Weird Defense block entry... please help analyze

Hi guys…

I just installed the Comodo suite last night and I'm enjoying the detailed logs it presents… it’s really nice…

However, I noticed a strange log entry. Screenshot here:
http://d.pr/USRP

Basically it shows a blocked entry for:
C:\Windows\System32\explorer.exe
Sandboxed as Partially Limited
Time: 12/17/2010 @ 9:54 AM

What’s strange is that

  1. This is a freshly set up system, with applications installed already, but I double checked each app to be clean.

  2. During the logged time, the whole morning in fact, I wasn't doing anything but sorting pics via Picasa, syncing my phone photos with Nokia Ovi Suite, uploading files via windroplr… and scanning documents from my HP scanner… Background processes are all normal… startup entries are OK… I wasn't installing anything or doing anything new…

  3. When I looked for this file it wasn't in the System32 folder (I know the legit explorer is supposed to be in C:\Windows, not in System32)… but I can't find the file and Comodo can't either… like it's gone/deleted… I checked the Comodo quarantine… nothing at all…

Could this be a bug or something in Comodo? Or could it just be a child process of one of the other legit apps, such as Nokia Ovi Suite or the HP scanning software perhaps?

Sounds like you have a virus. You’ll want to follow the steps outlined in this thread.

How to Know If Your Computer Is Infected

That’s the thing though: this is a freshly deployed system, I don't see any suspicious processes, and a Comodo AV full scan comes out clean…

Looking at your running processes isn’t a great way to judge if your system is infected.

If you feel you’re clean, then that’s fine. You were just asking for help and posted evidence of a possible infection, so I pointed you in the right direction. What you do from here is up to you.

The normal explorer.exe is in x:\Windows\ and not in x:\Windows\system32. I would think you are infected.

Thanks for all the replies…

I ran my PC through Cloud Scanner and though it raised around 5 unknown software items, I can confirm that all of them are fine, as they are software I developed myself as well as software that came from the developers themselves, like MyNotesKeeper and the like… so no, there aren't any threats… but I just keep getting this System32\explorer.exe entry at least 2 times a day… but there's no trace of the exe file when I go look for it… I'm almost convinced this is a Comodo bug… perhaps?

Just do a VirusTotal scan of the files,
or share it with me in a private message.

No, this is malware behavior.

Run through the steps in that thread I already linked you to.

Please test your computer for malware and submit it to VirusTotal to get the opinion of other scanners about this file.

I’ve run through all the steps, especially Comodo Cloud Scan. There are ZERO threats found on my PC.

And I’d like to submit and analyse that System32\explorer.exe file, but it’s just not in the system… it’s not in the folder… nada…

But at least twice a day I get flagged for this… like just recently:

http://cl.ly/3jZi/Screen_shot_2010-12-22_at_3.06.09_PM.png

:frowning:

Annoying, really…

It’s definitely on your system, or it wouldn’t keep getting blocked or sandboxed. Does it show up on your unrecognized files list? Defense+ → Unrecognized Files

And this may sound like a silly question, but I need to ask it just to make sure so please don’t take offense… When you say it’s not in your system32 folder, do you have your folder options set to show hidden files? And have you tried doing a drive search for explorer.exe to see if it turns up anywhere other than \Windows?

Illegitimate software disguising itself as explorer.exe in a non-standard folder is definitely not going to be on the trusted vendor list.

*Edited by jay2007tech*

Luc[y],

I’m sorry for misreading it; what I wrote would only apply to the Microsoft one.

*Edit by jay2007tech*

My post is totally wrong

This explorer.exe is an infection; just do a quick scan with Malwarebytes, it will be instantly flagged as heur.shuriken.

this explorer.exe is a infection, just make a quick scan with malwarebytes, it will be instantly flagged as heur.shuriken.
[s]explorer.exe CAN'T be deleted, only cured[/s] Only the Microsoft explorer.exe can be deleted, only cured

The fake one CAN be deleted

*Edited by jay2007tech*

Oh I see, yes… I hope running Dr.Web CureIt will fix it.

We aren’t talking about the valid explorer.exe that lives in C:\Windows\ though… This is something calling itself explorer.exe in the system32 folder. That is somewhere it should never be, and indicates an infection.

I’m an idiot,
explorer.exe is located in the Windows folder, NOT in SYSTEM32.

It is infected, it’s not windows
C:\Windows\System32\explorer.exe

Luc[y],
Would you be able to put your script back on here :slight_smile:

We aren't talking about the valid explorer.exe that lives in C:\Windows\ though... This is something calling itself explorer.exe in the system32 folder. That is somewhere it should never be, and indicates an infection.
I agree

Can you find the fake explorer.exe in ‘View Active Process’ under the Defense+ tab? If you can, just terminate and block it. Use ‘View full path’ to find the fake one.
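The rule the replies above lean on (a system binary is suspect when it runs from anywhere but its canonical folder) can be applied mechanically to the full paths shown in 'View Active Process' or a drive search. The script below is an added example, not code from any poster or from Comodo; it runs over a constructed list of image paths, and the table of canonical locations is an assumption that covers only a handful of commonly impersonated names.

```python
import ntpath

# Canonical parent directory (relative to the drive root, lower-case) for a
# few Windows binaries that malware likes to impersonate by name.
# Assumption: this table is illustrative, not an exhaustive list.
CANONICAL_DIRS = {
    "explorer.exe": {"windows"},
    "svchost.exe": {"windows\\system32", "windows\\syswow64"},
    "lsass.exe": {"windows\\system32"},
    "csrss.exe": {"windows\\system32"},
    "winlogon.exe": {"windows\\system32"},
}


def normalize(path: str) -> str:
    """Return the path relative to the drive root: lower-case, backslashes,
    no drive letter, %SystemRoot% folded to the plain 'windows' folder."""
    p = path.strip().replace("/", "\\").lower()
    p = p.replace("%systemroot%", "c:\\windows")
    _drive, rest = ntpath.splitdrive(p)
    return rest.strip("\\")


def is_masquerading(path: str) -> bool:
    """True if the file name is a tracked system binary but its parent folder
    is not one of the canonical locations for that name."""
    parent, name = ntpath.split(normalize(path))
    expected = CANONICAL_DIRS.get(name)
    if expected is None:
        return False  # not a name we track, nothing to compare against
    return parent not in expected


def find_masquerades(paths):
    """Filter image paths (e.g. from a process list or HIPS log) down to
    the entries whose name/location pair looks wrong."""
    return [p for p in paths if is_masquerading(p)]


# Constructed sample input modelled on the thread's log entry; not real data.
SAMPLE_PATHS = [
    r"C:\Windows\explorer.exe",               # the real shell
    r"C:\Windows\System32\explorer.exe",      # the entry from the thread
    r"C:\Windows\System32\svchost.exe",
    r"D:\Windows\SysWOW64\svchost.exe",       # other drive letter, still fine
    r"C:\Users\Public\svchost.exe",           # wrong folder
    r"C:\Program Files\SomeApp\SomeApp.exe",  # untracked name, ignored
]

if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_PATHS):
        print("suspicious location:", hit)
```

A hit only says the location is wrong for that name; the hidden-file and drive-search advice earlier in the thread is still what turns up the file on disk so it can be submitted for scanning.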