explorer.exe

Discussion in 'other software & services' started by julio99, Sep 3, 2009.

Thread Status:
Not open for further replies.
  1. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    This has probably been beaten to death, but I can't seem to get a straightforward answer through my journeys with Google. For the last week or so I've opened Task Manager and have noticed there were two explorer.exe lines. One about half way up using about 5300k and the other one using 23,000k. I've always been told that a virus or worm can dress itself up with the explorer.exe tag. Now, I've scanned with KAV 2009, MBAM, and SuperAntiSpyware and have found nothing suspicious. My computer runs pretty quick,(4gb of RAM) and steady, so with all that said, Is it possible to have 2 legitimate explorer.exe to be running at the same time or do I need to look further? When I open file on each one they both take me to the same place. I killed the small one once and nothing that I could see or feel happened. What to do?? When I re-boot the smaller of the 2 seems to go away. I hope someone can put me at ease.
     
  2. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    I have one "explorer.exe" running in task manager at about 20,000k.
    That's with XP Home. I don't know if the OS can make a difference.
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    XP - Tools - Folder Options - View tab - untick "Launch folder windows in a separate process" maybe?

    Vista - dunno?
     
  4. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    As Franklin said:

    1. Double-Click on "My Computer"
    2. Click "Tools" -- "Folder Options"
    3. Click the | View | tab
    4. Un-check [ ] Launch Folder Windows in a separate process
    5. Click [OK]

    http://ntcompatible.com/2_explorer.exe_runningor_morehi_apk_and_dosfreak_t25854.html

    Vista would be:
    1. Start, then control panel
    2. Make sure classic view selected, then go to 'folder options'
    3. Click on 'view' tab
    4. Make sure 'launch folder windows in a separate process' is unchecked.
    5. Click ok.
     
  5. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    That box in the folder options/view tab is un-checked. I had my fingers crossed for a minute, but no dice. This stupid process isn't there all the time. I can't bring it up at will if you know what I mean? I was looking at the Properties of it and it said it was created on June 1,09 and modified on April 11,09. I've had this computer for over 2 years, so what's up with that?
     
  6. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    any idea for windows 7?
     
  7. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
  8. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    Before I change anything there, explain how those changes in those 2 links will help me to get rid of that 2nd explorer.exe process. Enclosed is a screenshot of it in Process Explorer. 2nd explorer.jpg
     
  9. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Every search comes up with the same fix recommended by Franklin above.

    Have you run a scan with www.prevx.com and www.hitmanpro.com ?

    If PrevxHelp is lurking around, he might be able to help you.
     
  10. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
  11. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    I changed the folders box accordingly, even though the one box about launching folder windows in a separate process' is unchecked was already unchecked. As for Hitman Pro and Prevx, unless they have online scanners, I can't use them without having to download them. I use Kaspersky Antivirus 2009 and I use MBAM and SuperAntispyware for my on demand scanners and all 3 of those found nothing in their searches. If you have any more ideas, feel free to let me know and I'll keep my eye open on this Forum. Like I said, I changed the folder settings, so maybe I should give it a day to see what happened.:cool:

    Just finished scanning with ESET NOD32's Online scanner and that also came up clean, so if that explorer.exe is a virus or Worm, it's one of the most well embedded and undetectable as I'll ever see or not see, however you view it. I can't think of much more to do except to wait and see if it pops up again in Task Manager or Process Explorer.
     
    Last edited: Sep 4, 2009
  12. xMarkx

    xMarkx Registered Member

    Joined:
    Dec 1, 2008
    Posts:
    447
    Hello,

    I only have 1 explorer.exe running at about 20k on Windows XP. I only have 1 on my Vista machine as well. What's the user name for the other explorer.exe process (SYSTEM, LOCAL SERVICE, "YOUR NAME" etc.)? Is there anyway you can send the file to your antivirus vendor so they can analyze it?

    Regards,

    Mark.
     
    Last edited: Sep 5, 2009
  13. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    I can make 2 explorer.exe's appear by just opening Control Panel, and yes i have "Launch Folder Windows in a New Process" unticked.

    Having 2 explorer.exe's isn't abnormal, this is just guessing but they probably run control panel in it's own process to protect it from the other processes causing termination to it when altering critical system settings.

    I only freshly reformatted XP 3 or 4 days ago, ran all official updates and only have installed a handful of things like Office 07, NIS/Outpost, Firefox, Sandboxie and Acronis to take an image all downloaded from the official sites. So i know it's not malware.

    explorer.png

    So open/close Control Panel, does that start and stop the second instance?
     
  14. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    I downloaded Security Task Manager tonight and took a look at it from that point of view and it says that (the smaller of the 2) is a hidden program. I went to folder options and unchecked show hidden folders box and I'll see what happens through tomorrow. I'm not having any bad stuff with my computer, so I'm beginning to think this is not a problem. It doesn't open and close with the Control Panel. Of that I'm sure. I do think it has something to do with Firefox. I'll just have to wait and see if unchecking that box had anything to with it, but then again that's probably not going to solve the problem, it just means it'll stay hidden. If I had problems with my computer it would make it a lot easier, because I would know just what to do, but that's not the case. Everything is normal and running good. Baffled.o_O
     
  15. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Ok if it's not associated with Control Panel, silly question time but why don't you just check what it's associated with and what's causing it to run?

