 2022, 11:03:05 PM »
I found this when I searched. Is this causing it?

https://imgur.com/a/d63TqL5

https://imgur.com/a/GweDPdM
« Last Edit: December 17, 2022, 11:10:57 PM by HelpIsNeeded »

Curson

Re: explorer.exe rundll32
« Reply #11 on: December 17, 2022, 11:14:31 PM »
Hi HelpIsNeeded,

No, that's not it. The EICAR test signature is more complicated than that.

"How to Create a Malicious Test File (EICAR) - VMware Carbon Black" is a misleading title; it's a standard EICAR file, completely harmless.
It will be quite complicated to find what is injecting the string, hence I advise you to ignore it.

For information purposes, you will find a memory map attached, listing all DLLs loaded into explorer.exe with READ and WRITE permissions.
Maybe you will find some clue within it.

Regards.
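To confirm what RogueKiller reported (Reply #5: the EICAR test string present inside explorer.exe at runtime), a defender can search the full dump produced by the Process Explorer steps in Reply #3 for the 68-byte EICAR string. The script below is an added example, not code from this thread or from RogueKiller: it scans a dump in chunks with an overlap so a copy split across a chunk boundary is still found exactly once, and it builds a constructed sample dump in a temporary file so it runs without a real dump.

```python
import os
import tempfile

# The standard 68-byte EICAR test string as a raw bytes literal (keeps the
# backslash). It is a benign anti-virus test pattern, not malicious code.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def find_eicar_offsets(path, chunk_size=1 << 20):
    """Return every file offset of EICAR in the dump at path. The last
    len(EICAR)-1 bytes of each chunk are carried into the next chunk, so a
    copy split across a boundary is found exactly once (a carry shorter
    than the pattern cannot hold a full match by itself)."""
    if chunk_size < len(EICAR):
        raise ValueError("chunk_size must be at least len(EICAR)")
    offsets, carry, base = [], b"", 0  # base: file offset of carry[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = carry + chunk
            idx = window.find(EICAR)
            while idx >= 0:
                offsets.append(base + idx)
                idx = window.find(EICAR, idx + 1)
            keep = min(len(EICAR) - 1, len(window))
            carry = window[len(window) - keep:]
            base += len(window) - keep
    return offsets


def build_sample_dump(path, chunk_size):
    """Write a constructed zero-filled dump with two EICAR copies, one inside
    the first chunk and one straddling the first chunk boundary; return both
    offsets so the scanner's result can be checked against them."""
    offsets = [100, chunk_size - 10]  # second copy: 10 bytes before the edge
    data = bytearray(2 * chunk_size)  # bytearray(n) is n zero bytes
    for off in offsets:
        data[off:off + len(EICAR)] = EICAR
    with open(path, "wb") as fh:
        fh.write(data)
    return offsets


def demo(chunk_size=4096):
    """Scan a constructed dump; return (expected_offsets, found_offsets)."""
    fd, path = tempfile.mkstemp(suffix=".dmp")
    os.close(fd)
    try:
        return build_sample_dump(path, chunk_size), find_eicar_offsets(path, chunk_size)
    finally:
        os.remove(path)
```

On a real dump call find_eicar_offsets(path) directly; a non-empty result confirms the string is in the captured memory, but file offsets are not virtual addresses, so tying a hit to a module in the attached memory map needs the minidump's memory-range information.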

HelpIsNeeded

Re: explorer.exe rundll32
« Reply #12 on: December 17, 2022, 11:19:07 PM »
Thanks, but I'm not an expert, so I don't understand it enough to check it. Don't you guys have experts that can do it for me?

Curson

Re: explorer.exe rundll32
« Reply #13 on: December 17, 2022, 11:58:45 PM »
Hi HelpIsNeeded,

Frankly, I think it's a waste of time searching for the culprit, since EICAR is harmless.
Process injection can be achieved in numerous ways, and it usually requires live access to the system and a lot of time to detect the source.

Regards.

HelpIsNeeded

Re: explorer.exe rundll32
« Reply #14 on: December 18, 2022, 01:09:39 AM »
Hi HelpIsNeeded,

Frankly, I think it's a waste of time searching for the culprit, since EICAR is harmless.
Process injection can be achieved in numerous ways, and it usually requires live access to the system and a lot of time to detect the source.

Regards.

Do you mean that process injection requires live access to the system? Like someone would have to have physical access to my PC to inject it? Or do you mean one needs physical access to the PC to sit and detect the source?

Regards