Explorer.exe On Startup Of Computer


13 replies to this topic

#1 Mrs Kruska

Mrs Kruska

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:25 PM

Posted 05 July 2007 - 04:21 PM

I was checking my startup programs using Windows Defender. I found explorer.exe starting. I checked the Startup database and found that it was not supposed to start on startup of the computer, but Windows Defender would not let me stop it from starting. I read deeper into one of the forums and found a program you offered called Autoruns and installed it and was able to remove explorer from startup. It was starting in the registry with the entry Software\Microsoft\WindowsNT\CurrentVersion\winlogon\shell\explorer.exe. I am still concerned though as to how it got there if it wasn't supposed to start automatically. I've run anti-virus and nothing comes up but I'm still worried. At one time since I bought this new computer McAfee AntiVirus blocked a Trojan. Even though I've stopped explorer from starting automatically, could it be a worm or trojan hiding as the explorer file? Please advise.

Valerie



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:25 PM

Posted 06 July 2007 - 10:28 AM

Explorer.exe is your actual desktop. It is a perfectly valid program and is supposed to start automatically. If it didn't start you would not get your desktop at all. Leave that entry alone otherwise your computer will not operate correctly.

#3 lliztiz

lliztiz

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Location:California
  • Local time:08:25 PM

Posted 20 September 2007 - 03:54 PM

Explorer.exe, with Windows Explorer listed with it, is also in my list of start-up programs, so I decided to check it out in the start-up data base. What came up was a slew of possibly malicious programs. I didn't panic (per the advice given), and carefully checked the name of the file, the address, etc. to determine whether my file was legit. I am very confused about how to tell. One of the entries for explorer.exe with Windows Explorer written next to it was described as malicious-- i.e., added by w32/Poebot-J Worm/IRC backdoor. My explorer.exe file was listed under HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\Current Version\Winlogon|Shell.

How do I know whether this is the legit file or the malicious one?? Unlike similar entries identifying malicious versions of explorer.exe, this description did not say "don't mistake this for the legit file."

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:25 PM

Posted 20 September 2007 - 07:31 PM

Where is the explorer.exe in your startup located?

Anything outside of C:\Windows\explorer.exe is not legit.

#5 lliztiz

lliztiz

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Location:California
  • Local time:08:25 PM

Posted 20 September 2007 - 08:24 PM

I ran a search and explorer.exe showed up where it should be, but it also showed up in blue letters-- however, then the data execution program closed windows down to protect the computer-- not a good sign. Since writing this, I downloaded SpyDoctor v4.1, but didn't purchase it. I downloaded that version because, except for PC Magazine giving it the highest ratings, I read several negative reviews of the new version. So, I guess that what I ran was the trial version. The Trojan Downloader:Ruins was found. So, I assume I am infected. What now? Ideally, I would like to do Hijack This, so I can be sure I have a clean machine. However, when I looked there, it was suggested that other things be done first. What would you recommend? Thank you.

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:25 PM

Posted 20 September 2007 - 10:23 PM

Please go through the preparation guide found in the hijackthis forum. This will run a variety of scans which ultimately leave you with a log. Please be patient as it may be upwards of a week before someone can look at your log.

#7 lliztiz

lliztiz

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Location:California
  • Local time:08:25 PM

Posted 20 September 2007 - 10:36 PM

I printed out all the necessary info. Do you think that I can continue to use my computer to do things like browse, pay bills on-line, etc. while I wait for someone to look at my log? I imagine that any damage that could be done has probably been done already. What do you think?

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:25 PM

Posted 22 September 2007 - 01:15 PM

Hard to say. I agree that the damage has probably been already done. One option is to download Process Explorer from Sysinternals and double-click on each explorer.exe process. If you see one running that is not in C:\Windows, then it should be removed.
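
The two checks described in posts #4 and #8 (where the startup entry points, and which file each running explorer.exe was started from), written as PowerShell. This is an added example, not part of any post in this thread; it assumes PowerShell 3.0 or later, `Test-ShellValue` and `Show-Result` are hypothetical helper names, and the sample values are constructed.

```powershell
# Added example. Assumption: a default install whose only legitimate shell is
# %SystemRoot%\explorer.exe (C:\Windows\explorer.exe on most machines).
$expected = Join-Path $env:SystemRoot 'explorer.exe'

function Test-ShellValue {
    # Hypothetical helper: split a Shell value on commas and judge each command.
    param([string]$Value)
    foreach ($entry in ($Value -split ',')) {
        $cmd = $entry.Trim().Trim('"')
        if ($cmd -eq '') { continue }
        # Only the bare default name or the full expected path passes; extra
        # arguments, extra entries or any other folder are flagged for review.
        $ok = ($cmd -ieq 'explorer.exe') -or ($cmd -ieq $expected)
        [pscustomobject]@{ Entry = $cmd; Expected = $ok }
    }
}

function Show-Result {
    # Hypothetical helper: print one line per command found in the value.
    param([string]$Label, [string]$Value)
    Test-ShellValue $Value | ForEach-Object {
        $verdict = 'REVIEW'
        if ($_.Expected) { $verdict = 'expected' }
        '{0}: "{1}" -> {2}' -f $Label, $_.Entry, $verdict
    }
}

# 1. Constructed sample values (not taken from any real machine).
Show-Result 'sample' 'Explorer.exe'
Show-Result 'sample' 'explorer.exe, C:\Windows\System32\explorer.exe'

# 2. The live Winlogon Shell value, machine-wide and per-user.
$key = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $shell = (Get-ItemProperty "$hive\$key" -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell) { Show-Result $hive $shell } else { "$hive no Shell value set" }
}

# 3. Every running explorer.exe and the file it was started from.
Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" | ForEach-Object {
    $verdict = 'REVIEW'
    if (-not $_.ExecutablePath) { $verdict = 'path not readable' }
    elseif ($_.ExecutablePath -ieq $expected) { $verdict = 'expected' }
    'PID {0}: {1} -> {2}' -f $_.ProcessId, $_.ExecutablePath, $verdict
}
```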

#9 lliztiz

lliztiz

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Location:California
  • Local time:08:25 PM

Posted 25 September 2007 - 07:46 PM

I downloaded the program you suggested, and the path was C:\Windows\Explorer.EXE, so I guess all is well there. Thank you. It is reassuring to know that.

Do you happen to know where I can find the references to reliable software review companies in Bleeping? I left a message elsewhere and didn't get a reply. I came across it once and meant to bookmark it, but didn't. It would be a very useful reference.

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:25 PM

Posted 26 September 2007 - 09:52 AM

Unfortunately, I can't help you on the software reviews. In the near future we do hope to be doing our own reviews.

#11 lliztiz

lliztiz

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Location:California
  • Local time:08:25 PM

Posted 26 September 2007 - 01:31 PM

That would be wonderful!

#12 Terri13th

Terri13th

  • Members
  • 256 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:08:25 PM

Posted 14 March 2009 - 01:03 PM

Hello, I'm very confused by 2 seemingly conflicting answers within your site. When I checked your start up database, it labeled one of my start ups--WINLOGON SHELL, as a threat I should remove, added by w32.kipis.M worm. When I clicked on the link provided, it sent me to removal instructions by Symantec. Problem #1, I don't use Sym, but use Avg. Free, which hasn't detected it in all these years, or apparently done anything about it. Also, when they say to run Symantec, I'm unsure if I should load that up since the worm apparently is from Feb. 2005, and I don't even know if their definition base would still have that in it? Then, I decide to do more research, and come across this reference to it, saying it's a normal windows explorer component and necessary! If you do a search on winlogon shell on your start up database, you'll see where it's cited as w32.kipis.M worm. In addition to my virus checker problem of not using symantec, they recommend changing registry, which I'm very hesitant to do, esp. now that further research in this forum seems to contradict what database checker said. Please help me clarify...I'm using xp, service pack 3, on older computer. Thanks!

#13 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:11:25 PM

Posted 14 March 2009 - 09:41 PM

I do not see any reference to Symantec in the removal instructions
http://www.bleepingcomputer.com/tutorials/how-to-remove-a-trojan-virus-worm-or-malware/

"Then, I decide to do more research, and come across this reference to it, saying it's a normal windows explorer component and necessary!"


What reference would that be?
Mark

#14 Terri13th

Terri13th

  • Members
  • 256 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:08:25 PM

Posted 29 March 2009 - 12:12 AM

Ok, please allow me to start over. Is the entry, Winlogon Shell, with the command 'Explorer.exe', company listed as Microsoft, and type is 'LOGON_SHELL', which is in my start-up, and cannot be disabled, a normal start-up, or something malicious in my system? I really appreciate your help.



