possible infected explorer.exe?

Recently, like 2 to 3 times in the last 2 days, Avast randomly popped up and told me:
“Suspicious files have been detected (using a heuristic method). This may be a sign of malware infection.”
C:\windows\system32\explorer.exe

I ignored it because this was part of my operating system, I think. Well, I scanned the file and no threat, full system scan no threat, scanned my system with Malwarebytes no threat. I saw a similar post on here so I downloaded aswMBR and ran a scan. Last, I ran AdwCleaner, which found 2 things in the registry. What else should I do, run TDSSKiller or ESET scanner?

I attached the text files, I hope.

Upload the file to https://www.virustotal.com/ and post the link to the result here.
Also run Farbar and attach the two logs to your next post (FRST.txt and Addition.txt).
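Before (or alongside) the VirusTotal upload, it is worth checking the flagged file locally: its SHA-256, its Authenticode status, and whether it matches the shell binary Windows actually launches from %SystemRoot%\explorer.exe. The following PowerShell is an added example written for this thread, not something the helper or FRST produced. It assumes an elevated PowerShell session on the affected machine, that `$Flagged` is the path Avast reported, and that the VirusTotal result URL you paste into `Test-MatchesVirusTotal` contains the file's SHA-256 as a 64-hex-character segment (as VirusTotal file URLs do).

```powershell
# Added example for this thread (not the helper's or FRST's code).
# Run elevated. Assumptions: $Flagged is the path Avast named; $Canonical is the
# copy of the shell that Windows launches; the VT URL embeds the SHA-256.

$Flagged   = 'C:\Windows\System32\explorer.exe'
$Canonical = "$env:SystemRoot\explorer.exe"

function Get-FileReport {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path        = $Path
        Exists      = $true
        SizeBytes   = $item.Length
        LastWrite   = $item.LastWriteTimeUtc
        FileVersion = $item.VersionInfo.FileVersion
        Company     = $item.VersionInfo.CompanyName
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        SigStatus   = $sig.Status            # Valid / NotSigned / HashMismatch ...
        Signer      = $sig.SignerCertificate.Subject
    }
}

function Test-MatchesVirusTotal {
    # Compare the local hash with the SHA-256 embedded in a VirusTotal file URL.
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$VtUrl)
    if ($VtUrl -notmatch '([0-9a-fA-F]{64})') { throw "No SHA-256 segment found in $VtUrl" }
    $expected = $Matches[1].ToLower()
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{ Expected = $expected; Actual = $actual; Match = ($expected -eq $actual) }
}

# 1. Report on both copies. Same hash => a benign duplicate of the shell binary;
#    different hash, wrong CompanyName, or a non-Valid signature => investigate.
$reports = @($Flagged, $Canonical) | ForEach-Object { Get-FileReport -Path $_ }
$reports | Format-List
if ($reports.Count -eq 2 -and $reports[0].Exists -and $reports[1].Exists) {
    "Hashes identical: " + ($reports[0].SHA256 -eq $reports[1].SHA256)
}

# 2. Confirm the hash you are about to discuss is the one VirusTotal analysed.
#    Replace the placeholder with the result URL from the VT page.
# Test-MatchesVirusTotal -Path $Flagged -VtUrl 'https://www.virustotal.com/en/file/<sha256>/analysis/'

# 3. Authoritative check for a protected system file: SFC compares it against the
#    component store. Catalog-signed system files can report NotSigned from
#    Get-AuthenticodeSignature on older Windows/PowerShell builds, so do not stop at step 1.
sfc "/verifyfile=$Flagged"
```

If SFC reports that the file is intact and the hash matches the canonical copy, a heuristic alert on explorer.exe is far more likely to be another process injecting into or launching the shell than a modified binary, which is the direction the rest of this thread takes.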

OK, I uploaded to VirusTotal; here is the link to the page results:

https://www.virustotal.com/en/file/df86df00e397605deb038c07db45acb241e07b0241366153f23dedc5eb237e6c/analysis/1464034436/

Also, here are the attached Farbar logs.

In the comment section of VirusTotal, one user mentioned "File is created by #known #malware #neshta #explorer.exe".
I'm not sure if that's what I have; I'm unsure.

It is rarely explorer that is infected; it is another programme using it.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quote box below into it:

CreateRestorePoint:
Toolbar: HKU\S-1-5-21-231989761-46154965-1395514480-1001 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} - No File
Toolbar: HKU\S-1-5-21-231989761-46154965-1395514480-1001 -> No Name - {E120ACB6-21BA-45ED-9E79-32079107C103} - No File
S3 AppObserver; \??\C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\appobserver64.sys [X]
C:\Program Files (x86)\NetRatingsNetSight
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
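The fixlist above targets four kinds of leftovers: IE toolbar registrations whose CLSID no longer points at a DLL ("No File"), a driver service whose .sys is gone ("[X]"), proxy and IE policy settings, and the local IPSec policy plus pending BITS jobs. The following PowerShell is an added, read-only audit written for this thread (it is not part of FRST and not the helper's code) that surfaces the same categories on a machine so you can see what a fixlist like this would be removing. It assumes PowerShell 5.1 run elevated on the affected machine, inspects the current user's hive (HKCU) rather than the HKU\<SID> path FRST prints, and deletes nothing.

```powershell
# Added example for this thread (not FRST's or the helper's code). Read-only.
# Assumes elevated PowerShell 5.1; uses HKCU for the logged-in profile.

function Get-OrphanedIeToolbars {
    # Toolbar registrations ({CLSID} value names) whose CLSID has no DLL on disk.
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    if (-not (Test-Path $key)) { return }
    $names = (Get-ItemProperty -Path $key).PSObject.Properties.Name |
             Where-Object { $_ -match '^\{[0-9A-F-]{36}\}$' }
    foreach ($clsid in $names) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        $onDisk = $dll -and (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)))
        if (-not $onDisk) {
            [pscustomobject]@{ Clsid = $clsid; Dll = $dll
                               Status = if ($dll) { 'file missing' } else { 'no CLSID registration' } }
        }
    }
}

function Resolve-ImagePath([string]$ImagePath) {
    # Normalise the forms seen in HKLM\SYSTEM\...\Services\*\ImagePath.
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    $p = $p -replace '^\\\?\?\\', ''                     # \??\C:\...  (NT prefix, as in the fixlist)
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p.StartsWith('"')) { $p = $p.Substring(1, $p.IndexOf('"', 1) - 1) }   # "C:\x y\a.exe" args
    else { $p = ($p -split '\s+(?=[-/])')[0] }            # C:\...\svchost.exe -k netsvcs
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }     # system32\drivers\x.sys
    return $p
}

function Get-ServicesWithMissingBinary {
    # Services and drivers (FRST's "[X]") whose ImagePath no longer exists.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $img) { return }
        $resolved = Resolve-ImagePath $img
        if (-not (Test-Path -LiteralPath $resolved)) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $img; Resolved = $resolved }
        }
      }
}

function Get-ProxyAndPolicyState {
    # What RemoveProxy: touches: proxy settings and IE policy keys.
    $is = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        ProxyEnable     = $is.ProxyEnable
        ProxyServer     = $is.ProxyServer
        AutoConfigURL   = $is.AutoConfigURL     # a PAC URL you never set is a classic hijack
        IePolicyKeyHKLM = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
        IePolicyKeyHKCU = Test-Path 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer'
    }
}

function Get-IpsecAndBitsState {
    # What the Reg: and bitsadmin lines touch: local IPSec policy and BITS jobs.
    $ipsec = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
    $policies = if (Test-Path $ipsec) {
        Get-ChildItem $ipsec -Recurse | Select-Object -ExpandProperty PSChildName } else { @() }
    Import-Module BitsTransfer
    $jobs = Get-BitsTransfer -AllUsers | Select-Object DisplayName, JobState, OwnerAccount,
              @{ n = 'Urls'; e = { ($_.FileList | ForEach-Object RemoteName) -join ';' } }
    [pscustomobject]@{ IpsecLocalPolicies = $policies; BitsJobs = $jobs }
}

'== Orphaned IE toolbars ==';        Get-OrphanedIeToolbars        | Format-Table -AutoSize
'== Services with missing binary =='; Get-ServicesWithMissingBinary | Format-Table -AutoSize
'== Proxy / IE policy ==';           Get-ProxyAndPolicyState       | Format-List
'== IPSec policy / BITS jobs ==';    Get-IpsecAndBitsState         | Format-List
```

Run it before the fix to see the entries FRST is about to remove, and again afterwards to confirm the orphaned toolbars and the dead AppObserver service are gone and no proxy or PAC URL has come back; a BITS job owned by an unexpected account, or a download URL you do not recognise, is worth noting in the thread rather than just resetting.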

OK, I opened the Farbar tool and pressed Fix; I didn't press Scan, I hope that's what you meant. It looked like it deleted a few things that are known; I hope they were not important things. Here is the log, posted and attached.

Fix result of Farbar Recovery Scan Tool (x64) Version:25-05-2016
Ran by kenneth cooper (2016-05-25 12:09:19) Run:1
Running from C:\Users\kenneth cooper\Downloads
Loaded Profiles: kenneth cooper (Available Profiles: kenneth cooper)
Boot Mode: Normal

fixlist content:


CreateRestorePoint:
Toolbar: HKU\S-1-5-21-231989761-46154965-1395514480-1001 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} - No File
Toolbar: HKU\S-1-5-21-231989761-46154965-1395514480-1001 -> No Name - {E120ACB6-21BA-45ED-9E79-32079107C103} - No File
S3 AppObserver; \??\C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter1\appobserver64.sys
C:\Program Files (x86)\NetRatingsNetSight
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


Restore point was successfully created.
HKU\S-1-5-21-231989761-46154965-1395514480-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{A13C2648-91D4-4BF3-BC6D-0079707C4389} => value removed successfully
"HKCR\CLSID\{A13C2648-91D4-4BF3-BC6D-0079707C4389}" => key removed successfully
HKU\S-1-5-21-231989761-46154965-1395514480-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{E120ACB6-21BA-45ED-9E79-32079107C103} => value removed successfully
HKCR\CLSID\{E120ACB6-21BA-45ED-9E79-32079107C103} => key not found.
AppObserver => service removed successfully
"C:\Program Files (x86)\NetRatingsNetSight" => not found.

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= RemoveProxy: =========

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-231989761-46154965-1395514480-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-231989761-46154965-1395514480-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-231989761-46154965-1395514480-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 4.7 GB temporary data Removed.

Now we just wait and see if the alerts no longer appear.

All the items removed were safe to do so and you did not want them anyway :)