Our AV software has detected an infection of Backdoor.Win32.Ulrbot on one of our terminal servers during a full scan. My colleague thinks this is a false positive because the file is not being picked up by real time scanning. I disagree and think this is an infection.
Here is my reasoning why I think this is an infection:
The DLL is an unknown DLL (x32ihrv.dll)
Using Process Explorer, I found explorer.exe is calling this DLL, but no information is available about the DLL (i.e. Description, Version, Company Name)
I was able to rename this DLL from x32.ihdrv.dll to x32ihdrv.dll.old on the fly, while it was in use by explorer.exe. Process Explorer just displayed the file extension change and went about its business
Trend Micro even states this is a DLL component (http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=BKDR_URLBOT.A)
We are using Kaspersky Anti Virus as our AV software. Could someone provide additional information on our debate? Attached is a screenshot of Process Explorer
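One way to automate the checks the post walks through by hand (which modules explorer.exe has loaded, and which of them carry no version metadata), as an added PowerShell example that is not from the original post or from any AV vendor; it assumes explorer.exe is running and that it is run from an elevated prompt on the affected server:

```powershell
# Added example: list modules loaded into explorer.exe and flag the ones that
# look like the post's suspect DLL (no CompanyName/Description/Version, no valid
# Authenticode signature, or loaded from outside Windows / Program Files).
# Flagged entries are triage candidates, not verdicts: many legitimate third-party
# DLLs are unsigned, so the hash is printed for submission to the AV vendor.
$procs = Get-Process -Name explorer -ErrorAction Stop
$seen  = @{}
foreach ($p in $procs) {
    try { $modules = $p.Modules } catch { Write-Warning "Cannot read modules of PID $($p.Id): $_"; continue }
    foreach ($m in $modules) {
        $path = $m.FileName
        if ($seen.ContainsKey($path)) { continue }   # same DLL in several explorer instances
        $seen[$path] = $true

        $vi  = $m.FileVersionInfo
        $sig = Get-AuthenticodeSignature -FilePath $path
        $reasons = @()
        if ([string]::IsNullOrWhiteSpace($vi.CompanyName))     { $reasons += 'no CompanyName' }
        if ([string]::IsNullOrWhiteSpace($vi.FileDescription)) { $reasons += 'no FileDescription' }
        if ([string]::IsNullOrWhiteSpace($vi.FileVersion))     { $reasons += 'no FileVersion' }
        if ($sig.Status -ne 'Valid')                            { $reasons += "signature: $($sig.Status)" }

        # A DLL that explorer.exe pulls from an unexpected directory deserves a look.
        $expected = ($path -like "$env:SystemRoot\*") -or ($path -like "$env:ProgramFiles\*")
        if (-not $expected) { $reasons += 'outside Windows/Program Files' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Process = "$($p.ProcessName) (PID $($p.Id))"
                Module  = $path
                SHA256  = (Get-FileHash -Path $path -Algorithm SHA256).Hash
                Flags   = ($reasons -join '; ')
            }
        }
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Export-Csv` to keep a record before the file is renamed or quarantined; a 32-bit explorer.exe on a 64-bit host may refuse module enumeration, which the try/catch reports rather than aborting the scan.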