How to repair an explorer.exe infected with the Vundo trojan?

Posted on 2007-12-04
Last Modified: 2013-12-09
Hello Experts.

I'm using McAfee anti-virus and it sometimes lets me know that the explorer.exe process is infected with the Vundo.dr trojan. I have tried to remove it with VundoFix, and although it erased the corrupted files it doesn't seem to have taken care of explorer.exe, which McAfee keeps popping up warnings about.
The anti-virus itself can't do it on its own and only erases files that suddenly appear in my Temporary Internet Files folder. Also, my explorer.exe process takes 77MB of RAM, so this also indicates a malware presence.
What should I do?

Thanks in advance,
Question by:No_problem
LVL 20

Expert Comment

ID: 20405818
Download and Run ComboFix (by sUBs)

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a HijackThis log (see below).

Please upload the log at
Use the link below and login using your Experts-Exchange username and password.
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

If you are having problems uploading it you can use the "Attach Code Snippet".

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click on the Network icon & select "Repair".
Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.


Also post a HijackThis log so we can see what is going on.


Author Comment

ID: 20406132
LVL 20

Expert Comment

ID: 20406462
Better but a Combofix script is needed here. I can put it together but not until later this evening. One of the other experts may look in and give you something. If not I'll get back to this later.

Can you also run HijackThis and post that log?

LVL 20

Expert Comment

ID: 20407984
Here is the script...

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:



C:\Documents and Settings\All Users\Application Data\Trymedia

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E1D7759-C8FE-4824-B396-79AF2D625627}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbbby]


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-A new HijackThis log

Author Comment

ID: 20409186
The ComboFix log:

ComboFix 07-12-02.6 - Burdinov 12/05/2007  7:17:11.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1255.1.1033.18.241 [GMT 2:00]
Running from: C:\Documents and Settings\Burdinov\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Burdinov\Desktop\CFScript.txt
 * Created a new restore point


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{091B6D34-FED1-358F-AE4C-0940A89D71E2}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{116E82C8-3DDC-BBF4-0EBF-333A35423A97}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{2C4A779D-CEB1-DF8F-34A2-2358799F8C48}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{B0197011-66DD-932B-0A26-2FF9D6DE1B35}

(((((((((((((((((((((((((   Files Created from 2007-11-05 to 2007-12-05  )))))))))))))))))))))))))))))))

No new files created in this timespan

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-12-01 22:22      ---------      d-----w      C:\Program Files\ICQ
2007-11-30 07:59      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\OpenOffice.org2
2007-11-29 08:50      ---------      d-----w      C:\Program Files\DeMule2007
2007-11-26 22:55      ---------      d-----w      C:\Program Files\DOSBox-0.72
2007-11-26 12:53      ---------      d-----w      C:\Program Files\Ad-Aware 2007
2007-11-23 09:40      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-11-21 14:58      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Copy of POPWWPROFILES
2007-11-20 23:14      4      --sh--r      C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
2007-11-20 23:11      ---------      d-----w      C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 18:00      4      --sh--r      C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
2007-11-18 17:59      ---------      d-----w      C:\Program Files\Comic Life 1.3.4
2007-11-11 09:34      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-11-10 11:04      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\bang
2007-11-05 16:56      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\Skype
2007-11-05 15:00      ---------      d-----w      C:\Program Files\Ubisoft
2007-11-03 20:34      639,224      ----a-w      C:\WINDOWS\system32\drivers\sptd.sys
2007-11-03 06:22      ---------      d-----w      C:\Program Files\BitLord
2007-11-03 00:54      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\uTorrent
2007-10-30 12:11      ---------      d--h--r      C:\Documents and Settings\Burdinov\Application Data\SecuROM
2007-10-30 11:21      ---------      d-----w      C:\Program Files\RocketDock
2007-10-29 14:08      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-28 22:33      ---------      d-----w      C:\Program Files\Common Files\Adobe
2007-10-28 22:31      ---------      d-----w      C:\Program Files\Common Files\Macrovision Shared
2007-10-28 10:03      ---------      d-----w      C:\Program Files\ffdshow
2007-10-28 00:28      ---------      d-----w      C:\Program Files\MagicISO
2007-10-17 20:56      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\mIRC
2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-10-17 07:10      ---------      d-----w      C:\Program Files\uTorrent
2007-10-16 20:52      ---------      d-----w      C:\Program Files\Skype
2007-10-16 20:52      ---------      d-----w      C:\Program Files\Common Files\Skype
2007-10-15 14:56      ---------      d-----w      C:\Program Files\Winamp
2007-10-15 08:02      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-14 09:23      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\
2007-10-14 09:21      ---------      d-----w      C:\Program Files\
2007-10-10 15:19      ---------      d-----w      C:\Program Files\DVDlabPro2
2007-03-27 21:14      32      -c--a-r      C:\Documents and Settings\All Users\hash.dat

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [09/02/2007 01:58 PM]

"ShStatEXE"="C:\Program Files\McAfee VirusScan\SHSTAT.exe" [08/18/2004 08:00 AM]
"McAfeeUpdaterUI"="C:\Program Files\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]

"NoRecentDocsMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Burdinov^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Burdinov\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
08/30/2007 01:19 PM      87392      --a------      C:\Program Files\Ad-Aware 2007\AAWTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
10/10/2007 07:51 PM      39792      --a------      C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
                  C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
                  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
02/07/2007 04:21 PM      54832      --a------      C:\Program Files\PowerDVD\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
10/14/2003 06:36 PM      38984      --a--c---      C:\PROGRA~1\ICQ\ICQNet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
                  C:\Program Files\Messenger\msmsgs.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
                  C:\Program Files\MSN Messenger\msnmsgr.exe /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
07/09/2001 10:50 AM      155648      --a------      C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
10/07/2003 09:48 AM      147514      --a------      C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
06/16/2007 01:15 AM      366400      --a--c---      C:\Program Files\Picasa2\PicasaMediaDetector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
                  C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
02/07/2007 04:24 PM      71216      ---------      C:\Program Files\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
11/10/2006 12:35 PM      90112      --a------      C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
07/12/2007 03:00 AM      132496      --a--c---      C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\PowerDVD\000.fcl
R3 PAC207;SoC PC-Camer@;C:\WINDOWS\system32\DRIVERS\pfc027.sys
S1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
S2 EZUSB;Cypress General Purpose USB Driver (ezusb.sys);C:\WINDOWS\system32\Drivers\ezusb.sys
S2 EZUSBDEV;Cypress General Purpose USB Driver w/ Keil Monitor (ezusb2.sys);C:\WINDOWS\system32\Drivers\ezusb2.sys
S3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys

\Shell\AutoRun\command - F:\LaunchU3.exe -a

\Shell\AutoRun\command - F:\LaunchU3.exe -a


catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2007-12-05 07:24:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Completion time: 12/05/2007  7:26:28 - machine was rebooted
      --- E O F ---

Since uploading didn't make it possible to see the HijackThis log, I'll upload it all here:

I'm adding it with "attach code snippet".
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:30:58, on 05/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\Program Files\McAfee VirusScan\SHSTAT.EXE
C:\Program Files\Common Framework\UpdaterUI.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\McAfee VirusScan\Mcshield.exe
C:\Program Files\McAfee VirusScan\VsTskMgr.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\McAfee VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\McAfee VirusScan\VsTskMgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
End of file - 5489 bytes

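As an added example (not from the thread, nor part of HijackThis or ComboFix), a small Python triage pass over HijackThis-format log lines that flags the entry types the experts act on in this thread: registrations whose backing file is missing, unnamed BHOs, and Winlogon Notify DLLs. The sample log is constructed from the shape of the posted one; the gebbbby.dll path and the O20 line are assumed, built from the CFScript entries above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in HijackThis v2 format. The Yahoo!, Adobe, McAfee and
# Ad-Aware lines mirror the posted log; the gebbbby.dll BHO and Winlogon Notify
# lines are assumed, built from the CFScript entries the expert removed.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Program Files\McAfee VirusScan\SHSTAT.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67} - C:\WINDOWS\system32\gebbbby.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee VirusScan\SHSTAT.EXE" /STANDALONE
O20 - Winlogon Notify: gebbbby - C:\WINDOWS\system32\gebbbby.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
"""

# One HijackThis entry: a section code (R0-R3, F0-F3, N1-N4, O1-O24),
# then " - ", then the entry body. Header and "Running processes" lines
# do not match and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    reason: str    # why this entry deserves a manual look
    entry: str     # the entry body as logged


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, body) for an entry line, or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and collect entries worth reviewing by hand."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        # Registration whose file is gone: dead weight at best, at worst the
        # registry remnant of a removal that only deleted the file.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(section, "registered component has no file on disk", body))
            continue
        # A Browser Helper Object without even a display name deserves a look.
        if section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(section, "unnamed Browser Helper Object", body))
        # Winlogon Notify DLLs load into winlogon.exe at every logon; the
        # CFScript in this thread deleted one such key (gebbbby).
        if section == "O20" and body.startswith("Winlogon Notify:"):
            findings.append(Finding(section, "Winlogon Notify DLL (loads at every logon)", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```

Entries that are flagged are candidates for review against the vendor and signer of the file, not an automatic delete list; the legitimate Adobe and McAfee lines in the sample pass untouched.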

LVL 20

Expert Comment

ID: 20409691
Looks is it running? Watch out when using the torrents and P2P, it's where many people get infected and if I had to guess that's how you did too here.

Good luck,
LVL 66

Expert Comment

ID: 20411038
I see a few things; I would suggest looking into these. A few bad rootkits out lately have been known to modify the tcpip.sys file, and since yours is from October I would be curious... (might have just been an MS KB update though...)

2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS

Verify this is from Daemon Tools
2007-11-03 20:34      639,224      ----a-w      C:\WINDOWS\system32\drivers\sptd.sys

Might try opening this in notepad, and see if you can identify it that way...
2007-11-20 23:14      4      --sh--r      C:\Documents and Settings\All Users\Application Data\sysqcl0.dat

Other than that, looks good....

Author Comment

ID: 20412989
C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
is empty aside from two square chars.

It might be associated with Alcohol 120%, which is the Daemon Tools equivalent.

Now, after all this cleaning, explorer.exe is still at its 50+ MB.
Also, McAfee has detected Vundo in svchost.exe now...
This is spreading...
LVL 20

Accepted Solution

IndiGenus earned 193 total points
ID: 20413062
Like johnb mentioned, you may be looking at a rootkit here.

Download Rootkit Revealer here (bottom of page):

Unzip the files and run RootkitRevealer.exe.

Press the scan button. Try to leave the system idle while running.

When done select File-->Save...and post the contents of the log in a Code Snippet window.

Also, rename HijackThis to something else, anything like findvundo.exe. Re-run it and give the log.
LVL 66

Assisted Solution

johnb6767 earned 192 total points
ID: 20413518
Also,  I like the Sophos AR scanner.....

Sophos Anti-Rootkit - Find and remove any rootkit that is hidden ...

Need to find out what module UNDER explorer.exe is using the CPU....

Process Explorer for Windows v10.21

Double click explorer.exe. Then Select the Threads tab, and see what .exe or .dll is using the CPU, and then select it by double clicking it....and copying/pasting the call stack here.....

Author Comment

ID: 20414167
Ok, here are the results:
The rootkit log is in the code snippet.
I've tried Sophos and it didn't detect anything. SUPERAntiSpyware, on the other hand, did find Vundo but apparently didn't clean everything out. McAfee hasn't reported more infections for the past few hours, but I suspect the trojan is still in the system because of the bloated explorer.exe.

The main two CPU threads in explorer.exe according to Process Explorer are posted here.

I can't make anything of this, so good luck :-)
HKU\.DEFAULT\Control Panel\International	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\S-1-5-21-1606980848-823518204-839522115-1003\Control Panel\International	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\S-1-5-21-1606980848-823518204-839522115-1003\Control Panel\International\Geo	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\S-1-5-21-1606980848-823518204-839522115-1003\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY*	10/30/2007 2:11 PM	0 bytes	Key name contains embedded nulls (*)
HKU\S-1-5-18\Control Panel\International	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC*	3/18/2007 7:01 PM	0 bytes	Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*	3/18/2007 7:01 PM	0 bytes	Key name contains embedded nulls (*)
HKLM\SOFTWARE\Adobe\SubInstall\{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}\SubProductList	10/29/2007 12:32 AM	37 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName	3/23/2007 8:50 AM	26 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName	3/23/2007 8:52 AM	26 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwFilesScanned	12/5/2007 8:39 PM	4 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\szLastScanned	12/5/2007 8:39 PM	102 bytes	Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg	11/3/2007 10:29 PM	0 bytes	Access is denied.



Author Comment

ID: 20414186
Correction: the first thread in Explorer.exe is this one (I accidentally posted the same thread twice in the message above):

LVL 20

Expert Comment

ID: 20417037
>""SUPERAntiSpyware on the other hand did find Vundo but apparently didn't clean everything out.""<

Where was it found? Could be in restore points or one of the quarantine folders like combofix's qoobox.

I would recommend you do this.

Click START then Run...
Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

Author Comment

ID: 20419692
No, they were in the C:\windows\system32 folder.

I uninstalled ComboFix.
Now Windows runs fine in my opinion and McAfee isn't shooting warnings, but explorer.exe is still big. It might not be the problem, but as a last resort: is it advisable to kill the explorer process, delete the file and copy an alternative explorer.exe from a friend?
