Two Explorer.exe running

EzioAuditore · Dec 21, 2010

Hi, I'm kinda confused now. Here's the story.
Yesterday, MBAM detected a infection named- Heuristics.Reserved.Word.Exploit. The file which was flagged was- C: \Windows\Installer\Explorer.exe
It always came back after reboot. Upon googling, i found that the threat name refers to the usage of microsoft reserved name outside it's default location.
So, I booted in safe mode, terminated Explorer.exe (original one), and deleted that duplicate Explorer.exe via cmd (it wont unless i terminate original explorer process).
Everything is fine now. There's one thing about which i'm concerned.
I've two Explorer.exe running sometimes, not often. Attached is the screen below.
Both are running from original default location.
Any ideas why 2 explorer.exe are running?

PS: Command line also included in the pic. Maybe if that could reveal something. And I don't have 'Launch folder windows in a separate process' checked. One more thing worth noting that the original explorer.exe and duplicate explorer.exe have same creation date and checksums.

brady · Dec 21, 2010

pid 956 looks like an infection to me... are you sure the machine is clean?

EzioAuditore · Dec 21, 2010

Whoa! That was lightning fast reply.

Ive done full scan with MBAM and KIS 2011. Machine came up clean.

brady · Dec 21, 2010

How's your msconfig /startup sheet looking? The explorer.exe /* doesn't usually equal good things.

Jacee · Dec 21, 2010

Download FREE PC Profile, Audit, and Diagnostic Report Utility then look at both files

brady · Dec 21, 2010

ahh nvm... disregard... the 2nd is a 32bit explorer

EzioAuditore · Dec 21, 2010

Msconfig looks ok. I made another snip now. And both processes seems to change their pid's everytime when they're run. See the pic. Ending explorer.exe/* doesn't closes my desktop.

@Jacee, thanks. Going to run that after this post.

brady · Dec 21, 2010

the 2 explorers are bit defined. 1 for 64bit and 1 for 32bit processes

EzioAuditore · Dec 21, 2010

Jacee said:
Download FREE PC Profile, Audit, and Diagnostic Report Utility then look at both files

Jacee, you want me to generate and attach the report here?

EzioAuditore · Dec 21, 2010

brady said:
the 2 explorers are bit defined. 1 for 64bit and 1 for 32bit processes

How? It doesn't say explorer*32 in task manager? And what program would need their own separate explorer.exe?

brady · Dec 21, 2010

not 100% sure but my main 32bit system runs 1 explorer.exe and my secure 64bit machine always lists 2 (and it's verified clean)

EzioAuditore · Dec 21, 2010

As far as the cleanliness of other duplicate explorer.exe is concerned, i uploaded it to virustotal and it came clean. :huh:

Jacee · Dec 21, 2010

EzioAuditore said:
Jacee said:

Download FREE PC Profile, Audit, and Diagnostic Report Utility then look at both files

Click to expand...

Jacee, you want me to generate and attach the report here?

No, you can analyze it yourself by the report. I'm pretty sure that brady has supplied the answer.

EzioAuditore · Dec 21, 2010

So, should i assume that it's normal for x64 windows to run 2 Explorer.exe simultaneously? And what about the string in the command line of another explorer.exe with the -embedding switch? What does that mean? And why it's pid changes with it's each instance?

Jacee · Dec 21, 2010

This tells you how to remove it How to Remove a Switch From Windows Explorer | eHow.com

I don't know what the embedded is about, tho'

EzioAuditore · Dec 21, 2010

Ok, will check that out tomorrow. It's already quarter past 2 morning here...

EzioAuditore · Dec 22, 2010

Jacee said:
This tells you how to remove it How to Remove a Switch From Windows Explorer | eHow.com

I don't know what the embedded is about, tho'

In the "Target" text box, delete everything after "explorer.exe." Using the previous example, the final command after deletion would look like this:

%SystemRoot%\explorer.exe

Click "OK" to apply the changes and close the "Properties" window

According to it, my explorer is already 'switch-less'.

dranfu · Dec 22, 2010

What they've said is correct. If you kill the 64 bit version (one with the /factory switch) and then run this command here:

%windir%\syswow64\explorer.exe /separate

You will see the same thing, the factory switch and the GUID. Doesn't appear to be a virus.

EzioAuditore · Dec 22, 2010

@Dranfu
Oh thanks. That cleared 75% of my confusion. Just few questions which are still concerning me..
1. What could have create a duplicate explorer.exe in c:\windows\installer folder?
2. When i already have one explorer.exe running, why does the another 64bit explorer kicks in for no reason?

dranfu · Dec 22, 2010

EzioAuditore said:
@Dranfu
Oh thanks. That cleared 75% of my confusion. Just few questions which are still concerning me..
1. What could have create a duplicate explorer.exe in c:\windows\installer folder?
2. When i already have one explorer.exe running, why does the another 64bit explorer kicks in for no reason?

Concerning the first point, explorer.exe should normally be located in C:\Windows\explorer.exe, your own screenshot confirms this. Therefore, whatever created explorer.exe in c:\windows\installer was likely not legitimate.

Concerning the second point, IDK. It may be a bug. See here: Has the implementation of the 32-bit Windows Explorer changed in the RC?

Two Explorer.exe running

Assassin

Attachments

My Computer

Secured

My Computer

Assassin

My Computer

Secured

My Computer

Consumer Security

My Computer

Secured

My Computer

Assassin

Attachments

My Computer

Secured

My Computer

Assassin

My Computer

Assassin

My Computer

Secured

My Computer

Assassin

My Computer

Consumer Security

My Computer

Assassin

My Computer

Consumer Security

My Computer

Assassin

My Computer

Assassin

My Computer

White Hat Coder

My Computer

Assassin

My Computer

White Hat Coder

My Computer

Similar threads