Explorer.exe infected, not infected, infected, not infected

Hi all. I am in the last stages of cleaning a nasty version of that virut and only seem to have one thing left. (maybe).

Using virustotal.com I uploaded explorer.exe and got the following results.

Yet when using Avast’s online scanner, or Kaspersky, or an online malware scan (and the Avast installed on my machine), nothing shows explorer.exe being infected.

So is this a false positive from virustotal.com?

Can I replace explorer.exe with the one from my Windows CD? (I had to do that with user32.dll at the beginning of this virus hunt in order to be able to boot.)

virustotal.com scan file attached (too many characters to post)

Indeed, seems a false positive.
Can you check the MD5 property of the explorer.exe in the Windows folder and in the CD?
You can use HashTab for that (http://www.softpedia.com/get/System/File-Management/HashTab.shtml).

Hey tech, do you know if any service packs modify the explorer.exe file?

If so, if he checks his folder’s explorer.exe and it happens to be a SP3 version, and then checks his (SP2 or SP1) CD, wouldn’t it be a different hash?

I’m not quite sure, that’s why I’m asking.

I don’t know if they use one value for all versions, or a different value for each.

Yes, I do have Windows SP3 on my computer; I believe my CD is SP2.

MD5 My computer: 12896823FB95BFB3DC9B46BCAEDC9923

MD5 Windows CD: 4F061B12F3D5457315A0314954E7EF46

Now the Windows CD file is explorer.ex_; all the files are like that. I had to change user32.dl_ to .dll when I copied it to my computer.

By the way, I ran the F-Secure online scan last night and got this report…

Scanning Report
Wednesday, April 22, 2009 00:06:44 - 01:02:28

Computer name: HOME
Scanning type: Scan system for malware, rootkits
Target: F:
Result: 4 malware found
Virus.Win32.Virut (virus)

* System 

Virus.Win32.Virut.ce (virus)

* F:\WINDOWS\$NTSERVICEPACKUNINSTALL$\IPXROUTE.EXE (Disinfected & Submitted)
* F:\PROGRAM FILES\ELECTRONIC ARTS\SPORE\SPOREBIN\SPOREAPP.EXE 

W32/Horst.gen32 (virus)

* F:\PROGRAM FILES\COMMON FILES\AKAMAI\ADMINTOOL.EXE (Submitted) 

Statistics
Scanned:

* Files: 26345
* System: 3134
* Not scanned: 7 

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 3
* Submitted: 2 

Files not scanned:

* F:\PAGEFILE.SYS
* F:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* F:\WINDOWS\SYSTEM32\CONFIG\SAM
* F:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* F:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* F:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* F:\DOCUMENTS AND SETTINGS\ADMINSTRATOR\MY DOCUMENTS\RMU_CNNANT2009.EXE 

Then I ran it again this morning and got this report…

Scanning Report
Wednesday, April 22, 2009 11:51:05 - 12:07:45

Computer name: HOME
Scanning type: Scan system for malware, rootkits
Target: F:
Result: 0 malware found
Statistics
Scanned:

* Files: 26658
* System: 3157
* Not scanned: 7 

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 0
* Submitted: 0 

Files not scanned:

* F:\PAGEFILE.SYS
* F:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* F:\WINDOWS\SYSTEM32\CONFIG\SAM
* F:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* F:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* F:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* F:\DOCUMENTS AND SETTINGS\ADMINSTRATOR\MY DOCUMENTS\RMU_CNNANT2009.EXE 

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.8.9080, 2009-04-22
* F-Secure AVP: 7.0.171, 2009-04-22
* F-Secure Pegasus: 1.20.0, 1969-11-31
* F-Secure Blacklight: 0.0.0 

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics 

Thanks for the help…

Hi, DeathsDesign
I have also been infected with virut.ce yesterday.
It has patched more than 800 *.exe files on my Win SP3 before I felt that something was wrong with my PC and scanned the system with the Kaspersky Virus Removal Tool.
I used Kaspersky to remove it; it is also capable of curing infected files, which is extremely important when 800 exe files are infected. Files that are running won’t be cured; you should boot from some other source (CD, flash drive…) and cure them.
Avast doesn’t detect it now.

If Avast! doesn’t detect it and you know where the virus can be, then send the file to the Chest and email it to ALWIL. Another option is to get MBAM and SAS Free as on-demand scanners only! If you want to cure, then use Dr.Web CureIt!

I have already sent it to virus@avast.com but don’t wait for a quick reaction from them. The virus I sent them a month ago is still absent from their databases.

Dr.Web doesn’t see it either; it is really fresh.

I guess I started this thread without letting y’all know the beginning. A few days ago I got the virut.56 virus. It did infect every single .dll and every single .exe file on my computer. I was fortunate in that I disconnected from the internet relatively quickly, so I was able to clean this up. The only thing left is the virusscan.com report still says my explorer.exe is infected. But my computer is running fine with no glitches. During the cleaning I added jl.chura.pl to my router and that allowed me to finish the cleaning without reinfection. Looking forward to your reply, Tech.

Then if they didn’t add it to their virus database, there may be a reason for this, and I think VirusTotal would be cool too.

That is the same MD5 as my XP Pro SP3 for c:\windows\explorer.exe, see image, and I’m not getting any alert on it.

It only comes up when I upload it to virustotal.com. It does not show up anywhere else… I don’t get it.

What do you mean it only shows up when you upload to VT, are you talking about the MD5 or the detection on explorer.exe ?

If the detection then does the VT Version Last Date match that for avast VPS version date ?

If it relates to MD5 you need a conversion tool to display them.

No, I don’t know.

Anything else I can do Tech?

Sorry, saw that ya just posted 5 min ago. My apologies. Prob looking at my stuff right now :)

For sure, a clean explorer.exe file won’t be detected as it is a necessary system file and I doubt that avast is false detecting it.
Maybe you should run avast at boot time and take note (do not move to Chest yet) of any infected file, especially system ones.

Avast detects nothing at all; the only detection I get is when I upload explorer.exe to virustotal.com. I’ll do another boot time scan (have already done a few with no detections) and I’ll let ya know if anything comes up. In the meantime, anything else I should do or try? It does not make sense that only virustotal.com identifies two different infections on the same file. No other scanner that I have tried finds anything wrong with that file. I posted the MD5 results of explorer.exe above.

Did a boot time scan, nothing was found.

What is recommended I do with virustotal.com still showing two infections in explorer.exe?

eSafe 7.0.17.0 2009.04.21 Win32.Banker

McAfee-GW-Edition 6.7.6 2009.04.22 Worm.LooksLike.Otwycal

TIA

So 2 out of 40 scanners detect something and one of those uses the term lookslike, to me that implies that it isn’t a 100% certain detection.

The whole idea of the MD5 is that it confirms your file is identical to mine and I know mine is fine.
So assuming the reported MD5 of the file you uploaded is the same then it hasn’t been changed and this is more likely to be a false positive detection by those 2 scanners.
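The hash comparison discussed above, as an added example that is not from the thread: a small Python script that builds a baseline from expanded known-good copies, compares the installed files against it, and refuses the compressed .ex_ form from the CD. File names and byte contents in demo() are constructed; the only real-world values it relies on are the two caveats the thread itself raises (expand first, same service pack).

```python
import hashlib
import tempfile
from pathlib import Path

def digest_file(path, algorithm="md5"):
    """Stream a file through the hash; upper-case hex, as HashTab displays it."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def build_baseline(reference_dir, names):
    """Hash known-good copies: the expanded file (explorer.exe, not the CD's
    explorer.ex_) at the same service-pack level, since SP2 and SP3 MD5s differ."""
    baseline = {}
    for name in names:
        if name.endswith("_"):
            raise ValueError(f"{name}: compressed CD file, run expand first")
        baseline[name] = digest_file(Path(reference_dir) / name)
    return baseline

def compare_to_baseline(target_dir, baseline):
    """Classify each baseline file in target_dir as match, mismatch or missing."""
    report = {}
    for name, expected in baseline.items():
        target = Path(target_dir) / name
        if not target.is_file():
            report[name] = "missing"
        elif digest_file(target) == expected:
            report[name] = "match"
        else:
            report[name] = "mismatch"
    return report

def demo():
    """Constructed sample bytes (not real binaries): untouched, modified, missing."""
    samples = {  # name -> (clean reference bytes, installed bytes or None)
        "explorer.exe": (b"MZ clean explorer", b"MZ clean explorer"),
        "user32.dll": (b"MZ clean user32", b"MZ clean user32 + appended code"),
        "ipxroute.exe": (b"MZ clean ipxroute", None),
    }
    with tempfile.TemporaryDirectory() as tmp:
        ref, win = Path(tmp, "cd_expanded"), Path(tmp, "windows")
        ref.mkdir(); win.mkdir()
        for name, (clean, installed) in samples.items():
            (ref / name).write_bytes(clean)
            if installed is not None:
                (win / name).write_bytes(installed)
        return compare_to_baseline(win, build_baseline(ref, list(samples)))
```

A mismatch only means the bytes differ from the reference; as the SP2/SP3 exchange above shows, it is evidence of modification only when the reference is the same build.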

What about the title of the thread? Explorer.exe infected, not infected, infected, not infected ???

Sorry, did not mean avast, just meant that two of the 40 scanners found an infection but the others did not.

What I did was expand explorer.exe from my WinXP CD with SP2, then rebooted into safe mode and reinstalled SP3. Uploaded the virus again to virustotal.com and the same infections were there. So I once again used the Recovery Console to expand explorer.exe from my CD and then DID NOT reinstall SP3, and uploaded explorer.exe to virustotal.com and it came back clean. Finally.

Now I have found UltimateBootCD; I am using that right now, and I ran Avira, found a couple of backdoors in $ntuninstallspervicepacks$, got rid of them, ran another Avira scan, came back clean, so now I am using a-squared (also on the UBCD) and it has found a couple but it is not done yet. This UBCD is really great, I am loving it.