Not sure I should mess with these

C:\Users\computer_name\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\1da18ddf-7bc87e22

C:\Users\computer_name\AppData\Roaming\Microsoft\Templates\explorer.exe

So my main concern is ‘explorer.exe’, I don’t want to delete it because I’m pretty sure it’s important. The scan says it’s a Win32:Trojan-gen, should I really be messing with it? I don’t have any issues with it right now and I don’t want to create an issue if I don’t have to.

‘1da18ddf-7bc87e22’ doesn’t really mean anything to me. I don’t want to remove it because it seems important for Java, but I will if you think it’s a good idea. It also says it’s a Win32:Trojan-gen.

hi S_U__O__M_I,

The latest version of Java is 1.7.0.7. It looks as if you have version 6.0? That is obsolete and out of date.

http://www.oracle.com/technetwork/java/javase/downloads/index.html

Earlier versions have known exploits and are actively attacked by malicious software programs on the Web. You should heed the avast warning and uninstall the older version (if correct, as no info on java version is present) and rescan with avast to see if the W32:Trojan-gen detection is still there. Java exploits can result in remote control of your system in the worst case.

Please read the Oracle statement beginning with “Java Platform, Standard Edition” “Java SE 7u7” about the strong recommendation to upgrade to the latest version, in the link provided above.

(This is assuming you are running a version 1.6.. JRE)

Unless you need java to run programs on your system, you may choose to do without. Otherwise, make it a point to get the latest version when it becomes available.

Please post back your scan results after uninstall. Are you clean now?

EDIT: Under no circumstances do you ever delete explorer.exe. Doing so will make your system unusable. It is a necessary system file; windows will not run without it.

TIP: Antivirus programs (Avast included) offer delete and quarantine options for detected malicious files. I strongly suggest always quarantining a detected file first, and then choosing ignore if the file cannot be quarantined. You can then investigate this file to see if it is reported elsewhere. A good site to use is Virus Total (dot) com. You upload your file and scan it with 40+ virus scanners. https://www.virustotal.com/ Scan both files and report back the results.

Reason is, delete is a permanent option, once used, the file is gone forever. You have no options left. Quarantine will at least give you the option to restore that file should a later virus database update show it to be clean.

Never delete unless you are 100% sure you can do without that file.

Never delete… you move it to the chest, then you have the option to restore it if something goes wrong.

The first one is in the Java cache, so no problem, clear that… and get the latest Java.

How do I clear the Java cache?
http://www.java.com/en/download/help/plugin_cache.xml

Uninstalled Java 6 and cleared the cache, that removed the first one. Moved explorer.exe to the chest and nothing bad happened. I also did a re-scan and nothing was found, assuming it’s fixed now.

I used VirusTotal for the first file, but I couldn’t actually locate the explorer.exe (it was hidden I guess). Not sure if you want the results for that.

SHA256: 178870b60d01279740c9a52859bc67a18138d40bf1b22a423befafd5663c599e
SHA1: 7f4621f626bb41de3b3f163d3f0e8c59b3bfd074
MD5: 01a51bad2d1f6cc736194ebd105a73cb
File size: 441.5 KB ( 452096 bytes )
File name: 1da18ddf-7bc87e22
File type: Win32 EXE
Detection ratio: 12 / 43
Analysis date: 2012-10-06 08:35:42 UTC ( 0 minutes ago )

@ S_U__O__M_I,

As we are looking for the explorer.exe file, use Search in XP (no Win 7 here) with the “More Advanced Options” parameters: tick Search System Files, tick Search Hidden Files, tick Search Subfolders. The reason for the last is you want to see if there are any more instances of explorer.exe on your system. I am certain that on Win 7 this specialised search is similar in categories.

(See my sig below for info on the os I am now running.)

Do a search for “explorer.exe” (without the quotes) exactly as typed here and click Search. This should produce more than one instance, but the main one you want to test is in the C:\WINDOWS folder. If you see one elsewhere, you can upload and test that version also. You can also have Avast check it out by right-clicking that file and selecting the “Scan” option; the same “Scan” option is also available within the virus chest. Selecting scan with Avast is your easiest option, and you can go on from there.

On a side note, a 12 / 43 result is definitely malicious.

To post the scan results of VT, copy and paste the end of scan url here in your reply. Hopefully all will turn out well.

To do that, first click the globe icon upper left of the text box. It should paste a link similar to this (the actual link is not displayable in this box, so this one is modified a little bit) {url][/url}. Click in between the …][… and select paste after highlighting and copying the VT url. This will create a live link for Pondus and me to view.

This is safe to do and for us to view.

This is a necessary part of your investigation in determining if you are clean or not.
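An added example, not code from the thread or from Avast: a Python script that does the equivalent of the hidden-files search above, walking a tree for every file called explorer.exe, hashing each copy (the SHA256 is what you would look up on VirusTotal) and flagging any copy that is not in a directory where Windows keeps the genuine one. The expected-directory list and the sample tree it builds are my assumptions; on a real machine you would point `find_instances` at `C:\`.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def is_expected_location(rel_dir):
    """Assumed list of directories (relative to the drive root, lower-case,
    forward slashes) that legitimately hold explorer.exe on a standard install.
    Exact match for the live copies, prefix match for the WinSxS component store."""
    return rel_dir in ("windows", "windows/syswow64") or rel_dir.startswith("windows/winsxs/")

def sha256_of(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_instances(root, name="explorer.exe"):
    """Walk root (os.walk does not skip hidden files, unlike a default GUI search)
    and return one record per file called `name`, flagging unexpected locations."""
    root = Path(root)
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() != name:
                continue
            p = Path(dirpath) / fn
            rel_dir = p.parent.relative_to(root).as_posix().lower()
            results.append({"path": str(p), "size": p.stat().st_size,
                            "sha256": sha256_of(p),
                            "expected_location": is_expected_location(rel_dir)})
    return results

def build_demo_tree():
    """Constructed sample tree (not a real system): one copy under Windows and
    one in the Templates folder from the thread. Contents are placeholders."""
    root = Path(tempfile.mkdtemp())
    good = root / "Windows" / "explorer.exe"
    bad = (root / "Users" / "computer_name" / "AppData" / "Roaming"
           / "Microsoft" / "Templates" / "explorer.exe")
    for p, data in ((good, b"MZ-genuine-placeholder"), (bad, b"MZ-suspect-placeholder")):
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root

if __name__ == "__main__":
    for rec in find_instances(build_demo_tree()):
        flag = "ok     " if rec["expected_location"] else "SUSPECT"
        print(f"{flag} {rec['sha256'][:16]}... {rec['size']:>6} B  {rec['path']}")
```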

@ S_U__O__M_I
The avast virus chest is a protected area, so when you send a file there it is encrypted, and searching from outside it will find nothing, as to the outside world the file names have been changed. This prevents malware finding a file that has been sent to the chest and trying to run it.

The location of explorer.exe was very suspect in the first place (C:\Users\computer_name\AppData\Roaming\Microsoft\Templates\explorer.exe); why would it be in a Templates folder? The fact you were able to send it to the chest without any issues pretty much confirms that suspicion.

The whole point of using VirusTotal (VT) is that it uses multiple scanners (over 40), so the detection can be confirmed; if only one AV detects it then there is a possibility of the detection being incorrect, a false positive. Files in the chest can’t be sent to VT as they are protected.

Checking the offending/suspect file at: [url=https://www.virustotal.com/][b]VirusTotal - Multi engine on-line virus scanner[/b][/url] and [b]report the findings here, post the URL in the Address bar of the VT results page[/b]. You can't do this with the file securely in the chest, you need to Open the chest and right click on the file and select '[b]Extract[/b]' it to a temporary (not original) location first, see below.

Create a folder called [b]Suspect[/b] in the [b]C:\[/b] drive. Now exclude that folder in the [b]File System Shield, Expert Settings, Exclusions, Add[/b], type (or copy and paste) [b]C:\Suspect\*[/b] 
That will stop the File System Shield scanning any file you put in that folder.