No_problem asked:
How to repair an explorer.exe infected with the Vundo trojan?

Hello Experts.

I'm using McAfee anti-virus and it sometimes lets me know that the explorer.exe process is infected with the Vundo.dr trojan. I have tried to remove it with VundoFix, and although it erased the corrupted files it doesn't seem to have taken care of explorer.exe, which McAfee keeps popping up again.
The anti-virus itself can't do it by itself and only erases files that suddenly appear in my Temporary Internet Files folder. Also, my explorer.exe process takes 77 MB of RAM, so this also indicates a malware presence.
What should I do?

Thanks in advance,
No_Problem.
IndiGenus

Download and Run ComboFix (by sUBs)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a HijackThis log (see below).

Please upload the log at EE-Stuff.com
Use the link below and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

If you are having problems uploading it you can use the "Attach Code Snippet"

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running ComboFix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click your network icon & select "Repair".
Alternately, if the Network icon appears in the notification area in the lower right corner of the Desktop, right-click it, and then click Repair from the shortcut menu.

--------------------------------------------------------------------

Also post a HijackThis log so we can see what is going on.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

No_problem (ASKER)

Better but a Combofix script is needed here. I can put it together but not until later this evening. One of the other experts may look in and give you something. If not I'll get back to this later.

Can you also run HijackThis and post that log?
Here is the script...


1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:


---------------------------------------------------------------------------------------------------------------

File::
C:\WINDOWS\system32\aajasjsp.dll
C:\WINDOWS\system32\gebbbby.dll
C:\WINDOWS\system32\ddcyw.dll

Folder::
C:\Documents and Settings\All Users\Application Data\Trymedia

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E1D7759-C8FE-4824-B396-79AF2D625627}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbbby]

---------------------------------------------------------------------------------------------------------------


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log
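As an added illustration (my own code, not ComboFix's and not part of the original post), this Python reader walks a CFScript.txt like the one above and lists exactly what each directive would delete, so the plan can be reviewed before the file is dragged onto ComboFix.exe. The PROTECTED_BASENAMES list and its warning rule are my additions, not a ComboFix feature.

```python
"""Dry-run reader for a ComboFix CFScript.txt (added example, not ComboFix's code).

It reads the three directives the script above uses and reports what the
script would delete, without touching anything:
  File::      one file path per line
  Folder::    one folder path per line
  Registry::  REGEDIT4-style lines: [-KEY] deletes KEY,
              "name"=- under a [KEY] line deletes that value
"""
from dataclasses import dataclass, field

# Core Windows binaries a cleanup script should never delete outright
# (my own list; the thread's closing question is about replacing explorer.exe).
PROTECTED_BASENAMES = {"explorer.exe", "svchost.exe", "winlogon.exe",
                       "lsass.exe", "services.exe", "smss.exe", "csrss.exe"}

# The script posted in the thread, reproduced as constructed sample input.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\aajasjsp.dll
C:\WINDOWS\system32\gebbbby.dll
C:\WINDOWS\system32\ddcyw.dll

Folder::
C:\Documents and Settings\All Users\Application Data\Trymedia

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E1D7759-C8FE-4824-B396-79AF2D625627}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebbbby]
"""


@dataclass
class Plan:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    reg_keys: list = field(default_factory=list)     # keys deleted whole
    reg_values: list = field(default_factory=list)   # (key, value name) pairs
    unknown: list = field(default_factory=list)      # lines this reader cannot classify
    warnings: list = field(default_factory=list)     # protected binaries targeted


def parse_cfscript(text: str) -> Plan:
    """Walk the script line by line, tracking the current section and [KEY]."""
    plan, section, current_key = Plan(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                       # section header, e.g. File::
            section, current_key = line[:-2].lower(), None
            continue
        if section == "file":
            plan.files.append(line)
            if line.rsplit("\\", 1)[-1].lower() in PROTECTED_BASENAMES:
                plan.warnings.append(line)
        elif section == "folder":
            plan.folders.append(line)
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                plan.reg_keys.append(line[2:-1])       # delete whole key
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]               # following values refer here
            elif line.startswith('"') and line.endswith('"=-') and current_key:
                plan.reg_values.append((current_key, line[1:-3]))
            else:
                plan.unknown.append(line)
        else:
            plan.unknown.append(line)
    return plan


def report(plan: Plan) -> str:
    """Human-readable summary of what the script would do."""
    out = [f"delete file:   {p}" for p in plan.files]
    out += [f"delete folder: {p}" for p in plan.folders]
    out += [f"delete key:    {k}" for k in plan.reg_keys]
    out += [f"delete value:  {k} -> {v}" for k, v in plan.reg_values]
    out += [f"UNRECOGNISED:  {l}" for l in plan.unknown]
    out += [f"WARNING: core OS binary targeted: {p}" for p in plan.warnings]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(parse_cfscript(SAMPLE_SCRIPT)))
```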
The ComboFix log:

ComboFix 07-12-02.6 - Burdinov 12/05/2007  7:17:11.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1255.1.1033.18.241 [GMT 2:00]
Running from: C:\Documents and Settings\Burdinov\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Burdinov\Desktop\CFScript.txt
 * Created a new restore point

FILE
C:\WINDOWS\system32\aajasjsp.dll
C:\WINDOWS\system32\ddcyw.dll
C:\WINDOWS\system32\gebbbby.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{091B6D34-FED1-358F-AE4C-0940A89D71E2}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{116E82C8-3DDC-BBF4-0EBF-333A35423A97}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{2C4A779D-CEB1-DF8F-34A2-2358799F8C48}
C:\Documents and Settings\All Users\Application Data\Trymedia\data\{B0197011-66DD-932B-0A26-2FF9D6DE1B35}
C:\WINDOWS\system32\aajasjsp.dll
C:\WINDOWS\system32\ayadd.bak1
C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\gebbbby.dll

.
(((((((((((((((((((((((((   Files Created from 2007-11-05 to 2007-12-05  )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 22:22      ---------      d-----w      C:\Program Files\ICQ
2007-11-30 07:59      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\OpenOffice.org2
2007-11-29 08:50      ---------      d-----w      C:\Program Files\DeMule2007
2007-11-26 22:55      ---------      d-----w      C:\Program Files\DOSBox-0.72
2007-11-26 12:53      ---------      d-----w      C:\Program Files\Ad-Aware 2007
2007-11-23 09:40      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-11-21 14:58      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Copy of POPWWPROFILES
2007-11-20 23:14      4      --sh--r      C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
2007-11-20 23:11      ---------      d-----w      C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 18:00      4      --sh--r      C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
2007-11-18 17:59      ---------      d-----w      C:\Program Files\Comic Life 1.3.4
2007-11-11 09:34      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-11-10 11:04      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\bang
2007-11-05 16:56      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\Skype
2007-11-05 15:00      ---------      d-----w      C:\Program Files\Ubisoft
2007-11-03 20:34      639,224      ----a-w      C:\WINDOWS\system32\drivers\sptd.sys
2007-11-03 06:22      ---------      d-----w      C:\Program Files\BitLord
2007-11-03 00:54      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\uTorrent
2007-10-30 12:11      ---------      d--h--r      C:\Documents and Settings\Burdinov\Application Data\SecuROM
2007-10-30 11:21      ---------      d-----w      C:\Program Files\RocketDock
2007-10-29 14:08      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-28 22:33      ---------      d-----w      C:\Program Files\Common Files\Adobe
2007-10-28 22:31      ---------      d-----w      C:\Program Files\Common Files\Macrovision Shared
2007-10-28 10:03      ---------      d-----w      C:\Program Files\ffdshow
2007-10-28 00:28      ---------      d-----w      C:\Program Files\MagicISO
2007-10-17 20:56      ---------      d-----w      C:\Documents and Settings\Burdinov\Application Data\mIRC
2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-10-17 07:10      ---------      d-----w      C:\Program Files\uTorrent
2007-10-16 20:52      ---------      d-----w      C:\Program Files\Skype
2007-10-16 20:52      ---------      d-----w      C:\Program Files\Common Files\Skype
2007-10-15 14:56      ---------      d-----w      C:\Program Files\Winamp
2007-10-15 08:02      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-14 09:23      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Last.fm
2007-10-14 09:21      ---------      d-----w      C:\Program Files\Last.fm
2007-10-10 15:19      ---------      d-----w      C:\Program Files\DVDlabPro2
2007-03-27 21:14      32      -c--a-r      C:\Documents and Settings\All Users\hash.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [09/02/2007 01:58 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee VirusScan\SHSTAT.exe" [08/18/2004 08:00 AM]
"McAfeeUpdaterUI"="C:\Program Files\Common Framework\UpdaterUI.exe" [08/06/2004 03:50 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Burdinov^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Burdinov\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
08/30/2007 01:19 PM      87392      --a------      C:\Program Files\Ad-Aware 2007\AAWTray.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
10/10/2007 07:51 PM      39792      --a------      C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
                  C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -startup
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
                  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
02/07/2007 04:21 PM      54832      --a------      C:\Program Files\PowerDVD\Language\Language.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
10/14/2003 06:36 PM      38984      --a--c---      C:\PROGRA~1\ICQ\ICQNet.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
                  C:\Program Files\Messenger\msmsgs.exe /background
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
                  C:\Program Files\MSN Messenger\msnmsgr.exe /background
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
07/09/2001 10:50 AM      155648      --a------      C:\WINDOWS\system32\NeroCheck.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
10/07/2003 09:48 AM      147514      --a------      C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
06/16/2007 01:15 AM      366400      --a--c---      C:\Program Files\Picasa2\PicasaMediaDetector.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
                  C:\Program Files\QuickTime\qttask.exe -atboottime
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
02/07/2007 04:24 PM      71216      ---------      C:\Program Files\PowerDVD\PDVDServ.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
11/10/2006 12:35 PM      90112      --a------      C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
                  
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
07/12/2007 03:00 AM      132496      --a--c---      C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\PowerDVD\000.fcl
R3 PAC207;SoC PC-Camer@;C:\WINDOWS\system32\DRIVERS\pfc027.sys
S1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
S2 EZUSB;Cypress General Purpose USB Driver (ezusb.sys);C:\WINDOWS\system32\Drivers\ezusb.sys
S2 EZUSBDEV;Cypress General Purpose USB Driver w/ Keil Monitor (ezusb2.sys);C:\WINDOWS\system32\Drivers\ezusb2.sys
S3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4388d267-95b1-11dc-8b6c-0019e08f9eb1}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 07:24:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 12/05/2007  7:26:28 - machine was rebooted
.
      --- E O F ---



Since uploading didn't make it possible to see the HijackThis log, I'll upload it all here:

I'm adding it with "Attach Code Snippet".
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:30:58, on 05/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee VirusScan\SHSTAT.EXE
C:\Program Files\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\McAfee VirusScan\Mcshield.exe
C:\Program Files\McAfee VirusScan\VsTskMgr.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174239232889
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\McAfee VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\McAfee VirusScan\VsTskMgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
 
--
End of file - 5489 bytes


Looks better...how is it running? Watch out when using the torrents and P2P, it's where many people get infected and if I had to guess that's how you did too here.

Good luck,
Dave
johnb6767
I see a few things; I would suggest looking into these. A few bad rootkits out lately have been known to modify the tcpip.sys file, and since yours is from October I would be curious... (might have just been an MS KB update though...)

2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS

Verify this is from Daemon Tools
2007-11-03 20:34      639,224      ----a-w      C:\WINDOWS\system32\drivers\sptd.sys

Might try opening this in notepad, and see if you can identify it that way...
2007-11-20 23:14      4      --sh--r      C:\Documents and Settings\All Users\Application Data\sysqcl0.dat

Other than that, looks good....
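As an added example (my own code, not ComboFix's or johnb6767's), the triage in the reply above turned into a parser for Find3M report lines: it decodes the attribute column and flags recently written drivers and hidden system files such as sysqcl0.dat. The positional reading of the attribute flags is an assumption taken from the samples in this thread.

```python
"""Triage of ComboFix 'Find3M Report' lines (added example, not ComboFix's code).

Each report line is: date  time  size  attribute-flags  path. The attribute
column is read positionally, an assumption matching every sample in the thread:
  pos 0 'd' directory  pos 1 'c' compressed  pos 2 's' system
  pos 3 'h' hidden     pos 4 'a' archive     pos 6 'w' writable / 'r' read-only
(pos 5 is left uninterpreted).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lines copied from the Find3M section of the ComboFix log in this thread
# (constructed sample input for the parser).
SAMPLE_REPORT = r"""
2007-12-01 22:22      ---------      d-----w      C:\Program Files\ICQ
2007-11-23 09:40      ---------      d--h--w      C:\Program Files\InstallShield Installation Information
2007-11-20 23:14      4      --sh--r      C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
2007-11-03 20:34      639,224      ----a-w      C:\WINDOWS\system32\drivers\sptd.sys
2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-10-17 07:20      359,808      ----a-w      C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-03-27 21:14      32      -c--a-r      C:\Documents and Settings\All Users\hash.dat
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d:\d\d)\s+(\S+)\s+(\S{7})\s+(.+)$")


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]     # None for directories (size column is dashes)
    is_dir: bool
    system: bool
    hidden: bool
    path: str


def parse_entry(line: str) -> Optional[Entry]:
    """Split one report line into its columns; None if it is not a report line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, size, flags, path = m.groups()
    return Entry(date, time,
                 None if size.startswith("-") else int(size.replace(",", "")),
                 flags[0] == "d", flags[2] == "s", flags[3] == "h", path)


def triage(report: str) -> Dict[str, List[str]]:
    """Map each flagged path to the reasons it deserves a second look."""
    findings: Dict[str, List[str]] = {}
    for line in report.splitlines():
        e = parse_entry(line)
        if e is None or e.is_dir:
            continue                                  # directories are not triaged here
        reasons = []
        if "\\system32\\drivers\\" in e.path.lower():
            reasons.append("kernel driver written in the report window; confirm its origin")
        if e.system and e.hidden:
            reasons.append("hidden+system attributes set; most cleanup tools skip such files")
            if e.size is not None and e.size < 64:
                reasons.append(f"tiny ({e.size} bytes): typical marker/config stub, inspect contents")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_REPORT).items():
        print(path)
        for r in reasons:
            print("   -", r)
```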
C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
is empty aside from two square chars.

C:\WINDOWS\system32\drivers\sptd.sys
might be associated with Alcohol 120%, which is the Daemon Tools equivalent.


UPDATE:
Now, after all this cleaning, explorer.exe is still at its 50+ MB.
Also McAfee has detected Vundo in svchost.exe now...
this is spreading...
ASKER CERTIFIED SOLUTION
IndiGenus
OK, here are the results:
The rootkit log is in the code snippet.
I've tried Sophos and it didn't detect anything. SUPERAntiSpyware, on the other hand, did find Vundo but apparently didn't clean everything out. McAfee didn't post more infections for these few hours, but I suspect the trojan is still in the system because of the bloated explorer.exe.

The main two CPU threads in explorer.exe, from Process Explorer, are posted here:

ntoskrnl.exe!ExReleaseResourceLite+0x206
win32k.sys+0x2f70
win32k.sys+0x1b50
win32k.sys!EngQueryPerformanceCounter+0x5af
ntoskrnl.exe!ZwYieldExecution+0xb78
ntdll.dll!KiFastSystemCallRet
stobject.dll+0x1513
stobject.dll!DllCanUnloadNow+0x1fa4
kernel32.dll!GetModuleFileNameA+0x1b4

-------------------------------------------------------------------------------

ntoskrnl.exe!ExReleaseResourceLite+0x206
win32k.sys+0x2f70
win32k.sys+0x1b50
win32k.sys!EngQueryPerformanceCounter+0x5af
ntoskrnl.exe!ZwYieldExecution+0xb78
ntdll.dll!KiFastSystemCallRet
stobject.dll+0x1513
stobject.dll!DllCanUnloadNow+0x1fa4
kernel32.dll!GetModuleFileNameA+0x1b4
---------------------------------------------------------------------------------

I can't make anything of this so good luck :-)
HKU\.DEFAULT\Control Panel\International	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\S-1-5-21-1606980848-823518204-839522115-1003\Control Panel\International	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\S-1-5-21-1606980848-823518204-839522115-1003\Control Panel\International\Geo	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\S-1-5-21-1606980848-823518204-839522115-1003\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY*	10/30/2007 2:11 PM	0 bytes	Key name contains embedded nulls (*)
HKU\S-1-5-18\Control Panel\International	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo	12/5/2007 7:26 AM	0 bytes	Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC*	3/18/2007 7:01 PM	0 bytes	Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*	3/18/2007 7:01 PM	0 bytes	Key name contains embedded nulls (*)
HKLM\SOFTWARE\Adobe\SubInstall\{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}\SubProductList	10/29/2007 12:32 AM	37 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName	3/23/2007 8:50 AM	26 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName	3/23/2007 8:52 AM	26 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwFilesScanned	12/5/2007 8:39 PM	4 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\szLastScanned	12/5/2007 8:39 PM	102 bytes	Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg	11/3/2007 10:29 PM	0 bytes	Access is denied.


Correction: the first thread in Explorer.exe is this one (I accidentally posted the same thread twice in the message above):

ntoskrnl.exe!ExReleaseResourceLite+0x206
win32k.sys+0x2f70
win32k.sys+0x3776
win32k.sys+0x3793
ntdll.dll!KiFastSystemCallRet
Explorer.EXE+0xff89
SHLWAPI.dll!Ordinal505+0x3e9
kernel32.dll!GetModuleFileNameA+0x1b4
> "SUPERAntiSpyware on the other hand did find Vundo but apparently didn't clean everything out."

Where was it found? Could be in restore points or one of the quarantine folders like combofix's qoobox.

I would recommend you do this.

Click START then Run...
Now type Combofix /u in the run box and click OK. Note the space between the X and the U, it needs to be there.

When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
No, they were in the C:\windows\system32 folder.

I uninstalled combofix.
Now Windows runs fine in my opinion and McAfee isn't shooting warnings, but explorer.exe is still big. It might not be the problem, but as a last resort: is it advisable to kill the explorer process, delete the file and copy an alternative explorer.exe from a friend?