Possible False Positive Win32:Explor-DU [Trj]

Today I decided to run Avast Anti-Rootkit just to do a normal check and it came up with: File: C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe INFECTED Win32:Explor-DU [Trj]. I have looked up this virus and it looks like no laughing matter, so now I’m here to see if it’s a real thing or a false positive. I have already done the scans to speed up the process and will post the logs below.

Adware Cleaner

AdwCleaner v2.100 - Logfile created 12/14/2012 at 02:16:58

Updated 09/12/2012 by Xplode

Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

User : Ethan - FOXPC

Boot Mode : Normal

Running from : C:\Users\Ethan\Desktop\adwcleaner.exe

Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Users\Ethan\Documents\Save

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

***** [Internet Browsers] *****

-\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\ Google Chrome v23.0.1271.97

File : C:\Users\Ethan\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.


AdwCleaner[R1].txt - [1087 octets] - [14/12/2012 02:16:12]
AdwCleaner[S1].txt - [872 octets] - [14/12/2012 02:16:58]

########## EOF - C:\AdwCleaner[S1].txt - [931 octets] ##########

Avast Anti-Rootkit

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-10 01:51:53

01:51:53.433 OS Version: Windows x64 6.1.7601 Service Pack 1
01:51:53.433 Number of processors: 4 586 0x2505
01:51:53.433 ComputerName: FOXPC UserName: Ethan
01:51:54.073 Initialize success
01:51:54.151 AVAST engine defs: 12120901
01:51:57.053 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
01:51:57.053 Disk 0 Vendor: Hitachi_ PB4O Size: 476940MB BusType: 3
01:51:57.084 Disk 0 MBR read successfully
01:51:57.084 Disk 0 MBR scan
01:51:57.084 Disk 0 unknown MBR code
01:51:57.099 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 184418 MB offset 63
01:51:57.099 Disk 0 Partition - 00 05 Extended 274807 MB offset 377688150
01:51:57.131 Disk 0 Partition 2 00 27 Hidden NTFS WinRE NTFS 17712 MB offset 940493295
01:51:57.177 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 274807 MB offset 377688213
01:51:57.209 Disk 0 scanning C:\Windows\system32\drivers
01:52:15.570 Service scanning
01:52:43.510 Modules scanning
01:52:43.525 Disk 0 trace - called modules:
01:52:44.071 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
01:52:44.071 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa800476a060]
01:52:44.087 3 CLASSPNP.SYS[fffff88001a0143f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa800447b050]
01:52:44.773 AVAST engine scan C:
04:19:34.908 Scan finished successfully
04:22:38.489 Disk 0 MBR has been saved successfully to “C:\Users\Ethan\Documents\MBR.dat”
04:22:38.489 The log file has been saved successfully to “C:\Users\Ethan\Documents\aswMBR.txt”

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-13 21:45:59

21:45:59.137 OS Version: Windows x64 6.1.7601 Service Pack 1
21:45:59.137 Number of processors: 4 586 0x2505
21:45:59.139 ComputerName: FOXPC UserName: Ethan
21:46:01.221 Initialize success
21:46:01.510 AVAST engine defs: 12121300
21:46:04.445 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
21:46:04.448 Disk 0 Vendor: Hitachi_ PB4O Size: 476940MB BusType: 3
21:46:04.471 Disk 0 MBR read successfully
21:46:04.473 Disk 0 MBR scan
21:46:04.477 Disk 0 unknown MBR code
21:46:04.485 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 184418 MB offset 63
21:46:04.491 Disk 0 Partition - 00 05 Extended 274807 MB offset 377688150
21:46:04.523 Disk 0 Partition 2 00 27 Hidden NTFS WinRE NTFS 17712 MB offset 940493295
21:46:04.550 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 274807 MB offset 377688213
21:46:04.595 Disk 0 scanning C:\Windows\system32\drivers
21:46:20.044 Service scanning
21:47:09.447 Modules scanning
21:47:09.456 Disk 0 trace - called modules:
21:47:09.820 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
21:47:09.829 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004771060]
21:47:09.836 3 CLASSPNP.SYS[fffff88001a5143f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa80044e2050]
21:47:10.327 AVAST engine scan C:
00:11:23.159 File: C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe INFECTED Win32:Explor-DU [Trj]
00:17:32.802 Scan finished successfully
01:14:19.866 Disk 0 MBR has been saved successfully to “C:\Users\Ethan\Documents\MBR.dat”
01:14:19.991 The log file has been saved successfully to “C:\Users\Ethan\Documents\aswMBR.txt”

Malwarebytes
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.13.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Ethan :: FOXPC [administrator]

12/14/2012 3:01:09 AM
mbam-log-2012-12-14 (03-01-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 282310
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0

Also attached the needed file below, hope this helps. Also, if this thing can take passwords, tell me immediately please.

Thanks, Fox.

Extra info: the PC is running smoothly, mind you the RAM is at 40% use all the time, but that might be due to the fact I’m using Comodo KillSwitch and Avast.

Upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners.
Post the link to the scan result here.

Alternative: jotti.org or metascan-online.com

SHA256: 6bed1a3a956a859ef4420feb2466c040800eaf01ef53214ef9dab53aeff1cff0
File name: explorer.exe
Detection ratio: 0 / 46
Analysis date: 2012-12-13 23:24:09 UTC ( 0 minutes ago )

Well, I just found the folder where Avast Anti-Rootkit said the problem was, and indeed there is an explorer.exe there. However, I doubt I can just simply delete it and need some help with what I should do.

Malware removers are notified. They usually arrive here after work time… European time zone. :wink:

Another thing to add: the file I found was last modified in 2009; the actual explorer.exe is always being modified.

Yes, I believe that is a false positive; your system appears clean. Although the slowness may be due to Norton drivers running in addition to Avast.

Norton removal tool https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20080710133834EN&product=home&pvid=f-home&version=1&lg=en&ct=us

Thanks essexboy! This little thing kept me up last night; glad it was only a false positive.

A question though. The file in question is not in the root directory and has been inactive since 2009. I scanned my computer before and it never pinged it, so all I’m wondering is if it’s ok to delete it.

It was probably an update that added a definition for explorer, and it appears to look at files where the MD5 is not the standard MS one.
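A way to check that kind of detection yourself, as an added triage script that is not part of this thread: it hashes the flagged WinSxS copy of explorer.exe, compares the SHA256 against the value from the VirusTotal result posted above, and prints the file’s version info, last-write time and Authenticode status so you can see whether it matches a stock Microsoft build. The path and the expected hash are taken from the thread; everything else is assumed.

```powershell
# Added triage script (not from the thread). Path and SHA256 come from the posts above.
$Path = 'C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe'
$ExpectedSha256 = '6bed1a3a956a859ef4420feb2466c040800eaf01ef53214ef9dab53aeff1cff0'  # VirusTotal hash from the thread

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

# SHA256 via .NET so it also works on Windows 7 / PowerShell 2.0, which has no Get-FileHash.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($Path)
try   { $hashBytes = $sha.ComputeHash($stream) }
finally { $stream.Close() }
$actualSha256 = ([System.BitConverter]::ToString($hashBytes) -replace '-', '').ToLower()

$item = Get-Item -LiteralPath $Path
$sig  = Get-AuthenticodeSignature -FilePath $Path
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

# One object with everything a false-positive triage needs to compare against a known-good build.
New-Object PSObject -Property @{
    Path            = $Path
    SHA256          = $actualSha256
    MatchesVTSample = ($actualSha256 -eq $ExpectedSha256)   # $true if this is the same file VirusTotal scored 0/46
    LastWriteTime   = $item.LastWriteTime                    # thread reports a 2009 timestamp for this copy
    FileVersion     = $item.VersionInfo.FileVersion          # expect 6.1.7600.16385 from the WinSxS folder name
    CompanyName     = $item.VersionInfo.CompanyName
    SignatureStatus = $sig.Status
    Signer          = $signer
} | Format-List
```

Windows system binaries are usually catalog-signed rather than carrying an embedded signature, so on Windows 7 SignatureStatus can read NotSigned for a genuine file; in that case the hash match and the version info are the stronger signals, and `sfc /verifyfile=<path>` is the built-in cross-check.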

So it’s safe?

Yes, there is no problem there; if it alerts again then upload it to the Labs from the virus chest.

This was found by the Avast Anti-Rootkit, not the normal scan. I was doing a full C:\ scan and this came up; it did not give me any option to delete it. To add to this, the full system scan finds nothing and the quick scan in Anti-Rootkit also finds nothing. This came up after the Avast Anti-Rootkit C:\ scan and as such made me wonder if it was a false identification. There was no Fix option in the Anti-Rootkit and all I could do was save the log.

[EDIT] Sent the file to the virus chest and submitted it.

Hi essexboy,

Shouldn’t the victim cleanse uninstall remnants of Norton from the OS? These could lead to conflicts with the resident AV software installed.
Just my 2 eurocents,

pol

This is the log of the quick scan in Anti-Rootkit.

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-14 17:49:21

17:49:21.062 OS Version: Windows x64 6.1.7601 Service Pack 1
17:49:21.062 Number of processors: 4 586 0x2505
17:49:21.062 ComputerName: FOXPC UserName: Ethan
17:49:23.106 Initialize success
17:49:23.761 AVAST engine defs: 12121302
17:49:25.711 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
17:49:25.711 Disk 0 Vendor: Hitachi_ PB4O Size: 476940MB BusType: 3
17:49:25.726 Disk 0 MBR read successfully
17:49:25.726 Disk 0 MBR scan
17:49:25.726 Disk 0 unknown MBR code
17:49:25.742 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 184418 MB offset 63
17:49:25.742 Disk 0 Partition - 00 05 Extended 274807 MB offset 377688150
17:49:25.773 Disk 0 Partition 2 00 27 Hidden NTFS WinRE NTFS 17712 MB offset 940493295
17:49:25.804 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 274807 MB offset 377688213
17:49:25.836 Disk 0 scanning C:\Windows\system32\drivers
17:49:34.899 Service scanning
17:50:02.605 Modules scanning
17:50:02.605 Disk 0 trace - called modules:
17:50:02.652 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
17:50:02.652 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004789060]
17:50:02.667 3 CLASSPNP.SYS[fffff88001d4943f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa80044fe050]
17:50:03.494 AVAST engine scan C:\Windows
17:50:06.255 AVAST engine scan C:\Windows\system32
17:52:55.594 AVAST engine scan C:\Windows\system32\drivers
17:53:11.272 AVAST engine scan C:\Users\Ethan
18:02:10.842 AVAST engine scan C:\ProgramData
18:05:30.793 Scan finished successfully
18:06:17.474 Disk 0 MBR has been saved successfully to “C:\Users\Ethan\Documents\MBR.dat”
18:06:17.479 The log file has been saved successfully to “C:\Users\Ethan\Documents\aswMBR Quick Scan.txt”

Looks like it has already been fixed, from that report.

Decided to try a hunch and scanned the folder where all the files are located, left the computer for 10 minutes and came back to find out it bluescreened. I’m tired of this laptop being the annoyance it’s been and will be taking it into the shop tomorrow. Another fact: the computer only bluescreens when I’m running Avast Anti-Rootkit on anything but a quick scan.

Is that the aswMBR programme? As that will sometimes cause a blue screen on some systems.

Yes, it was that program. The bluescreen code was 109; it has to do with kernel corruption. I looked it up and something in the IDT is messing it up.

aswMBR uses a totally different routine to Avast and is primarily aimed at the MBR, so it does dig deep.

What other problems are you having, as they may be easily resolved?