Curious About Warning On Windows.exe

This just doesn't seem right...I got the attached warning on "explorer.EXE" !? There is an explorer.EXE in the C:\windows directory...2805kb...dated created 6/2/11 and modified 2/24/11 ? Is this a valid warning...and what , if anything, should I do ?

TiminAz

Find more posts tagged with

Comments

coolcool1227

What your AVC settings? I think its a AVC false +ve.

rootkit

Hello

I think something is injected in that file.

In order to be able to further investigate the reported situation we need a bit more information from your computer as follows:

. A BDSYS log;

[how to GENERATE A BDSYS LOG]

. Save and extract the BDSYS tool to a location of your choice:

http://www.bitdefender.com/files/Knowledge.../BDSysLog_i.exe

. Make sure you close all active applications and then run "BDSysLog_i.exe"; If you receive a firewall

alert,select to Allow the application to connect;

. Click the "Create log" button to start generating the

log; A progress bar is indicating that the tool is creating the report;

. When the small window appears with the message "Log

saved" then the report is complete and a new file named "bdsyslog.zip" has appeared on your Desktop;

. Send me via PM the generated log file.

. If the file is to big for send it over PM, upload the results to one of the online file hosting servers mentioned below or use one of your own and send via PM the download link.

http://www.sendspace.com

http://www.mediafire.com

IMPORTANT:

.During this process the Real Time Protection in Bitdefender must be temporarily disabled;

.If you receive a Bitdefender Firewall alert to inform you that BDSysLog_i.exe tries to connect to the internet,then you need to select Allow;

[how to DISABLE THE ANTIVIRUS PROTECTION in Bitdefender 2013]

In order to disable the antivirus protection, please open Bitdefender and click the "Settings" button in the upper side part of the interface"; In the new window go to "Antivirus" > "Shield" tab and click on "ON" under On-access scanning. Select the time interval that suites your troubleshooting needs and click "OK". The On-access scanning should be enabled back after finishing the troubleshooting procedure.

We will get back to you as soon as the analysis is complete.

Have a nice day.

rootkit

Hello

The file was sent to our Labs and I will get back to you ASAP with the results.

Take care.

rootkit

Hello

Please run the tool - password "tool" without quotes from this link:

http://www.mediafire.com/file/b93lut4jh8eilct/tool.rar

1 unpack the archive

2 inside the folder tool, run "tool.bat"

3 wait for it to finish ( can take a few minutes )

4 send us all the files it creates ( also with subfolders )

Pack them in an archive with the password infected and upload it on

http://www.sendspace.com

http://www.mediafire.com

and send me a PM with the download link.

We will analyze the information you sent and then reply with a possible solution in the shortest time.

Have a nice day.

trinaz

Hello

Please run the tool - password "tool" without quotes from this link:

http://www.mediafire.com/file/b93lut4jh8eilct/tool.rar

1 unpack the archive

2 inside the folder tool, run "tool.bat"

3 wait for it to finish ( can take a few minutes )

4 send us all the files it creates ( also with subfolders )

Have run the bat file numerous times but same result...nothing is created in the 'tool' folder as in the attached jpg. Ran for 10 minutes and still nothing created ?

TiminAz

trinaz

Have run the bat file numerous times but same result...nothing is created in the 'tool' folder as in the attached jpg. Ran for 10 minutes and still nothing created ?

TiminAz

This PC is Win 7 Pro 64bit.....?...does it matter re the tool.rar file extracted or the files (tool.bat) that is extracted ?

trinaz

Have run the bat file numerous times but same result...nothing is created in the 'tool' folder as in the attached jpg. Ran for 10 minutes and still nothing created ?

TiminAz

Error opening file when running from Internet:

rootkit

Hello

Please save the file first, on your desktop and extract both files in the same location.

Right click on tool.bat and choose Run as administrator. Let it run for several minutes, the tool will dump all explorer.exe injections. It will create several files and folders in the same location. Pack those files in an archive and send me a PM with it.

