how to remove virus win32 explore-DU (trojan)

My computer was infected with this virus today… when I downloaded a video file from the internet…
I scanned it with Avast but it won't work when I take the action to delete and quarantine… :frowning:
When I scanned with Avast antivirus, 3 files were infected, 2 files could be healed, and 1 file is hard to remove…

But since my computer was infected, I can start Windows normally, I played the game normally, and no error is found in Windows.

OK, I will send the reports; please help me resolve this, master. Thx in advance :slight_smile:

AdwCleaner v2.100 - Logfile created 12/13/2012 at 14:26:41

Updated 09/12/2012 by Xplode

Operating system : Windows 7 Professional (32 bits)

User : wahid - WAHID-PC

Boot Mode : Normal

Running from : C:\Users\wahid\Downloads\Programs\adwcleaner.exe

Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
File Deleted : C:\user.js
File Deleted : C:\Users\wahid\AppData\Roaming\Mozilla\Firefox\Profiles\ovi8uwaz.default\BrowserMngr_extensions.sqlite
File Deleted : C:\Users\wahid\AppData\Roaming\Mozilla\Firefox\Profiles\ovi8uwaz.default\browsermngr_prefs.js
File Deleted : C:\Users\wahid\AppData\Roaming\Mozilla\Firefox\Profiles\ovi8uwaz.default\searchplugins\BabylonMngr.xml
Folder Deleted : C:\Program Files\DAEMON Tools Toolbar
Folder Deleted : C:\Program Files\yourfiledownloader
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Users\wahid\AppData\Roaming\Babylon
Folder Deleted : C:\Users\wahid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Browser Manager
Folder Deleted : C:\Users\wahid\AppData\Roaming\Mozilla\Firefox\Profiles\ovi8uwaz.default\extensions\DTToolbar@toolbarnet.com
Folder Deleted : C:\Users\wahid\AppData\Roaming\yourfiledownloader

***** [Registry] *****

Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{96BD48DD-741B-41AE-AC4A-AFF96BA00F7E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\BabylonToolbar
Key Deleted : HKLM\Software\BrowserMngr
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Deleted : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj
Key Deleted : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{96BD48DD-741B-41AE-AC4A-AFF96BA00F7E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4A99-B4B6-146BF802613B}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Main [BrowserMngr Start Page]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [BrowserMngrDefaultScope]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{98889811-442D-49DD-99D7-DC866BE87DBC}]

***** [Internet Browsers] *****

-\ Internet Explorer v8.0.7600.16385

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls - Tabs] = hxxp://search.babylon.com/?affID=112555&tt=120912_ccp_3912_8&babsrc=NT_ss&mntrId=40311335000000000000000000000000 → hxxp://www.google.com

-\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Users\wahid\AppData\Roaming\Mozilla\Firefox\Profiles\ovi8uwaz.default\prefs.js

C:\Users\wahid\AppData\Roaming\Mozilla\Firefox\Profiles\ovi8uwaz.default\user.js … Deleted !

Deleted : user_pref("avg.install.userHPSettings", "hxxp://search.babylon.com/?affID=112555&tt=120912_ccp_3912_[…]
Deleted : user_pref("avg.install.userSPSettings", "Search the web (Babylon)");
Deleted : user_pref("browser.newtab.url", "hxxp://search.babylon.com/?affID=112555&tt=120912_ccp_3912_8&babsrc[…]
Deleted : user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
Deleted : user_pref("extensions.BabylonToolbar.admin", false);
Deleted : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar.appId", "{BDB69379-802F-4eaf-B541-F8DE92DD98DB}");
Deleted : user_pref("extensions.BabylonToolbar.autoRvrt", "false");
Deleted : user_pref("extensions.BabylonToolbar.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar.babTrack", "affID=112555&tt=120912_ccp_3912_8");
Deleted : user_pref("extensions.BabylonToolbar.bbDpng", "26");
Deleted : user_pref("extensions.BabylonToolbar.cntry", "ID");
Deleted : user_pref("extensions.BabylonToolbar.dfltLng", "en");
Deleted : user_pref("extensions.BabylonToolbar.envrmnt", "production");
Deleted : user_pref("extensions.BabylonToolbar.excTlbr", false);
Deleted : user_pref("extensions.BabylonToolbar.hdrMd5", "44564C0A42758D4EFEE45D3441360117");
Deleted : user_pref("extensions.BabylonToolbar.hmpg", false);
Deleted : user_pref("extensions.BabylonToolbar.id", "40311335000000000000000000000000");
Deleted : user_pref("extensions.BabylonToolbar.instlDay", "15608");
Deleted : user_pref("extensions.BabylonToolbar.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar.lastVrsnTs", "1.6.9.1211:20:27");
Deleted : user_pref("extensions.BabylonToolbar.mntrvrsn", "1.3.1");
Deleted : user_pref("extensions.BabylonToolbar.newTab", false);
Deleted : user_pref("extensions.BabylonToolbar.pnu_base", "{"newVrsn":"28","lastVrsn":"28","vrsnLoad[…]
Deleted : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar.sg", "czb");
Deleted : user_pref("extensions.BabylonToolbar.smplGrp", "czb");
Deleted : user_pref("extensions.BabylonToolbar.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar.tlbrId", "base");
Deleted : user_pref("extensions.BabylonToolbar.tlbrSrchUrl", "hxxp://search.babylon.com/?babsrc=TB_def&mntrId=[…]
Deleted : user_pref("extensions.BabylonToolbar.vrsn", "1.6.9.12");
Deleted : user_pref("extensions.BabylonToolbar.vrsnTs", "1.6.9.1211:20:27");
Deleted : user_pref("extensions.BabylonToolbar.vrsni", "1.6.9.12");
Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=112555&tt=120912_ccp_3912_8");
Deleted : user_pref("extensions.BabylonToolbar_i.newTab", false);
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.6.9.1211:20:27");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "Search the web (Babylon)");
Deleted : user_pref("sweetim.toolbar.urls.homepage", "hxxp://search.babylon.com/?affID=112555&tt=120912_ccp_39[…]

-\ Google Chrome v23.0.1271.97

File : C:\Users\wahid\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.1265] : homepage = "hxxp://search.babylon.com/?affID=112555&tt=120912_ccp_3912_8&babsrc=HP_ss&mntrId=403[…]


AdwCleaner[R1].txt - [8384 octets] - [13/12/2012 14:25:42]
AdwCleaner[S1].txt - [7944 octets] - [13/12/2012 14:26:41]

########## EOF - C:\AdwCleaner[S1].txt - [8004 octets] ##########

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.13.02

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
wahid :: WAHID-PC [administrator]

12/13/2012 1:59:48 PM
mbam-log-2012-12-13 (13-59-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 237733
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-13 14:51:37

14:51:37.932 OS Version: Windows 6.1.7600
14:51:37.932 Number of processors: 4 586 0xF0B
14:51:37.932 ComputerName: WAHID-PC UserName: wahid
14:51:38.745 Initialize success
14:51:38.963 AVAST engine defs: 12121300
14:51:51.401 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP3T0L0-3
14:51:51.401 Disk 0 Vendor: Hitachi_HDP725032GLA380 GM3OA57A Size: 305245MB BusType: 3
14:51:51.432 Disk 0 MBR read successfully
14:51:51.432 Disk 0 MBR scan
14:51:51.432 Disk 0 Windows 7 default MBR code
14:51:51.448 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
14:51:51.463 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 153646 MB offset 206848
14:51:51.479 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 151496 MB offset 314873856
14:51:51.526 Disk 0 scanning sectors +625137664
14:51:51.588 Disk 0 scanning C:\Windows\system32\drivers
14:51:56.588 Service scanning
14:52:13.651 Modules scanning
14:52:25.791 Disk 0 trace - called modules:
14:52:25.807 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys
14:52:25.823 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86c0d690]
14:52:25.823 3 CLASSPNP.SYS[8d67859e] → nt!IofCallDriver → [0x85d40918]
14:52:25.823 5 ACPI.sys[83e403b2] → nt!IofCallDriver → \Device\Ide\IdeDeviceP3T0L0-3[0x86702908]
14:52:26.370 AVAST engine scan C:\Windows
14:52:26.666 File: C:\Windows\explorer.exe INFECTED Win32:Explor-DU [Trj]
14:52:26.791 File: C:\Windows\explorer.exe.rogbak INFECTED Win32:Explor-DU [Trj]
14:52:27.635 AVAST engine scan C:\Windows\system32
14:54:02.198 AVAST engine scan C:\Windows\system32\drivers
14:54:08.776 AVAST engine scan C:\Users\wahid
14:56:06.253 Disk 0 MBR has been saved successfully to "C:\Users\wahid\Downloads\Programs\MBR.dat"
14:56:06.269 The log file has been saved successfully to "C:\Users\wahid\Downloads\Programs\aswMBR.txt"

end
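A post-cleanup check for the machine the logs above describe, added here as an example and not part of the thread or of the Avast tools: it asks Windows Resource Protection to verify explorer.exe (the file aswMBR reported as infected), records its hash, and sweeps for leftover .rogbak copies. It assumes an elevated PowerShell prompt; the function names are my own.

```powershell
# Added example, not part of the thread: a post-cleanup check for the files
# aswMBR flagged (explorer.exe and explorer.exe.rogbak) plus a sweep for any
# other *.rogbak leftovers under %SystemRoot%. Assumes an elevated PowerShell
# prompt on the cleaned machine and uses only PowerShell 2.0 features, so it
# runs on the Windows 7 box in the logs.

function Get-Sha256 {
    # SHA-256 of a file via .NET, so Get-FileHash (PowerShell 4+) is not needed.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Find-RogbakLeftovers {
    # The trojan kept the original binary next to the patched one as explorer.exe.rogbak;
    # any surviving *.rogbak under the Windows directory means cleanup is incomplete.
    Get-ChildItem -Path $env:SystemRoot -Recurse -Force -Filter '*.rogbak' -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{ File = $_.FullName; Bytes = $_.Length; Sha256 = (Get-Sha256 $_.FullName) }
        }
}

$explorer = Join-Path $env:SystemRoot 'explorer.exe'

# 1. Let Windows Resource Protection compare explorer.exe with its protected copy;
#    a patched binary is reported (and repaired from the component store).
#    Authenticode is the wrong check here: many system binaries are catalog-signed
#    rather than embedded-signed, so Get-AuthenticodeSignature on PowerShell 2.0
#    reports a clean explorer.exe as NotSigned.
Write-Output "== WRP check: $explorer =="
sfc.exe "/verifyfile=$explorer"

# 2. Record what is on disk now, so a later scan can be compared against it.
Write-Output "== SHA-256 now on disk: $(Get-Sha256 $explorer) =="

# 3. Sweep for the backup copies.
$left = @(Find-RogbakLeftovers)
if ($left.Count -eq 0) { Write-Output "No *.rogbak files under $env:SystemRoot" }
else { $left | Format-Table -AutoSize }
```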

Malware removers are notified. It may take hours before one arrives, so be patient.

OK, I'll be waiting. I hope it can be resolved :slight_smile:
thx pondus :shakehand

Hi, what file is Avast having problems with?

Also, this antivirus programme is also running: Smadav http://abc123456785.blogspot.co.uk/2012/05/download-smadav-antivirus-2012-rev-90.html

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
SRV - File not found [On_Demand | Stopped] -- -- (Cscwfpxbs)
FF - HKLM\Software\MozillaPlugins\@thrixxx.com/WebLaunch: C:\Program Files\thriXXX\WebLaunch\Binaries\npWebLaunch.dll ( )
FF - HKCU\Software\MozillaPlugins\@thrixxx.com/WebLaunch: C:\Program Files\thriXXX\WebLaunch\Binaries\npWebLaunch.dll ( )
O3 - HKU\S-1-5-21-2394749033-1826158221-4224688557-1000\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
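The OTL fix above removes two kinds of orphaned registration: a service whose binary no longer exists (Cscwfpxbs, "File not found") and MozillaPlugins entries pointing at a DLL. As an added example that is not part of the thread or of OTL, the read-only audit below lists every service and every MozillaPlugins entry on a machine whose target file is missing, so the same leftovers can be spotted before a fix is written. It assumes an elevated PowerShell prompt; function names are my own.

```powershell
# Added example (not from the thread or from OTL): a read-only audit for the
# two kinds of orphaned registration the fix removed - services whose binary
# is gone and MozillaPlugins entries whose DLL is missing. Assumes an elevated
# PowerShell prompt so the HKLM\SYSTEM service keys are readable.

function Resolve-ServiceBinary {
    # Turn a raw ImagePath into a plain file path. Handles the common forms:
    #   "C:\Program Files\x\y.exe" -arg      %SystemRoot%\system32\svchost.exe -k foo
    #   \SystemRoot\system32\drivers\x.sys    \??\C:\x.sys    system32\drivers\x.sys
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] }                 # quoted path, then arguments
    else { $p = $p -replace '(\.(exe|sys|dll))\s.*$', '$1' }         # unquoted path, then arguments
    $p = $p -replace '^\\\?\?\\', ''                                  # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')       # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative to %SystemRoot%
    return $p
}

function Find-OrphanedServices {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $img = $_.GetValue('ImagePath')
        if (-not $img) { return }                     # keys without a binary (parameter-only entries)
        $bin = Resolve-ServiceBinary $img
        if (-not (Test-Path -LiteralPath $bin)) {
            New-Object PSObject -Property @{ Service = $_.PSChildName; ImagePath = $img; Resolved = $bin }
        }
    }
}

function Find-OrphanedMozillaPlugins {
    # Each subkey (e.g. @thrixxx.com/WebLaunch) carries a "Path" value naming the plugin DLL.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\Software\MozillaPlugins"
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $dll = $_.GetValue('Path')
            if ($dll -and -not (Test-Path -LiteralPath $dll)) {
                New-Object PSObject -Property @{ Plugin = $_.PSChildName; Path = $dll }
            }
        }
    }
}

Find-OrphanedServices       | Format-Table -AutoSize
Find-OrphanedMozillaPlugins | Format-Table -AutoSize
```

The script changes nothing; anything it lists still needs a human to decide whether the entry is a leftover or a legitimately uninstalled product.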

Hi. I have a similar issue here: http://forum.avast.com/index.php?topic=111207.0
I wonder if I should try this fix too. I got the same virus and explorer.exe malfunction.
Thank you for your help.

  • Jazz

@jazzenelya No, each fix is specific to your machine only… I will look at your topic now.

I don't know, but before my computer was infected, it was running fine with it.
I combined Avast with this antivirus… Smadav for local protection :smiley:

thx essexboy for your reply, I will report soon :slight_smile:

=============================================================

Here's the report after reboot :slight_smile:

All processes killed
========== OTL ==========
Service Cscwfpxbs stopped successfully!
Service Cscwfpxbs deleted successfully!
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@thrixxx.com/WebLaunch\ deleted successfully.
C:\Program Files\thriXXX\WebLaunch\Binaries\npWebLaunch.dll moved successfully.
Registry key HKEY_CURRENT_USER\Software\MozillaPlugins\@thrixxx.com/WebLaunch\ deleted successfully.
File C:\Program Files\thriXXX\WebLaunch\Binaries\npWebLaunch.dll not found.
Registry value HKEY_USERS\S-1-5-21-2394749033-1826158221-4224688557-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\ not found.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: wahid
->Temp folder emptied: 429165462 bytes
->Temporary Internet Files folder emptied: 632896 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 128716816 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 3193 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 557056 bytes
%systemroot%\System32 .tmp files removed: 3238112 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 170 bytes

Total Files Cleaned = 536.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 12142012_122920

Files\Folders moved on Reboot…
File\Folder C:\Windows\temp_avast_\Webshlock.txt not found!

PendingFileRenameOperations files…

Registry entries deleted on Reboot…

OTL has been attached ^^

edit:

Yeah, win32 explore-DU (trojan) has been removed from my computer :slight_smile:

thx for the help essexboy :smiley:

You are still using IE8; I would recommend that you upgrade to IE10.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
[*] Go to this site and click Do I have Java
[*] It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?

Keep safe :wave:

@essexboy "do not show hidden files and folders" is already configured :slight_smile:

For Java, I updated a few minutes ago by following your instructions, master hehehe

Once again, thx for the help and suggestions, buddy. I'm very satisfied with this; so far so good. I have been on standby for hours without any problems; for now I feel my system is healthy ;D

Yeah, I will report here soon when I get any problem :slight_smile:

My pleasure