A dropper trojan has been detected in explorer.exe - please help!

[Abengoshis]

When I logged in a few days ago, there was no desktop and the screen was entirely black, with just the cursor visible. I opened task manager and no applications were running, so I tried to run explorer.exe and got the error message:

C:\Windows\explorer.exe

Operation did not complete successfully because the file contains a virus.

After this I did a boot scan and it informed me that explorer.exe was infected with Win32:dropper-gen [Drp]

I've tried several different antivirus software to try to fix this problem. I've also done a system restore to a point earlier in the week (before I had this problem), but ultimately I've had to come here as my efforts have had no effect.

The odd thing about this message is that it doesn't always appear. When the message appears (and the desktop does not show up), restarting the computer seems to magically fix the symptoms.

Please help!

[essexboy]

Hi what is the VPS version of Avast ?   It should be 140310-0, also do you use windows7 button software or something similar

[Abengoshis]

The version is 140310-0 .
What do you mean by button software?

[Pondus]

I've tried several different antivirus software to try to fix this problem.     

Does this mean you have more then one AV installed?

[essexboy]

Theme software that changes the start button on windows.  As there was a false positive on this a few days ago....  Is it still alerting 

[Abengoshis]

@Pondus: By this I mean I've run mbam, tdsskiller, emsisoft emergency kit etc.

@essexboy: Yes - I changed the start button a very long time ago! Is it safe to assume this is the cause, then?

[essexboy]

It is possible could you let me know what file Avast has put in the virus chest.  Also right click that file and select scan, does it still report it as infected

[Abengoshis]

Since I did a system restore to a point before I got the message (and therefore before I did the boot scan), I'm not certain that the virus chest would still contain the item. I'll do another boot scan right now to make sure, so my next reply may take a while.

The items currently in the chest are:
cleanup.bat   (BV:KillAV-EC [Trj])
FileSYstem_Steam.dll   (no virus)
Unconfirmed 962796.crdownload   (Win32:InstalleRex-BH [PUP])
vtex.exe   (no virus)

[Abengoshis]

Ok, I have finally completed the boot scan. No items were moved to the chest, however the detailed report of the boot scan reports the following items with Win32:Dropper-gen [Drp]:

C:\Windows\explorer.exe
C:\Windows\explorer_backup.exe
C:\Windows\explorer_backup_w7sba.exe
C:\Windows\explorer_edit_w7sba.exe

EDIT: Just now, while on my PC, Avast stopped explorer.exe and claimed that explorer.exe in winlogon.exe was infected with the dropper virus.

[essexboy]

Hmm I thought that was fixed

Could you right click those files in the virus chest and send them to the virus labs as a false positive

[Abengoshis]

I don't think any of these are to do with the explorer.exe trojan report. The only one that could be linked to it by date would be cleanup.bat:

cleanup.bat was transferred on 08/03/2014
FileSystem_Steam.dll was transferred on 05/08/2012
Unconfirmed 962796.crdownload was transferred on 14/02/2014
vtex.exe was transferred on 10/01/2014

[essexboy]

Those files appear to be related to chrome and steam .. Do you use both programmes

[Abengoshis]

I do.
The files which were to do with steam are apparently clean now.
I have no idea what the chrome download was, but it claims to be infected.
I don't know where cleanup.bat came from.

[essexboy]

Cleanup bat could in reality be used by any programme to tidy up after updating etc... 

Is Avast still alerting on explorer ?

[Abengoshis]

Just this morning I had the same black screen symptoms with explorer not running because it "contains a virus".