> [Merged] False Positive...explorer.exe?, Worm.Win32.Huhk.c
sammyiii
post 20.12.2007 23:13
Post #181


Newbie
*

Group: Members
Posts: 9
Joined: 20.12.2007




QUOTE(MAPKOBKA^^ @ 19.12.2007 15:31) *
1. Check if explorer.exe is present in c:\windows

2. The update will stop the file being detected in future; you should restore those "deleted" files from the backup tab of the Kaspersky interface.

3. It will update as per automatic schedule, but you can perform a manual update now.


Thanks for your help and patience. I did what you said (except restoring deleted files) and I'm up and running now.

One more question (well, 2 more actually):
Regarding the instruction to "restore those deleted files from the backup tab": what happens if I don't do that...seems like my computer is working now and I am reluctant to mess with it further. What exactly would I be restoring, since explorer.exe seems to be not deleted, even though it is in my BackUp tab as
Object: "explorer.exe\EXPLORER>EXE"

This post has been edited by sammyiii: 20.12.2007 23:14
Lucian Bara
post 20.12.2007 23:16
Post #182


True legend
***************

Group: Moderators
Posts: 52487
Joined: 28.01.2006
From: Timisoara, Romania




they added a signature that also detected the bits of code from explorer too (by mistake)


--------------------
lalo
post 20.12.2007 23:34
Post #183


Newbie
*

Group: Members
Posts: 3
Joined: 20.12.2007




It is incredible...

How can it be possible that one of the best antiviruses has made this big error!


Are you conscious of the people who have been forced to delete explorer.exe and convert their Operating System to an unbootable operating system?

Oh my god...
Lucian Bara
post 20.12.2007 23:36
Post #184


True legend
***************

Group: Moderators
Posts: 52487
Joined: 28.01.2006
From: Timisoara, Romania




1) ok, how exactly is a system unbootable if you delete explorer.exe? it still boots and it still works (most of your applications still run).
2) it's human to make mistakes, these don't happen on a regular basis.


--------------------
dawgg
post 20.12.2007 23:39
Post #185


Forum Elite
**************

Group: Moderators
Posts: 6828
Joined: 6.04.2006
From: London




QUOTE(lalo @ 20.12.2007 20:34) *
Are you conscious of the people who have been forced to delete explorer.exe and convert their Operating System to an unbootable operating system?

Yes. False-positives are an unfortunate event for all antiviruses and all antiviruses have them. Kaspersky has very few false positives compared to many others and this time, it was unlucky that explorer.exe was detected.
topov
post 20.12.2007 23:46
Post #186


Newbie
*

Group: Members
Posts: 2
Joined: 20.12.2007
From: UK




Did as recommended with update & Detected Tab.
Have also run a full system scan with Zero found.

Excellent forum & super fast response
lalo
post 20.12.2007 23:54
Post #187


Newbie
*

Group: Members
Posts: 3
Joined: 20.12.2007




QUOTE(Lucian Bara @ 20.12.2007 21:36) *
2) it's human to make mistakes, these don't happen on a regular basis.


Maybe... if the update files had been tested correctly... before sending them to the world... I think it could have been avoided...
death.by.huhk.c.
post 20.12.2007 23:59
Post #188


Newbie
*

Group: Members
Posts: 9
Joined: 20.12.2007
From: UK




QUOTE(Lucian Bara @ 20.12.2007 18:36) *
windows xp pro/home sp2 english? if so i can send you my explorer.exe (in a zip archive), it should work (not that you have anything to lose), just unpack it in c:\windows.

[attachment=42704:explorer.zip]
the file>new task>browse dialog in task manager should allow you basic copy/paste actions.
or you could try to download and install this patch: http://www.microsoft.com/downloads/details...FE-0707F2A0534B i think it's the most up-to-date explorer.exe


Thanks for your help Lucian, but neither method works. I'd already tried the second: Task Manager was able to open the patch, but it failed to install.

I tried the first method and got an error message during boot up, too briefly to note down what it said. It was something about explorer.exe referencing something incorrectly. Now my computer won't do anything. Not even Windows is starting up!

Baz^^
post 21.12.2007 00:00
Post #189


Wrestling Champion
**************

Group: Moderators
Posts: 8026
Joined: 9.03.2007
From: London




I agree.


As I said, lessons will be learned from this so KL can stop this happening in the future.


Other security vendors have suffered similar problems, it happens to the best of them (Symantec, Avira etc)


--------------------
Kind Regards,

Baz (Volunteer Moderator aka I don't work for Kaspersky ;) )

Don Pelotas
post 21.12.2007 00:02
Post #190


Global Moderator
***************

Group: Global moderators

Posts: 25601
Joined: 7.04.2005




QUOTE(lalo @ 20.12.2007 21:54) *
Maybe... if the update files had been tested correctly... before sending them to the world... I think it could have been avoided...

In a perfect ..............yes everything can be avoided. In the real world where we live............mistakes are made, it's called being human.

It happens to all anti-viruses at some..........as annoying as these are especially like this one, it does happen more than once a year. It doesn't mean that all FP's will be seen by all users, i'm online most of the time and haven't seen any problems/been hit.


