Possible Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mred1, Dec 10, 2011.

  1. mred1

    mred1 Private E-2

    Malware Detection so Posting Here. Sorry if too much background info. Didn’t know if it would help! Thank you!
    System Info: In Case You Need It
    Operating System:Windows XP Home Edition Service Pack 3 (build 2600)
    Sony Corporation VAIO Desktop PCV-RX650 (2001)
    Background:
    Tried to restore a 2 week old backup registry and computer crashed. Restored it to operational from Restore Console (with repair files) but desktop blank and can only get to task manager. This restored a bunch of junk like uninstalled programs back to add/remove programs but cannot uninstall because they can’t find links. I previously had uninstalled all old Java and uninstalled all entries I could. BTW… Do not have Sony OEM recovery disk.
    Symptoms: put in explorer and explorer.exe from Run line and get a microsecond flash of bottom task bar. Unable to click start button real quick and get a response. Subsequently tried to replace explorer.exe from another PC, renaming it also, but it didn’t take, it seemed.
    Ran the following within the last 48 hours:
    Notice: Malware Bytes-2 Items as follows
    Files Infected:
    c:\WINDOWS\explorer1.exe (Trojan.Agent) -> No action taken.
    c:\WINDOWS\explorer.com (Heuristics.Reserved.Word.Exploit) -> No action taken.
    *Malware Bytes said it had fixed these but I see it says no action taken.
    Ran Autoruns last night and it showed catchme.sys. From reading that 2007 post I figured it was malware so I deleted it. Ran again today and didn’t see it. Also, these two showed up. After research, deleted both.
    PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCIDump
    cpuz134 File not found: C:\DOCUME~1\User\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys
    This file keeps coming back. Later found out it might be okay.

    Also Ran several Registry Repair and Cleaner Programs including:
    Trend Micro House Call AV scan-Nothing
    CC Cleaner-Nothing major in registry
    Spybot Search and Destroy-Nothing
    Adaware-Nothing
    Combofix- Shows Avira free AntiVirus. Ran their own removal tool for registry keys plus searched and deleted all found ones (Sysinternals autoruns and process explorer) but still said it was running the second time so proceeded.

    Followed your guidelines. Could only get 3/5 tools to run. Logs posted for those. Had Root Repeal and MG Tools crash:
    Root Repeal-Start error msg: Error-invalid PE image found! Hangs for 6 hours, says: ”Initializing, please wait”. Have to shut down computer manually as it is stuck. Ran it twice with same result.
    Shows 6 files which are the same:
    C:/Documents and Settings\Local Settings\Apps\2.0\5Z9H66J9.G2B\GGBL…

    MG Tools-Crashed with following error message (not found in your page):
    ProcessDll.exe-Common Language Runtime Debugging Services
    Application has generated an exception that could not be handled.
    Process id:0xe38(3640), Thread id=0xe44(3652)
    Click Ok to terminate the application
    Click cancel to debug the application
    **Clicked cancel-Received following error msg:
    ProcessDll.exe-No debugger found.
    Registered JIT debugger not available Attempt to launch returned error code:
    Cordlog.exe !a 0xe38
    **Clicked retry-Got Blinking cursor on next line but no response.
    Logs attached. Thank you!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You did not attach any logs.

    Note it is a bad idea to run registry cleaners so we don't recommend it. It is an even worse idea to run them when malware is suspected of being present.

    Ad-Aware is not worth the resources it wastes. We suggest uninstalling.

    Please run ComboFix and ignore the complaint about Avira. Attach the log from ComboFix.

    Also ATTACH the requested logs from SUPERAntiSpyware, Malwarebytes, and MGtools. Do not post snippets of any logs inline with your messages. We want the full logs as attachments even if they show no malware.

    Malwarebytes said No action taken because you saved the log before you took the action. You need to fix first and then save the log to see the desired results.

    Also catchme.sys is not malware. It is part of GMER's rootkit detection tool and is used by several malware tools including ComboFix. Please leave the malware removal to us.
     
  3. mred1

    mred1 Private E-2

    Thanks for info!

    Okay. If you have any ideas about explorer.exe not starting in your evaluation, please let me know. Thanks for the help!
     

    Attached Files:

    Last edited by a moderator: Dec 11, 2011
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need the requested log from MGtools attached before I can continue. This is the C:\MGlogs.zip file.
     
  5. mred1

    mred1 Private E-2

    Done. Thanks!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not seeing any real malware problems in your logs. Maybe a few questionable files we can remove....but let's run a couple more scans first.

    Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller

    Now please also download MBRCheck to your desktop.

    See the download links under the MG download icon.
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post)
     
  7. mred1

    mred1 Private E-2

    Logs attached. BTW...drive 4 is my WD external drive. Strangely enough, I just got a virus on my laptop. Can I attach logs here or should I start another post? Thanks!
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Hi mred1,

    I will help you with your remaining malware problems on this PC while chaslang is away.

    Do you have problems with this computer only when this external drive is attached to it?

    Code:
       111 GB  \\.\PhysicalDrive4   RE: Unknown MBR code
                SHA1: 2BE9ACE700A45722604874D4A10E3B6A212931F3

    Description	Disk drive
    Manufacturer	(Standard disk drives)
    Model	WD 1200BB External USB Device
    Bytes/Sector	512
    Media Loaded	Yes
    Media Type	Fixed hard disk media
    And to answer your question, yes you should create a new thread if you are having malware problems on a different PC.
     
  9. mred1

    mred1 Private E-2

    Hello,
    No, I attached the drive after the crash where I lost explorer.exe which still won't start. Have tried everything for several weeks but nobody has any real concrete methods to fix it. This is an OEM computer without the recovery disk. Had to replace files after I tried to merge an older registry. Used the recovery console to get it to at least boot. I suspect I can only do a fresh install. Just had the one indication from malware bytes once about the explorer.exe file I tried to replace and a backup explorer1.exe. Thx.
     
  10. thisisu

    thisisu Malware Consultant

    I do not completely understand what your current PC status is.
    Are you able to boot to Windows or not?
     
  11. mred1

    mred1 Private E-2

    Yes, please see first post for background. I can only use task manager. Nothing on desktop and windows explorer won't start. When I type explorer in start, the taskbar blips for a microsecond. Had a malware detection which is how I ended up here. Thx.
     
  12. thisisu

    thisisu Malware Consultant

    Thank you for clearing this up. I do see some malware in your logs but first I need to know if you can launch explorer.exe from Safe Mode with Command Prompt? See >> Starting your computer in Safe mode

    If not, run the following command from Safe Mode with Command Prompt:
    • sfc /scannow
    Most likely you will be asked to insert your Windows XP Home Edition CD to restore clean files (explorer.exe included).

    Answer the above questions and then I will be able to help you further.
     
    Last edited: Dec 18, 2011
  13. mred1

    mred1 Private E-2

    Ran it twice. Didn't ask for CD. This is an OEM machine. Don't have recovery or XP home CD. Thx.
     
  14. thisisu

    thisisu Malware Consultant

    Can you complete the below directions? Try to...

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O3 - Toolbar: (no name) - {E166B4A2-83E7-11D3-B4FD-004005A47AAA} - (no file)
    O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
    O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
    O24 - Desktop Component AutorunsDisabled: (no name) - (no file)


    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Driver::
    RBXMOQEG
    File::
    C:\Documents and Settings\Administrator.VALUED-7B9600FA\Local Settings\Temp\RBXMOQEG.exe
    C:\WINDOWS\system32\AEMEZNAQSF
    C:\WINDOWS\system32\AYDO
    C:\WINDOWS\system32\SET177.tmp
    C:\WINDOWS\system32\url(2).dll
    C:\WINDOWS\system32\crypt32(3)(2).dll
    C:\WINDOWS\system32\crypt32(2).dll
    FileLook::
    C:\WINDOWS\System32\drivers\Dbgv.sys
    c:\windows\system32\dllcache\wab.exe
    c:\windows\system32\dllcache\61883.sys
    c:\windows\system32\dllcache\4mmdat.sys
    c:\windows\System32\drivers\KDATA.SYS
    Folder::
    c:\documents and settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
    c:\documents and settings\User\Application Data\Uniblue
    RegLock::
    [HKEY_USERS\S-1-5-21-602162358-308236825-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      ipsec.sys
      lsass.exe
      netbt.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %allusersprofile%\application data\*.exe
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
     
  15. mred1

    mred1 Private E-2

    Line 24 not showing...only goes up to line 23. Ran it.

     
  16. thisisu

    thisisu Malware Consultant

    Whenever you dragged CFScript.txt on top of ComboFix.exe, did you let go of the left-mouse click button? That should launch it.
     
  17. mred1

    mred1 Private E-2

    Yes, sir....got it to start finally. It locked up my system so I couldn't even pull up the task manager....only had a blinking cursor and blank desktop...had to manually reboot. Next try it started and said, "Newer version available. Do you want it?" or something close.....I said yes and then it was running with errors stating could not open various files ...also said I had Avira AV running which I have uninstalled, ran their remover and edited out all instances from the registry therefore I know it is not running. I installed Avast Free AV. I disabled all "real time" protections and it still says "secure". No documentation on how to disable it totally in one click but only by clicking on taskbar icon which I don't have.

    Tried to uninstall combofix at start with "Combofix /uninstall" but nothing happens as I was going to download a new copy. That's where I am to this point. Should I uninstall it differently? Carve it out of the registry? Uninstall Avast? Thx.
     
  18. thisisu

    thisisu Malware Consultant

    You should not be doing anything other than what I requested.

    First, uninstall Avast and Avira (if still present) from Add/Remove programs. Reboot your PC.

    Next:

    Download and run: Avast Uninstaller
    Reboot your PC again

    Next:

    Download Windows Repair by Tweaking.com and unzip to a folder on your desktop.
    • Run Repair_Windows.exe.
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Register System Files
      • Repair WMI
      • Repair Hosts File
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Do not stop it next time. ComboFix will kill all processes running (including Task Manager) and prevent them from opening until later stages of ComboFix. Unless your mouse locked up, your PC was most likely not "frozen".

    Rerun the ComboFix steps I outlined for you again, but this time let it run unhindered as much as possible. Only close out of any potential error messages you may see. Pressing OK will let ComboFix continue (at least until it runs into another problem).
     
  19. mred1

    mred1 Private E-2

    Combofix log attached.Thx.
     
    Last edited: Dec 17, 2011
  20. mred1

    mred1 Private E-2

    Here is the full combofix log. The other one was incomplete so I tried to delete it off the prior post.Thx.
     

    Attached Files:

    • log.txt (21.2 KB, 4 views)
  21. thisisu

    thisisu Malware Consultant

    Code:
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management 
    A couple of questions for you:
    • Do you know who opened this TCP Port?
    • Do you make use of Windows Remote Management?

    Answer the above and don't forget to attach the logs from running OTL ;)
     
  22. mred1

    mred1 Private E-2

     

    Attached Files:

  23. thisisu

    thisisu Malware Consultant

    Code:
    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 14.94 Gb Total Space | 0.15 Gb Free Space | 1.04% Space Free | Partition Type: NTFS

    511.53 Mb Total Physical Memory | 232.89 Mb Available Physical Memory | 45.53% Memory free
    Couple of things:
    • You are running very low on hard drive space.
    • You have a low amount of memory. At least 1GB is recommended for Windows XP SP3.
    There are some traces of malware in your logs, but not much.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3550)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3350p)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (amsint)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (AliIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78u2)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Aha154x)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (adpu160m)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (abp480n5)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ViaIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (TosIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc8xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc810)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_u3)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_hi)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Sparrow)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1280)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1240)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql12160)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Ql10wnt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1080)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2hib)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (PCIIde)
    DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (mraid35x)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ini910u)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (i2omp)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpt3xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpn)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dpti2o)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dac960nt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Cpqarray)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (CmdIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (cd20xrnt)
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {E166B4A2-83E7-11D3-B4FD-004005A47AAA} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {E166B4A2-83E7-11D3-B4FD-004005A47AAA} - No CLSID value found.
    O9 - Extra Button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - Reg Error: Key error. File not found
    [2011/12/08 22:52:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Uniblue
    [393 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2011/12/10 13:48:53 | 027,546,654 | ---- | M] () -- C:\WINDOWS\System32\AEMEZNAQSF
    [2011/12/07 03:46:06 | 031,571,968 | ---- | M] () -- C:\WINDOWS\System32\AYDO
    [2011/12/03 02:33:55 | 007,045,256 | ---- | M] () -- C:\WINDOWS\System32\QXCVGEKCDQX
    [2005/01/14 08:34:51 | 004,260,368 | RHS- | M] () -- C:\AVG6DB_F.DAT
    [2004/11/29 13:57:32 | 000,017,302 | RHS- | M] () -- C:\AVG6DB_N.DAT
    [2004/12/28 18:14:01 | 000,004,988 | RHS- | M] () -- C:\AVG6DB_R.DAT
    :commands
    [purity]
    [emptytemp]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     
  24. mred1

    mred1 Private E-2

    Freed up about 1.5 gig. My C drive is almost full. Would like to repartition it and make it larger but heard you can't do that too easily on the operating system drive. Suppose there is a way though.
    Yes, need more memory.
    Really, I went through the cleaning procedure with the other guy running all those programs. What malware and can we eliminate it please?

    Attached it, Thanks!
     

    Attached Files:

  25. thisisu

    thisisu Malware Consultant

    That OTL fix was successful and removed the small amount of malware traces you had.

    How is the PC running now? Your logs were pretty clean to begin with.
    I do not recommend that you install an Antivirus program until you get some more memory installed as that will just slow your PC down even more.
     
  26. mred1

    mred1 Private E-2

    I ran Kaspersky TDSS. I know you didn't ask for it but I had run it before and it has suspicious files so I wanted to get your take to see if any would indicate a rootkit? I attached the log if you don't mind taking a peek. Much appreciated.

    I do appreciate all your help! You have been very gracious and patient with me. Thank you!

    This may be out of your jurisdiction but I am still left with the initial problem that drove me here. Malware Bytes showed two infections for my explorer.exe and the backup I made which was explorer1.exe. These were in my first post which I copied below for your convenience. The major issue persists which is Windows Explorer won't start. I know you are probably going to say what everyone else does which is clean install because there are too many files gone. Explorer died when I merged an old registry backup trying to fix my Quicken program. I know I used a shotgun to shoot a fly and I learned from that experience. Still it is a royal pain to try and navigate without windows explorer. Aside from doing a fresh install of XP home (no disk anyway), is there any way to get explorer.exe to work? I have tried everything under the sun for weeks.

    Could I take relevant explorer reg keys from my laptop that runs XP SP3 and replace or add them to this Sony? What about uninstalling SP3 so I would go back to SP2 then reinstalling it. Would that fix explorer.exe? BTW... I had tried replacing explorer.exe with my laptop version but it didn't work, like the file was locked or something.

    This is an old Sony Vaio OEM and I don't have the recovery disk but I think the system files are stored on the C Drive. If I have to do a clean install, could I use drive image XL for example and back up the Sony OEM system files, drivers, even the windows registration key file and then use that as a basis for a fresh install?

    I do have an XP Pro Disk that was given to me around 2002 but it is a copy with a key so not really legit. Did wonder if I can extract files from it though that might work to rehab xp home? Wasn't able to figure out how to do that successfully. If I can't get windows explorer working, maybe there is a substitute shell I can use that you might recommend or do you think I should just bag the concept of rehabbing explorer?

    Sorry to be so long winded but if you can get explorer.exe working on here then you are the ultimate guru because I have researched for weeks and other tech guys just say wipe and reinstall XP which seems to be the pat answer although it may be technically correct.

    "Tried to restore a 2 week old backup registry and computer crashed. Restored it to operational from Restore Console (with repair files) but desktop blank and can only get to task manager.This restored a bunch of junk like uninstalled program back to add/remove programs but cannot uninstall because they can’t find links. I previously had uninstalled all old Java and uninstalled entries all entries I could. BTW… Do not have Sony OEM recovery disk.
    Symptoms:put in explorer and explorer.exe from Run line and get a microsecond flash of bottom task bar. Unable to click start button real quick and get a response. Subsequently tried to replace explorer.exe from another PC renaming it also but didn’t take it seemed.
    Ran the following within the last 48 hours:
    Notice: Malware Bytes-2 Items as follows
    Files Infected:
    c:\WINDOWS\explorer1.exe (Trojan.Agent) -> No action taken.
    c:\WINDOWS\explorer.com (Heuristics.Reserved.Word.Exploit) -> No action taken.."


    You may have noticed the following two desktop files that nobody can delete or get rid of.... Are they malware? I took a screenshot prior to losing my explorer and attached it. The files always come up not found when trying to delete them. File size is 0 bytes. I had another tech guy working on this for a week to no avail. Thanks!

    "C:\Documents and Settings\User\Desktop\An oldie but goodie_ Hands...."
    "C:\Documents and Settings\User\Desktop\Fire Waterfall....."

    Are you saying run without an AV? Isn't that rather risky? Is there a low overhead option where I can get some protection? If I have monopolized your time too much then I understand. In any event, thanks again for all your help!
     

    Attached Files:

  27. thisisu

    thisisu Malware Consultant

    All of the detections by TDSSKiller are OK; they are only being detected because they are not digitally signed files.

    I saw these in your logs:

    Code:
    [2011/12/11 02:15:40 | 001,033,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\explorerlap.exe
    [2011/12/04 15:26:38 | 001,033,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\explorerlap.exe
    [2011/12/01 22:40:03 | 001,033,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\exp.exe
    [2011/12/01 22:36:38 | 001,033,728 | ---- | C] (Microsoft Corporation) -- C:\exp.exe
    ... and they do not need to be here. Did you put each of these here and in these locations? They are the correct file sizes at least.

    What did you use to do this? How did you go about backing up the registry?
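    A triage script for OTL-style file-listing lines like the four quoted above and the random-named System32 files removed in the earlier OTL fix, added here as an example and not part of the thread or of OTL itself. It flags Microsoft-attributed executables of explorer.exe's size that sit outside explorer's canonical locations, and large, publisher-less, extension-less uppercase files in System32; the canonical paths, the size table (taken from the sizes on this page), the 1 MB threshold and the two benign sample lines are my assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# OTL file-listing line, as quoted in the thread:
#   [yyyy/mm/dd hh:mm:ss | size | attrs | C] (company) -- path
# The single letter before "]" is OTL's created (C) / modified (M) marker.
LINE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S+) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Assumptions (mine, not from the thread): where a genuine explorer.exe lives
# on XP, and the two explorer.exe image sizes seen in this thread's log lines.
CANONICAL_EXPLORER = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\dllcache\explorer.exe",
}
EXPLORER_SIZES = {1_033_216, 1_033_728}
SYSTEM32 = "c:\\windows\\system32\\"
BLOB_MIN_SIZE = 1_000_000  # bytes; the files in the thread were 27 MB and 31 MB

# Sample input: the six lines quoted in the thread plus two constructed
# benign entries (a genuine explorer.exe and svchost.exe) for contrast.
SAMPLE_LOG = r"""
[2011/12/11 02:15:40 | 001,033,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\explorerlap.exe
[2011/12/04 15:26:38 | 001,033,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\explorerlap.exe
[2011/12/01 22:40:03 | 001,033,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\exp.exe
[2011/12/01 22:36:38 | 001,033,728 | ---- | C] (Microsoft Corporation) -- C:\exp.exe
[2011/12/10 13:48:53 | 027,546,654 | ---- | M] () -- C:\WINDOWS\System32\AEMEZNAQSF
[2011/12/07 03:46:06 | 031,571,968 | ---- | M] () -- C:\WINDOWS\System32\AYDO
[2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2008/04/14 00:12:19 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\svchost.exe
"""

Entry = Dict[str, object]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL listing line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "stamp": m["stamp"],
        "size": int(m["size"].replace(",", "")),
        "company": m["company"],
        "kind": m["kind"],
        "path": m["path"],
    }


def parse_log(text: str) -> List[Entry]:
    """Keep only the lines that parse; blank and unrelated lines are skipped."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def is_stray_explorer_copy(e: Entry) -> bool:
    """A Microsoft-attributed .exe of explorer.exe's size outside its home."""
    path = str(e["path"]).lower()
    return (
        e["company"] == "Microsoft Corporation"
        and e["size"] in EXPLORER_SIZES
        and path.endswith(".exe")
        and path not in CANONICAL_EXPLORER
    )


def is_random_blob(e: Entry) -> bool:
    """Large, publisher-less, extension-less UPPERCASE file dropped in System32."""
    path = str(e["path"])
    name = path.rsplit("\\", 1)[-1]
    return (
        path.lower().startswith(SYSTEM32)
        and e["company"] == ""
        and "." not in name
        and name.isalpha()
        and name.isupper()
        and int(e["size"]) >= BLOB_MIN_SIZE
    )


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for every entry that matches a heuristic."""
    findings: List[Tuple[str, str]] = []
    for e in parse_log(text):
        if is_stray_explorer_copy(e):
            findings.append((str(e["path"]), "explorer.exe-sized copy outside its canonical location"))
        elif is_random_blob(e):
            findings.append((str(e["path"]), "unsigned, extension-less random-named file in System32"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

    A size match is only a hint that a file is a renamed explorer.exe; the thread's follow-up question (who put it there) is the step that actually settles it.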
     
  28. mred1

    mred1 Private E-2

    Okay, Thanks!



    Yes, as I was trying to import an explorer file that worked. Renamed the files then put them in start-run. Explorerlap is the file from my laptop.

    Exported "My Computer" from registry into a .reg file then just double-clicked it to merge but got an error message that said some files it could not replace. Computer then crashed so I used recovery console to replace system files with repair ones which was how I got it to boot all the way. It was in a continuous loop then BSOD. Thx.
     
  29. thisisu

    thisisu Malware Consultant

    Can you launch explorer.exe from Safe Mode with Command Prompt? See >> Starting your computer in Safe mode

    If you can, stop here and let me know before doing anything else.

    __________________________________________________________________________________

    If you cannot then proceed with these directions:

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    FCopy::
    C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe | C:\WINDOWS\explorer.exe
    NetSvc::
    WinRM
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)
     
  30. mred1

    mred1 Private E-2

    No
    Attached. Thx.
     

  31. thisisu

    thisisu Malware Consultant

    Does not look like that last fix worked. Try the below:


    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the custom fix text-field.
    Code:
    :files
    C:\WINDOWS\explorer.exe|C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe /replace
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "5985:TCP"=-
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    ________________________________________________________________________


    Take a look at the below (don't act upon anything yet):
    Code:
    -c--a-w            24,576 2011-12-12 00:37:16  C:\system volume information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP6\snapshot\_REGISTRY_MACHINE_SAM
    -c--a-w            65,536 2011-12-12 00:37:07  C:\system volume information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP6\snapshot\_REGISTRY_MACHINE_SECURITY
    -c--a-w        35,401,728 2011-12-12 00:37:11  C:\system volume information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP6\snapshot\_REGISTRY_MACHINE_SOFTWARE
    -c--a-w        19,017,728 2011-12-12 00:37:16  C:\system volume information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP6\snapshot\_REGISTRY_MACHINE_SYSTEM
    -c--a-w           688,128 2011-12-12 00:37:06  C:\system volume information\_restore{B6441411-87B0-4BDA-9E4A-8AC5B81921CD}\RP6\snapshot\_REGISTRY_USER_.DEFAULT
    You only have 1 snapshot and it is around the time you started having trouble.

    Sometimes you will find another registry snapshot in the following folder: C:\WINDOWS\Config
    But usually this one is really out of date! :(

    Ultimately you may want to read through the following: http://support.microsoft.com/kb/307545
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  33. mred1

    mred1 Private E-2

    Nice try though! Thanks!
    Attached it but unfortunately it didn't start explorer.
    Yes, I discovered this Microsoft page I basically performed the same procedure on 11-28 (one day after crash) from this website: http://www.aitechsolutions.net/winxpnoboot.html
    Only thing I don't remember is if I did this deletion in the procedure:
    delete c:\windows\system32\config\system
    delete c:\windows\system32\config\software
    delete c:\windows\system32\config\sam
    delete c:\windows\system32\config\security
    delete c:\windows\system32\config\default

    Think I must have because computer booted. Also, noticed this blurb on that Microsoft page:
    Warning: Do not use the procedure that is described in this article if your computer has an OEM-installed operating system. The system hive on OEM installations creates passwords and user accounts that did not exist previously. If you use the procedure that is described in this article, you may not be able to log back into the recovery console to restore the original registry hives.
    Should I not have performed this?
    BTW...I ran Spybot prior to the crash which occurred on 11-27. Funny thing was after the crash, I had no restore points as it appeared that somehow my system restore was turned off and they were gone.
    Crash happened on 11-27 so this won't help. Thx. though. Found these two backups... I have a ERUNT backup on my backup drive:
    Hiv-Backup Folder
    Tuesday, August 02, 2011, 6:23:51 PM
    72.3 MB (75,816,960 bytes)
    16 files, 7 folders
    Cache Folder
    Sunday, July 31, 2011, 2:10:24 PM
    27.1 MB (28,467,200 bytes)
    79 files

    I also just found a 149 mb .reg backup dated 10-1-11. I could try and restore it or the one above. Of course, this is how I crashed it in the first place...lol. What do you think?
    FYI...I have the .reg that I merged (made it a text file) that caused the initial crash and a post crash reg text file but they were to large to attach here. Didn't know if that would tell you anything.
    Nothing in that folder on current or backup drive.
    Commented on this above. Will try your suggestion from your next message. Thanks!
     

  34. mred1

    mred1 Private E-2

    Unsuccessful but thanks!
     
  35. thisisu

    thisisu Malware Consultant

    Is there a way you can tell us what Spybot removed? (if anything was detected)?

    It has been a while since I've used Spybot but if I recall correctly you can see what was quarantined in the "Recovery" section.

    Other than that, I'm sorry but I am out of ideas :(
     
  36. thisisu

    thisisu Malware Consultant

    I've never backed up the registry this way so I would not know.

    If they are registry backups from the system you are having trouble with -- I'd say it's worth a try. It's up to you if you want to try it, unless you just want to navigate everywhere without explorer.exe :p

    A Windows Repair may also be needed if the ERUNT backup does not work. See: How-to repair Windows XP for more information.
     
  37. mred1

    mred1 Private E-2

    Spybot was a few days prior to the crash. Don't recall exactly what was deleted but it was minor things like cookies etc. so don't think it was a factor other than
    maybe turning off system restore. Thx.
     
  38. mred1

    mred1 Private E-2

    Thank you so much for your extensive help. I must commend you as others have not even attempted what you did. I really appreciate your efforts! You did a great job assisting me!! Thanks so much! Wish you the best!
     
  39. thisisu

    thisisu Malware Consultant

    Words like these just warm my heart :)
    Take care now and good luck!
     
