ow7iee

OA in 64-bit Win8 Pro --- false C:\Windows\System32\explorer.exe detection!


Why does Online Armor re-add these entries after every Windows startup???

 

l1iv.png

 

Also in autoruns section it detects:

 

explorer.exe, 0.0.0.0, (0.0.0.0)
C:\Windows\System32\explorer.exe
Hash(MD5): 219E677B3CC4BDE37251CD3F6FA2702A
 
 
There is no explorer.exe in system32. If I understand correctly from what I've read on several tech forums, 64-bit Windows automatically redirects a call from a 32-bit binary for explorer.exe at the C:\Windows\System32\ location to C:\Windows\sysWOW64\Explorer.exe, since that is the 32-bit version and the 64-bit version of Explorer.exe is in C:\windows\

The reason I'm posting this is because I spent almost a whole day with several security apps and inspecting HijackThis logs over and over again like a maniac, trying to figure out if my computer had been infected with malware... I can't understand why Online Armor doesn't recognise the correct path, it would've saved me from a lot of headache...

Yes... But why doesn't OA detect the real path instead of /system32... It's well known that many trojans place a false explorer.exe in system32. If I didn't know that I wouldn't have spent a whole day inspecting my computer's files and registry entries...


32-bit applications can't see the contents of C:\Windows\System32, and are instead shown the contents of C:\Windows\SysWOW64.


Would it be possible for you to upload that copy of explorer.exe to VirusTotal, and post the link to the analysis?

 

I would be happy to do that, the only problem is that it doesn't exist :) No explorer.exe in system32 at all, no autostart entries in the registry point to that either! But if I delete the entry in OA... Online Armor adds the system32/explorer.exe entry again after reboot... I think this is not a virus or anything, maybe OA just registers the explorer.exe in 64-bit Windows wrongly?


Try the copy that's in SysWOW64. I think that's what OA is seeing as being in System32, as that's how WoW64 works.


Just an FYI, I have been helping another user who has been having issues with OA showing incorrect information for files in C:\Windows\System32, and I posted some screenshots showing why. Online Armor's GUI is redirected to C:\Windows\SysWOW64 when it attempts to read C:\Windows\System32, and it cannot actually see the contents of C:\Windows\System32.

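The WoW64 redirection described in the replies above, as an added example that is not part of the original thread and not Online Armor's code: a Python helper that maps a path reported by a 32-bit tool on 64-bit Windows to the on-disk file that should actually be inspected or hashed. The function names, the `windir` default and the sample entries are assumptions made for illustration.

```python
import ntpath  # Windows path semantics on any OS, so this runs offline

# System32 subdirectories that Microsoft documents as exempt from redirection.
EXEMPT = ("catroot", "catroot2", "driverstore", "drivers\\etc", "logfiles", "spool")


def physical_path(reported, windir=r"C:\Windows", tool_is_32bit=True):
    """Return the on-disk path behind a path reported by a (32-bit) tool."""
    path = ntpath.normpath(reported)
    if not tool_is_32bit:
        return path  # 64-bit processes see the file system unredirected
    win = ntpath.normpath(windir)
    sys32 = ntpath.join(win, "System32")
    native = ntpath.join(win, "Sysnative")
    low = path.lower()

    def under(base):
        base = base.lower()
        return low == base or low.startswith(base + "\\")

    if under(native):  # Sysnative is the 32-bit alias for the real System32
        return sys32 + path[len(native):]
    if under(sys32):
        rest = path[len(sys32):]
        rel = rest.lstrip("\\").lower()
        if any(rel == e or rel.startswith(e + "\\") for e in EXEMPT):
            return path
        return ntpath.join(win, "SysWOW64") + rest
    return path


def triage(entries, **kw):
    """Pair each reported path with the file an analyst should actually hash."""
    return [(p, physical_path(p, **kw)) for p in entries]


# Constructed sample: the first entry is the one quoted in the thread.
SAMPLE = [
    r"C:\Windows\System32\explorer.exe",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\Sysnative\cmd.exe",
    r"C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for reported, actual in triage(SAMPLE):
        print(f"{reported}  ->  {actual}")
```

Hashing the resolved file from a 64-bit process and comparing it with the hash the tool reports shows whether the entry is the legitimate 32-bit copy or a file that genuinely sits in System32.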