--------------------
Lucian Bara
post 21.12.2007 00:02
Post #191


True legend
***************

Group: Moderators
Posts: 52487
Joined: 28.01.2006
From: Timisoara, Romania




what's the error you get when trying to install that patch and the exact error you get when booting up with a manual placing of explorer.exe


--------------------
JohnGA
post 21.12.2007 00:09
Post #192


Advanced Member
***

Group: Members
Posts: 77
Joined: 4.12.2007




QUOTE(dawgg @ 20.12.2007 15:39) *
Yes. False-positives are an unfortunate event for all antiviruses and all antiviruses have them. Kaspersky has very few false positives compared to many others and this time, it was unlucky that explorer.exe was detected.


I see that someone posted Zone Labs had the exact same false positive and pointed to Kaspersky for an explanation. I think we don't know everything about this!

http://www.pheistyblog.com/

-- John
Baz^^
post 21.12.2007 00:10
Post #193


Wrestling Champion
**************

Group: Moderators
Posts: 8026
Joined: 9.03.2007
From: London






@huhk

I will try to grab a copy of english explorer.exe for you from one of my xp home sp2 machines, is that what you are running...or pro?

This post has been edited by MAPKOBKA^^: 21.12.2007 00:14


death.by.huhk.c.
post 21.12.2007 00:26
Post #194


Newbie
*

Group: Members
Posts: 9
Joined: 20.12.2007
From: UK




QUOTE(Lucian Bara @ 20.12.2007 21:02) *
what's the error you get when trying to install that patch and the exact error you get when booting up with a manual placing of explorer.exe


When I try to install the patch, it loads and gets stuck at the first step: "Updating Your System, Please wait while setup inspects your current configuration and updates your files, Inspecting your current configuration, Details, Inspecting:" (all on the same window).

The error message when booting with a manual placement of explorer.exe: "The procedure entry point SHCreateThreadRef could not be located in the dynamic link library SHLWAP.dll".
death.by.huhk.c.
post 21.12.2007 00:38
Post #195


Newbie
*

Group: Members
Posts: 9
Joined: 20.12.2007
From: UK




QUOTE(MAPKOBKA^^ @ 20.12.2007 21:10) *
@huhk

I will try to grab a copy of english explorer.exe for you from one of my xp home sp2 machines, is that what you are running...or pro?


Yup, it's xp home sp2...thanks!
Baz^^
post 21.12.2007 00:51
Post #196


Wrestling Champion
**************

Group: Moderators
Posts: 8026
Joined: 9.03.2007
From: London




Check your PM inbox, sent.


skivb
post 21.12.2007 02:33
Post #197


Member
**

Group: Members
Posts: 10
Joined: 3.08.2007




QUOTE(skivb @ 20.12.2007 10:40) *
back in the old days you could bootup to dos from floppy. then copy files. but explorer.exe is about 1MB. and you need to steal a copy of explorer.exe from another xp.

i think there's such a thing as booting from usb gizmos.

else, a linux livecd can boot then you can copy (explorer.exe from an otherwise empty floppy). but you'd need to burn the livecd if you don't have one yet. and still need to saunter next door to borrow half a cup of explorer.exe from your friendly neighbor.

anyway, i am now waiting for another xp computer to restart after (yep) kis finishes the "special disinfection".

i wish i'd been slightly more skeptical since i've never had viruses (nok on wud)
_______________
some trivia, while whiling away some time in this meanwhile...
"death.by.huhk.c" reminds me of:
http://www.google.com/search?q=huks+rop+philippines
and
"hokkkk, pt'thuiey"


hmm, epilogue: the computer restarted normally. explorer.exe wasn't consumed by the quarantine qurew.


--------------------
gleep, gleep. bzz, bzz.
skivb
post 21.12.2007 02:55
Post #198


Member
**

Group: Members
Posts: 10
Joined: 3.08.2007




QUOTE(lalo @ 20.12.2007 12:54) *
Maybe... if the update files had been tested correctly... before sending them to the world... I think it could have been avoided...

there'd be a lot more posts here if this were more common. possibly K replaced bad defs before most K users had received them (I'm guessing as to contributing reasons).

too many factors.
personal choices in K options.
obviously, other config and install on the computer (which version of windows xp, an app installed some dlls etc in system folders, etc)


the found label, "explorer.exe\explorer.exe" looked both suspiciously false and suspiciously awry:
Win doesn't have an "explorer.exe" folder.
The alert label lacks a "root". IIRC, when mouse clicks the label in K alerts, it selects a full path (i know that during app installs, mouse click selects full reg path)

IOW, both a true pos, and a false pos will look screwy :-)

when i get a false pos, i try to scan with at least one other product of same type.

it's interesting that a specific scan product tends to recurrently produce the same false positives. (as it seems, from googling previous false pos, for various scanners.)


--------------------
gleep, gleep. bzz, bzz.
JohnGA
post 21.12.2007 03:33
Post #199


Advanced Member
***

Group: Members
Posts: 77
Joined: 4.12.2007




QUOTE(skivb @ 20.12.2007 18:55) *
the found label, "explorer.exe\explorer.exe" looked both suspiciously false and suspiciously awry:
Win doesn't have an "explorer.exe" folder.


I thought it was referring to the in-memory version that was running...

-- John
Baz^^
post 21.12.2007 04:04
Post #200


Wrestling Champion
**************

Group: Moderators
Posts: 8026
Joined: 9.03.2007
From: London




That's correct.

