Help - Search - Members
Full Version: [Merged] False Positive...explorer.exe?
Kaspersky Lab Forum > English User Forum > Virus-related issues
Pages: 1, 2, 3, 4, 5
Guru63
Please read this: http://support.kaspersky.com/viruses/computers?qid=208279581 on recovering from this false positive.
silentuser
QUOTE(Guru63 @ 19.12.2007 21:40) *
Update database =>




..... same problem....

cant find any support in the internet
Lucian Bara
send it for analysis: http://forum.kaspersky.com/index.php?showtopic=13881
Malucarp
Hi,

Running KIS 7.0.0.125. I just turned on my wife's PC and the automatic start-up scan produced a red popup saying that explorer.exe is infected with Worm.Win32.Huhk.c.

I did a full, routine scan on this PC yesterday and KIS said all was okay - and no Internet or email access since then.

I then did a manual startup scan on my PC, which was scanned yesterday and on all day, today, and I get the same error.

Has anyone seen this, today? Our PCs are not networked together and have not traded data in ages. I can only think that it's a false positive.

Dataase release date= 12/19/2007 19:57:55 (GMT)

Deleting through Kaspersky does not stop the error on the next scan.

Thanks,

Mike
ichtyp
hey guys

i got the same message, but on c:\windows\explorer.exe
my main computer sais nothing, but here on the laptop kaspersky alterts !

hope this is not a virus .. deleting explorer.exe caused a 30 minute rescue for this laptop -.- ( my fault )
alanrew
QUOTE(Malucarp @ 19.12.2007 21:08) *
Hi,

Running KIS 7.0.0.125. I just turned on my wife's PC and the automatic start-up scan produced a red popup saying that explorer.exe is infected with Worm.Win32.Huhk.c.

I did a full, routine scan on this PC yesterday and KIS said all was okay - and no Internet or email access since then.

I then did a manual startup scan on my PC, which was scanned yesterday and on all day, today, and I get the same error.

Has anyone seen this, today? Our PCs are not networked together and have not traded data in ages. I can only think that it's a false positive.

Dataase release date= 12/19/2007 19:57:55 (GMT)

Deleting through Kaspersky does not stop the error on the next scan.

Thanks,

Mike


Yes, I've just had the same issue when turning on my PC.

detected: virus Worm.Win32.Huhk.c Running module: explorer.exe\Explorer.EXE

Product version 6.0.2.614, signatures published 19/12/2007 19:57:55

I've tried allowing Kaspersky to remove the infection, but when Windows restarts I get the same problem.

Is this a false positive???????????????

TIA

Alan (UK, Win XP SP2)
__d_mode__
i have same warning also i thought its false positive, are all explorer.exe s md5 hash same?if its ,my explorer.exe s md5 hash is: 16c9974928b0159bb2c4c4041426a49b
deadlock32
I dunno man, 51 guests (edit: and rising) are reading this topic, I have the same problem, we all have problems on the same day....

I hope its a false positive. unsure.gif

Win XP, chicago, IL
Kaspersky 6.0.0.308
moonshine
I was trying to enter a web site and all of a sudden I received the "screech" and the following in a box

Running module contains virus and cannot be disinfected.

Virus:
Worm.Win32.Huhkc.

Running module
explorer.exe\Explorer.EXE

Delete

Skip

Apply to all

I AM TOTALLY FREAKED BY THESE TYPE OF MESSAGES AND DON'T KNOW WHAT TO DO. THE OTHER DAY I DENIED ONE AND IT HAD TO DO WITH THE DLL FILE AND MESSED UP MY COMPUTER. SO JUST DON'T KNOW WHAT TO TRUST AND WHAT NOT TO TRUST, OR WHAT TO DENY, SKIP OR ALLOW. THIS ONE IF I SKIP IT JUST KEEPS COMING UP.

SOMEONE PLEASE HELP.
ichtyp
hope so too
i'm from germany, but i think this little thing doesn't matter where we're from biggrin.gif
alanrew
QUOTE(__d_mode__ @ 19.12.2007 21:29) *
i have same warning also i thought its false positive, are all explorer.exe s md5 hash same?if its ,my explorer.exe s md5 hash is: 16c9974928b0159bb2c4c4041426a49b


What's the easiest way to get this? Is there a built-in MD5 hash program in Windows, or Kaspersky? If not, where do I get the utility?

