C:\windows\system32\explorer.exe VT link

#6416 by Every1is=
Thu May 19, 2011 2:47 pm

http://www.virustotal.com/file-scan/rep ... 1305815260

I was trying the "new" Google Chrome BitDefender Quickscan extension and it found 1 infected file. Assuming it was a false positive, but wanting to know for sure, I ran it through VT, almost a 10% hitrate as you can see in the link. So at this moment I am unsure what to think about it.

Bitdefender quickscan reports:
C:\Windows\system32\explorer.exe --> Worm.Generic.324167 --> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell"

The explorer.exe file in System32 MD5: 8b88ebbb05a0e56b7dcc708498c02b3e C:\Windows\system32\explorer.exe
And the C:\windows\explorer.exe MD5: 332feab1435662fc6c672e25beb37be3 C:\Windows\Explorer.exe

Running on Windows 7 x64 Pro, SuperAntiSpyware and Eset Smart Security installed on the system.

False positive? Or new beasty?

Attachments

explorer.zip

not password protected
(1.21 MiB) Downloaded 25 times

Username

Every1is=

Posts

36

Joined

Tue Aug 03, 2010 11:27 am

Re: C:\windows\system32\explorer.exe VT link

#6417 by EP_X0FF
Thu May 19, 2011 3:19 pm

Every1is= wrote:False positive? Or new beasty?

This is 32 bit version of Explorer. It is inside SysWow64 folder, not in System32.
Yes, this is false positive. Probably it's because scanner is 32 bit.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: C:\windows\system32\explorer.exe VT link

#6425 by Every1is=
Thu May 19, 2011 6:14 pm

Ok. Thanks!

But... how does it work then? The file really is in that location. (?)

Username

Every1is=

Posts

36

Joined

Tue Aug 03, 2010 11:27 am

Re: C:\windows\system32\explorer.exe VT link

#6430 by EP_X0FF
Fri May 20, 2011 2:27 am

File System Redirector

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: C:\windows\system32\explorer.exe VT link

#6436 by Every1is=
Fri May 20, 2011 12:47 pm

LOL, I love you

I did know about the symbolic links, but not about this. (yep, I understand these are 2 totally different things)

Username

Every1is=

Posts

36

Joined

Tue Aug 03, 2010 11:27 am

Re: C:\windows\system32\explorer.exe VT link

#6629 by zico_guru
Thu Jun 02, 2011 8:26 am

Is default kenrel path is (C:\windows\system32\) in windows 7? or is redirected?....plz help

Username

zico_guru

Posts

15

Joined

Thu Oct 21, 2010 1:16 pm

Re: C:\windows\system32\explorer.exe VT link

#6632 by EP_X0FF
Thu Jun 02, 2011 10:16 am

zico_guru wrote:Is default kenrel path is (C:\windows\system32\) in windows 7? or is redirected?....plz help

What does the following mean?

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: C:\windows\system32\explorer.exe VT link

#6646 by zico_guru
Thu Jun 02, 2011 4:09 pm

is system file like winload.exe,kdcomm.dll,windows kernel, is redirected to another place in harddisk?i mean where is the path of those file ? is it "C:\windows\system32"?
i am getting problem in reversing those file in ida pro....plz help

Username

zico_guru

Posts

15

Joined

Thu Oct 21, 2010 1:16 pm

Re: C:\windows\system32\explorer.exe VT link

#6656 by EP_X0FF
Fri Jun 03, 2011 3:36 am

zico_guru wrote:is system file like winload.exe,kdcomm.dll,windows kernel, is redirected to another place in harddisk?i mean where is the path of those file ? is it "C:\windows\system32"?
i am getting problem in reversing those file in ida pro....plz help

I answered on this question few posts before.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact