Mrs Kruska
Jul 5 2007, 04:21 PM
I was checking my startup programs using Windows Defender. I found explorer.exe starting. I checked the Startup database and found that it was not supposed to start on startup of the computer, but Windows Defender would not let me stop it from starting. I read deeper into one of the forums and found a program you offered called Autoruns and installed it and was able to remove explorer from startup. It was starting in the registry with the entry Software\Microsoft\WindowsNT\CurrentVersion\winlogon\shell\explorer.exe. I am still concerned though as to how it got there if it wasn't supposed to start automatically. I've run anti-virus and nothing comes up but I'm still worried. At one time since I bought this new computer McAfee AntiVirus blocked a Trojan. Even though I've stopped explorer from starting automatically, could it be a worm or trojan hiding as the explorer file? Please advise.
Valerie
Grinler
Jul 6 2007, 10:28 AM
Explorer.exe is your actual desktop. It is a perfectly valid program and is supposed to start automatically. If it didn't start you would not get your desktop at all. Leave that entry alone otherwise your computer will not operate correctly.
lliztiz
Sep 20 2007, 03:54 PM
Explorer.exe, with Windows Explorer listed with it, is also in my list of start-up programs, so I decided to check it out in the start-up data base. What came up was a slew of possibly malicious programs. I didn't panic (per the advice given), and carefully checked the name of the file, the address, etc., to determine whether my file was legit. I am very confused about how to tell. One of the entries for explorer.exe with Windows Explorer written next to it was described as malicious-- i.e., added by w32/Poebot-J Worm/IRC backdoor. My explorer.exe file was listed under HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\Current Version\Winlogon|Shell.
How do I know whether this is the legit file or the malicious one?? Unlike similar entries identifying malicious versions of explorer.exe, this description did not say "don't mistake this for the legit file."
Grinler
Sep 20 2007, 07:31 PM
Where is the explorer.exe in your startup located?
Anything outside of C:\Windows\explorer.exe is not legit.
lliztiz
Sep 20 2007, 08:24 PM
I ran a search and explorer.exe showed up where it should be, but it also showed up in blue letters-- however, then the data execution program closed windows down to protect the computer-- not a good sign. Since writing this, I downloaded SpyDoctor v4.1, but didn't purchase it. I downloaded that version because, except for PC Magazine giving it the highest ratings, I read several negative reviews of the new version. So, I guess that what I ran was the trial version. The Trojan Downloader:Ruins was found. So, I assume I am infected. What now? Ideally, I would like to do Hijack This, so I can be sure I have a clean machine. However, when I looked there, it was suggested that other things be done first. What would you recommend? Thank you.
Grinler
Sep 20 2007, 10:23 PM
Please go through the preparation guide found in the hijackthis forum. This will involve a variety of scans which ultimately leave you with a log. Please be patient as it may be upwards of a week before someone can look at your log.
lliztiz
Sep 20 2007, 10:36 PM
I printed out all the necessary info. Do you think that I can continue to use my computer to do things like browse, pay bills on-line, etc. while I wait for someone to look at my log? I imagine that any damage that could be done has probably been done already. What do you think?
Grinler
Sep 22 2007, 01:15 PM
Hard to say. I agree that the damage has probably been already done. One option is to download Process Explorer from Sysinternals and double-click on each explorer.exe process. If you see one running that is not in C:\Windows, then it should be removed.
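The two checks discussed in this thread (the Winlogon Shell entry and the path of each running explorer.exe), scripted in PowerShell as an added example that is not part of the original posts. It assumes PowerShell 3.0 or later, also reads the per-user HKCU Winlogon key, which the thread does not mention, and only reports; it changes nothing.

```powershell
# Added example (not from the thread). Read-only: reports, changes nothing.
$expected = Join-Path $env:SystemRoot 'explorer.exe'   # normally C:\Windows\explorer.exe

# 1. Winlogon Shell value. The Windows default is the bare name "explorer.exe".
#    HKLM is the key named in the thread; HKCU is a per-user override (added here).
$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key   = "$hive\$winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) {
        '{0}: no Shell value set' -f $key
        continue
    }
    # Anything other than the default or the full expected path needs a closer look.
    $value = $shell.Trim()
    $ok    = ($value -ieq 'explorer.exe') -or ($value -ieq $expected)
    $note  = if ($ok) { 'expected' } else { 'REVIEW: not the default shell' }
    "{0}: Shell = '{1}' -> {2}" -f $key, $shell, $note
}

# 2. Image path of every running explorer.exe (what Process Explorer shows per process).
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'")
if ($procs.Count -eq 0) { 'No explorer.exe process is running.' }
foreach ($p in $procs) {
    $verdict = if (-not $p.ExecutablePath) {
        'path not readable (try an elevated prompt)'
    } elseif ($p.ExecutablePath -ieq $expected) {
        'expected'
    } else {
        'REVIEW: not running from the Windows folder'
    }
    'PID {0}: {1} -> {2}' -f $p.ProcessId, $p.ExecutablePath, $verdict
}
```

A REVIEW line is a prompt to look more closely at that entry or file, not a verdict that it is malicious.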
lliztiz
Sep 25 2007, 07:46 PM
I downloaded the program you suggested, and the path was C:\Windows\Explorer.EXE, so I guess all is well there. Thank you. It is reassuring to know that.
Do you happen to know where I can find the references to reliable software review companies in Bleeping? I left a message elsewhere and didn't get a reply. I came across it once and meant to bookmark it, but didn't. It would be a very useful reference.
Grinler
Sep 26 2007, 09:52 AM
Unfortunately, I can't help you on the software reviews. In the near future we do hope to be doing our own reviews.
lliztiz
Sep 26 2007, 01:31 PM
That would be wonderful!