TIA

Alan
Baz^^
Hi guys,

Will raise this with viruslab as a matter of urgency.... it would help if someone could grab a copy of explorer.exe, and send it to newvirus@kaspersky.com with "false positive" in the title.

Try to update, because my defs are not flagging.
wtom
I am getting the same thing on a brand-new dell laptop I took out of the box literally 45 minutes or so ago. I installed Office 2007, MS streets and trips 07, and connected to my encrypted wireless network. I installed Kaspersky for workstations 6.x, ran the updates, and then worm.win32.huhk.c was detected when I tried opening the browser for the first time (to msn.com).

This is almost certainly a false positive.
commanderjbond
got the same problem. i sent the file for analysis and it said "you are clean".

so does my kaspersky see a ghost?? mad.gif
Baz^^
Update now, the detection has been fixed.


Restore it from the kaspersky "backup" tab.
alanrew
QUOTE(MAPKOBKA^^ @ 19.12.2007 21:37) *
Hi guys,

Will raise this with viruslab as a matter of urgency.... it would help if someone could grab a copy of explorer.exe, and send it to newvirus@kaspersky.com with "false positive" in the title.

Try to update, because my defs are not flagging.


I've just emailed a winzip file containing explorer.exe to you...

looking forward to your reply!!!!!

Alan
Computer Redicare
Same thing on a newly formatted and installed XP machine. It has to be a false positive. I am sending the explorer.exe file in now.
Fator Brasil
And now? I delete..... unsure.gif

New Exloprer.exe in what folder??? dash1.gif dash1.gif
Heathcliff Huxtable
I got hit with it too. Following Kaspersky's orders to restart (I wasn't paying close attention and thought it said the virus was in Internet Explorer, which I don't use), I now don't have Explorer running. I'm still trying to figure out how to get that back. If anybody knows how to do that quickly, I'd appreciate a pointer.

Thanks
Baz^^
Its a false positive. Roll back the databases until it is fixed.


QUOTE
Hello, it is a false alarm. Will be fixed in the next update.


--
Best regards, Shvetsov Dmitry
Virus analyst, Kaspersky Lab.

e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/
Baz^^
Word back from viruslab:

QUOTE
Hello, it is a false alarm. Will be fixed in the next update.


--
Best regards, Shvetsov Dmitry
Virus analyst, Kaspersky Lab.

e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/



__d_mode__
QUOTE(alanrew @ 20.12.2007 01:35) *
What's the easiest way to get this? Is there a built-in MD5 hash program in Windows, or Kaspersky? If not, where do I get the utility?

TIA

Alan


u can send explorer.exe to virustotal.com for scan,also it says md5 and sh1 hash like that:
http://www.virustotal.com/tr/resultado.htm...28c590feeea87bb

just kaspersky says infected worm
Baz^^
If you still have use of the pc, you can restore the explorer.exe from the Kaspersky backup:

http://support.kaspersky.com/faq/?qid=198984858 -Version 6

http://support.kaspersky.com/faq/?qid=208279413 - Version 7

GAtkinson
QUOTE(__d_mode__ @ 19.12.2007 21:48) *
u can send explorer.exe to virustotal.com for scan,also it says md5 and sh1 hash like that:
http://www.virustotal.com/tr/resultado.htm...28c590feeea87bb

just kaspersky says infected worm



===========================================================================

1st post here so apologies if I get the format, appropriacy wrong, etc.

