Author Topic: explorer.exe rundll32  (Read 5218 times)

0 Members and 1 Guest are viewing this topic.

Reply #15December 18, 2022, 01:15:48 AM

HelpIsNeeded

  • Newbie

  • Offline
  • *

  • 15
  • Reputation:
    0
    • View Profile
Re: explorer.exe rundll32
« Reply #15 on: December 18, 2022, 01:15:48 AM »
Please, can you review these screenshots and tell me if it's a good idea to have those blocked. And do you have recommended files to add to that list?
https://ufile.io/m9aon98l

Reply #16December 18, 2022, 07:03:03 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: explorer.exe rundll32
« Reply #16 on: December 18, 2022, 07:03:03 PM »
Hi HelpIsNeeded,

I meant that live access to the system is usually needed by an expert to detect exactly what is doing the injection.
Sorry for the misunderstanding.

Blocking applications can have unintented consequences. I would be very careful with that.

Regards.
« Last Edit: December 18, 2022, 07:06:26 PM by Curson »

Reply #17December 18, 2022, 10:16:04 PM

HelpIsNeeded

  • Newbie

  • Offline
  • *

  • 15
  • Reputation:
    0
    • View Profile
Re: explorer.exe rundll32
« Reply #17 on: December 18, 2022, 10:16:04 PM »
Hi again. I downloaded EICAR test file and did as they said but my antivirus dont find it as a malware! so it seems my antivirus dont work as it should, im afraid someone has managed to do this to remain undetected. I mean why does it not find it as a virus, it just scans and say everything is ok. it should say something is wrong because its a test file not a real threat but it should still make it go "Alert!" but it does not hence why something is wrong. I did as they said and right-clicked the file and chose norton to scan it but it came out ok no detection. Please see my screenshot and see if i did it the right way.

https://imgur.com/a/zQ0vlDd

https://kcm.trellix.com/corporate/index?page=content&id=KB59742
« Last Edit: December 18, 2022, 10:19:34 PM by HelpIsNeeded »

Reply #18December 18, 2022, 11:15:25 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: explorer.exe rundll32
« Reply #18 on: December 18, 2022, 11:15:25 PM »
Hi HelpIsNeeded,

It seems some AV engines does not detect it anymore.
Quote
The developers of one anti-virus software, Malwarebytes, have said that they did not add the EICAR test file to their database, because "adding fake malware and test files like EICAR to the database takes time away from malware research, and proves nothing in the long run"

Regards.
« Last Edit: December 18, 2022, 11:39:05 PM by Curson »

Reply #19December 18, 2022, 11:42:48 PM

HelpIsNeeded

  • Newbie

  • Offline
  • *

  • 15
  • Reputation:
    0
    • View Profile
Re: explorer.exe rundll32
« Reply #19 on: December 18, 2022, 11:42:48 PM »
Hi HelpIsNeeded,

It seems most AV engines does not detect it anymore.

Please see the results of VirusTotal :
https://www.virustotal.com/gui/file/a29fbf9bbef6c3bbb204dd7bb9f5a6619529a6fb6371985a73242092133de227/detection

So, no wonder Norton and MalwareBytes didn't detect it.

Regards.

Ok thanks. I saw this article https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/ (not directly related but i have something to say)

And in this screenshot i point out that its a file internet shortcut, and thats exactly what i had in my pc for no reason at all, it was also a internet shortcut .ink that had your website name and EICAR in its name, now i cant find that file, but have it saved in my usb just in case needed as proof. i dont remember if i deleted it. I found it via searching the pc for EICAR when we spoke in the beginning.

https://imgur.com/a/KeFmzDG

is it a internet shortcut or is it "INFO ON .INK FILES

The INK file type is primarily associated with 'Tablet PC' " that can be seen in my screenshot?

https://imgur.com/a/m9Ozcn8

https://imgur.com/a/SHxva69

Reply #20December 19, 2022, 09:01:24 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: explorer.exe rundll32
« Reply #20 on: December 19, 2022, 09:01:24 PM »
Hi HelpIsNeeded,

Shortcuts (LNK files) are not malicious.
Can you please update and do a complete system scan with RogueKiller ? We made some adjustements to the engine.

Regards.

Reply #21December 19, 2022, 09:46:44 PM

HelpIsNeeded

  • Newbie

  • Offline
  • *

  • 15
  • Reputation:
    0
    • View Profile
Re: explorer.exe rundll32
« Reply #21 on: December 19, 2022, 09:46:44 PM »
Hi HelpIsNeeded,

Shortcuts (LNK files) are not malicious.
Can you please update and do a complete system scan with RogueKiller ? We made some adjustements to the engine.

Regards.

Oh! That's why I don't get librewolf or explorer to be flagged anymore, been scanning over and over for hours on end. I guess i can stop that now, lmao. Thanks for your help

Reply #22December 19, 2022, 10:21:59 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: explorer.exe rundll32
« Reply #22 on: December 19, 2022, 10:21:59 PM »
Hi HelpIsNeeded,

You are welcome.
Thanks for your feedback.

Regards.

Reply #23December 20, 2022, 06:04:20 AM

HelpIsNeeded

  • Newbie

  • Offline
  • *

  • 15
  • Reputation:
    0
    • View Profile
Re: explorer.exe rundll32
« Reply #23 on: December 20, 2022, 06:04:20 AM »
Hi again. Just a question. You said it was not a false positive, did you change RogueKiller so that it flagged what was found from my part as false positive? Regards

Reply #24December 20, 2022, 09:55:02 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: explorer.exe rundll32
« Reply #24 on: December 20, 2022, 09:55:02 PM »
Hi HelpIsNeeded,

It is a little more complicated than that.
Explorer.exe is the file explorer of Windows NT-based system and part of the Windows GUI (desktop, Start Menu, Taskbar), the Windows Shell.

There is a caching mechanism implemented in explorer.exe to display already viewed files faster (you can test this with large images). There is no source code available, so it's speculation at this point but, after asking some colleagues, we came to the conclusion that there is a file on your computer that contains the EICAR test string and that its content is cached in explorer.exe memory, hence triggering the detection.

In conclusion, the EICAR test is really present, but it's not the result of an injection, but some caching mechanisms.
We refined RogueKiller engine to detect that difference. That's why the detection is now gone.

Regards.

Reply #25December 22, 2022, 05:25:08 PM

HelpIsNeeded

  • Newbie

  • Offline
  • *

  • 15
  • Reputation:
    0
    • View Profile
Re: explorer.exe rundll32
« Reply #25 on: December 22, 2022, 05:25:08 PM »
Hi HelpIsNeeded,

It is a little more complicated than that.
Explorer.exe is the file explorer of Windows NT-based system and part of the Windows GUI (desktop, Start Menu, Taskbar), the Windows Shell.

There is a caching mechanism implemented in explorer.exe to display already viewed files faster (you can test this with large images). There is no source code available, so it's speculation at this point but, after asking some colleagues, we came to the conclusion that there is a file on your computer that contains the EICAR test string and that its content is cached in explorer.exe memory, hence triggering the detection.

In conclusion, the EICAR test is really present, but it's not the result of an injection, but some caching mechanisms.
We refined RogueKiller engine to detect that difference. That's why the detection is now gone.

Regards.

"content is cached in explorer.exe memory"
Is that of any concern? Regards

Reply #26December 22, 2022, 08:17:01 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: explorer.exe rundll32
« Reply #26 on: December 22, 2022, 08:17:01 PM »
Hi HelpIsNeeded,

No, it's no concern at all.
Like I said the EICAR string is completely harmless.

Regards.