EXPLORER.EXE - Dangerous

What you should do about EXPLORER.EXE:

Check Your PC Now
Your PC is infected. The file called EXPLORER.EXE is considered unsafe and there may be other infections on your PC.


You should urgently check your PC and remove any malicious software including EXPLORER.EXE as soon as possible. The free version of Prevx CSI will scan your PC for millions of spyware and malware infections in less than 2 minutes. Don't take the risk, check your PC now by clicking the green button.

Download Prevx CSI Now

Who Uses Prevx CSI?

Prevx has been detecting the threats that others miss since 2004.

More than 2,051,202 people have scanned with Prevx CSI and between them have checked 29.2 billion files. 65% of the PCs scanned had malware present.

What we know about EXPLORER.EXE:

The filename EXPLORER.EXE was first seen on Jul 10 2007 in PHILIPPINES. It has also been seen in the following geographical regions of the Prevx community:

  • BELGIUM on Sep 24 2007
  • CANADA on Sep 24 2007
  • SINGAPORE on Sep 24 2007
  • SPAIN on Sep 24 2007
  • The UNITED KINGDOM on Feb 6 2008
  • INDIA on May 9 2008
  • The UNITED STATES on Jul 10 2007
The filename EXPLORER.EXE is used by multiple object types including executable programs,objects.

The most common file size is 43,072 bytes. But the following file sizes have also been seen:

  • 51,712 bytes
  • 114,688 bytes
  • 26,224 bytes
  • 1,167,360 bytes

The filename is associated with the malware group TROJAN.VB.AQX.Some files using the name EXPLORER.EXE are also associated with the malware groups:
  • MSNLive-Image:Worm-a
  • Trojan.SystemPoser
  • Generic9.AZBQ
  • Generic10.NOP
 These files have no vendor, product or version information specified in the file header.

EXPLORER.EXE has been seen to perform the following behavior(s):

  • Adds a Registry Key (RUN) to auto start Programs on system start up
  • Executes Processes stored in Temporary Folders
  • Writes to another Process's Virtual Memory (Process Hijacking)
  • This Process Deletes Other Processes From Disk
  • Executes a Process
  • This Process Creates Other Processes On Disk
  • Can communicate with other computer systems using HTTP protocols
  • Modifies the Windows Host File which could be used to stop you visiting specific web sites by redirecting you to alternative addresses without you knowing
  • The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
  • Registers a Dynamic Link Library File
  • The Process is packed and/or encrypted using a software packing process
  • Modifies System Runtime Policies to limit system usability
  • Violates Windows/Vista Physical Memory Protection allowing it to look inside the data areas of other programs
  • Creates a TCP port which listens and is available for communication initiated by other computers
  • The Process can record information submitted over the Internet
  • This Process Contains User Mode Rootkit Functionality
  • Accesses web sites while hidden from the user
  • Changes system components
  • Triggers security alerts from firewall and other security products
  • Sometimes generates firewall alerts as it tries to connect to the internet
  • Deletes Links in the Start Menu
  • Adds a Link in the Start Menu
  • The Process is polymorphic and can change its structure
  • Opens pop up browser windows

EXPLORER.EXE has been the subject of the following behavior(s):

  • Created as a process on disk
  • Deleted as a process from disk
  • Executed from Temporary Folders
  • Added as a Registry auto start to load Program on Boot up
  • Has code inserted into its Virtual Memory space by other programs
  • Executed as a Process
  • Copied to multiple locations on the system
  • Registered as a Dynamic Link Library File
  • Deleted as a Link in the Start Menu
  • Added as a Link in the Start Menu

EXPLORER.EXE can also use the following file names:

  • 05.EXE
  • NET-3[1].EXE
  • IMAGE006.JPEG-WWW.FACEBOOK.COM
  • 75052904.COM
  • 12464086.COM
  • 46026223.COM
  • 19239592.COM
  • 85261101.EXE
  • 65757883.COM
  • IMAGE0011.JPEG-WWW.FACEBOOK.COM
  • 87.EXE
  • 41.EXE
  • 30.EXE
  • 72.EXE
  • 03385482.COM
  • 02.EXE
  • 21946039.COM
  • 20276836.INF
  • 98504764.EXE
  • EXPLORER.EXE.QUAR00
  • 67454012.EXE
  • 26907807.EXE
  • 10329413.EXE
  • 62234678.EXE
  • 47698382.DAT
  • TL.EXE
  • R[1].EXE
  • 78794571.SVD
  • SERVICE.EXE
  • 05779417.SVD
  • VGS.EXE
  • LSASS.EXE
  • WINDOWS.PIF
  • EMPTY.PIF