    I see you have Process Explorer, which will tell you but if you're not sure how to use it maybe give Process Hacker a try by wj32 who's a member here. It may be a little more intuitive.

    proc.png

    That's scaled down a little, but should be viewable. I right clicked the second Explorer.exe went properties which gives the middle window. These tabs give all the data, as you can see "Modules" shows the dlls it's loaded in orange.

    DockShellHook.dll was orange (like the one under it) until i right clicked it and went properties which bought up the right menu with the dll attributes.

    The reason it's active, on my Object Dock i have a tab to switch between currently opened windows so it's hooked explorer. Dopuslib is my replacement file manager which hooks explorer and so on.

    Just go through all the tabs (middle window) and you will be able to work out everything that's associated with it, and why it's running.
     
  16. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi julio99,

    Search this in Autostart menu: Process Hacker and Process Explorer OK., like good advice from 1boss1, but also:

    CCleaner/Tools/Startup
    RootRepeal/Processes
    SpyDllRemover
    VBA AntiRootkit/Tools/Autorun
    .. other antirootkits ...

    For the links: see my Signature, please.


    PROROOTECT
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    2nd explorer.exe doesn,t seem a legit application. No details and no company name in process explorer!!

    Can you please check its location? Just hover your mouse over it and you will get its location.
     
  18. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    I dl'd Process Hacker and I think this is related to Acer eDataSecurity and this security package that Acer so gracefully tried to sell me from a company called "Egis Technology". It's all part of their (Acer) Empowering Technology suite. I don't think I got rid of everything when I uninstalled most of the Egis crud. Take a look and tell me what yo see.


    Hacker.JPG
     
  19. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    That sure does look like the cause, that would also explain it's hidden almost "malware" like properties. I done a quick Google of this "Acer eDataSecurity" program, and i found a lot of profanity along with cries of bloatware, crapware and a string of issues.

    You could try to reinstall it, then uninstall again and see if it goes away cleanly and fixes the second explorer instance. Or you could get out the toolbox, and pull out the broken cogs manually. A good starting point would probably be the free Starter (1/4 million downloads) it does an excellent job of showing all the startup items and lets you disable and/or delete them.

    A reinstall/uninstall is safest though if your not confident digging around your system.
     
  20. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    OK, Here goes. I used Your Uninstaller to get rid of eData Security, along with all of it's sub crud. Also used to Autoruns to make sure there was nothing leftover. It's ALL GONE!! eData I'm talking about. No explorer.exe double so far. I want to thank you and all the other posters for their help and suggestions. You (1Boss1) especially for sticking with this. If I was a betting man, I'd put a little on the wager that the second one is gone. I'll give it a day to see what happens just to be sure.

    I should have known better than to download that Egis crap when I was browsing my Acer back up utilities. I went to download 1 part of the trial and out jumps 4 other pieces of bloatware that you had to take with it. As I said, I should've known better. Thanks for the heads up on that Process Hacker download. I like it. It's even better than the paid for version of Security Task Manager. Hopefuly if I talk to you later it'll just be a quick success story and thanks.

    Spoke too fast. It's still there. It seems to open when I open Firefox. Or when I start a download.Here's a screenshot of Process Explorer. Note the Command line box about Firefox. I'm at wits end. Maybe this is all about nothing. You let me know if you feel like it, I'm lost now.
     
    Last edited: Sep 5, 2009
  21. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    Here's the screenshot from the above post.

    EXPLORER.JPG
     
  22. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    Here's the bigger explorer.exe of the 2. Maybe you can make some sense of this one.

    Lil?XE.JPG

    You notice in the process tree how explorer.exe comes out of the Firefox.exe. It's like a branch of Firefox coming down.
     
    Last edited: Sep 5, 2009
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm... interseting. What if you uninstall FireFox for a while n see it again?
     
  24. julio99

    julio99 Registered Member

    Joined:
    Dec 23, 2008
    Posts:
    91
    Location:
    Ontario,Canada
    What do you mean uninstall it and see it again? You think it might have something to do with Firefox's Profile? What is the best way of going about an uninstall? Should I get rid of the add ons first or what.
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This behaviour is seen often. Explorer.exe is your shell. But other instances of explorer.exe can be started and will display in task manager even if you have use only one instance of explorer.

    As an example, boot computer, start task manager and examine explorer.exe. There will only be one normally.

    Now press windows key + E, another explorer window opens but you only see one process.

    Now double click my computer, yet again another explorer window but only one process.

    Now from task manager or using Run box, type RUN> explorer.exe. You will now see two instances of explorer, because it depends on how explorer.exe was spawned. When your shell starts it, it is added to the existing process. When an outside source starts it, like Run box or a browser, a new process is created.

    The correct question would likely be why is FF starting explorer?

    Sul.
     
Thread Status:
Not open for further replies.