After commiting the Kaspersky delete action against the explorer.exe, I get a blank desktop

Here's how I recovered:

From a blank desktop
Bring up task manager
Select file and run
CMD to the dos prompt
with a usb drive with a good copy of explorer from another machine plugged in
use DOS commands to copy to C:\Windows where it should live
Got my PC back
Will now need to disable Kaspersky until this is fixed

Any timescale on 'the next release' from Kaspersky - this is pretty much a show stopper.




alanrew
QUOTE(__d_mode__ @ 19.12.2007 21:48) *
u can send explorer.exe to virustotal.com for scan,also it says md5 and sh1 hash like that:
http://www.virustotal.com/tr/resultado.htm...28c590feeea87bb

just kaspersky says infected worm



OK, my copy of explorer.exe has the MD5 hash
97bd6515465659ff8f3b7be375b2ea87

Win XP SP2, C:\windows\explorer.exe

Regards

Alan
Anthony1uk
QUOTE(Heathcliff Huxtable @ 19.12.2007 21:45) *
I now don't have Explorer running. I'm still trying to figure out how to get that back. If anybody knows how to do that quickly, I'd appreciate a pointer.

Just hold down Control + Alt + Deleate. (This should bring up task manager)

Go to File in the top left then click run.

Type in Explorer.exe

Then click OK.

_______________

I was using the internet all day without worries, turned my PC off for about an hour at 8.45pm. Came back now at 9.45 and got this trojan warning on Explorer.exe too.

I immediately assumed it was a FP but came here to be sure.
bbk7
Hello,

I'm having the same problem as Malucarp. The Kaspersky error message shows up on the start up screen. Delete/skip does not work and the computer boots again automatically. Can you please tell me what to do?

Thank you,
Heathcliff Huxtable
QUOTE(MAPKOBKA^^ @ 19.12.2007 13:55) *
If you still have use of the pc, you can restore the explorer.exe from the Kaspersky backup:

http://support.kaspersky.com/faq/?qid=198984858 -Version 6

http://support.kaspersky.com/faq/?qid=208279413 - Version 7


Thank you
Malucarp
QUOTE(MAPKOBKA^^ @ 19.12.2007 15:47) *
Word back from viruslab:



Thanks very much.

Mike
kaboro
After i ran the Kaspersky update today, i got this popping on my screen:

Running module contains virus and cannot be disinfected
Virus:
Worm.Win32.Huhk.c
Running module:
explorer.exe\Explorer.exe

I selected "delete" and a second warning popped up about same virus, selected delete again, after the second delete the PC restarted by itself.
When windows XP restarted, i had no desktop icons and no bottom taskbar anymore, tried restarting in safe mode and got only a black screen.
I accessed kaspersky from the ctrl-alt-del file menu and restored explorer.exe, that made my PC operative again.
Now the scan shows six instances of this Huhk.c worm, here are the locations:

1: detected: virus Worm.Win32.Huhk.c Running module: explorer.exe\Explorer.EXE

2: detected: virus Worm.Win32.Huhk.c File: C:\WINDOWS\Explorer.EXE

3: detected: virus Worm.Win32.Huhk.c File: C:\System Volume Information\_restore{79B739DD-F9C6-4DE4-9E6F-57736A2DF999}\RP62\A0011393.exe

4: detected: virus Worm.Win32.Huhk.c File: C:\System Volume Information\_restore{79B739DD-F9C6-4DE4-9E6F-57736A2DF999}\RP62\A0011394.exe

5: detected: virus Worm.Win32.Huhk.c File: C:\System Volume Information\_restore{79B739DD-F9C6-4DE4-9E6F-57736A2DF999}\RP62\A0011405.exe

6: detected: virus Worm.Win32.Huhk.c File: C:\windows\system32\dllcache\explorer.exe


Baz^^
Hi, yes, they will carry on to show until the fix is rolled out via the updater. This will be very soon.
Baz^^
If you have no icons/taskbar/menus/etc, you can try to restore explorer as follows:


Open task manager (CTRL+SHIFT+ESC)


click on file- New task (run)

Click to view attachment

In the box that pops up, type in the path to your kaspersky installation and avp.exe,

Click to view attachment

so for example, mine is located at

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

Replace the \Kaspersky Anti-Virus 7.0\ with whatever version you are runnning, so for example, it could be
\Kaspersky Anti-Virus 6.0\
\Kaspersky Internet Security 6.0\
\Kaspersky Internet Security 7.0\


Click OK (you will have to repeat this process once more if you have disabled Kaspersky from starting up with Windows, to bring up the Kaspersky interface)


