A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #6416  by Every1is=
 Thu May 19, 2011 2:47 pm
http://www.virustotal.com/file-scan/rep ... 1305815260

I was trying the "new" Google Chrome BitDefender QuickScan extension and it found 1 infected file. Assuming it was a false positive, but wanting to know for sure, I ran it through VT, where it got almost a 10% hit rate, as you can see in the link. So at this moment I am unsure what to think about it.

BitDefender QuickScan reports:
C:\Windows\system32\explorer.exe --> Worm.Generic.324167 --> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell"

MD5 of the explorer.exe in System32: 8b88ebbb05a0e56b7dcc708498c02b3e (C:\Windows\system32\explorer.exe)
MD5 of C:\Windows\explorer.exe: 332feab1435662fc6c672e25beb37be3 (C:\Windows\Explorer.exe)

Running Windows 7 x64 Pro, with SuperAntiSpyware and ESET Smart Security installed on the system.

False positive? Or new beasty?
Attachment: not password protected (1.21 MiB)
 #6417  by EP_X0FF
 Thu May 19, 2011 3:19 pm
Every1is= wrote: False positive? Or new beasty?
This is the 32-bit version of Explorer. It is inside the SysWow64 folder, not in System32.
Yes, this is a false positive. Probably it's because the scanner is 32-bit.
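The mechanism behind that reply is WOW64 file system redirection: a 32-bit process that opens %windir%\System32\... on 64-bit Windows is transparently handed the file from %windir%\SysWOW64\..., while %windir%\Sysnative\... is the documented way for such a process to reach the real System32 (a few System32 subdirectories, such as drivers\etc and catroot, are exempt from redirection). The following Python script is an added example, not code from the thread or from BitDefender; it models those redirection rules in a portable function, and on Windows it also hashes explorer.exe through both the redirected and the unredirected path so the two MD5s can be compared. The default install path C:\Windows is an assumption.

```python
"""WOW64 file system redirection as seen by a 32-bit scanner or tool.

Added example (not from the forum thread). Models the documented WOW64 rules:
  - a 32-bit process opening %windir%\\System32\\... is redirected to
    %windir%\\SysWOW64\\...
  - %windir%\\Sysnative\\... is the escape hatch that reaches the real System32
  - some System32 subdirectories are exempt from redirection
The path mapping is pure and runs anywhere; the hashing helper only runs on
Windows and returns None elsewhere.
"""
import ctypes
import hashlib
import os

WINDIR = r"C:\Windows"  # assumption: default install location

# System32 subdirectories that WOW64 does not redirect (documented exemptions).
EXEMPT_SUBDIRS = ("catroot", "catroot2", "driverstore", "drivers\\etc",
                  "logfiles", "spool")


def path_seen_by_32bit(path, windir=WINDIR):
    """Return the path a 32-bit (WOW64) process actually opens when it asks for `path`.

    Case-insensitive, accepts forward or back slashes; paths outside System32 /
    Sysnative are returned unchanged (normalized to backslashes).
    """
    norm = path.replace("/", "\\")
    wd = windir.rstrip("\\")
    sys32 = wd + "\\System32\\"
    sysnative = wd + "\\Sysnative\\"
    low = norm.lower()
    if low.startswith(sysnative.lower()):
        # Sysnative is a virtual directory that bypasses redirection.
        return sys32 + norm[len(sysnative):]
    if low.startswith(sys32.lower()):
        rest = norm[len(sys32):]
        rest_low = rest.lower()
        if any(rest_low == e or rest_low.startswith(e + "\\") for e in EXEMPT_SUBDIRS):
            return norm  # exempt subdirectory: no redirection
        return wd + "\\SysWOW64\\" + rest
    return norm


def running_under_wow64():
    """True when this interpreter is a 32-bit process on 64-bit Windows."""
    if os.name != "nt":
        return False
    kernel32 = ctypes.windll.kernel32
    flag = ctypes.c_int(0)
    kernel32.IsWow64Process(kernel32.GetCurrentProcess(), ctypes.byref(flag))
    return bool(flag.value)


def md5_of(path):
    """Hex MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_explorer_copies(windir=WINDIR):
    """On Windows, hash explorer.exe via System32 (subject to redirection) and via
    Sysnative (never redirected). Sysnative only exists for WOW64 processes, so a
    64-bit interpreter sees it as missing. Returns {path: md5 or None}, or None
    when not running on Windows."""
    if os.name != "nt":
        return None
    result = {}
    for sub in ("System32", "Sysnative"):
        p = os.path.join(windir, sub, "explorer.exe")
        result[p] = md5_of(p) if os.path.exists(p) else None
    return result


if __name__ == "__main__":
    for p in (r"C:\Windows\System32\explorer.exe",
              r"C:\Windows\Sysnative\explorer.exe",
              r"C:\Windows\System32\drivers\etc\hosts",
              r"C:\Windows\explorer.exe"):
        print(f"{p:45} -> {path_seen_by_32bit(p)}")
    print("WOW64 process:", running_under_wow64())
    print("hashes:", compare_explorer_copies())
```

Run it from a 32-bit Python on 64-bit Windows and the two hashes differ, matching the two MD5s quoted in the first post; from a 64-bit Python the Sysnative entry is None because the virtual directory is not exposed to native 64-bit processes. The same mapping applies to the later question in this thread about winload.exe and the kernel: those files are in the real System32, and a 32-bit tool must open them through Sysnative (or disable redirection for its own thread) to get the 64-bit binaries rather than the SysWOW64 copies.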
 #6632  by EP_X0FF
 Thu Jun 02, 2011 10:16 am
zico_guru wrote: Is the default kernel path (C:\windows\system32\) in Windows 7, or is it redirected? Please help.
What does the following mean?
 #6646  by zico_guru
 Thu Jun 02, 2011 4:09 pm
Are system files like winload.exe, kdcom.dll and the Windows kernel redirected to another place on the hard disk? I mean, what is the path of those files? Is it "C:\windows\system32"?
I am having problems reversing those files in IDA Pro. Please help.
 #6656  by EP_X0FF
 Fri Jun 03, 2011 3:36 am
zico_guru wrote: Are system files like winload.exe, kdcom.dll and the Windows kernel redirected to another place on the hard disk? I mean, what is the path of those files? Is it "C:\windows\system32"?
I am having problems reversing those files in IDA Pro. Please help.
I answered this question a few posts before.