trojan in explorer.exe

pika72
2007-04-28, 23:27
Hello there!

While Spybot doesn't find it, Kaspersky has detected a trojan that has infected C:\WINDOWS\explorer.exe on our computer here. The trojan is called Trojan.Win32.Patched.k.

Kaspersky cannot disinfect explorer.exe, and so suggests deleting it -- which of course seems a risky thing to do just like that.

Would be thankful for any advice on what to do! :sad:

HJT log follows (had to divide into two posts):

Logfile of HijackThis v1.99.1
Scan saved at 22:11:41, on 2007-04-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program\ltmoh\Ltmoh.exe
C:\Program\Acer\Notebook Manager\almxptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Launch Manager\LaunchAp.exe
C:\Program\Launch Manager\PowerKey.exe
C:\Program\Launch Manager\HotkeyApp.exe
C:\Program\Launch Manager\CtrlVol.exe
C:\Program\Launch Manager\OSDCtrl.exe
C:\Program\Launch Manager\Wbutton.exe
C:\Program\CyberLink\PowerDVD\PDVDServ.exe
C:\Program\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\Program\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program\OpenOffice.org 2.0\program\soffice.exe
C:\Program\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\DOCUME~1\PIIAPO~1\LOKALA~1\Temp\Temporär katalog 1 för hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comhem.se/portal/comhem/ettan
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LaunchAp] C:\Program\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] "C:\Program\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OrderReminder] C:\Program\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [AVP] "C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/support/plugins/ebraryRdr.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102181378812
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bw+0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

pika72
2007-04-28, 23:29
O18 - Protocol: bwx0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: "C:\Program\KASPER~2\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
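
The log above is long mostly because of the O18 entries, and a reviewer reads it by section rather than line by line. The script below is an added example written for this page, not a HijackThis feature and not code posted in the thread: it parses entry lines in this log's format, collapses the O18 registrations down to one line per handler DLL, and flags the entries a reviewer checks first: anything marked "(file missing)", the O20 AppInit_DLLs and Winlogon Notify entries, and O4 autoruns that name a bare file or point into a user-writable folder. The sample input is a handful of lines copied from this log; the flag rules are a reviewer's triage habits, not anything HijackThis itself does, and every flag is a lead to confirm on disk, not a verdict.

```python
"""Triage helper for a HijackThis v1.99 log (added example, not a HijackThis feature).

Parses the "O<n> - ..." entry lines, collapses the many O18 protocol registrations
to one line per DLL, and flags the entries a reviewer looks at first. Flags are leads,
not verdicts: every path still has to be checked on disk.
"""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r'^(O\d+|R\d)\s+-\s+(.*)$')
PROTOCOL_RE = re.compile(r'^Protocol:\s+(\S+)\s+-\s+\{[^}]+\}\s+-\s+(.*)$')
USER_WRITABLE_RE = re.compile(r'\\(Temp|DOCUME~1|Documents and Settings)\\', re.I)
EXE_PATH_RE = re.compile(r'(.*?\.(?:exe|dll|lnk|com|scr|bat|cmd|vbs))(?=\s|$)', re.I)


def parse_entry(line):
    """Return (section, body) for a line such as 'O4 - HKLM\\..\\Run: ...', else None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def o4_command(body):
    """Extract the executable from an O4 body: the text after '[name] ' or after ' = '.
    A quoted path is kept whole; an unquoted path with spaces is cut at the first
    executable extension followed by whitespace or the end; arguments are dropped."""
    if '] ' in body:
        rest = body.split('] ', 1)[1]
    elif ' = ' in body:
        rest = body.split(' = ', 1)[1]
    else:
        return ''
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    m = EXE_PATH_RE.match(rest)
    return m.group(1) if m else rest.split(' ', 1)[0]


def flags_for(section, body):
    """Rules a reviewer applies by hand; each string says why the entry needs a look."""
    flags = []
    if '(file missing)' in body:
        flags.append('file missing: stale registration (or a HijackThis parse quirk); confirm on disk')
    if section == 'O20':
        flags.append('O20: AppInit_DLLs and Winlogon Notify DLLs load into many processes or at logon; verify the publisher')
    if section == 'O4':
        exe = o4_command(body)
        if exe and '\\' not in exe:
            flags.append('bare filename: resolved through the search path, so confirm which file actually runs')
        if exe and USER_WRITABLE_RE.search(exe):
            flags.append('autorun from a user-writable location')
    return flags


def triage(lines):
    """Return (flagged, protocols): flagged is a list of (section, body, flags) for entries
    with at least one flag; protocols maps each O18 handler DLL to its protocol names."""
    flagged = []
    protocols = defaultdict(list)
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        if section == 'O18':
            m = PROTOCOL_RE.match(body)
            if m:
                dll = m.group(2).replace('(file missing)', '').strip().strip('"')
                protocols[dll].append(m.group(1))
        flags = flags_for(section, body)
        if flags:
            flagged.append((section, body, flags))
    return flagged, dict(protocols)


# Sample input: entries copied from the log in this thread (not a complete log).
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe',
    r'O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime',
    r'O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)',
    r'O18 - Protocol: bw+0 - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll',
    r'O18 - Protocol: bw+0s - {62A3C033-5A28-45A8-A581-6DC1F0C53F47} - C:\Program\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll',
    r'O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll',
    r'O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)',
    r'O20 - AppInit_DLLs: "C:\Program\KASPER~2\KASPER~1.0\adialhk.dll"',
    r'O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll',
    # HijackThis marks this service as missing even though avp.exe is in the running-process
    # list above (the trailing quote and "-r" argument were not parsed cleanly), which is
    # exactly why a "file missing" flag is only a lead.
    r'O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)',
]

if __name__ == '__main__':
    flagged, protocols = triage(SAMPLE_LOG)
    for section, body, flags in flagged:
        print(section, body)
        for flag in flags:
            print('   ->', flag)
    for dll, names in protocols.items():
        print(f'{len(names)} protocol(s) handled by {dll}: {", ".join(names)}')
```

Run against the full log, the O18 block collapses to two Logitech DLLs plus the missing MSN handler, which is how a reviewer sees it anyway; the flagged list is what gets verified on disk before anything is removed.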

Mr_JAk3
2007-05-02, 11:21
Hello pika72 and welcome to the Forums :)

Ok let's see...

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\explorer.exe
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

:bigthumb:
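
Before sending a system binary anywhere, a practitioner usually wants two things this step skips: the file's hashes (VirusTotal can be queried by hash, and a known-good explorer.exe of the same XP build should hash identically), and a look at whether the binary carries the marks of in-place modification that a "Patched" detection name implies, typically an entry point redirected into a new last section and a header checksum that no longer matches. The following is an added example written for this page, not a Kaspersky or VirusTotal tool and not code from the thread. Its test input is a constructed miniature PE built in memory; the section names, RVAs and the ".evil" section are invented test data, and the entry-point rule is a heuristic (legitimate packers move entry points too), not a verdict.

```python
"""Static checks on a suspected 'Patched' system binary such as explorer.exe.

Added example for this thread, not a Kaspersky or VirusTotal tool. It reads a PE
file, reports the hashes a scanner lookup needs, finds which section holds the
entry point, and recomputes the OptionalHeader checksum. Parsing assumes a
well-formed PE32/PE32+ header with a 4-byte-aligned e_lfanew.
"""
import hashlib
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def file_hashes(data):
    """MD5/SHA-1/SHA-256 of the file bytes; any one can be looked up in a scanner database."""
    return {name: hashlib.new(name, data).hexdigest() for name in ('md5', 'sha1', 'sha256')}


def pe_checksum(data, checksum_offset):
    """Recompute OptionalHeader.CheckSum: fold every 32-bit word except the stored
    checksum into 16 bits (ones' complement style), then add the file length."""
    padded = data + b'\0' * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from('<I', padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def inspect_pe(data):
    """Describe where the entry point lives and whether the checksum is consistent."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('PE signature not found')
    coff = e_lfanew + 4
    num_sections = struct.unpack_from('<H', data, coff + 2)[0]
    opt_size = struct.unpack_from('<H', data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from('<H', data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError('unknown optional header magic')
    entry_rva = struct.unpack_from('<I', data, opt + 16)[0]
    checksum_offset = opt + 64                      # same offset for PE32 and PE32+
    stored = struct.unpack_from('<I', data, checksum_offset)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        name = data[hdr:hdr + 8].rstrip(b'\0').decode('ascii', 'replace')
        vsize, vaddr, raw_size = struct.unpack_from('<III', data, hdr + 8)
        chars = struct.unpack_from('<I', data, hdr + 36)[0]
        sections.append((name, vaddr, max(vsize, raw_size), chars))
    entry = next(((n, c) for n, va, size, c in sections if va <= entry_rva < va + size), None)
    computed = pe_checksum(data, checksum_offset)
    return {
        'entry_point_rva': entry_rva,
        'entry_section': entry[0] if entry else None,
        'entry_in_executable_section': bool(entry and entry[1] & IMAGE_SCN_MEM_EXECUTE),
        'entry_in_last_section': bool(entry and sections and entry[0] == sections[-1][0]),
        'checksum_stored': stored,
        'checksum_computed': computed,
        'checksum_ok': stored == 0 or stored == computed,   # 0 means the linker set none
        'hashes': file_hashes(data),
    }


def build_sample_pe(sections, entry_rva, checksum=0):
    """Constructed test input: a minimal PE32 image (not loadable) with one 0x200-byte
    raw block per section. sections = [(name, rva, characteristics)]; assumes the
    headers fit in the first 0x200 bytes (up to five sections)."""
    align = 0x200
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into('<I', opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into('<III', opt, 28, 0x400000, 0x1000, align)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into('<II', opt, 60, align, checksum)            # SizeOfHeaders, CheckSum
    headers = b''.join(
        struct.pack('<8sIIIIIIHHI', name.encode(), align, rva, align, align * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, rva, chars) in enumerate(sections))
    image = bytes(dos) + b'PE\0\0' + coff + bytes(opt) + headers
    image += b'\0' * (align - len(image))                        # pad headers to FileAlignment
    return image + b'\xC3' * (align * len(sections))             # section bodies: filler RET bytes


if __name__ == '__main__':
    import sys
    with open(sys.argv[1], 'rb') as fh:          # e.g. a copy of C:\WINDOWS\explorer.exe
        for key, value in inspect_pe(fh.read()).items():
            print(f'{key}: {value}')
```

A stored checksum of zero is normal for binaries whose linker never set one, which is why the check only fails when a non-zero stored value disagrees; Microsoft system binaries do carry one, so a mismatch on explorer.exe is meaningful, while a match proves nothing by itself since a patcher can simply recompute it.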

pika72
2007-05-04, 19:24
Hi JAk3,

Thanks for the help!

Alas, the situation has changed since we posted our problem here. Subsequently, Kaspersky started finding the trojan in question in files in the System Restore directory and other places. We disinfected/deleted these as they came along. However, all of a sudden Kaspersky said it did have a way of disinfecting C:\WINDOWS\explorer.exe, which required re-booting. So, we happily rebooted, and when we then logged into Windows, we got an empty desktop. We accessed the harddrive through the TaskManager, and indeed, there was now no explorer.exe at all in the WINDOWS folder. :sad: (Nice disinfection, Kaspersky...)

So, our problem is now a new one: how do we get a new explorer.exe file in place? Simply copy one from another source? And then perform a new virus scan? Or another solution altogether?

Grateful for your help! :)

Mr_JAk3
2007-05-04, 23:28
Ok do you have the original windows installation disk?

:bigthumb:

pika72
2007-05-05, 13:28
What we're dealing with here is a laptop, to make that clear. It came with everything preinstalled, and then only a "System" CD and a "Recovery" CD ("XP Home"). The instructions seem to say that these will wipe the harddrive clean and restore the system as was at date of purchase... (Which will take us right back to August 2004... Added note: It does not seem possible to write backups of all our files to CD from within the Task Manager, so... :buried: )

We do, however, have a "Windows reinstallation" disk for our desktop computer -- same OS as the laptop, Windows XP Home Edition.

So -- we'd like to repair this without blowtorching the harddrive, if possible, of course! Thankful for further advice! :flowers:

Mr_JAk3
2007-05-06, 16:30
Hello and sorry for the long delay :)
You have the CDs, that's great!

Our mission is to restore the missing explorer.exe.

You should print these instructions.

At first you need to use your Windows installation disk and boot the computer to Repair Console. Instructions and description -> link (http://support.microsoft.com/kb/314058)

Use the Windows Setup floppy disks or the Windows CD-ROM to start your computer. At the "Welcome to Setup" screen, press F10 or press "R" to repair.

After you start the Windows Recovery Console, you receive the following message:
Microsoft Windows(R) Recovery Console

The Recovery Console provides system repair and recovery functionality.
Type EXIT to quit the Recovery Console and restart the computer.

1: C:\WINDOWS

Which Windows Installation would you like to log on to
(To cancel, press ENTER)?
After you enter the number for the appropriate Windows installation, Windows will then prompt you to enter the Administrator account password.

When ready, type this command and hit Enter:


Expand X:\i386\explorer.ex_ c:\windows\explorer.exe

*where X is the letter of the Cd-drive where the Windows disk is... Might be D or E for instance

When ready, take the disk out from the cd-drive and try to restart the computer normally.

Let me know how it went :bigthumb:

pika72
2007-05-07, 01:06
Hi,

Thanks again!

We tried this procedure, but, alas, got the result "could not create explorer.exe". "Zero files expanded." :sad:

Starting the Setup file on the Windows disk from the Task Manager revealed that it was an older version of XP than the one preinstalled on the laptop -- could this be the problem?

As we said before, the recovery disks that came with the laptop will simply reformat the whole harddrive...

(At least now we've been able to backup our latest files using a stick memory... But we'd still prefer to restore the missing explorer.exe rather than blowtorch the whole harddrive!)

At the moment we can't even find out which XP version we have on the laptop, so that we can get the right installation disk... Seems we totally screwed up. :whistle:

We would of course be ever so grateful to learn of any other possible steps we could take! :bow:

Mr_JAk3
2007-05-07, 21:42
Hello :)

Well you have XP with Service Pack 2 update installed. Still we should be able to do this...

Hmm are you sure that you had the right letter in the command?


Expand X:\i386\explorer.ex_ c:\windows\explorer.exe

The X needs to be changed to D if that is the letter of the cd-drive where the Windows disk is. In that case the command should be :


Expand D:\i386\explorer.ex_ c:\windows\explorer.exe

Could you please try again :bigthumb:

Also if that doesn't work, please try this command:


Expand X:\i386\explorer.ex_ c:\explorer.exe

Again remember to change the "X" to eg D. Let's see if this works.

:bigthumb:

pika72
2007-05-09, 20:28
Hello,

We've been away for a few days.

Alas, we've tried all different sorts of permutations of the code (big or small letters, "c:\windows\explorer.exe" or "c:\explorer.exe") -- all your suggestions -- but we still get "Could not create explorer.exe". The CD-drive is "E:". We type "E:". But for some reason it doesn't want to play that game... :sad:

Our disk is XP Service Pack 1a. Would possibly a disk with XP Service Pack 2 solve it? Or has something crashed more seriously? Again, we are ever so grateful for your help!

Mr_JAk3
2007-05-10, 21:23
Hello :)

Ok let's do some research.

Restart to the Recovery Console again. Try this command instead:


dir E:

There should appear a list of files and folders.

Is a folder named i386 listed?
If not, please copy the names of the folders listed to here :bigthumb:

pika72
2007-05-11, 20:11
Hi there, :)

Ah, yes, good old DOS commands! Been a while.

Indeed, the i386 directory exists, and a "dir e:\i386" reveals the explorer.ex_ file is there. But it still won't expand it...

We are meant to type the expand command under C:\WINDOWS>, right? We tried "cd .." to C:\> as well, and typed the command there, just to try, but no cigar.

Hmmm.

Mr_JAk3
2007-05-11, 22:22
Hello :)

Yep, this is old school. Yes, it can be used under C:\WINDOWS

You're logged in with an administrator password?

Ok let's try with this command.

expand -r E:\i386\explorer.ex_ C:\windows

Does it work better? :bigthumb:

pika72
2007-05-13, 19:55
Hello again,

Nope, didn't work. "Illegal parameter".

Thinking that "C:\windows" is the default target anyway, we tried skipping that part, typing "expand e:\i386\explorer.ex_". Voila -- "1 file(s) expanded"!

Exiting and logging in to Windows, we were however greeted by "explorer.exe has run into problems and has to be turned off". Browsing "c:\windows" from the task manager however revealed that "explorer.exe" now exists there. So possibly some other files are also missing? Or did we simply do something that seemed right but isn't?

Thankful for your further input! :)

Mr_JAk3
2007-05-13, 21:07
Hello :)

Ok that is an improvement. Please try whether you're able to restart the computer into safe mode :bigthumb:

pika72
2007-05-13, 21:30
Hi there,

Alas -- same result in safe mode: explorer.exe has to shut down. :sad:

Mr_JAk3
2007-05-13, 21:45
Grhh, sounds like the system is messed up pretty badly :sick:

Please try whether this option works --> http://support.microsoft.com/kb/307852

:bigthumb:

pika72
2007-05-13, 22:04
Nope. Same explorer.exe error message. (Needless to say, it's been a few restarts since last time the computer worked as it should...)

I wonder if we deleted some other vital file when Kaspersky tried to combat the trojan...

Mr_JAk3
2007-05-14, 10:48
Hello :)

OK let's try to restore all other missing system files.

You should be able to run System File Checker via Task Manager even if Explorer.exe is down.
Run -> sfc /scannow

You will need the Windows disk again if the tool needs to restore missing files. Here are some instructions --> Link (http://dwightblackburn.com/winxp/)

Let me know how it went :bigthumb:

pika72
2007-05-14, 19:10
Just a quick question: And all this should still be possible even if the Windows disc is not the exact same XP version as that on the laptop?

pika72
2007-05-14, 19:48
Well, anyway, what it did was that it ran the scan and then just finished. No prompts of any sort. Shouldn't it at least say "Scan finished, no problems found"?

Mr_JAk3
2007-05-15, 11:07
And the computer still won't work normally?

pika72
2007-05-15, 14:37
No, same situation.

We then tried deleting the explorer file we had managed to expand, and ran the scan again. It didn't say anything that time either. :trample:

Mr_JAk3
2007-05-15, 21:57
Grhh...

The infection has probably damaged the system. Seems that explorer.exe isn't the only thing that's not working...

You could try to expand the explorer.exe again but this time restart the computer to the safe mode first. You could also try expanding via Task Manager

:bigthumb:

pika72
2007-05-16, 01:28
Expanded explorer.ex_ again, restarted to safe mode -- same error message.

Is it complete Windows re-installation time now? :sad:

Or could we do some other kind of scan, possibly an online scan, that will reveal the problem? (So far, we've kept the laptop disconnected from the network in case there was any risk of nasty hijacking...)

pika72
2007-05-16, 01:54
Some added info -- there was no info before on the trojan, but now there is:

http://www.viruslist.com/en/viruses/encyclopedia?virusid=150664

Seems pretty nasty, eh?

Mr_JAk3
2007-05-16, 23:04
Hi :)

Yea the re-install might be the only solution.

This could also be worth a try (if the link you gave me is to the same variant you have) :

In safe mode via TaskManager:

delete explorer.exe file

Paste these lines one by one:
attrib -r -h -s "C:\WINDOWS\Inf\kbdb32.dll"
del /f /q "C:\WINDOWS\Inf\kbdb32.dll"

expand the explorer.exe again

restart the computer

:bigthumb:

pika72
2007-05-17, 16:40
OK, will try. Should say, however, that after reading the description of the trojan, we browsed the "WINDOWS\Inf\" folder and could not find that .dll-file...

Mr_JAk3
2007-05-17, 21:10
OK in that case it probably won't help...

Sorry to say this but I think that it would be best to do a complete format & re-install.

We can't know what else the infection has damaged on the system....

Let me know if you need instructions :bigthumb:

pika72
2007-05-18, 23:51
OK - we'll let you know if we run into any problems with the re-install!

Other than that, thanks for all your help -- here's hoping we don't need it again! ;)

Mr_JAk3
2007-05-19, 19:49
Ok good :)

Here are some simple steps that should help you to keep the computer clean and secure:
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use Ewido (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)