Kaspersky main window should pop open

Now, restore from the Kaspersky "backup" which can be accessed via "reports and data files" tab - backup

Click to view attachment




Explanation of the backup tab:

Version 6- http://support.kaspersky.com/faq/?qid=198984858
Version 7- http://support.kaspersky.com/faq/?qid=208279413
Baz^^
If you have lost taskbar/startmenu etc, try this method to get it back from the backup of Kaspersky:

http://forum.kaspersky.com/index.php?showt...st&p=503423
Timodinho
Is this a real or a false virus ?
Baz^^
If it is in C:\WINDOWS\Explorer.EXE,

Then at the moment it is a false alarm. It will be fixed shortly.
Fred
Hi Guys,
Virus Doctors informed about this, it should be solved in the next minutes if false-positive. wink.gif

Bye Fred
Fred
Ok Guys,
Reply from Virus Doctors :
"It is false alarm. It will be fixed as soon as possible. Thank you for your help"

Don't delete the Explorer.exe and do NOT format your system smile.gif

Bye Fred
Baz^^
Fred, you missed the train by about 5 mins laugh.gif


http://forum.kaspersky.com/index.php?showt...st&p=503379
Timodinho
QUOTE(MAPKOBKA^^ @ 19.12.2007 23:35) *
If it is in C:\WINDOWS\Explorer.EXE,

Then at the moment it is a false alarm. It will be fixed shortly.

Yeah its in that map, but it delete's my 'taakbalk'
taakbalk is dutch, I don't know the english word for it sorry...
and my computer is closing down by himself if I don't close my kaspersky virusscanner
Timodinho
The word that I mean is Task beam or something
Baz^^
Follow these instructions: http://forum.kaspersky.com/index.php?showt...st&p=503423

Then reboot, and you should have your explorer.exe and taskbar back.
ahassiotis
QUOTE(MAPKOBKA^^ @ 19.12.2007 22:12) *
If you have no icons/taskbar/menus/etc, you can try to restore explorer as follows:
Open task manager (CTRL+SHIFT+ESC)
click on file- New task (run)

Click to view attachment

In the box that pops up, type in the path to your kaspersky installation and avp.exe,

Click to view attachment

so for example, mine is located at

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

Replace the \Kaspersky Anti-Virus 7.0\ with whatever version you are runnning, so for example, it could be
\Kaspersky Anti-Virus 6.0\
\Kaspersky Internet Security 6.0\
\Kaspersky Internet Security 7.0\


Click OK (you will have to repeat this process once more if you have disabled Kaspersky from starting up with Windows, to bring up the Kaspersky interface)
Kaspersky main window should pop open

Now, restore from the Kaspersky "backup" which can be accessed via "reports and data files" tab - backup

Click to view attachment


Explanation of the backup tab:

Version 6- http://support.kaspersky.com/faq/?qid=198984858
Version 7- http://support.kaspersky.com/faq/?qid=208279413



Hi,

During the above procedure I try to run avp.exe, which has already been running anyway since my computer booted and I don't get the Kaspersky interface!! I am stuck!!
Fred
Hi MAPKOBKA^^,
A train ? where ? wink.gif
Ok, I return to my bed.

Bye Fred
Timodinho
Nothing happens if I press CTRL + ALT + DEL
Even that false virus got that stuck
Whizard
Are you sure you have the right path?
Baz^^
If it is windows vista use CTRL+SHIFT+ESC
Timodinho
its xp, I know the CTRL+ALT+DEL thing but now it wont work :S
lol already spending 2hours on this
Whizard
QUOTE(Timodinho @ 19.12.2007 17:56) *
its xp, I know the CTRL+ALT+DEL thing but now it wont work :S
lol already spending 2hours on this

Its CTRL+SHIFT+ESC
Curb
Thanks, I had this same warning. Nice to here it was a false positive. If there is a way maybe try to get this post googlized, because I was looking for this forever until I thought maybe i should check my virus vendors forums.
Timodinho
QUOTE(Whizard @ 19.12.2007 23:58) *
Its CTRL+SHIFT+ESC

I have windows XP...
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2014 Invision Power Services, Inc.