Full Version: [Merged] False Positive...explorer.exe?
Kaspersky Lab Forum > English User Forum > Virus-related issues
Baz^^
Hi,

I assume you already have read this thread: http://forum.kaspersky.com/index.php?showtopic=55669


It was unfortunately a false positive.
MrD
QUOTE(Kilauea @ 20.12.2007 09:07) *
If you restore the explorer.exe from the backup, make sure that the directory is -> C:\windows

Customise C: if C: is not your system partition.
Kilauea

Yes I understand that, as I wrote, KIS was successful in restoring the first file to c:\windows

But the second file is not from a directory... it follows an exe-file
explorer.exe\Explorer.EXE

To my knowledge there should not be a file named "Explorer.EXE" with capital letters from a Windows XP install.
I don't understand where this file came from?
Baz^^
Hi, that's fine, no need to restore it.


The explorer.exe\Explorer.exe is the same file as C:\windows\explorer.exe, but it was a running module at the time, which is why Kaspersky has not specified a location. As long as you have restored the one in C:\Windows, you should be fine.
Cnon
QUOTE(MAPKOBKA^^ @ 20.12.2007 02:13) *
Hi,

I assume you already have read this thread: http://forum.kaspersky.com/index.php?showtopic=55669
It was unfortunately a false positive.


Oh yes and I'm okey dokey now.
GAtkinson


I currently have a system running as I copied another explorer.exe to the C:\windows directory on my damaged system
Needless to say I want the original back.

Unfortunately Kaspersky/Backup/Restore does not complete the restore and gives me an access denied message for the file when I do try to restore it.

Please confirm this is going to be fixed with the imminent fix or how I can get hold of that original explorer.exe/get kaspersky to release it by other means....
Baz^^
Hi,


I think that is because windows will not allow you to replace the explorer.exe already in place there on top of another explorer.exe.

You can try to rename the explorer.exe in place now, or move it to another location and then use the method I described to get the original back in place.

Baz^^
Animated FAQ of my fix, now available on Kaspersky Website:

http://support.kaspersky.com/viruses/computers?qid=208279581
win32
QUOTE(GAtkinson @ 20.12.2007 12:59) *
I currently have a system running as I copied another explorer.exe to the C:\windows directory on my damaged system
Needless to say I want the original back.

Unfortunately Kaspersky/Backup/Restore does not complete the restore and gives me an access denied message for the file when I do try to restore it.

Please confirm this is going to be fixed with the imminent fix or how I can get hold of that original explorer.exe/get kaspersky to release it by other means....


Hi!

Had the same problem. See the post #147 and download the explorer.exe from there. Now the system is up and running again with toolbars and everything.
win32
QUOTE(win32 @ 20.12.2007 11:39) *
Just send a PN with my address...thanks hope it works!


Thanks for your help! I solved the problem.
rjbsec
Well I'm glad everyone is happy that everything has been fixed
Last night my laptop reported the Worm32.Huxxx infection with a popup warning me that my PC was infected and prompting me to delete ... it then went on to delete my desktop and corrupt my Acronis Backups on the laptop and associated external USB drive.
My laptop was unusable and I was unable to restore my backup!
By good fortune I had upgraded my drive a few days ago so I had a 'backup', albeit a few days old, so I am able to continue - without the old drive I would be stuffed.
These events could have been disastrous for me and I would like to know what I can do in order to prevent something like this happening again - I bought and trusted Kaspersky to protect my PC, in fact this week it's probably done more to cause me problems than a virus would have done!
richardhula
Running KIS 7.0.1.321 on XP/SP2 laptop. I had this false positive problem but did NOT delete explorer.exe as KIS wanted me to, guessing that it was a false positive. Consequently my desktop & taskbar are intact. I have updated KIS twice since then & re-booted but I still get the threat warning. To remove this "Worm.Win32.Huhk.c in module explorer.exe" threat should I select "delete" or "add to trusted zone" (or something else?)

Also getting an update issue. Updater initially runs ok & after downloading, local files are updated, but the updater window stays open and shows less than 100% complete (it's happened three times now with progress frozen between 23% & 94%). Consequently the update window remains open, the tray icon shows the updater still running & stop does not work - it displays stopping but then hangs. I have to exit Kaspersky & re-enable at which point it usually shows the latest update time stamp. I reported this in the 7.0.1.321 bug thread but wonder if anyone else is getting this.

Richard
Baz^^
QUOTE(rjbsec @ 20.12.2007 14:02) *
Well I'm glad everyone is happy that everything has been fixed
Last night my laptop reported the Worm32.Huxxx infection with a popup warning me that my PC was infected and prompting me to delete ... it then went on to delete my desktop and corrupt my Acronis Backups on the laptop and associated external USB drive.
My laptop was unusable and I was unable to restore my backup!
By good fortune I had upgraded my drive a few days ago so I had a 'backup', albeit a few days old, so I am able to continue - without the old drive I would be stuffed.
These events could have been disastrous for me and I would like to know what I can do in order to prevent something like this happening again - I bought and trusted Kaspersky to protect my PC, in fact this week it's probably done more to cause me problems than a virus would have done!



Kaspersky makes a backup of the deleted file.

The fix to get your computer running again takes about 30 seconds to do.

http://support.kaspersky.com/viruses/computers?qid=208279581
Baz^^
Discard the threats from your detected list, and it will no longer flag those files.
Autumn Breeze
QUOTE(rjbsec @ 20.12.2007 09:02) *
Well I'm glad everyone is happy that everything has been fixed
Last night my laptop reported the Worm32.Huxxx infection with a popup warning me that my PC was infected and prompting me to delete ... it then went on to delete my desktop and corrupt my Acronis Backups on the laptop and associated external USB drive.
My laptop was unusable and I was unable to restore my backup!
By good fortune I had upgraded my drive a few days ago so I had a 'backup', albeit a few days old, so I am able to continue - without the old drive I would be stuffed.
These events could have been disastrous for me and I would like to know what I can do in order to prevent something like this happening again - I bought and trusted Kaspersky to protect my PC, in fact this week it's probably done more to cause me problems than a virus would have done!

well it's not a good idea to have the bkup you're depending on to save your azz connected to your computer... except when doin' bkups/restores/etc of course...

i have several ext HDD's and i only connect with the one that holds my bkup when saving or restoring, otherwise it's disconnected and turned off - no way anything can get to it...

a true bkup/recovery system must be totally isolated and secure from the 'puters its protecting...

even my externals that i use for other purposes i only connect when needed... i want as little exposure as possible...

QUOTE(rjbsec @ 20.12.2007 09:02) *
... These events could have been disastrous for me and I would like to know what I can do in order to prevent something like this happening again - I bought and trusted Kaspersky to protect my PC, in fact this week it's probably done more to cause me problems than a virus would have done!

Kas did nothin' to harm you... you messed up (just like all of us) so take responsibility and learn from your experiences....

always assume that anything can cause you problems - HDD crash, viruses, physical destruction of your bkup, program malfunction, OS screwin' up... anything can mess up your data so always CYA...
rjbsec
QUOTE(Autumn Breeze @ 20.12.2007 15:13) *
Kas did nothin' to harm you... you messed up (just like all of us) so take responsibility and learn from your experiences....


That's complete nonsense - I had no way of learning about the above 'fix' until I was able to get back onto the Internet and access this thread, before that happened my hdd was wiped.
I didn't create the false positive, KIS did - you buy such software to protect you from system problems not to create them.
I didn't mess up KIS messed up, I'm just left to clear up the mess!

Maybe I should have my backups in the safe but for my general use pc I don't judge that to be necessary - if my neglect caused a virus to screw my pc I would accept the blame but that was not the case KIS screwed it and I'm not happy about it.
Autumn Breeze
QUOTE(rjbsec @ 20.12.2007 10:34) *
That's complete nonsense - I had no way of learning about the above 'fix' until I was able to get back onto the Internet and access this thread, before that happened my hdd was wiped.
I didn't create the false positive, KIS did - you buy such software to protect you from system problems not to create them.
I didn't mess up KIS messed up, I'm just left to clear up the mess!

Maybe I should have my backups in the safe but for my general use pc I don't judge that to be necessary - if my neglect caused a virus to screw my pc I would accept the blame but that was not the case KIS screwed it and I'm not happy about it.

lol whatever, blame whoever you want... yeah maybe (prolly) Kas made a mistake... how many things in this world are perfect? please name them, which you can't because nothin' is... fallibility is a part of everything...

gee software messed up! wow now that's a news flash lol

as i said b4, EXPECT ANYTHING/EVERYTHING TO MESS UP... that's the purpose of havin' bkups...

here's a new flash for you - YOU MESSED UP TOO... you should have had a bkup that was totally, in every sense of the word, isolated/protected from harm... act like an adult and accept the fact that you didn't follow that rule...

again, we all mess up, everything messes up... nothin' is perfect... so always assume the worst can happen... then if it does, you are covered...

use this as a learnin' experience instead of actin' like a child and lookin' for somewhere else to blame other than yourself...

you touched the stove and got burned... ok, so don't touch the stove again...

sometimes it takes some pain to learn but those can be the best lessons 'cause you're not likely to forget 'em...

'course you can still blame others for your mistakes but i don't think it's gonna keep you protected in the future either...
crdadmin

Wow.. that was a fun morning.

Come on Kaspersky.. You'd think someone might be testing the pattern files so that windows executables wouldn't get clobbered. Luckily the damage was repairable (this time).

First it was regedit, now explorer.exe. Can we start being a little more cautious in the future?

Ok how about a new policy? No releasing pattern files at 3am, and lay off the vodka please.


RaideR25
I too have the worm.win32.Huhk.c. Every time I start my computer it runs okay for a few minutes then the dreaded red screen comes up from Kaspersky. It says the worm is deleted and my computer restarts, but after a few minutes it does the same thing. It says something about explorer.EXE. I will try and get some screen shots and submit them. Could this be a false positive or something involved with a Kaspersky update? I have the 7.0 suite on 5 computers and hope it doesn't get on them.
Baz^^
QUOTE(crdadmin @ 20.12.2007 17:26) *
Wow.. that was a fun morning.

Come on Kaspersky.. You'd think someone might be testing the pattern files so that windows executables wouldn't get clobbered. Luckily the damage was repairable (this time).

First it was regedit, now explorer.exe. Can we start being a little more cautious in the future?

Ok how about a new policy? No releasing pattern files at 3am, and lay off the vodka please.



Obviously there will be lessons learnt from this episode. Mistakes do happen, albeit very rarely.
death.by.huhk.c.
I still can't use my computer. Kaspersky have been no help at all, not on this thread, nor via email, nor on the phone.

I can start up Windows XP Home Edition SP2, but then I can't get any further. When I try to start up Kaspersky Antivirus Version 6 from Windows Task Manager, I get this error message: "The application failed to initialize properly (0xc0000005). Click on OK to terminate the application."

I can open My Computer by double clicking on it but can't do anything with it: I can copy a file but not paste it to a target location. None of the programs that should load automatically on startup are doing so. There is no Start Menu or Task Bar.

I'm at a loss as to what to do next.
Baz^^
Do you have a windows xp install cd?

You can try to run a "repair install" that will replace missing/corrupted windows files. It should leave your documents and everything else intact.

http://www.microsoft.com/windowsxp/using/h...ips/doug92.mspx


Make sure to perform a windows update after completing the procedure.
death.by.huhk.c.
QUOTE(MAPKOBKA^^ @ 20.12.2007 17:53) *
Do you have a windows xp install cd?

You can try to run a "repair install" that will replace missing/corrupted windows files. It should leave your documents and everything else intact.

http://www.microsoft.com/windowsxp/using/h...ips/doug92.mspx
Make sure to perform a windows update after completing the procedure.


I've got an OEM machine and Kaspersky came bundled with it, but unfortunately no Windows disks.
zapofrog
Hi all,

Just a couple of questions if I may, to confirm my understanding of the solution:
forgive me if I have missed the answers in the thread, there is much I didn't understand.

-My KAV was set to delete if disinfection failed so deleted explorer and my desktop has vanished: I will restore files (C:\windows\explorer.EXE) as advised in this forum
The following deleted items are also showing:
C:\windows\system32\dllcache\explorer.exe and
explorer.exe\Explorer.EXE

Should I restore these as well?

-when clicking restore, the "please specify file name to restore" window opens.
Am I right in assuming I can just click on SAVE without having to alter name or file type?

-I feel like removing the "delete if disinfection fails" setting... this ok?

Many thanks,
Z

Lucian Bara
windows xp pro/home sp2 english? if so i can send you my explorer.exe (in a zip archive), it should work (not that you have anything to lose), just unpack it in c:\windows.

the file>new task>browse dialog in task manager should allow you basic copy/paste actions.
or you could try to download and install this patch: http://www.microsoft.com/downloads/details...FE-0707F2A0534B i think it's the most up-to-date explorer.exe

zapofrog,
yes restore both, you only need to click restore and ok, kav should select the original file path by default

QUOTE
-I feel like removing the "delete if disinfection fails" setting... this ok?

not a good idea, most malware today are not file infectors, but trojans, backdoors or other standalone malware, which can't be disinfected only deleted. instead you could set it to prompt for action for file anti-virus, that way you are asked what to do.
skivb
QUOTE(death.by.huhk.c. @ 20.12.2007 10:24) *
I've got an OEM machine and Kaspersky came bundled with it, but unfortunately no Windows disks.

back in the old days you could bootup to dos from floppy. then copy files. but explorer.exe is about 1MB. and you need to steal a copy of explorer.exe from another xp.

i think there's such a thing as booting from usb gizmos.

else, a linux livecd can boot then you can copy (explorer.exe from an otherwise empty floppy). but you'd need to burn the livecd if don't have one yet. and still need to saunter next door to borrow half a cup of explorer.exe from your friendly neighbor.

anyway, i am now waiting for another xp computer to restart after (yep) kis finishes the "special disinfection".

i wish i'd been slightly more skeptical since i've never had viruses (nok on wud)
_______________
some trivia, while whiling away some time in this meanwhile...
"death.by.huhk.c" reminds me of:
http://www.google.com/search?q=huks+rop+philippines
and
"hokkkk, pt'thuiey"
zapofrog
QUOTE(Lucian Bara @ 20.12.2007 18:36) *
zapofrog,
yes restore both, you only need to click restore and ok, kav should select the original file path by default
not a good idea, most malware today are not file infectors, but trojans, backdoors or other standalone malware, which can't be disinfected only deleted. instead you could set it to prompt for action for file anti-virus, that way you are asked what to do.


Lucian, thks for reply
I restored the first item, then started to restore the C:\windows\system32\dllcache\explorer.exe item but was told it already exists, replace it yes or no?

You replied so quickly that I didn't realise you actually were also talking to me... so I was waiting patiently for an answer, while it was there in front of me for ages... sigh





Lucian Bara
no, windows has a thing called system file protection that will try to recover microsoft files once they are deleted, in your case it seems windows restored it on its own. do a reboot, is everything back to normal?
zapofrog
QUOTE(Lucian Bara @ 20.12.2007 18:58) *
no, windows has a thing called system file protection that will try to recover microsoft files once they are deleted, in your case it seems windows restored it on its own. do a reboot, is everything back to normal?


Yes! Beautiful! It does indeed all look normal.

Very educational, these false positives...

So tell me, when I try to restore the last item in my list of 3 backup items, explorer.exe\Explorer.EXE, the following message appears: file path does not exist, please verify the correct path was given.

Should I just ignore this, now that the 1st restore was successful?
Lucian Bara
no, i think that's different, explorer.exe\explorer.exe is not a file path, it's a "memory path" (in this case it means the explorer.exe module under explorer.exe). since that's not a file path, it can't be restored (but the image for that process is c:\windows\explorer.exe which should already be restored) - everything back to normal.
zapofrog
QUOTE(Lucian Bara @ 20.12.2007 19:48) *
no, i think that's different, explorer.exe\explorer.exe is not a file path, it's a "memory path" (in this case it means the explorer.exe module under explorer.exe). since that's not a file path, it can't be restored (but the image for that process is c:\windows\explorer.exe which should already be restored) - everything back to normal.


Yes, all back to normal.

Many many thanks to all who contributed to this thread.


(so where did this worm name appear from if not a true virus attack?)
sammyiii
QUOTE(MAPKOBKA^^ @ 19.12.2007 15:31) *
1. Check if explorer.exe is present in c:\windows

2. The update will stop the file being detected in future, you should restore those "deleted" files from the backup tab of the kaspersky interface

3. It will update as per automatic schedule, but you can peform a manual update now.


Thanks for your help and patience. I did what you said (except restoring deleted files) and I'm up and running now.

One more question (well, 2 more actually):
Regarding the instruction to "restore those deleted files from the backup tab": what happens if I don't do that...seems like my computer is working now and I am reluctant to mess with it further. What exactly would I be restoring, since explorer.exe seems to be not deleted, even though it is in my BackUp tab as
Object: "explorer.exe\EXPLORER>EXE"
Lucian Bara
they added a signature that also detected the bits of code from explorer too (by mistake)
lalo
It is incredible...

How can it be possible that one of the best Antivirus products has made this big error!


Are you conscious of the people who have been forced to delete explorer.exe and convert their Operating System to an unbootable operating system?

Oh my god...
Lucian Bara
1)ok, how exactly is a system unbootable if you delete explorer.exe? it still boots and it still works (most of your applications still run).
2)it's human to make mistakes, these don't happen on a regular basis.
dawgg
QUOTE(lalo @ 20.12.2007 20:34) *
Are you conscious of the people who have been forced to delete explorer.exe and convert their Operating System to an unbootable operating system?

Yes. False-positives are an unfortunate event for all antiviruses and all antiviruses have them. Kaspersky has very few false positives compared to many others and this time, it was unlucky explorer.exe was detected
topov
Did as recommended with update & Detected Tab.
Have also run a full system scan with Zero found.

Excellent forum & super fast response
lalo
QUOTE(Lucian Bara @ 20.12.2007 21:36) *
2)it's human to make mistakes, these don't happen on a regular basis.


Maybe... if the update files had been tested correctly... before sending them to the world... i think it could have been avoided...
death.by.huhk.c.
QUOTE(Lucian Bara @ 20.12.2007 18:36) *
windows xp pro/home sp2 english? if so i can send you my explorer.exe (in a zip archive), it should work (not that you have anything to lose), just unpack it in c:\windows.

the file>new task>browse dialog in task manager should allow you basic copy/paste actions.
or you could try to download and install this patch: http://www.microsoft.com/downloads/details...FE-0707F2A0534B i think it's the most up-to-date explorer.exe


Thanks for your help Lucian, but neither method works. I'd already tried the second: Task Manager was able to open the patch, but it failed to install.

I tried the first method and got an error message during boot up, too briefly to note down what it said. It was something about explorer.exe referencing something incorrectly. Now my computer won't do anything. Not even Windows is starting up!

Baz^^
I agree.


As I said, lessons will be learned from this so KL can stop this happening in the future.


Other security vendors have suffered similar problems, it happens to the best of them (Symantec, Avira etc)
Don Pelotas
QUOTE(lalo @ 20.12.2007 21:54) *
Maybe... if the update files had been tested correctly... before sending them to the world... i think it could have been avoided...

In a perfect ..............yes everything can be avoided. In the real world where we live in............mistakes are made, it's called being human.

It happens to all anti-viruses at some..........as annoying as these are especially like this one, it does happen more than once a year. It doesn't mean that all FP's will be seen by all users, i'm online most of the time and haven't seen any problems/been hit.
Lucian Bara
what's the error you get when trying to install that patch and the exact error you get when booting up with a manual placing of explorer.exe
JohnGA
QUOTE(dawgg @ 20.12.2007 15:39) *
Yes. False-positives are an unfortunate event for all antiviruses and all antiviruses have them. Kaspersky has very few false positives compared to many others and this time, it was unlucky explore.exe was detected


I see that someone posted Zone Labs had the exact same false positive and pointed to Kaspersky for an explanation. I think we don't know everything about this!

http://www.pheistyblog.com/

-- John
Baz^^


@huhk

I will try to grab a copy of english explorer.exe for you from one of my xp home sp2 machines, is that what you are running...or pro?
death.by.huhk.c.
QUOTE(Lucian Bara @ 20.12.2007 21:02) *
what's the error you get when trying to install that patch and the exact error you get when booting up with a manual placing of explorer.exe


When I try to install the patch, it loads and gets stuck at the first step: "Updating Your System, Please wait while setup inspects your current configuration and updates your files, Inspecting your current configuration, Details, Inspecting:" (all on the same window).

The error message when booting with a manual placement of explorer.exe: "The procedure entry point SHCreateThreadRef could not be located in the dynamic link library SHLWAP.dll".
death.by.huhk.c.
QUOTE(MAPKOBKA^^ @ 20.12.2007 21:10) *
@huhk

I will try to grab a copy of english explorer.exe for you from one of my xp home sp2 machines, is that what you are running...or pro?


Yup, it's xp home sp2...thanks!
Baz^^
Check your PM inbox, sent.
skivb
QUOTE(skivb @ 20.12.2007 10:40) *
back in the old days you could bootup to dos from floppy. then copy files. but explorer.exe is about 1MB. and you need to steal a copy of explorer.exe from another xp.

i think there such thing as booting from usb gizmos.

else, a linux livecd can boot then you can copy (explorer.exe from an otherwise empty floppy). but you'd need to burn the livecd if don't have one yet. and still need to saunter next door to borrow half a cup of explorer.exe from your friendly neighbor.

anyway, i am now waiting for another xp computer to restart after (yep) kis finishes the "special disinfection".

i wish i'd been slightly more skeptical since i've never had viruses (nok on wud)
_______________
some trivia, while whiling away some time in this meanwhile...
"death.by.huhk.c" reminds me of:
http://www.google.com/search?q=huks+rop+philippines
and
"hokkkk, pt'thuiey"


hmm, epilogue: the computer restarted normally. explorer.exe wasn't consumed by the quarantine qurew.
skivb
QUOTE(lalo @ 20.12.2007 12:54) *
Maybe... if the update files were been tested correctly... before sending them to the world... i think it could have been avoided...

there'd be a lot more posts here if this were more common. possibly K replaced bad defs before most K users had received them (I'm guessing as to contributing reasons).

too many factors.
personal choices in K options.
obviously, other config and install on the computer (which version of windows xp, an app installed some dlls etc in system folders, etc)


the found label, "explorer.exe\explorer.exe" looked both suspiciously false and suspiciously awry:
Win doesn't have an "explorer.exe" folder.
The alert label lacks a "root". IIRC, when mouse clicks the label in K alerts, it selects a full path (i know that during app installs, mouse click selects full reg path)

IOW, both a true pos, and a false pos will look screwy :-)

when i get a false pos, i try to scan with at least one other product of same type.

it's interesting that a specific scan product tends to recurrently produce the same false positives. (as it seems, from googling previous false pos, for various scanners.)
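An added example, not code from the thread, Kaspersky or Microsoft, that turns Lucian Bara's point about the "memory path" and skivb's habit of double-checking a suspected false positive into a defender's triage script: it resolves the running explorer.exe process to the file it was actually loaded from, then checks that file's Authenticode signature and compares its hash with the Windows File Protection copy in system32\dllcache (the location on Windows XP, as in this thread). It assumes Windows PowerShell 4.0 or later for Get-FileHash and that $env:SystemRoot is the Windows directory.

```powershell
# Added example; not from the thread or from Kaspersky. Triage an alert naming
# "explorer.exe\Explorer.EXE" before deleting anything: that label is a module inside a
# running process, not a folder, so first find the on-disk file behind it, then verify
# that file's signature and compare it with the dllcache copy Windows keeps on XP.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) and $env:SystemRoot = Windows directory.

function Get-ExplorerImageInfo {
    # One object per running explorer.exe: the file behind the in-memory module and
    # whether it is the expected %SystemRoot%\explorer.exe.
    $expected = Join-Path $env:SystemRoot 'explorer.exe'
    Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
        $image = $_.MainModule.FileName
        [pscustomobject]@{
            ProcessId    = $_.Id
            ImagePath    = $image
            ExpectedPath = ($image -ieq $expected)   # $false: explorer loaded from an unexpected place
        }
    }
}

function Test-SystemBinary {
    # Integrity checks for the file an alert ultimately points at.
    param(
        [string]$Path      = (Join-Path $env:SystemRoot 'explorer.exe'),
        [string]$CachePath = (Join-Path $env:SystemRoot 'system32\dllcache\explorer.exe')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # Already removed: the remedy discussed in the thread is to restore it from the
        # antivirus backup, or let Windows File Protection put the dllcache copy back.
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Microsoft system files are often signed through a security catalog rather than an
    # embedded signature, so 'NotSigned' alone is not proof of tampering; 'HashMismatch'
    # or a non-Microsoft signer is. The dllcache comparison is the more decisive check here.
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    $matchesCache = 'no dllcache copy'
    if (Test-Path -LiteralPath $CachePath) {
        $cacheHash    = (Get-FileHash -LiteralPath $CachePath -Algorithm SHA256).Hash
        $matchesCache = ($hash -eq $cacheHash)
    }

    [pscustomobject]@{
        Path            = $Path
        Present         = $true
        SignatureStatus = $sig.Status
        Signer          = $signer
        Sha256          = $hash
        MatchesDllcache = $matchesCache
    }
}

Get-ExplorerImageInfo | Format-Table -AutoSize
Test-SystemBinary     | Format-List
```

If the image path is the expected one, the signer is Microsoft and the hash matches the dllcache copy, the detection is very likely a false positive and the file should be kept while the vendor is asked for an updated signature; a hash mismatch or an unexpected image path is the case that deserves the quarantine.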
JohnGA
QUOTE(skivb @ 20.12.2007 18:55) *
the found label, "explorer.exe\explorer.exe" looked both suspiciously false and suspiciously awry:
Win doesn't have an "explorer.exe" folder.


I thought it was referring to the in-memory version that was running...

-- John
Baz^^
That's correct.