Strange behavior from hidden Trojan

  1. #1
janlafata (Full Member)

    Strange behavior from hidden Trojan

    I am running Vista Home Basic x64. My system is running fine, however I like to do weekly spyware scans. For the past three weeks, both my AntiSpyware apps, Spy Cleaner Platinum and Spyware Doctor (an older version for x64) have turned up a trojan in C:\Windows\System32\explorer.exe.

    Spyware Doctor says it deleted it, but I'm not so sure, because it seems to keep coming back. Spy Cleaner flat out said it couldn't delete it. So the first obvious thing I did was look in the System32 folder for it... nothing there, and my view was set at Show Hidden Files and Folders.

    Then I changed Folder Options to also show Protected System Files...still couldn't see it! I also ran a HijackThis scan, however no trojan in that directory turned up. I should also mention that the two times Spyware Doctor alerted to it, it was named something different each time.

    When I ran Spy Cleaner, it also had a different name, but still, in all three scans, it showed the trojan as being embedded in C:\Windows\System32\explorer.exe. But why can't I find it? By the way, I also run ESET Smart Security and it has not turned up anything in scans.

  2. #2
    VopThis (Senior Member, Canada)
    You probably have a separate reinfection agent responsible for reinstating the (always intercepted) rogue 'explorer.exe'. Suggest you try several more tools. Unfortunately, such tools may not have complete functionality in even basic VISTA.

    Malwarebytes' Anti-Malware
    Using MBAM on 64 bit Windows - Malwarebytes Security Forums
    Does MBAM run on 64 bit Windows computers?

    MBAM will run on 64 bit but realtime protection will not work.

    You may also find this short diagnostic scan useful and potentially revealing:

    Prevx CSI Download

    * Please download Malwarebytes' Anti-Malware from HERE or HERE

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart (see Extra Note).
    • A run log is automatically saved by MBAM and can be viewed by clicking the Logs TAB in MBAM.
    • Copy&Paste the entire report in your next reply along with a HijackThis log.
    • Please post any current revised observations.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

  3. #3
    janlafata (Full Member)
    VopThis,

    Thanks for jumping in here to help me with this. I'm glad to know that I'm not going crazy and there really is something to this "phantom" nasty that sometimes never seems to go away! Let me also update you on everything. I've gone ahead and installed CounterSpy and ran a scan with that. It showed everything as clean.

    Tomorrow I will install both MalwareBytes, and I'm also going to try another one of their products, Rogue Remover. Will send you scan results right after I do.

    I did have a question about Prevx though. I've messed around with them a couple of times in the past but, at least from my past experience, all I remember that program doing is a scan, but once the results came up, if you wanted to disinfect, you had to buy the program. However, like I said, maybe things have changed since I first tried it.

    I do know they have a new version out, and I might even buy it depending if I like what I see, but I just hate to have to install something, then run a scan, only to then have it tell me I have to buy it to clean my PC.

    Oh well, I'll take one thing at a time and see what happens.

  4. #4
    janlafata (Full Member)
    VopThis,

    Got everything done... almost! Prevx would not run on x64. But here is everything else you wanted. First, the Malwarebytes log, and I also pasted my recent HijackThis log:

    Malwarebytes' Anti-Malware 1.30
    Database version: 1402
    Windows 6.0.6001 Service Pack 1

    11/16/2008 9:54:34 PM
    mbam-log-2008-11-16 (21-54-34).txt

    Scan type: Full Scan (C:\|D:\|E:\|G:\|H:\|)
    Objects scanned: 122637
    Time elapsed: 38 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:04:38 PM, on 11/16/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\ClipCache\Pro\clipc.exe
    C:\Program Files (x86)\Wallpaper Master\Wallpaper\Wallpaper.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = News, Travel, Weather, Entertainment, Sports, Technology, U.S. & World - USATODAY.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = >>> 'Full Speed' Enabled <<<
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [WallpaperChanger] "C:\Program Files (x86)\Wallpaper Master\Wallpaper\Wallpaper.exe" -startup
    O4 - Startup: ClipCache Pro.lnk = C:\Program Files (x86)\ClipCache\Pro\clipc.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE~1\OFFICE11\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files (x86)\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: Indexing Service (CISVC) - Unknown owner - C:\Windows\system32\CISVC.EXE (file missing)
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\Smart Security\x86\ekrn.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\Perfect Disk\PD91Agent.exe
    O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\Perfect Disk\PD91Engine.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files (x86)\Sunbelt Software\CounterSpy\SBAMSvc.exe
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files (x86)\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    O23 - Service: Interactive Services Detection (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: Virtual Disk (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

    --
    End of file - 5146 bytes
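    The HijackThis log above is where a helper would normally start triage, and the O23 service lines are the ones worth sorting first. The following Python script is an added example, not part of the thread and not HijackThis's own code: it parses O23 lines in the format shown above and groups them for review. It encodes one inference that the thread does not state but that I am confident of: HijackThis 2.0.2 is a 32-bit program, and on x64 Windows a 32-bit process that opens C:\Windows\System32\... is silently redirected by WOW64 to C:\Windows\SysWOW64\..., so native 64-bit binaries such as lsass.exe and spoolsv.exe are reported as "(file missing)" even though they are present. The same redirection is the first thing to rule out for the original "explorer.exe in System32" report, since a 32-bit scanner naming C:\Windows\System32\explorer.exe is actually looking at C:\Windows\SysWOW64\explorer.exe, the 32-bit Explorer that x64 Windows normally holds there; the file should be checked from a 64-bit command prompt before any conclusion is drawn. The sample log lines are copied from the post above except the ExUpd entry, which is constructed to exercise the "missing elsewhere" branch.

```python
import re

# Constructed sample: O23 lines copied from the HijackThis log in this thread,
# plus one O4 line (to show non-O23 lines are skipped) and one constructed
# "Example Updater" service that does not exist on the poster's machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WallpaperChanger] "C:\Program Files (x86)\Wallpaper Master\Wallpaper\Wallpaper.exe" -startup
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files (x86)\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\Smart Security\x86\ekrn.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files (x86)\Sunbelt Software\CounterSpy\SBAMSvc.exe
O23 - Service: Example Updater (ExUpd) - Unknown owner - C:\Users\Public\exupd.exe (file missing)
"""

# O23 line layout as seen in the log: display name, optional "(short name)",
# owner, image path, and an optional trailing "(file missing)" marker.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?)"
    r" - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

# Native 64-bit system directory; a 32-bit process is redirected away from it.
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\")

CATEGORIES = ("likely-wow64-artifact", "missing-verify", "unknown-owner-verify", "ok")


def parse_hijackthis(text):
    """Return a list of dicts for every O23 line; other line types are ignored."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "name": m.group("name") or m.group("display"),
            "owner": m.group("owner"),
            "path": m.group("path"),
            "missing": m.group("missing") is not None,
        })
    return entries


def classify(entry):
    """Assign a review bucket to one parsed O23 entry."""
    path = entry["path"].lower()
    if entry["missing"]:
        # 32-bit HijackThis on x64 cannot see the real System32, so a
        # "file missing" there is most likely a WOW64 redirection artifact.
        # Confirm from a 64-bit shell (dir <path>) rather than trusting either way.
        if SYSTEM32_RE.match(path):
            return "likely-wow64-artifact"
        # Missing image outside System32: an orphaned or removed service; verify.
        return "missing-verify"
    if entry["owner"] == "Unknown owner":
        # Present but with no recorded publisher: check the file's signature.
        return "unknown-owner-verify"
    return "ok"


def triage(text):
    """Group service short names by review bucket, preserving log order."""
    buckets = {c: [] for c in CATEGORIES}
    for entry in parse_hijackthis(text):
        buckets[classify(entry)].append(entry["name"])
    return buckets


if __name__ == "__main__":
    for category, names in triage(SAMPLE_LOG).items():
        print(f"{category:24s} {', '.join(names) or '-'}")
```

    Run against the full log from this post, every "(file missing)" entry lands in the first bucket, which is consistent with the 64-bit file system redirection explanation; the Acronis reinstall service is the only present file with no recorded owner and would be the one to check with a signature tool or by hash on VirusTotal, as suggested later in the thread.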

  5. #5
    VopThis (Senior Member, Canada)
    Just as prevx (scan only - minimal consequence) does not currently work in X64 Vista, I am also very hesitant to suggest many tools from my standard normal toolkit without a researched basis for suggesting it. That was once the case for plain VISTA. That is still presently the plight for early adopters of x64 platforms.

    all I remember that program doing is a scan, but once the results came up, if you wanted to disinfect, you had to buy the program.
    I run that program on all my PCs. It runs daily for several minutes. The good news is that it rarely reports any problems (pop up screen if it does). Any reported potential problems can most often be investigated (e.g.: submit file name to VirusTotal - Free Online Virus and Malware Scan). I have one (ongoing false positive?) issue on my dual boot PC (XP and VISTA) - both files can be clearly determined to be related to 'sound blaster' and no other tool has ever raised those files as issues; so I leave them alone.

    If people are having strange issues, it can be an important tool to consider (just for the free scan). If you seem to get infected on a more regular basis and no other tool is finding such items, then it might be cost effective to pay their modest fee to clean what it finds.
