[How-to-fix-it] Webroot deleting explorer.exe

  • 24 June 2013
  • 5 replies
  • 156 views

Userlevel 1
I re-installed Webroot after using another program, and Webroot almost killed my PC. After the installation it started the auto scan, which showed infected files (all false positives, by the way). One of the infected files was explorer.exe. I changed my Windows 7 theme a long time ago, so I had to replace the explorer.exe with a modified explorer.exe.
 
Webroot SecureAnywhere version 8.0.2.155 didn't care and started the automated cleanup engine without even asking me and *tada* removed c:\windows\explorer.exe because of a wrong MD5 hash. Immediately the taskbar was gone, as well as my desktop. Some moments later the whole system crashed with a blue screen. Since I have been using Windows 7 I cannot remember ever having seen a blue screen.
 
 
I had to restart the PC, and after the Windows login the whole screen was just black and a lovely "explorer.exe Class not registered" error message appeared. So no start button, no file manager... nothing.
 
The first thing that came to my mind was to check the quarantine, but as I mentioned, the taskbar was gone. No way to manually open Webroot. In Task Manager it was running, but there was no way to open the UI.
 
The second thing I tried was a system restore. Thank god I did one the day before, and thank god I knew the file name of the system restore program. So not much was lost. It worked. Webroot of course was gone. I re-installed Webroot... and exactly the same problem again. explorer.exe deleted, and desktop as well as taskbar gone.
 
How to fix it:
 
 
Run the System File Checker from Microsoft Windows, which allows users to scan for and restore corrupted system files. sfc.exe is the file name. SFC must be run as admin. So in Windows Task Manager -> Applications -> New Task -> cmd. After the command line appears, type runas /u:XXX cmd.exe (XXX = username of the admin account) and then sfc /scannow, and it should recover explorer.exe.
 
The bad thing: the modified explorer.exe is gone and the original one is back. So one gets back the ugly Windows theme without any customization.
 
Seems it is new that Webroot "complains" (well, deletes would be the better word) about modified explorer.exe files. When I used Webroot last time, it did not complain at all.
 
Anyway, dear Webroot team: please do NOT auto-delete files. Please ASK the user first. Auto-deleting files is a no-go for me. Thank god I remembered the important file names like sfc.exe etc.
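The recovery steps above (check whether explorer.exe survived, compare it with the MD5 from the Webroot log, fall back to sfc /scannow) as a small script. This is an added example, not code from the original post or from Webroot. It assumes an elevated PowerShell started the same way as the cmd window in the post (Task Manager -> New Task; on Windows 7 go through runas and then type powershell), and the log-line format it parses is taken only from the single "Starting Routine" line quoted later in this thread. It hashes with .NET directly instead of Get-FileHash so that it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original thread or from Webroot).
# Checks %SystemRoot%\explorer.exe against the MD5 quoted in the Webroot log in this
# thread and runs the System File Checker if the file is missing.
# Assumptions: elevated PowerShell; log-line format taken only from the one quoted line.

$ExplorerPath = Join-Path $env:SystemRoot 'explorer.exe'

# MD5 recorded in the Webroot log line posted in this thread.
$LoggedMd5 = '665380B17F2842E7A9AEF4F5EF366947'

# Constructed sample: the "Starting Routine" line from the thread, backslashes restored.
$SampleLogLine = 'Starting Routine> Removing c:\windows\explorer.exe...#(PX5: 3EAE21DD00AB9BDB765324453FB9AA00411E0CCE - MD5: 665380B17F2842E7A9AEF4F5EF366947)'

function Get-Md5Hex {
    # MD5 of a file as an uppercase hex string, same formatting as the log.
    # Uses .NET rather than Get-FileHash so it works on PowerShell 2.0 (Windows 7).
    param([Parameter(Mandatory = $true)][string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $md5.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Get-RemovedFileFromLog {
    # Pulls path, PX5 and MD5 out of a "Removing <path>...#(PX5: ... - MD5: ...)" line.
    # The pattern is an assumption based on the one line quoted in this thread.
    param([Parameter(Mandatory = $true)][string]$Line)
    $pattern = 'Removing\s+(?<path>[^#]+?)\.\.\.#\(PX5:\s*(?<px5>[0-9A-Fa-f]+)\s*-\s*MD5:\s*(?<md5>[0-9A-Fa-f]+)\)'
    if ($Line -match $pattern) {
        return New-Object PSObject -Property @{
            Path = $Matches['path']
            PX5  = $Matches['px5'].ToUpper()
            MD5  = $Matches['md5'].ToUpper()
        }
    }
    return $null
}

function Test-ExplorerIntegrity {
    # Reports whether explorer.exe exists and whether its MD5 equals the expected one.
    param([string]$Path = $ExplorerPath, [string]$ExpectedMd5 = $LoggedMd5)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Present = $false; Md5 = $null; Matches = $false }
    }
    $actual = Get-Md5Hex -Path $Path
    return New-Object PSObject -Property @{
        Present = $true
        Md5     = $actual
        Matches = ($actual -eq $ExpectedMd5)   # -eq is case-insensitive for strings
    }
}

# --- Usage ---
$removed = Get-RemovedFileFromLog -Line $SampleLogLine
if ($removed) {
    Write-Host ('Log says Webroot removed {0} (MD5 {1})' -f $removed.Path, $removed.MD5)
    $LoggedMd5 = $removed.MD5
}

$state = Test-ExplorerIntegrity -ExpectedMd5 $LoggedMd5
if (-not $state.Present) {
    Write-Host 'explorer.exe is missing; running sfc /scannow (needs an elevated prompt)...'
    & (Join-Path $env:SystemRoot 'System32\sfc.exe') /scannow
    # Once SFC has put the stock file back, the shell can be started without a reboot:
    # Start-Process (Join-Path $env:SystemRoot 'explorer.exe')
} elseif (-not $state.Matches) {
    Write-Host ('explorer.exe is present but its MD5 {0} differs from the logged {1}; a replaced or patched shell binary is exactly what a hash-based check will flag.' -f $state.Md5, $LoggedMd5)
} else {
    Write-Host 'explorer.exe is present and matches the MD5 from the Webroot log.'
}
```

As the post notes, SFC restores the stock explorer.exe, so a themed or patched copy is lost either way; the MD5 comparison is only there to tell a customised binary apart from a missing one before deciding to run SFC.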
 
 

5 replies

Userlevel 1
Seems the forum software cut out some sentences and created colored words... I am too tired to re-write it again, sorry. 😞
Userlevel 7
Using a modified Explorer.exe is not normal behaviour, and modifying Explorer.exe is usually something that you will see an infection do. Webroot will flag system files, but it will generally try to repair and not remove them, as we don't want to compromise system stability. It may have been the heuristic engine that blocked the file, but I am guessing since I don't have any log files.
 
We do see this the odd time when a user manually adds a system process (SVCHost.exe etc.). We won't automatically remove an infection; we will give you the option to untick during the removal process. You can allow or monitor the file if you know it's good, but be careful when using this feature.
 
If you do get to the situation where explorer is broken, you can still use most of the features using Task Manager and the cmd prompt. There are a number of 3rd-party programs that you can use to graphically explore your hard disk if you're really stuck.

 
I would be interested in the MD5 of that modified explorer.exe; if you can reply with that, it would be great.
Userlevel 1
Hope this helps:
 
 
Starting Routine> Removing c:\windows\explorer.exe...#(PX5: 3EAE21DD00AB9BDB765324453FB9AA00411E0CCE - MD5: 665380B17F2842E7A9AEF4F5EF366947)

Deleting File> c:\windows\explorer.exe

Terminating Process> 2984 - C:\Windows\explorer.exe
 
I don't have the modified explorer.exe anymore, so I cannot manually check the MD5 hash.
Userlevel 7
That file is good in our database, which would back up my claim that it was the heuristics engine that caught this. By any chance did you modify or change any of the default settings?
Userlevel 1
Interesting. No modification. I installed Webroot and it started scanning (and deleting). I remember I had a choice between an auto setup and a manual setup during installation. I selected the auto setup.
 
If I find some time I may try to patch my explorer.exe on a virtual machine and save and send you the complete log file as well as the patched explorer.exe.