Thank you!

trinaz

Hello

Please save the file first, on your desktop and extract both files in the same location.

Right click on tool.bat and choose Run as administrator. Let it run for several minutes.....Thank you!

Right clicked and ran above as Administror

Above ran for 12 minutes...nothing created ?

trinaz

Update Note...same files when copied and/or extracted to my Windows XP Pro SP3 and Windows 7 32 bit Pro SP1 run successfully and create a dozen or so files. Win 7 64bit Pro SP1 will NOT execute the command in the tool.bat file

TiminAz

trinaz

Importance of this may have just escalated on this end....got the following warning similar to the one that started this tread...as follows:

Please run the tool - password "tool" without quotes from this link:

http://www.mediafire.com/file/b93lut4jh8eilct/tool.rar

1 unpack the archive

2 inside the folder tool, run "tool.bat"

3 wait for it to finish ( can take a few minutes )

4 send us all the files it creates ( also with subfolders )

My above separate reply to this thread indicates the tool will not work on 64bit systems...?

Oct 7 2012, 02:29 PM & Oct 7 2012, 02:53 PM

Christain...Is there a 64bit version of the system dump tool you requested previously ??

rootkit

Hello

I will talk to my colleagues from the Labs and get back to you on this ASAP.

Also I will need one more thing:

Navigate to this key

HKEY_LOCAL_MACHINE\SOFTWARE\AVC3\UserID

and export the value.

How to:

http://www.pc1news.com/videos/export-registry-key-15.html

Send me a PM with it.

Thank you!

trinaz

Key sent via PM...Thanks

rootkit

Hello

I have replied to your PM, I need the exported key, not the text from the file.

Thank you!

rootkit

Hello

My colleagues launched an update for Active Virus Control. Do you still get those Events related to that process?

Thank you!

trinaz

Hello

My colleagues launched an update for Active Virus Control. Do you still get those Events related to that process?

Thank you!

Are you talking about the tool.rar files from mediafire ??

rootkit

Hello

I am talking about Explorer.exe, the initial reported issue.

Thank you!

trinaz

Hello

I am talking about Explorer.exe, the initial reported issue.

Thank you!

Have only got 2 warnings on explorer.exe...the 1st when this thread was started in September and the second in my post of Oct 17 2012, 09:32 AM

Will let you know if any additional warnings appear...

Thanks...TiminAz

trinaz

Have only got 2 warnings on explorer.exe...the 1st when this thread was started in September and the second in my post of Oct 17 2012, 09:32 AM

Will let you know if any additional warnings appear...

Thanks...TiminAz

Had to recover this PC to a system image of 9/24 due to a HDD issue...while updating system including BDIS2013...I did get the warnings again on explorer.exe. I think it said something like "watch and monitor" the file (explorer.exe) but I don't know what that means and/or if I can check the status somewhere in the BDIS2013 control panel ?

No additional warnings after all system/BD updates so far

TiminAz

rootkit

Please make sure that you have the latest product update installed:

http://forum.bitdefender.com/index.php?sho...st&p=164968

Detection was removed from Active Virus Control, the injected element is legit.

Thank you!

trinaz

Hi

Please make sure that you have the latest product update installed:

http://forum.bitdefender.com/index.php?sho...st&p=164968

Detection was removed from Active Virus Control, the injected element is legit.

Thank you!

Thanks Christain...but a little clearer please...so there is/was something "injected" in explorer.exe...but whatever it is/was is ok...and now BDIS2013 will not monitor/scan/check my explorer.exe file in further scans ?

Was the previous explorer.exe warning therefore a "false positive" when I selected to "watch & monitor" the file ?

rootkit

Hello

Yes, it was a False Positive from the Active Virus Control module, my colleagues removed detection from the product. Your system is not infected.

Please let me know if you have other questions.

Thank you!