Weird Defense block entry.. pls help analyze

I recommend you download this tool

Burn it to a CD, put it in the CD drive and restart. I don’t think you need to press anything;

Follow this recommendation only if you haven’t downloaded malwarebytes

Merry Christmas!

Regards,
Valentin N

Hi Heffed and all…

may i remind you guys that NO, this explorer.exe is just flagged but it’s not running… and it’s not there… it’s like comodo is flagging an invisible file … so there’s no way i can investigate this file coz it’s just not in my system and it’s not running, but it’s getting flagged every day…

No it’s not in the Defense - Unrecognized files because it’s not running (or maybe ran for a split second only) (see edited update below)
Yes my system is set to SHOW ALL FILES and even SHOW SYSTEM FILES as this has always been 1 of my top rules whenever i lecture on safe computing… along with always show file extension settings…

and yes i searched all my drives w/ total of 6TB , no such explorer.exe except the legit one that is in Windows/ folder only…

My take on this is that, if this isn’t a bug of some sort, there’s an active malware in my system that’s creating this explorer.exe file at random intervals and deleting it also… for what purpose i don’t know…

now if there is such a threat in my system, this would most certainly have a process or service running that’s doing this… but i’ve manually checked all processes and services, as well as autorun registries, there’s really nothing there…

Googling for this threat “explorer.exe” returns soooo many unrelated threats… so i can’t pinpoint exactly what threat this is…

(EDIT/UPDATE)
For the first time i saw this explorer file in the defense>unrecognized files area of comodo, i clicked PURGE and that file was offered to be purged from the list, i was gonna take a screen shot of it, but it was gone next time i looked …

and as expected, it appeared in the block threats list again:

http://cl.ly/3kCL/Screen_shot_2010-12-24_at_1.50.05_PM.png

another thing i noticed (but will verify)… this thing doesn’t seem to activate if i’m not doing anything… like i left my PC running over 20 hours i believe coz i was out and came back to see no new blocked entry for this file… then around an hour of me doing stuff in my pc again (just browsing and watching videos via KMP player), there it is again another blocked log for this…

Again, because you don’t seem to believe me, looking at your running processes isn’t a good way to ensure your system is clean. There is malware that can run as a hidden process.

I personally think you have a rootkit.

Focus particularly on this part of Chiron’s guide. What You Need To Know About Removing Infections and Securing Your Computer

i ran malwarebytes and all it returned was this:

http://cl.ly/3kLW/Screen_shot_2010-12-24_at_1.57.58_PM.png

w/c isn’t really a threat but a setting flagged as a threat (i think)… but this i did as a personal choice as i don’t like Windows system restore …

@Heffed, umm not that i don’t believe you, i really do, i’ve read about root kits back when they started coming out… but in my experience fixing thousands of computers already i rarely see an actual rootkit infection (i fix pc’s from personal users to public access computers)… so i guess this is the stubborn side of me doubting if i have a rootkit infection especially since this is still a FRESHLY setup system w/ few installed stuffs…

anywho, i took your advice and ran a rootkit scan (sophos) and the only stuffs flagged were the quarantined items in comodo folder, and these two:

http://cl.ly/3kbt/Screen_shot_2010-12-24_at_2.11.00_PM.png

soo what now? :frowning:

I guess wait for the beta of Comodo Cleaning Essentials to come out?

can’t … i can’t sleep thinking there’s something funny goin on in my pc… i was just hoping someone recognizes this and confirms it’s a known bug or something… or at least it’s a threat that we can put a face on… so i know what it is…

anyway , here’s what i’ll be doing

  1. determine how this thing is triggered (random or activity based) by clean reboot and leaving it alone for hours, then use my PC 1 software at a time to get a clue w/c app causes this threat to launch… and repeating it to make sure that’s what it is…

if this thing turns out to be RANDOM, then i’m ■■■■■■■ further… i will then have to create a small program to watch for this file every 100 milliseconds and make a copy of it as soon as it appears (if ever it appears :frowning: )

pls keep posting your thoughts on this too

Regards to all and merry xmas!!!

Download TDSSKiller and post back here the result, do not cure/delete or quarantine (:
if the explorer.exe does not exist in /system32, check with autoruns and delete the key.

done… scan completed in 11 seconds, processed 298 objects, ZERO threats detected…

Will u do something: go to the System32 folder and try to place a file with the name explorer and extension .exe, that is, explorer.exe is the name of the file… Please inform us if there’s an error in doing so.

The beta of CCE has been released. Give it a try. :slight_smile:

COMODO Cleaning Essentials 1.1.174294.27 BETA Released!

Still I very much recommend doing an offline scan with one of the various rescue CDs around.

Or start Windows in Safe Mode and use Autoruns to look up and delete the start key for the explorer.exe in the system32 folder. In safe mode you may also be able to actually find the explorer.exe in the system32 folder. See if that does the trick or not.

Hi…

now we’re getting somewhere… i did what you said, and boom there was an OVERWRITE prompt!

i created a 0 byte file w/ the name explorer.exe, and copy-pasted it into the windows/system32/ folder, making sure that there is no explorer.exe file in that folder…

see image here:

basically, i double checked hidden system files settings and it’s disabled… i also double checked if system files can be seen and yes … recycler, system volume information and a whole lot of system files are visible all over my PC… i have also made sure that the registry entry show supper hidden has the value of “1” …

but that darn explorer.exe is just not visible in the said folder… :frowning:

but it’s definitely there as per above screenshot and file size etc

also, it’s worth noting that this suspicious explorer.exe file is almost identical to the original explorer.exe in terms of file size and date…

Windows/explorer.exe file @ 2870272 bytes | 10/31/2009 2:35:00 PM
Windows/System32/explorer.exe file @ 2614272 bytes | 10/31/2009 1:45:40 PM

Well did you overwrite it?
Did you get any error like access denied or something?

oh, i didn’t overwrite it first… coz i wanted to know what it is really… i thought we were gonna reveal it or something … but ok i’ll try…

EDIT:
ok i tried it and yes it returned an error:

http://cl.ly/3lc2/Screen_shot_2010-12-26_at_2.20.09_PM.png

but then i also noticed something… i tried to copy a renamed explorer_2.exe into the system32 folder, and it was successful. but i can’t find that newly copied file in the folder… i tried to copy text files into the system32 folder and copy was successful but the files aren’t in there (not visible)… it seems any NON-MS file you put into the system32 folder is not visible … i didn’t know this, perhaps it’s a Windows 7 thing?

as a last test i copied a text file blah.txt into it and created a shortcut to it from the desktop… i get this error when setting the shortcut:

http://cl.ly/3lxN/Screen_shot_2010-12-26_at_2.25.48_PM.png

but i know the blah.txt is in there because when i try to copy another blah.txt into it i get an overwrite prompt, w/c can be successful to do so…

  1. You are not able to overwrite explorer.exe because it’s running in memory (that’s why you got that error).
  2. Did u get an Administrator permission required alert (where you have to click ‘continue’ in order for successful creation of the file) while copying/overwriting any new files to the system32 folder?
  3. Any file created in the system32 folder after you answer the alert mentioned above should be visible, which in your case is not happening. -----> Possible malware infection? Probably, but still nothing caught it, which bugs me.
  4. Did u try CCE? If not, give it a shot. After u have CCE, please respond back!!!

here are my replies:

  1. You are not able to overwrite explorer.exe because it’s running in memory (that’s why you got that error).
  • well it didn’t say it was being used or something, it just said it “exists”

  2. Did u get an Administrator permission required alert (where you have to click ‘continue’ in order for successful creation of the file) while copying/overwriting any new files to the system32 folder?
  • nope, i turned off all admin alerts and defaulted to YES for me as administrator… so copying to it doesn’t prompt me for anything.

  3. Any file created in the system32 folder after you answer the alert mentioned above should be visible, which in your case is not happening. -----> Possible malware infection? Probably, but still nothing caught it, which bugs me.
  • The default answer as per my settings is YES, so i have permitted that, but nope… new files copied onto the system32 folder ARE NOT VISIBLE :frowning: but i can confirm they are there… because recopying them into it gives the overwrite prompts…

  4. Did u try CCE? If not, give it a shot. After u have CCE, please respond back!!!
  • i did already as previously posted… while my CCE scan stops at a certain HP DLL file (bug), it does however pass the mem and startup scans already w/c doesn’t reveal anything.

I’ve also run other rootkit scans like Sophos antirootkit… w/c doesn’t reveal anything :frowning:

EDIT…

i tried something else… i copied the entire System32 folder to my desktop and boom! i see all the files i’m supposed to be seeing including that rogue explorer.exe from within the System32 folder…

here it is:
http://cl.ly/3m6s

i ran it thru Comodo AV, Cloud Scanner, it was clean…
I ran it thru virus total and it reported that it’s been scanned /uploaded before and it’s 100% clean…
http://www.virustotal.com/file-scan/reanalysis.html?id=c82149baca8d91b3ff1a189ca5dc814701e79bbb14798cd5766593b1206a1baa-1293353029

i ran reanalyze and still clean… so what the heck is this?

What i want u to do is to open KillSwitch. Go to options–>Hidden Processes–>Scan and post the findings.

Also go to view–>Hide Safe objects and post your findings

Also, Verify the signature of the fake explorer.exe using Tools–>Verify File Signature

hi dude…

done…

No hidden processes found…
hid all safe objects and all was left are just hp drivers and a few other software that I know of very very well…

lastly i tried to verify both explorer.exe from the C:/Windows/ folder and the one i copied from the system32 folder to my desktop… both are verified and signed w/ Microsoft…

:frowning:

It’s hard to remove something when it’s in memory, so it needs to be removed when the computer restarts
In malwarebytes, there’s a tool called “fileassassin”

Use fileassassin to delete the explorer.exe, it’ll tell you to restart the computer, do it

P.S. make sure you “enable” showing hidden and system files AND remove the check marks for hiding system files and such (there should be a couple of them that have hidden, just remove the check mark on those)
That’s so it will show every file that exists

I downloaded the explorer.exe as provided. It is digitally signed (used Sigcheck). We both use Windows 7 and the SHA1 hash is the same as explorer.exe here in my Windows folder.
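The "watch for the file every 100 ms and copy it" idea from earlier in the thread, combined with the hash and signature comparison from this last post, as an added example script (not code from anyone in the thread or from Comodo): it assumes the two paths quoted in the thread, a 100 ms poll, a snapshot folder on the desktop, and that it is run from a 64-bit PowerShell window.

```powershell
# Added example (not from the thread): poll a path a scanner keeps flagging, copy the
# file the moment it is present, then compare its SHA1 hash and Authenticode signature
# with the known-good C:\Windows\explorer.exe. Paths, poll interval and run time are
# assumptions based on the thread. Caveat: on 64-bit Windows a 32-bit process that opens
# C:\Windows\System32 is redirected to C:\Windows\SysWOW64, so run this from 64-bit PowerShell.
param(
    [string]$Watch      = 'C:\Windows\System32\explorer.exe',
    [string]$Known      = 'C:\Windows\explorer.exe',
    [string]$SnapDir    = "$env:USERPROFILE\Desktop\explorer_snapshots",
    [int]   $PollMs     = 100,
    [int]   $MaxMinutes = 60
)

function Get-Sha1Hex([string]$Path) {
    # .NET SHA1 instead of Get-FileHash so it also runs on PowerShell 2.0 (Windows 7).
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try { ([System.Security.Cryptography.SHA1]::Create().ComputeHash($fs) |
           ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Get-FileFacts([string]$Path) {
    # Get-AuthenticodeSignature checks embedded signatures only; catalog-signed Windows
    # binaries can show NotSigned here, so confirm with Sigcheck as the last poster did.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = '(none)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path = $Path; Bytes = (Get-Item -LiteralPath $Path -Force).Length
        Sha1 = Get-Sha1Hex $Path; Status = $sig.Status; Signer = $signer
    }
}

New-Item -ItemType Directory -Path $SnapDir -Force | Out-Null
$deadline = (Get-Date).AddMinutes($MaxMinutes)
$present  = $false
while ((Get-Date) -lt $deadline) {
    # File.Exists and File.Copy ignore hidden/system attributes, unlike plain Get-ChildItem.
    if ([System.IO.File]::Exists($Watch)) {
        if (-not $present) {
            $present = $true
            $snap = Join-Path $SnapDir ('explorer_{0:yyyyMMdd_HHmmss}.exe' -f (Get-Date))
            [System.IO.File]::Copy($Watch, $snap, $true)
            Write-Host "$(Get-Date) file present; copied to $snap"
            @($Known, $snap) | ForEach-Object { Get-FileFacts $_ } | Format-List
        }
    } elseif ($present) { Write-Host "$(Get-Date) file gone again"; $present = $false }
    Start-Sleep -Milliseconds $PollMs
}
```

If the two SHA1 values differ, the snapshot in the desktop folder is the file to submit to VirusTotal or a vendor, and the appear/disappear timestamps printed by the loop show whether the file is really transient or simply hidden from the view being used.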