Today I decided to run Avast Anti-Rootkit just to do a normal check, and it came up with: File: C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe INFECTED Win32:Explor-DU [Trj]. I have looked up this virus and it looks like no laughing matter, so now I'm here to see if it's a real thing or a false positive. I have already done the scans to speed up the process and will post the logs below.
Adware Cleaner
AdwCleaner v2.100 - Logfile created 12/14/2012 at 02:16:58
Updated 09/12/2012 by Xplode
Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
User : Ethan - FOXPC
Boot Mode : Normal
Running from : C:\Users\Ethan\Desktop\adwcleaner.exe
Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
Folder Deleted : C:\Users\Ethan\Documents\Save
***** [Registry] *****
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
***** [Internet Browsers] *****
-\ Internet Explorer v8.0.7601.17514
[OK] Registry is clean.
-\ Google Chrome v23.0.1271.97
File : C:\Users\Ethan\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
AdwCleaner[R1].txt - [1087 octets] - [14/12/2012 02:16:12]
AdwCleaner[S1].txt - [872 octets] - [14/12/2012 02:16:58]
########## EOF - C:\AdwCleaner[S1].txt - [931 octets] ##########
Avast Anti-Rootkit
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-10 01:51:53
01:51:53.433 OS Version: Windows x64 6.1.7601 Service Pack 1
01:51:53.433 Number of processors: 4 586 0x2505
01:51:53.433 ComputerName: FOXPC UserName: Ethan
01:51:54.073 Initialize success
01:51:54.151 AVAST engine defs: 12120901
01:51:57.053 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
01:51:57.053 Disk 0 Vendor: Hitachi_ PB4O Size: 476940MB BusType: 3
01:51:57.084 Disk 0 MBR read successfully
01:51:57.084 Disk 0 MBR scan
01:51:57.084 Disk 0 unknown MBR code
01:51:57.099 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 184418 MB offset 63
01:51:57.099 Disk 0 Partition - 00 05 Extended 274807 MB offset 377688150
01:51:57.131 Disk 0 Partition 2 00 27 Hidden NTFS WinRE NTFS 17712 MB offset 940493295
01:51:57.177 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 274807 MB offset 377688213
01:51:57.209 Disk 0 scanning C:\Windows\system32\drivers
01:52:15.570 Service scanning
01:52:43.510 Modules scanning
01:52:43.525 Disk 0 trace - called modules:
01:52:44.071 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
01:52:44.071 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa800476a060]
01:52:44.087 3 CLASSPNP.SYS[fffff88001a0143f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa800447b050]
01:52:44.773 AVAST engine scan C:
04:19:34.908 Scan finished successfully
04:22:38.489 Disk 0 MBR has been saved successfully to “C:\Users\Ethan\Documents\MBR.dat”
04:22:38.489 The log file has been saved successfully to “C:\Users\Ethan\Documents\aswMBR.txt”
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-13 21:45:59
21:45:59.137 OS Version: Windows x64 6.1.7601 Service Pack 1
21:45:59.137 Number of processors: 4 586 0x2505
21:45:59.139 ComputerName: FOXPC UserName: Ethan
21:46:01.221 Initialize success
21:46:01.510 AVAST engine defs: 12121300
21:46:04.445 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
21:46:04.448 Disk 0 Vendor: Hitachi_ PB4O Size: 476940MB BusType: 3
21:46:04.471 Disk 0 MBR read successfully
21:46:04.473 Disk 0 MBR scan
21:46:04.477 Disk 0 unknown MBR code
21:46:04.485 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 184418 MB offset 63
21:46:04.491 Disk 0 Partition - 00 05 Extended 274807 MB offset 377688150
21:46:04.523 Disk 0 Partition 2 00 27 Hidden NTFS WinRE NTFS 17712 MB offset 940493295
21:46:04.550 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 274807 MB offset 377688213
21:46:04.595 Disk 0 scanning C:\Windows\system32\drivers
21:46:20.044 Service scanning
21:47:09.447 Modules scanning
21:47:09.456 Disk 0 trace - called modules:
21:47:09.820 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
21:47:09.829 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004771060]
21:47:09.836 3 CLASSPNP.SYS[fffff88001a5143f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa80044e2050]
21:47:10.327 AVAST engine scan C:
00:11:23.159 File: C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe INFECTED Win32:Explor-DU [Trj]
00:17:32.802 Scan finished successfully
01:14:19.866 Disk 0 MBR has been saved successfully to “C:\Users\Ethan\Documents\MBR.dat”
01:14:19.991 The log file has been saved successfully to “C:\Users\Ethan\Documents\aswMBR.txt”
Malwarebytes
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org
Database version: v2012.12.13.10
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Ethan :: FOXPC [administrator]
12/14/2012 3:01:09 AM
mbam-log-2012-12-14 (03-01-09).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 282310
Time elapsed: 5 minute(s), 40 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
I have also attached the needed file below; hope this helps. Also, if this thing can take passwords, tell me immediately please.
Thanks, Fox.
Extra info: the PC is running smoothly, mind you the RAM is at 40% use all the time, but that might be due to the fact I'm using Komodo Killswitch and Avast.