what's this false detect ?

I got a notice from avast that explorer has a virus

I tried to check on
https://www.virustotal.com/id/file/0975be3b57e7923695e377f111c9bf83093086bb9941dca0f3205089f6e5e07c/analysis/1395551163/

only avast detects a virus

Please attach the logs to your next post: http://forum.avast.com/index.php?topic=53253.0

hello

send the file to virus@avast.com, put “False positive” in the email subject, compressed in ZIP or RAR.

What’s its sha256 or md5 or sha1 checksum?

SHA256: 0975be3b57e7923695e377f111c9bf83093086bb9941dca0f3205089f6e5e07c

Can be found in his Virustotal link.

also MD5 and SHA1 :wink:

report scan

up

No need to bump.

Your File Explorer has been modified, by the looks of it. My clean copy and your copy don’t match up.

Yours:
MD5 e141cc4d801d0b98ffe217427a9df8c5
SHA1 6fe43a832bd3a63664cd54cf067fbfb59c5ade2d
SHA256 0975be3b57e7923695e377f111c9bf83093086bb9941dca0f3205089f6e5e07c

Mine:
MD5 332feab1435662fc6c672e25beb37be3
SHA1 5a49d7390ee87519b9d69d3e4aa66ca066cc8255
SHA256 6bed1a3a956a859ef4420feb2466c040800eaf01ef53214ef9dab53aeff1cff0

I didn’t use cached results. So, I’d say if you were using Win 8 and using a classic Menu Button, that’d be the issue. You use Win 7 Ultimate.

It’s also unusual that I see these in an OTL scan log.
PRC - [2010/11/21 04:29:20 | 002,133,504 | ---- | M] (Microsoft Corporation) – C:\Windows\explorer.exe
PRC - [2010/11/21 04:29:19 | 000,049,152 | ---- | M] (Microsoft Corporation) – C:\Windows\System32\taskhost.exe
PRC - [2010/11/21 04:29:10 | 000,271,360 | ---- | M] (Microsoft Corporation) – C:\Windows\System32\conhost.exe
PRC - [2010/11/21 04:29:07 | 000,100,864 | ---- | M] (Microsoft Corporation) – C:\Windows\System32\audiodg.exe

Just out of curiosity. Why the proxy program?
PRC - [2001/01/27 00:36:12 | 000,278,016 | ---- | M] (MishkinSoft, hXXp://www.multiproxy.org) – C:\Program Files\MultiProxy\MProxy.exe

I see you have IOBit on your system. You might read this article.
http://blogs.computerworld.com/15026/iobit_accused_of_stealing_from_malwarebytes

Adware?
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hXXp://www.trovigo.com/?

I see you have at least 2 Anti-Viruses. Not recommended.
-Avast! Premier
-Kompas Anti-Virus

Article Here: https://blog.kaspersky.com/multiple-antivirus-programs-bad-idea/

[Edit]: Been fixing all 10 billion typos and breaking links that aren’t from trusted sources.

so what, does Explorer’s core contain a virus?

Hi, let’s locate all copies of explorer

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

We haven’t received such a sample.

Thanks Milos.

report combofix please solved :cry:

Windows 7 and IE 8?
Looks like several updates are missing/not downloaded/installed.

There is also the conduit infection.

Uh,

is this Milos or Jefferson?

OK, explorer has been patched and it looks as though the malware has removed all other copies.

So I will need to do a further search for a copy using OTL.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

  • Select All Users
  • Select LOP and Purity
  • Under the Custom Scan box, paste this in:

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
explorer.*
/md5stop
CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
  • When the scan completes, it will open one notepad window.
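As an added example (not code from this thread, from Avast or from OTL), here is a Python script that does by hand what the two checks above rely on: it walks a directory tree for files named explorer.* (the job the /md5start explorer.* /md5stop directive gives OTL), computes MD5, SHA-1 and SHA-256 of each copy in a single read pass, parses OTL "PRC -" lines like the ones quoted earlier, and compares the digests with the clean-copy hashes the helper posted. The reference hashes are copied from that post and not independently verified; the function names and the tiny stand-in files created by demo() are mine.

```python
import hashlib
import os
import re
import tempfile
from fnmatch import fnmatch

# Hashes the helper posted for their clean Windows 7 C:\Windows\explorer.exe.
# Copied from the thread as a reference set; not verified here.
CLEAN_EXPLORER = {
    "md5": "332feab1435662fc6c672e25beb37be3",
    "sha1": "5a49d7390ee87519b9d69d3e4aa66ca066cc8255",
    "sha256": "6bed1a3a956a859ef4420feb2466c040800eaf01ef53214ef9dab53aeff1cff0",
}

CHUNK = 1 << 20  # read large binaries 1 MiB at a time

# Matches an OTL "PRC -" (running process) line such as the ones quoted in the thread.
PRC_LINE = re.compile(
    r"^PRC - \[(?P<stamp>[^|]+?) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<vendor>[^)]*)\) [-\u2013] (?P<path>.+)$"
)


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of an in-memory buffer, lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    """Same three digests of a file, computed in one read pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def compare(actual: dict, reference: dict) -> dict:
    """Per-algorithm verdict: True where the computed digest equals the reference."""
    return {name: actual.get(name, "").lower() == ref.lower() for name, ref in reference.items()}


def parse_prc(line: str):
    """Timestamp, size, vendor and path from an OTL PRC line; None if it is not one."""
    m = PRC_LINE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": m["stamp"],
        "size": int(m["size"].replace(",", "")),
        "vendor": m["vendor"],
        "path": m["path"].strip(),
    }


def find_copies(root: str, pattern: str = "explorer.*") -> list:
    """Every file under root whose name matches pattern, case-insensitively
    (Windows file names are case-insensitive, which OTL's explorer.* search relies on)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch(name.lower(), pattern.lower()):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def audit(root: str, reference: dict = CLEAN_EXPLORER, pattern: str = "explorer.*") -> list:
    """Hash each copy found under root and flag whether it matches the reference set."""
    report = []
    for path in find_copies(root, pattern):
        hashes = hash_file(path)
        verdict = compare(hashes, reference)
        report.append({
            "path": path,
            "size": os.path.getsize(path),
            "hashes": hashes,
            "match": all(verdict.values()),
            "mismatched": [n for n, ok in verdict.items() if not ok],
        })
    return report


def demo() -> list:
    """Constructed run: two tiny stand-in files (not real explorer binaries) in a temp tree,
    audited against the digests of b"abc" so one copy matches and the other does not."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows", "winsxs"))
        with open(os.path.join(root, "Windows", "explorer.exe"), "wb") as fh:
            fh.write(b"abc")
        with open(os.path.join(root, "Windows", "winsxs", "Explorer.EXE"), "wb") as fh:
            fh.write(b"abcd")
        return audit(root, reference=hash_bytes(b"abc"))


if __name__ == "__main__":
    for entry in demo():
        status = "OK" if entry["match"] else "MISMATCH " + ",".join(entry["mismatched"])
        print(entry["path"], entry["size"], status)
    sample = ("PRC - [2010/11/21 04:29:20 | 002,133,504 | ---- | M] "
              "(Microsoft Corporation) \u2013 C:\\Windows\\explorer.exe")
    print(parse_prc(sample))
```

To use it on a real machine, call audit("C:\\") (or the mounted system drive from a rescue environment) with the reference set for the exact Windows build in question; a size or digest mismatch on a file that should be a stock Microsoft binary is the signal the helper in this thread was looking for, and the PRC parser lets you feed the OTL log's reported paths and sizes straight into the same comparison.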

I have to paste this to scan again?

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
explorer.*
/md5stop
CREATERESTOREPOINT

Paste that in the box below.

please check new OTL :slight_smile:

I am getting conflicting reports here as to what is or isn’t infected. So it is time for an outside opinion.

Create an emergency repair USB drive:
Download Dr Web Live USB to your desktop

  • Connect a USB flash drive to the computer. Registering the plugging-in event takes no more than 10 seconds.
  • Launch drwebliveusb.exe.
  • The program will detect available USB devices automatically and prompt you to choose the one you’d like to use as an emergency repair drive. You can format the device if you like (a warning will be displayed before you proceed with formatting). In order to read the License agreement, follow the corresponding link found in the program window (the page containing the license agreement text will be loaded in your default browser).

https://dl.dropbox.com/u/73555776/liveusb_ru.jpg

  • To create a bootable USB flash drive, press the Create Dr.Web LiveUSB button.
  • Files will be copied automatically.
  • Once the copying process is completed, press the Exit button to close the application.
  • Reboot the infected computer with the USB in the drive.
  • Ensure that the first boot device is USB. If you are not sure about that then see this page for instructions.
  • As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.

https://dl.dropboxusercontent.com/u/73555776/Live%20boot%20screen.png

  • Use arrow keys to select DrWeb-LiveCD (Default)

https://dl.dropboxusercontent.com/u/73555776/drwebselect.JPG

  • Press select objects for scanning

https://dl.dropboxusercontent.com/u/73555776/drwebfolders.JPG

  • When the system is loaded, check the disks or folders you want to scan, and click on Start.

  • The programme will now scan for and cure/delete any malware that it finds. Allow it to do so.

https://dl.dropboxusercontent.com/u/73555776/drwebscan.JPG

  • When it has completed

https://dl.dropboxusercontent.com/u/73555776/drwebscancomplete.JPG

  • Select Open Report and copy to the USB.
  • Once completed, reboot to normal Windows and attach the report here.