Re: two EXPLORER.EXEs. Virus ?

From: Too_Much_Coffee ® (looking@the.grrls)
Date: 03/09/03


From: "Too_Much_Coffee ®" <looking@the.grrls>
Date: Sat, 8 Mar 2003 22:54:28 -0800


"B.Y." <ecxzDELETETHIS@yahoo.com> wrote in message
news:uf20VEg5CHA.1576@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> I'm running Windows 2000 SP3, and my Windows root directory is "C:\W2K". By
> chance I noticed in task manager that there're 2 explorer.exe's running,
> looking into it further, I found out that there're 2 files named
> explorer.exe in my windows folder.
>
> The first file is "c:\w2k\explorer.exe", it's 242960 bytes long and it looks
> like it's the shell explorer.exe.
>
> The second file is "c:\w2k\system32\explorer.exe", but I don't know what it
> is. It's 245,760 bytes long, has no version info, and has no resource in it
> (opening it as resource, VC returned error "cannot enumerate resources in
> the executable"). Furthermore, in
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run, there's an entry to it
> so it's run at system start. Renaming this file and deleting the registry
> entry don't seem to affect the system at all.
>
> So my question is, is this explorer.exe part of OS or some kind of virus ?

The Explorer.exe in C:\WINNT is the one you want to keep; it's the shell.
Its size is 242,960. The one in C:\WINNT\System32 is the Aplore virus;
delete it. You've already cleared the registry entry so you're done.

The Aplore virus affects Yahoo Messenger.

Too_Much_Coffee ®
>
> If anyone wants to take a look at this file, please email me at yahoo.com,
> email name is ecxz.
>
> Thanks, By
>
>
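A read-only check for the indicators described in this thread (a second explorer.exe under System32, missing version info, and a Run entry pointing at it), added here as an example and not part of the original posts. It assumes Windows PowerShell 5.1 or later, which is far newer than the Windows 2000 system discussed; the HKCU Run key is an addition beyond the HKLM key the poster mentions.

```powershell
# Added example: reports only, changes nothing.
# The shell lives directly in the Windows root (C:\W2K in the question above).
$shell   = Join-Path $env:SystemRoot 'explorer.exe'
$suspect = Join-Path $env:SystemRoot 'System32\explorer.exe'

# 1. Running explorer.exe processes whose image is not the shell binary.
#    String comparison with -ne is case-insensitive in PowerShell.
Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -ne $shell } |
    Select-Object ProcessId, ExecutablePath

# 2. An explorer.exe sitting in System32: show size, version info and
#    signature status. The file in the thread had no version info at all.
if (Test-Path -LiteralPath $suspect) {
    $file = Get-Item -LiteralPath $suspect -Force
    [pscustomobject]@{
        Path        = $file.FullName
        Length      = $file.Length
        FileVersion = $file.VersionInfo.FileVersion
        Signature   = (Get-AuthenticodeSignature -FilePath $suspect).Status
    }
}

# 3. Run-key values that launch any explorer.exe at startup.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -match 'explorer\.exe') {
            [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
        }
    }
}
```

Any output from steps 1 to 3 is a lead to examine, not a verdict; compare what is reported against a known-good copy of the system before deleting anything.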