
Thread: trojan in explorer.exe

  1. #1
    Junior Member
    Join Date
    Apr 2007
    Posts
    17

    trojan in explorer.exe

    Hello there!

    While Spybot doesn't find it, Kaspersky has detected a trojan that has infected C:\WINDOWS\explorer.exe on our computer here. The trojan is called Trojan.Win32.Patched.k.

    Kaspersky cannot disinfect explorer.exe, and so suggests deleting it -- which of course seems a risky thing to do just like that.

    Would be thankful for any advice on what to do!

    HJT log follows (had to divide into two posts):

    Logfile of HijackThis v1.99.1
    Scan saved at 22:11:41, on 2007-04-28
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\ScsiAccess.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program\Synaptics\SynTP\SynTPLpr.exe
    C:\Program\Synaptics\SynTP\SynTPEnh.exe
    C:\Program\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program\ltmoh\Ltmoh.exe
    C:\Program\Acer\Notebook Manager\almxptray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program\Launch Manager\LaunchAp.exe
    C:\Program\Launch Manager\PowerKey.exe
    C:\Program\Launch Manager\HotkeyApp.exe
    C:\Program\Launch Manager\CtrlVol.exe
    C:\Program\Launch Manager\OSDCtrl.exe
    C:\Program\Launch Manager\Wbutton.exe
    C:\Program\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\Logitech\MouseWare\system\em_exec.exe
    C:\Program\Hewlett-Packard\OrderReminder\OrderReminder.exe
    C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program\OLYMPUS\OLYMPUS Master\Monitor.exe
    C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program\OpenOffice.org 2.0\program\soffice.exe
    C:\Program\OpenOffice.org 2.0\program\soffice.BIN
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program\Mozilla Firefox\firefox.exe
    C:\DOCUME~1\PIIAPO~1\LOKALA~1\Temp\Temporär katalog 1 för hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comhem.se/portal/comhem/ettan
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program\Acer\Notebook Manager\almxptray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [LaunchAp] C:\Program\Launch Manager\LaunchAp.exe
    O4 - HKLM\..\Run: [PowerKey] "C:\Program\Launch Manager\PowerKey.exe"
    O4 - HKLM\..\Run: [LManager] C:\Program\Launch Manager\HotkeyApp.exe
    O4 - HKLM\..\Run: [CtrlVol] C:\Program\Launch Manager\CtrlVol.exe
    O4 - HKLM\..\Run: [LMgrOSD] C:\Program\Launch Manager\OSDCtrl.exe
    O4 - HKLM\..\Run: [Wbutton] "C:\Program\Launch Manager\Wbutton.exe"
    O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OrderReminder] C:\Program\Hewlett-Packard\OrderReminder\OrderReminder.exe
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LDM] C:\Program\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\Monitor.exe
    O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
    O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/support/plugins/ebraryRdr.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...trol_en_US.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1102181378812
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: bw+0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

  2. #2
    Junior Member
    Join Date
    Apr 2007
    Posts
    17


    O18 - Protocol: bwx0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: offline-8876480 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O20 - AppInit_DLLs: "C:\Program\KASPER~2\KASPER~1.0\adialhk.dll"
    O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
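    The log above is long, and a reader working through it mostly wants the handful of entries that deserve a second look (dead entries, the AppInit_DLLs and Winlogon Notify load points, services with no recorded owner, autorun values that are bare filenames). The helper below is an added example written for this thread; it is not part of the original post and not HijackThis code. The sample lines are constructed after the ones posted above, the flag rules and reason strings are the example's own, and a flag marks an item to verify, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis v1.99 log format, modelled on the lines posted
# above (a mix of benign entries and entries worth a second look).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVP] "C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: "C:\Program\KASPER~2\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
"""

FILE_MISSING = "(file missing)"
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Review reasons (this example's own wording): they mark entries to verify, not verdicts.
REASON_MISSING = "referenced file is missing (dead or orphaned entry)"
REASON_APPINIT = "AppInit_DLLs entry: the DLL is loaded into every process that loads user32.dll"
REASON_WINLOGON = "Winlogon Notify entry: the DLL is loaded by winlogon.exe at logon"
REASON_UNKNOWN_OWNER = "service with no recorded owner: verify the binary's publisher and hash"
REASON_BARE_NAME = "autorun value is a bare filename: which binary runs depends on the search path"


@dataclass
class Entry:
    section: str          # HijackThis section code, e.g. "O4"
    body: str             # everything after "O4 - "
    path: Optional[str]   # file path extracted from the body, if any
    missing: bool         # HijackThis could not find the file on disk
    reasons: List[str] = field(default_factory=list)


def _clean_path(raw: str) -> str:
    """Return the inside of a quoted path; leave unquoted paths untouched."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        if end > 0:
            return raw[1:end]
    return raw


def extract_path(section: str, body: str) -> Optional[str]:
    """Pull the file path out of a section body using the layouts HijackThis uses."""
    body = body.replace(FILE_MISSING, "").strip()
    if section == "O4":                       # ...Run: [name] path
        m = re.search(r"\]\s*(.+)$", body)
        return _clean_path(m.group(1)) if m else None
    if body.startswith("AppInit_DLLs:"):      # AppInit_DLLs: path
        return _clean_path(body.split(":", 1)[1])
    if " - " in body:                         # name - {CLSID} - path, or name - owner - path
        return _clean_path(body.rsplit(" - ", 1)[1])
    return None


def _reasons(entry: Entry) -> List[str]:
    reasons = []
    if entry.missing:
        reasons.append(REASON_MISSING)
    if entry.section == "O20" and entry.body.startswith("AppInit_DLLs:"):
        reasons.append(REASON_APPINIT)
    if entry.section == "O20" and entry.body.startswith("Winlogon Notify:"):
        reasons.append(REASON_WINLOGON)
    if entry.section == "O23" and "Unknown owner" in entry.body:
        reasons.append(REASON_UNKNOWN_OWNER)
    if entry.section == "O4" and entry.path and "\\" not in entry.path and "/" not in entry.path:
        reasons.append(REASON_BARE_NAME)
    return reasons


def parse_log(text: str) -> List[Entry]:
    """Parse every 'Rn - ...' / 'On - ...' line; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        entry = Entry(section, body, extract_path(section, body), FILE_MISSING in body)
        entry.reasons = _reasons(entry)
        entries.append(entry)
    return entries


def triage(text: str) -> List[Entry]:
    """Return only the entries that carry at least one review reason, in log order."""
    return [e for e in parse_log(text) if e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section}: {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```

    Run against the full log posted above, the same rules surface the "(file missing)" O9/O18/O23 leftovers, the O20 load points and the three services with no recorded owner, while the dozens of identical Logitech O18 protocol handlers fall through untouched. Bare-filename autoruns (ATIModeChange, AGRSMMSG, Logitech Utility) are flagged only because their resolved location is not visible in the log; confirming which file actually runs is a check done on the machine, not in the log.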

  3. #3
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,952


    Hello pika72 and welcome to the Forums

    Ok let's see...

    Go to virustotal.com
    Copy the following to the box next to "Browse" button:
    C:\WINDOWS\explorer.exe
    Click on Send
    Wait for the scan to end.

    Copy & Paste the scan results to here.

    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  4. #4
    Junior Member
    Join Date
    Apr 2007
    Posts
    17


    Hi JAk3,

    Thanks for the help!

    Alas, the situation has changed since we posted our problem here. Subsequently, Kaspersky started finding the trojan in question in files in the System Restore directory and other places. We disinfected/deleted these as they came along. However, all of a sudden Kaspersky said it did have a way of disinfecting C:\WINDOWS\explorer.exe, which required re-booting. So, we happily rebooted, and when we then logged into Windows, we got an empty desktop. We accessed the hard drive through the Task Manager, and indeed, there was now no explorer.exe at all in the WINDOWS folder. (Nice disinfection, Kaspersky...)

    So, our problem is now a new one: how do we get a new explorer.exe file in place? Simply copy one from another source? And then perform a new virus scan? Or another solution altogether?

    Grateful for your help!

  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,952


    Ok do you have the original windows installation disk?

    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  6. #6
    Junior Member
    Join Date
    Apr 2007
    Posts
    17


    What we're dealing with here is a laptop, to make that clear. It came with everything preinstalled, and then only a "System" CD and a "Recovery" CD ("XP Home"). The instructions seem to say that these will wipe the hard drive clean and restore the system as it was at the date of purchase... (Which will take us right back to August 2004... Added note: It does not seem possible to write backups of all our files to CD from within the Task Manager, so... )

    We do, however, have a "Windows reinstallation" disk for our desktop computer -- same OS as the laptop, Windows XP Home Edition.

    So -- we'd like to repair this without blowtorching the hard drive, if possible, of course! Thankful for further advice!

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,952


    Hello and sorry for the long delay
    You have the CDs, that's great!

    Our mission is to restore the missing explorer.exe.

    You should print these instructions.

    At first you need to use your Windows installation disk and boot the computer to Repair Console. Instructions and description -> link
    Use the Windows Setup floppy disks or the Windows CD-ROM to start your computer. At the "Welcome to Setup" screen, press F10 or press "R" to repair.

    After you start the Windows Recovery Console, you receive the following message:
    Microsoft Windows(R) Recovery Console

    The Recovery Console provides system repair and recovery functionality.
    Type EXIT to quit the Recovery Console and restart the computer.

    1: C:\WINDOWS

    Which Windows Installation would you like to log on to
    (To cancel, press ENTER)?
    After you enter the number for the appropriate Windows installation, Windows will then prompt you to enter the Administrator account password.
    When ready, type this command and hit Enter:

    Code:
    Expand X:\i386\explorer.ex_ c:\windows\explorer.exe
    *where X is the letter of the Cd-drive where the Windows disk is... Might be D or E for instance

    When ready, take the disk out from the cd-drive and try to restart the computer normally.

    Let me know how it went
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  8. #8
    Junior Member
    Join Date
    Apr 2007
    Posts
    17


    Hi,

    Thanks again!

    We tried this procedure, but, alas, got the result "could not create explorer.exe". "Zero files expanded."

    Starting the Setup file on the Windows disk from the Task Manager revealed that it was an older version of XP than the one preinstalled on the laptop -- could this be the problem?

    As we said before, the recovery disks that came with the laptop will simply reformat the whole hard drive...

    (At least now we've been able to back up our latest files using a memory stick... But we'd still prefer to restore the missing explorer.exe rather than blowtorch the whole hard drive!)

    At the moment we can't even find out which XP version we have on the laptop, so that we can get the right installation disk... Seems we totally screwed up.

    We would of course be ever so grateful to learn of any other possible steps we could take!

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,952


    Hello

    Well you have XP with Service Pack 2 update installed. Still we should be able to do this...

    Hmm are you sure that you had the right letter in the command?

    Code:
    Expand X:\i386\explorer.ex_ c:\windows\explorer.exe
    The X needs to be changed to D if that is the letter of the cd-drive where the Windows disk is. In that case the command should be:

    Code:
    Expand D:\i386\explorer.ex_ c:\windows\explorer.exe
    Could you please try again?

    Also if that doesn't work, please try this command:

    Code:
    Expand X:\i386\explorer.ex_ c:\explorer.exe
    Again, remember to change the "X" to e.g. D. Let's see if this works.

    Last edited by Mr_JAk3; 2007-05-07 at 20:44.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  10. #10
    Junior Member
    Join Date
    Apr 2007
    Posts
    17


    Hello,

    We've been away for a few days.

    Alas, we've tried all different sorts of permutations of the code (big or small letters, "c:\windows\explorer.exe" or "c:\explorer.exe") -- all your suggestions -- but we still get "Could not create explorer.exe". The CD-drive is "E:". We type "E:". But for some reason it doesn't want to play that game...

    Our disk is XP Service Pack 1a. Would possibly a disk with XP Service Pack 2 solve it? Or has something crashed more seriously? Again, we are ever so grateful for your help!
