Possible virus...

Hi, my Comodo Defense+ has blocked some actions of this file, “C:\Windows\system32\explorer.exe”, sandboxed as Partially Limited. When I search for this file in that directory it doesn’t even exist; I have it only in C:\Windows and C:\Windows\SysWOW64, and it doesn’t show up as a process running in Task Manager. This detection started a week ago and every day Comodo tries to block it. Thanks in advance.

Anyone, please… I searched and found some old threads saying this file might be some trojan or malware.

Hello! Not sure what the problem might be here, but are you using the full CIS version or just Comodo Firewall? If you are using Comodo AV, do a full scan and let me know if it finds anything. Also use Comodo KillSwitch to see if explorer.exe is infected; if it says ‘safe process’, you probably have an issue with Def+ and you are not infected.

P.S. If you don’t use Comodo AV, do a scan with Malwarebytes Anti-Malware and Hitman Pro and get back to me.

Also, what system are you using and what is your version of Comodo?

Hello… I'm using CIS Premium 5.10, outdated (not the Pro version). I have a Comodo AV scheduled scan every day, and the virus database updates before every scan. The explorer.exe is not detected as infected, but Defense+ keeps blocking its actions as if it were trying to make some strange execution. I have Windows 7 Ultimate Service Pack 1 64-bit. Thanks :-TU

I see. Is the scheduled scan a full scan of the system or the critical areas one? It could be that Def+ still finds some traces of malware (auto-run) on the system that it got rid of. Did you have any AV alert before Def+? Check your sandbox to see if you have any files in it; if so, delete them. It could be an IE issue, as some say. It could be some conflict on your system. But the path C:\Windows\system32\explorer.exe itself is not normal. Do what I told you: a full scan with Comodo AV, Malwarebytes Anti-Malware and Hitman Pro (plus Comodo Autoruns). If it finds nothing you are safe, and I suggest contacting Comodo support for this issue to sort out the Def+ alerts.

Do you have only one explorer.exe running in RAM? Can you use IE itself at all?

The official Windows Explorer (explorer.exe) is installed in the x:\Windows\ folder and not in the x:\Windows\system32\ or x:\Windows\SysWOW64 folders. A file with that name in the System32 or SysWOW64 folder is suspect, especially when unknown (it runs sandboxed).

Please upload explorer.exe from the System32/SysWOW64 folder to VirusTotal and leave the URL of the report here. Please let VirusTotal rescan it.

Does it help to add the file to the Blocked Files? Do you see a startup key for the rogue explorer.exe in Autoruns or Comodo Autoruns?
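The checks asked for in the post above (where the explorer.exe copies live, whether one is hidden, their signature and hash for a VirusTotal lookup, which copy is actually running, and whether any startup entry points at one) can be done in a single PowerShell pass. The script below is an added example for this thread, not code from the original posts or from Comodo; it assumes PowerShell 5.1 on 64-bit Windows, and the function names are my own. One caveat worth knowing when reading a Defense+ log: a 32-bit process that opens %windir%\System32\explorer.exe is silently redirected by WoW64 to %windir%\SysWOW64\explorer.exe, so a logged System32 path need not correspond to a file you can see in a 64-bit Explorer window; the script probes the Sysnative alias when it is itself running as 32-bit.

```powershell
# Triage explorer.exe copies on a 64-bit Windows host.
# Added example for this thread; assumes PowerShell 5.1+ (Get-FileHash, Get-AuthenticodeSignature).
# Function names (Get-ExplorerCandidates, Get-RunningExplorer, Find-ExplorerAutoruns) are my own.

function Get-ExplorerCandidates {
    $candidates = @(
        (Join-Path $env:windir 'explorer.exe'),           # the only legitimate location
        (Join-Path $env:windir 'System32\explorer.exe'),  # should not exist
        (Join-Path $env:windir 'SysWOW64\explorer.exe')   # present on some x64 builds (32-bit copy)
    )
    # A 32-bit PowerShell host sees System32 redirected to SysWOW64; Sysnative reaches the real one.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        $candidates += (Join-Path $env:windir 'Sysnative\explorer.exe')
    }
    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path -Force             # -Force also returns hidden files
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path        = $path
            Hidden      = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
            SizeBytes   = $item.Length
            FileVersion = $item.VersionInfo.FileVersion
            Signature   = $sig.Status                            # Valid / NotSigned / HashMismatch ...
            Signer      = $sig.SignerCertificate.Subject
            SHA256      = $hash
            # Look the hash up instead of uploading the file; no upload needed if VT already knows it.
            VirusTotal  = "https://www.virustotal.com/gui/file/$($hash.ToLower())"
        }
    }
}

function Get-RunningExplorer {
    # Which copy is actually running; a second explorer.exe with an odd Path is the red flag.
    Get-Process -Name explorer -ErrorAction SilentlyContinue |
        Select-Object Id, Path, StartTime, @{ n = 'CommandLine'; e = {
            (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine } }
}

function Find-ExplorerAutoruns {
    # Run/RunOnce keys for both hives, including the 32-bit view on x64, plus the Winlogon Shell value.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notmatch '^PS' -and "$($p.Value)" -match 'explorer\.exe') {
                [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    # The shell value is normally just "explorer.exe" (resolved from %windir%); anything longer is suspect.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    [pscustomobject]@{ Location = $winlogon; Name = 'Shell'; Command = $shell }
}

'== explorer.exe copies on disk =='
Get-ExplorerCandidates | Format-List
'== running explorer.exe processes =='
Get-RunningExplorer | Format-Table -AutoSize
'== startup entries referencing explorer.exe =='
Find-ExplorerAutoruns | Format-Table -AutoSize
```

Two things to keep in mind when reading the output. On Windows 7 era PowerShell, Get-AuthenticodeSignature does not consult the Windows signing catalog, so a genuine OS binary that carries no embedded signature reports NotSigned; Sysinternals sigcheck (which does check the catalog) or `sfc /verifyonly` is the authoritative check there, and the SHA-256 lookup on VirusTotal is a quick second opinion. And for the Winlogon Shell row, compare against the plain value `explorer.exe`: a full path, a second executable appended after a comma, or a file in System32 or SysWOW64 is what to escalate.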

Thanks for the reply, guys… I always run a full scan of the system. I have only one HDD and this strange detection started about 2 weeks ago. The sandbox is empty and yes, only one explorer.exe (C:\Windows) is running in Task Manager. I read in some random thread that 64-bit versions have mirrored executable files for 32-bit apps, and that’s why SysWOW64 has most of the same files System32 has. I re-scanned the explorer.exe from the SysWOW64 folder in VirusTotal and it found nothing. I also added the file to the Blocked Files but nothing happened; how can I tell if the file has been blocked? The file doesn’t execute itself on startup; there is no entry key. I don’t have Comodo Autoruns installed; should I do a system check with it? Thanks for your help :-TU

I see. For a 64-bit system, yes, but I'm not sure about the Def+ alerts here. Try checking the Def+ and AV logs for the info.

I want to make one thing clear; let’s not confuse explorer.exe. I just wanted to rule out possibilities here, but according to this source (taskmgr - explorer.exe - Program Information) C:\Windows\System32\explorer.exe should not be confused with the legitimate explorer.exe. Check your taskmgr as well just in case (use Comodo KillSwitch and VT). Also, the file itself might be hidden; I'm not sure if Comodo AV scans hidden files. (Note: I’m talking about the case of a possible malware infection here. I'm just giving my opinion.) Yes, I would advise running a check with Comodo Autoruns just in case. If you still have an issue, contact Comodo support here: http://support.comodo.com/ or use GeekBuddy, free for 30 days I think.

I checked my Vista 64-bit installation and noticed it also has an explorer.exe in the SysWOW64 folder. It is not signed. There is no explorer.exe in the System32 folder.

Wow… I have just discovered what was causing Comodo Defense+ to block actions from C:\Windows\system32\explorer.exe; in fact it was only detecting its actions. Today I was using my computer and found another Defense+ detection from C:\Windows\system32\explorer.exe, and I started tracing what I had done in the last 5 minutes; then I realized that I was using JDownloader. That's when I entered the download directory through the program interface and BAM! Defense+ events detected this action but did not block it, because the folder opened. Well, I think this case is closed, guys. Thank you all; at least I was introduced to another great utility, Comodo Cleaning Essentials.

Glad to hear that! You are welcome! ;D :-TU