shelly0923 | Oct 26 2009, 05:14 PM | Post #1
Group: Members | Posts: 14 | Joined: 26-October 09 | Member No.: 27,290
So, this started when I installed updates (I was also trying to watch a TV show online and got weird pop-ups). I had to restart for some reason and... I have no desktop icons and no Start menu. I am using Task Manager to try to do anything, but I cannot do anything: I cannot run any antivirus scans; Malwarebytes, AVG, SUPERAntiSpyware, nothing. I also can't run HijackThis. I tried reinstalling by downloading Malwarebytes a few times, but it still won't run, and I cannot fully change the name; it still references the name. I cannot access explorer.exe. I cannot System Restore; the only date available is today's. I now have it turned off. I am in Safe Mode right now and everything is still the same as in regular mode. I have tried renaming these files but it's not working.

The worst part is that now the internet is redirected every time I even try to search for software to fix this. I did a HijackThis scan ONCE when I was allowed, but I cannot access the results; I also got a lot of weird errors while it was running. When I click on your links to HijackThis to redownload and rename (as per instructions) I get "page cannot be displayed". I have tried a few rootkey suggestions but the keys aren't there to delete.

I am wondering: if I go to a store and buy McAfee (which I already own, I just can't access it), Norton, something, anything, then pop the disk in, will it automatically work since it's off disk? I won't buy anything online right now, at least not on this PC. So I am using one of the kids' laptops to search for anything I can find, but everything I try on this PC just doesn't work. Any help is appreciated!
HKEd | Oct 26 2009, 07:22 PM | Post #2
Carbon-Based Life Form | Group: Administrator | Posts: 12,339 | Joined: 9-August 01 | From: Hong Kong | Member No.: 192
Hi shelly0923... welcome to SAF.

What updates were you trying to install? What's the operating system?

Try installing Malwarebytes to a clean USB stick and see if it will run when you transfer it over to the affected computer.

Locate Explorer.exe in C:\Windows and right-click > select Properties. Let us know the exact file size.

Is the Recovery Console installed? You'd know if it was, as it would be an option on the boot menu each time you start the computer.

Do you have a full XP CD or a recovery disk that came with the computer? What's the make and model of the computer?
--------------------
If I've helped you, please pass it on and help someone else.
SPAM is not tolerated here. New members posting SPAM will be banned with no warning.
shelly0923 | Oct 26 2009, 07:32 PM | Post #3
Hi! Thanks for asking.

QUOTE: What updates were you trying to install? What's the operating system?
Just the ones Windows auto-downloads; I don't really check and mostly never install them, but I did. XP SP2.

QUOTE: Try installing Malwarebytes to a clean USB stick and see if it will run when you transfer it over to the affected computer.
Have done this; also did this with HJT as well; it doesn't work. I did just do it with ComboFix from a USB and got it to run. It said it had to restart; I let it; the disk checked itself (blue screen upon startup), yet nothing has changed; same problems still.

QUOTE: Locate Explorer.exe in C:\Windows and right-click > select Properties. Let us know the exact file size.
.98 MB (not .exe, it just says "explorer").

QUOTE: Is the Recovery Console installed? You'd know if it was as it would be an option on the boot menu each time you start the computer.
I'm going to have to say no on this one; I'm 90% sure.

QUOTE: Do you have a full XP CD or a recovery disk that came with the computer? What's the make and model of the computer?
I can find one but really, really don't want to do that. HP Pavilion a714x.

Update... I am running ComboFix again and it's doing something way different than it did before, and I'm at stage 41 of what is supposed to be 50 stages, hoping I can at least get a log since I have never gotten this far before. When it's done I believe I can do a HijackThis, since I figured out how to rename it properly. I am working on the laptop to respond, not the infected PC.

This post has been edited by shelly0923: Oct 26 2009, 07:55 PM
HKEd | Oct 26 2009, 08:00 PM | Post #4
Locate the HP recovery disk and put it in the CD tray. Restart the computer. Let me know exactly what options you are presented with. Don't do anything else for the moment. I just need to know if you can do a repair install that will leave your data intact.
The other option is to make a Linux CD and boot with it to back up all your data, then reinstall XP.
shelly0923 | Oct 26 2009, 08:34 PM | Post #5
QUOTE: Locate the HP recovery disk and put it in the CD tray. Restart the computer. Let me know exactly what options you are presented with. Don't do anything else for the moment. I just need to know if you can do a repair install that will leave your data intact. The other option is to make a Linux CD and boot with it to back up all your data, then reinstall XP.

OK, I have no disc. My paperwork (which I actually found) says "Recovery: built in, preinstalled system recovery, so no discs to lose". Maybe I can figure out how to access the built-in recovery.
HKEd | Oct 26 2009, 08:48 PM | Post #6
I just checked and it seems there is only the option to recover, not to repair.

What makes you think that a virus caused this? It's not unknown for failed update installations to bugger up a computer.
shelly0923 | Oct 26 2009, 08:56 PM | Post #7
QUOTE: I just checked and it seems there is only the option to recover, not to repair. What makes you think that a virus caused this? It's not unknown for failed update installations to bugger up a computer.

Because of the redirecting of websites I am getting when I do access the internet on it; like, I will go to download Malwarebytes and it sends me to some survey website or the such. I am off to bed, it's midnight here. I know it is F10 on boot that lets me recover; I just don't want to. I may take it in, I don't know. I will keep researching. I will keep trying to get a HijackThis log tomorrow. Thank you.
HKEd | Oct 26 2009, 09:10 PM | Post #8
On a clean computer, download the Malwarebytes setup file to the USB stick, then run it and install Malwarebytes to the USB stick, transfer it over and see if it will run. Try renaming the file on the USB as well.

It's a long shot, but it might just work.
shelly0923 | Oct 27 2009, 06:12 AM | Post #9
QUOTE: On a clean computer, download the Malwarebytes setup file to the USB stick, then run it and install Malwarebytes to the USB stick, transfer it over and see if it will run. Try renaming the file on the USB as well. It's a long shot, but it might just work.

Did that already; it will run for four seconds then stop. Am at work now, will play more later.
shelly0923 | Oct 27 2009, 03:37 PM | Post #10
QUOTE: On a clean computer, download the Malwarebytes setup file to the USB stick, then run it and install Malwarebytes to the USB stick, transfer it over and see if it will run. Try renaming the file on the USB as well. It's a long shot, but it might just work.

OK, I have a disk with Knoppix on it that our IT guy said to use. Ummmmm, I'm afraid to insert it! What should I expect to happen? And if it's a "backup" of my system, won't the virus back up too?

OK, MWB is actually running; I finally tricked the system... will update.

This post has been edited by shelly0923: Oct 27 2009, 04:19 PM
shelly0923 | Oct 27 2009, 04:57 PM | Post #11
QUOTE: ok i have a disk with knoppix on it our it guy said to use ummmmm im afraid to insert it! what should i expect to happen? and if its a "backup" of my system wont the virus back up too? OK MWB is actually running, i finally tricked system..... will update

OK, Malwarebytes found and supposedly fixed 107 issues. Reboot, and still no desktop icons, no Start menu, BUTTTTTTT I seem to no longer have this redirect virus, as I was able to go to and attempt to also get SUPERAntiSpyware. The only problem with that is it said I had to delete the older version first, but I cannot access Add/Remove Programs. So I think a lot of bad stuff is gone, but the same issue of no desktop icons and no Start menu is still there... how should I proceed? I will try my best to get a HJT log; it's just hard to find a site that will allow me to "save source as"... Also, I know MWB saved a notepad, I just can't seem to find it... ??? Thanks.
HKEd | Oct 27 2009, 06:50 PM | Post #12
QUOTE: also i know MWB saved a notepad i just cant seem to find it

Run MBAM and click on the Logs tab. Open the most recent log and post it.

When you boot from the Knoppix CD, only Knoppix will load. Windows is not involved at all. If you can get a clean copy of Explorer.exe from another XP system, copy it to a USB drive, load Knoppix and copy Explorer.exe to C:\Windows, replacing the existing infected or corrupted file, you could be back in business.

In C:\Windows there should be a file called Explorer. It looks like a folder with a looking glass on it. What happens if you click on that?
HKEd | Oct 27 2009, 08:37 PM | Post #13
As well as the above, open the Task Manager and click on the Applications tab. Click on New Task, then copy/paste the text below to the Open field:

regedit /e c:\winlogon.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Open C: using the Task Manager, then locate Winlogon.txt and open it. Copy/paste the contents of the file here.
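Added example, not part of the original thread: the regedit export requested above is asked for because the Winlogon key holds the values that decide what runs at logon, and a desktop that never appears is exactly what a tampered Shell value produces. The script below parses a winlogon.txt in regedit's .reg syntax (the real file is UTF-16LE with a BOM; a constructed sample is embedded so it runs offline), compares Shell and Userinit against the stock Windows XP defaults (assumed baseline: Shell = Explorer.exe, Userinit = C:\WINDOWS\system32\userinit.exe, with the trailing comma), and lists Winlogon\Notify DLLs for review. The path C:\Example\hijack.exe in the sample is a made-up illustration, not an indicator taken from this thread.

```python
"""Triage a "regedit /e" export of the Winlogon key.

Added example for this thread, not a tool from the original post. It reads the
winlogon.txt that the regedit command above produces, parses the .reg syntax,
and checks the two values malware most often rewrites to replace the desktop
(Shell) or run a loader at logon (Userinit). Winlogon\\Notify DLLs are listed
for manual review. The sample export at the bottom is constructed; the path
C:\\Example\\hijack.exe in it is a made-up illustration, not a real indicator.
"""
import re
from pathlib import Path

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock Windows XP values (assumed as the baseline; compared case-insensitively).
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe,"},
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: backslash-quote -> quote, double backslash -> backslash."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}.

    REG_SZ values are unescaped strings; dword:/hex: values are kept as raw text.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) or "@"
            raw = m.group(2)
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = _unescape(raw[1:-1])
            else:
                keys[current][name] = raw
    return keys


def check_winlogon(keys):
    """Return [(value_name, actual_value, verdict)] for the logon values malware targets."""
    findings = []
    values = keys.get(WINLOGON, {})
    for name, good in EXPECTED.items():
        actual = values.get(name)
        if actual is None:
            findings.append((name, None, "missing from export"))
        elif actual.strip().lower() in good:
            findings.append((name, actual, "ok"))
        else:
            # An extra executable appended to Shell, or a different Userinit path,
            # is how the desktop gets replaced or a loader runs before it.
            findings.append((name, actual, "SUSPECT: differs from stock XP value"))
    # Notify packages are DLLs loaded into winlogon.exe; legitimate ones exist
    # (security products register here too), so they are reported for review.
    prefix = WINLOGON.lower() + "\\notify\\"
    for key, vals in keys.items():
        if key.lower().startswith(prefix) and "DLLName" in vals:
            findings.append(("Notify\\" + key[len(prefix):], vals["DLLName"], "review"))
    return findings


def check_export_file(path):
    """Read a real regedit /e output (UTF-16LE with BOM) and run the checks."""
    return check_winlogon(parse_reg_export(Path(path).read_text(encoding="utf-16")))


# Constructed sample in regedit /e syntax; doubled backslashes are the .reg escaping.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]",
    '"Shell"="Explorer.exe, C:\\\\Example\\\\hijack.exe"',
    '"Userinit"="C:\\\\WINDOWS\\\\system32\\\\userinit.exe,"',
    '"LegalNoticeCaption"=""',
    '"AutoRestartShell"=dword:00000001',
    "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\crypt32chain]",
    '"DLLName"="crypt32.dll"',
    '"Asynchronous"=dword:00000000',
])

if __name__ == "__main__":
    for name, actual, verdict in check_winlogon(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{name:<22} {verdict:<38} {actual!r}")
```

On the real file, call check_export_file("c:/winlogon.txt") from the clean machine after copying the export over on the USB stick; a Shell value that is anything other than Explorer.exe, or a Userinit that points outside system32, is the thing to fix before chasing anything else.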
shelly0923 | Oct 27 2009, 09:11 PM | Post #14
Didn't do Knoppix; got a HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:20 AM, on 10/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\RegCure\RegCure.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.foxnews.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (file missing)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\123\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [combofix] C:\123out132991\CF16083.exe /c C:\123out132991\Combobatch.bat
O4 - HKLM\..\RunOnce: [combofix] C:\123out132991\CF16083.exe /c C:\123out132991Combobatch.bat
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DriverCure] C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe -scan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Logicool SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Startup: Quick StartUp.lnk = C:\PENSOFT\fquick32.exe
O4 - Startup: Start.lnk = C:\PENSOFT\Quick95.exe
O4 - Global Startup: Logicool SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ca.msnusers.com
O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave.com/content/fashionda...eb.1.0.0.21.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Pastry%20Passion/Images/stg_drm.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://games.bigfishgames.com/en_cooking-d...Web.1.0.0.9.cab
O16 - DPF: {1CDFA4E8-3396-439D-8C9D-AD0E32DE94B6} (CPlayFirsttastyplanetControl Object) - http://games.bigfishgames.com/en_tastyplan...net.1.0.0.4.cab
O16 - DPF: {2108E348-A0C0-1563-D327-730450CF5E34} (CPlayFirstDDComcastControl Object) - http://www.shockwave.com/content/dinerdash...st.1.0.0.39.cab
O16 - DPF: {26E6B759-DEEB-42A1-A21C-78CD29098411} (CPlayFirstFitnessDasControl Object) - http://games.bigfishgames.com/en_fitness-d...eb.1.0.0.11.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2D168880-539F-4967-BA11-F7C2862B9E1D} (CPlayFirstDiaperDashControl Object) - http://games.bigfishgames.com/en_diaper-da...Web.1.0.0.4.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinner.com/games/v57/bjattack/bja.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash...h2.1.0.0.67.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/realarcade-webgam...houseplayer.cab
O16 - DPF: {74EF5274-F439-2168-B543-14745B625C72} (CPlayFirstWeddingDasControl Object) - http://www.shockwave.com/content/weddingda...eb.1.0.0.13.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgersho...esPlayer_v5.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab55579.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/dinerdash...tg.1.0.0.33.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Babysitting%20Mania/Images/armhelper.ocx
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://gamenextus.oberon-media.com/Gameshe...ronGameHost.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://games.bigfishgames.com/en_cinematyc...inematycoon.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/weddingda...sh.1.0.0.47.cab
O16 - DPF: {F135A813-7152-4532-AC8D-28AC2136DFC7} (CPlayFirstParkingDasControl Object) - http://aolsvc.aol.com/onlinegames/free-tri...sh.1.0.0.10.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - {733f4871-7e93-47a9-934f-e510815968aa} - C:\WINDOWS\batmeter16.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logicool, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 17161 bytes
HKEd | Oct 27 2009, 09:32 PM | Post #15
I asked you to do three things:

1. Post the MBAM log.
2. Click on the Explorer/looking glass icon.
3. Run the registry export from the Task Manager.

You did none of the above. How am I supposed to help you if you won't do what I ask?
shelly0923 | Oct 28 2009, 06:11 AM | Post #16
QUOTE: Run MBAM and click on the Logs tab. Open the most recent log and post it. When you boot from the Knoppix CD, only Knoppix will load. Windows is not involved at all. If you can get a clean copy of Explorer.exe from another XP system, copy it to a USB drive, load Knoppix and copy Explorer.exe to C:\Windows, replacing the existing infected or corrupted file, you could be back in business. In C:\Windows there should be a file called Explorer. It looks like a folder with a looking glass on it. What happens if you click on that?

Will do when I get home from work. As far as the Explorer, when I go there, there is not the thing with a looking glass.
shelly0923 | Oct 28 2009, 02:33 PM | Post #17
LOG:
Malwarebytes' Anti-Malware 1.41
Database version: 3037
Windows 5.1.2600 Service Pack 2

10/27/2009 7:28:50 PM
mbam-log-2009-10-27 (19-28-50).txt

Scan type: Quick Scan
Objects scanned: 123498
Time elapsed: 10 minute(s), 55 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 11
Registry Data Items Infected: 4
Folders Infected: 11
Files Infected: 86

Memory Processes Infected:
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pro antispyware 2009 4.6 (Rogue.ProAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Refog Software (Refog.Keylogger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\1 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\2 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\CPDA (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\CPDM (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\REFOG Free Keylogger (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\English (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Help\Spanish (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MPK\Images (Refog.Keylogger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\xrqu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\idwy.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NWCWov32.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Nwsapv32.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opeia.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WmdmPv32.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Wmiv32.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp0_5089014944.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OKI6FBDN\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\M0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\REFOG Free Keylogger.lnk (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\1\D0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\1\I40022_8077016551 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\1\I40023_3811986458 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\1\I40075_8898493519 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\1\I40096_8221167824 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\1\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\1\T40091_8238736921 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\1\T40094_8304356481 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\MPK\2\D0000 (Refog.Keylogger) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\MPK\2\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\MPK\CPDM\cpfm.bin (Refog.Keylogger) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\MPK\REFOG Free Keylogger\Get discount!.lnk (Refog.Keylogger) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\MPK\REFOG Free Keylogger\Order now!.lnk (Refog.Keylogger) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\MPK\REFOG Free Keylogger\REFOG Free Keylogger on the Web.lnk (Refog.Keylogger) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\MPK\REFOG Free Keylogger\REFOG Free Keylogger.lnk (Refog.Keylogger) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\MPK\REFOG Free Keylogger\Uninstall REFOG Free Keylogger.lnk (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\French.lng (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\German.lng (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\icon_1.ico (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Mpk.dll (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\MPK.exe (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Mpk64.dll (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\MPK64.exe (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\MPKView.exe (Refog.Keylogger) -> Quarantined and deleted successfully. 
C:\WINDOWS\system32\MPK\Romanian.lng (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Spanish.lng (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\sqlite3.dll (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\unins000.dat (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\unins000.exe (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\alarms.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\clipboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\computer.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\delivery.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\file.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\filters.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\imhelp.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\internet.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\invisible.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\keyboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\logging.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\log_size.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\need_update_net.htm (Refog.Keylogger) -> Quarantined and deleted successfully. 
C:\WINDOWS\system32\MPK\Help\English\password.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\programs.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\screenshot.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\settings_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\update.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\English\users_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\alarms.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\clipboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\computer.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\delivery.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\filters.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\internet.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\invisible.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\keyboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\logging.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\log_size.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\password.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\programs.htm (Refog.Keylogger) -> Quarantined and deleted successfully. 
C:\WINDOWS\system32\MPK\Help\Spanish\screenshot.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\settings_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Help\Spanish\users_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Images\english.gif (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Images\german.gif (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Images\russian.gif (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Images\vista_hide.bmp (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\MPK\Images\xp_hide.bmp (Refog.Keylogger) -> Quarantined and deleted successfully. C:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully. C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully. 
Wish it didn't delete my logger, I wanted that!~

Next:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000000
"DefaultDomainName"="MOM"
"DefaultUserName"="HP_Owner"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="0"
"ReportBootOk"="1"
"Shell"="Explorer.exe"
"ShutdownWithoutLogon"="0"
"System"=""
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"forceunlocklogon"=dword:00000000
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\
  00,00,00
"LogonType"=dword:00000001
"Background"="0 0 0"
"DebugServerCommand"="no"
"SFCDisable"=dword:00000000
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
"ShowLogonOptions"=dword:00000000
"AltDefaultUserName"="HP_Owner"
"AltDefaultDomainName"="MOM"
"EnableQuickReboot"="1"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):64,00,73,00,6b,00,71,00,75,00,6f,00,74,00,61,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Internet Explorer Zonemapping"
"DllName"=hex(2):69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"=hex(2):40,00,69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,\
  00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,35,00,31,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
  00,00
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"=hex(2):40,00,69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,\
  00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,31,00,34,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
  00,00
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@="Microsoft Offline Files"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
  00,73,00,63,00,75,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Software Installation"
"DllName"=hex(2):61,00,70,00,70,00,6d,00,67,00,6d,00,74,00,73,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=hex(7):28,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
  00,6f,00,6e,00,20,00,4d,00,61,00,6e,00,61,00,67,00,65,00,6d,00,65,00,6e,00,\
  74,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,\
  00,29,00,00,00,28,00,4d,00,73,00,69,00,49,00,6e,00,73,00,74,00,61,00,6c,00,\
  6c,00,65,00,72,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
  00,6f,00,6e,00,29,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
"DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
"DLLName"="avgrsstx.dll"
"Startup"="AvgStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
"DLLName"="c:\\program files\\common files\\logishrd\\bluetooth\\LBTWlgn.dll"
"Asynchronous"=dword:00000000
"Startup"="OnStartup"
"Logon"="OnLogon"
"StartShell"="OnStartShell"
"Logoff"="OnLogoff"
"Shutdown"="OnShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn\Event]
"Logon"="LBTWLgn_LOGON"
"StartShell"="LBTWLgn_STARTSHELL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
"Asynchronous"=dword:00000000
"DllName"=hex(2):4c,00,4d,00,49,00,69,00,6e,00,69,00,74,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Impersonate"=dword:00000000
"Lock"="WLEventLock"
"Logoff"="WLEventLogoff"
"Logon"="WLEventLogon"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StartShell"="WLEventStartShell"
"Startup"="WLEventStartup"
"StopScreenSaver"="WLEventStopScreenSaver"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Event"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
  00,00,6e,91,d7,1a,30,df,9e,48,8a,df,43,01,44,a9,71,95,04,00,00,00,04,00,00,\
  00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,f5,6f,be,e7,89,77,41,5b,\
  6b,0d,8a,67,a7,ae,5e,13,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,b5,\
  b2,a0,5d,80,4c,72,80,76,67,c6,89,bd,29,34,7c,b0,01,00,00,17,10,e8,a3,73,f8,\
  18,26,84,3a,b9,23,61,90,4d,5b,63,85,4f,34,9e,a1,e6,1d,43,bb,54,44,b5,de,19,\
  cf,19,8d,ea,e9,53,31,a1,3c,04,d8,97,a3,9b,f2,04,54,05,a7,40,6f,4c,de,4d,3d,\
  ab,b7,9d,f4,c1,b8,34,dd,a3,84,72,ee,ab,d2,8a,42,86,0c,99,30,34,a2,68,b4,ff,\
  e2,94,aa,75,36,4c,f0,17,4a,55,d5,30,ac,74,3f,c0,24,13,e2,b6,ae,ef,73,66,19,\
  9f,ce,72,5b,1a,94,fb,6a,61,b2,27,88,65,bd,ad,83,10,92,5b,89,c0,7b,77,24,81,\
  a6,26,08,55,74,10,cc,38,5e,4b,84,a5,72,07,df,31,b4,59,fb,72,15,f0,70,aa,d4,\
  2a,6c,98,97,a7,46,b9,f9,4f,2f,66,72,c4,65,a9,9e,44,9b,7c,a9,1f,2e,21,fb,95,\
  da,b5,e5,83,ff,36,6d,b4,68,c0,ff,6f,d3,88,ee,bb,4c,bc,82,d2,c9,a9,73,9d,65,\
  5b,9b,f0,ed,05,22,80,9d,1f,ea,da,2e,d9,dc,76,87,5f,43,76,80,bf,21,e7,7e,0e,\
  dc,31,c5,67,e9,3b,41,2f,8f,84,ba,84,8a,3b,b6,29,c7,d5,2e,07,5a,fb,c8,40,25,\
  06,9f,b2,a1,f8,6c,78,7f,1f,86,ff,ee,fb,08,cf,55,3b,13,5d,15,81,5a,61,cd,a3,\
  50,93,b7,e3,b4,2a,c8,cb,aa,76,94,7c,d2,cd,bd,11,b1,ac,11,9b,53,6a,7a,42,20,\
  24,84,fc,73,5e,5c,e1,90,e8,f3,00,3f,a1,ad,10,e6,dc,54,de,6e,66,89,f4,3e,b6,\
  fe,50,47,2c,4d,80,4b,a6,94,aa,67,f8,09,c0,26,d9,f2,a3,ba,02,c0,82,30,84,63,\
  aa,da,9a,9a,ca,e0,76,e5,b9,98,74,ca,bb,e7,11,06,23,da,c4,31,cc,39,34,86,78,\
  98,4a,15,cc,50,9b,a3,81,fc,98,d1,21,98,e9,fb,e3,f3,ac,56,ce,e7,55,58,91,51,\
  bc,cc,63,90,7d,2f,f7,dc,f3,1a,bf,f9,83,99,2c,7b,bb,0a,41,da,b8,93,ec,74,f6,\
  fe,14,00,00,00,99,f8,09,d4,f9,cb,4b,a7,84,d1,d3,f5,ca,e1,3f,16,ae,8e,1e,ac

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000

As for the explorer, when I click on it it says cannot access, file path blah blah. There are 2 explorers, one is .exe and the other is .scf. I do have a clean system right here to try to copy the explorer... but will wait till I hear further |
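A quick way to read a log like the one posted above is to parse it rather than eyeball 86 file lines. The script below is an added example, not code from this thread or from Malwarebytes: it parses the `<object> (<family>) -> <action>` lines of the MBAM log format and pulls out what decides the next step, i.e. what is still loaded and only marked "Delete on reboot", which detections were registered as services or drivers (so they ran before logon), and which registry data items were switching off Security Center or Task Manager. The sample log inside it is a constructed excerpt of the entries above, not the full log.

```python
"""Triage a Malwarebytes' Anti-Malware scan log.

Added example: not code from the thread or from Malwarebytes. It parses the
"<object> (<family>) -> <action>" lines of the log format posted above and
pulls out what a responder wants first: what is still resident, what ran as a
service or driver, and what was switching off the OS's own defences.
"""
import re
from collections import Counter

# Constructed sample: a few lines in the format of the log posted above.
SAMPLE_LOG = r"""Memory Modules Infected:
c:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Refog Software (Refog.Keylogger) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.
"""

SECTION = re.compile(r'^(?P<name>[\w ]+ Infected):$')
ENTRY = re.compile(r'^(?P<obj>.+?) \((?P<family>[\w.]+)\) -> (?P<action>.+)$')


def parse_mbam(text):
    """Yield (section, object, family, action) for every detection line."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        s = SECTION.match(line)
        if s:
            section = s.group('name')
            continue
        m = ENTRY.match(line)
        if m and section:
            yield section, m.group('obj'), m.group('family'), m.group('action')


def triage(text):
    """Summarise a log into the facts that decide the next response step."""
    entries = list(parse_mbam(text))
    # Objects not yet removed stay loaded until the machine is rebooted.
    pending = {}
    for _, obj, _, action in entries:
        if 'reboot' in action.lower():
            pending.setdefault(obj.lower(), obj)       # dedupe across sections
    return {
        'families': Counter(family for _, _, family, _ in entries),
        'pending_reboot': sorted(pending.values()),
        # A Services\<name> key means the threat was registered as a service
        # or kernel driver, i.e. it started before any user logged on.
        'services': sorted(obj.rsplit('\\', 1)[1] for sec, obj, _, _ in entries
                           if sec == 'Registry Keys Infected' and '\\Services\\' in obj),
        'drivers': sorted(obj for _, obj, _, _ in entries
                          if obj.lower().endswith('.sys')),
        # "Registry Data Items" carry Bad:/Good: pairs: values the malware
        # changed to silence Security Center or lock the user out of tools.
        'tampering': sorted(obj.rsplit('\\', 1)[1] for sec, obj, _, _ in entries
                            if sec == 'Registry Data Items Infected'),
    }


if __name__ == '__main__':
    for k, v in triage(SAMPLE_LOG).items():
        print(f'{k}: {v}')
```

Run over the full log above, the points that matter are the same three the excerpt shows: BtwSrv.dll is still loaded and is only scheduled for removal at reboot, the fastnetsrv and btwsrv service keys plus the lsm32.sys and FInstall.sys drivers mean the backdoor had service-level persistence, and the Security Center and DisableTaskMgr data items explain why nothing would run and no warnings showed. Note also that the detected win32k.sys sits in C:\WINDOWS, not in system32 where the genuine kernel component lives, so it is a dropper using a system file name rather than a patched system file.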
| HKEd |
Oct 28 2009, 07:47 PM
Post
#18
|
Carbon-Based Life Form Group: Administrator Posts: 12,339 Joined: 9-August 01 From: Hong Kong Member No.: 192 |
Explorer.scf is the file with the folder/looking glass icon. What happens if you click on that?
The only way to replace Explorer.exe is through the Recovery Console or Knoppix. Let's see if the recovery console can be installed. Open the task manager and click on the Applications tab. Click the New Task button and copy/paste the bold text to the Open box; C:\i386\winnt32.exe /cmdcons If it works, you should get a Windows Setup Dialog Box describing the Recovery Console option. To confirm the installation, click Yes. Restart the computer. The "Microsoft Windows Recovery Console" should appear on the startup menu. Let me know how that goes. -------------------- If I've helped you, please pass it on and help someone else.
SPAM is not tolerated here. New members posting SPAM will be banned with no warning. |
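HKEd's advice goes straight to replacing the explorer.exe binary, and the Winlogon export posted earlier supports that: Shell is "Explorer.exe", Userinit is the stock userinit.exe path and UIHost decodes to logonui.exe, so nothing in Winlogon has been redirected and the file itself is what is unreadable. The script below is an added example, not code from the thread: it parses the Regedit 5.00 export format (including the `hex(2):` UTF-16 values with backslash line continuations), compares the three launch values against an assumed default-XP baseline, and lists every Winlogon\Notify DLL so the third-party ones can be reviewed. The embedded export is a constructed excerpt of the values posted above.

```python
"""Parse a Regedit 5.00 export and audit the Winlogon launch values.

Added example: not code from the thread. It runs offline on a constructed
excerpt that mirrors the values posted above; the "stock XP" baseline it
compares against is an assumption for a default install.
"""
import re

# Constructed excerpt in the format of the export posted above (not the full dump).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\
  00,00,00
"SFCDisable"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
"DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
'''

WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumed baseline for a default Windows XP install (compared case-insensitively).
EXPECTED = {
    'Shell': 'explorer.exe',
    'Userinit': r'c:\windows\system32\userinit.exe,',
    'UIHost': 'logonui.exe',
}


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def _decode_hex(kind, payload):
    raw = bytes(int(b, 16) for b in payload.split(',') if b)
    if kind in ('2', '7'):            # REG_EXPAND_SZ / REG_MULTI_SZ: UTF-16LE text
        return raw.decode('utf-16-le').rstrip('\x00')
    return raw                        # hex: / hex(3): is REG_BINARY


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a Regedit 5.00 export."""
    # A trailing backslash continues the value on the next (indented) line.
    joined = re.sub(r'\\\r?\n\s*', '', text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or current is None:
            continue
        name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"'):
            value = _unescape(data[1:-1])
        elif data.startswith('dword:'):
            value = int(data[6:], 16)
        else:
            hm = re.match(r'^hex(?:\((\w+)\))?:(.*)$', data)
            value = _decode_hex(hm.group(1) or '3', hm.group(2)) if hm else data
        keys[current][name] = value
    return keys


def audit_winlogon(keys):
    """Return (findings, notify_dlls): launch values that differ from the
    baseline, and every Winlogon\\Notify DLL so third-party ones can be reviewed."""
    findings = []
    wl = keys.get(WINLOGON, {})
    for name, expected in EXPECTED.items():
        actual = wl.get(name)
        if actual is None or str(actual).lower() != expected:
            findings.append(f'{name} is {actual!r}, expected {expected!r}')
    if wl.get('SFCDisable', 0) != 0:
        findings.append('SFCDisable is set: Windows File Protection is off')
    notify_dlls = {}
    for key, vals in keys.items():
        if key.startswith(WINLOGON + '\\Notify\\'):
            dll = vals.get('DllName') or vals.get('DLLName')   # both spellings occur
            if dll:
                notify_dlls[key.rsplit('\\', 1)[1]] = str(dll)
    return findings, notify_dlls


if __name__ == '__main__':
    findings, dlls = audit_winlogon(parse_reg(SAMPLE_REG))
    print('findings:', findings or 'none')
    for name, dll in dlls.items():
        print(f'Notify\\{name}: {dll}')
```

Against the full export the audit returns no findings, which is the point: with Shell, Userinit and UIHost all stock and SFCDisable at 0, a missing desktop means the shell binary cannot be loaded, not that Winlogon was told to load something else. The Notify list is the other thing worth a look when a machine has been this thoroughly compromised: the entries here resolve to SUPERAntiSpyware, AVG, Logitech Bluetooth, LogMeIn and Microsoft's own wlnotify/cscdll/crypt32 DLLs. Entries given as a bare file name (avgrsstx.dll, LMIinit.dll) are loaded through the normal DLL search path, so confirming that the file in system32 is the vendor's is part of the check.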
| shelly0923 |
Oct 29 2009, 07:17 AM
Post
#19
|
|
Group: Members Posts: 14 Joined: 26-October 09 Member No.: 27,290 |
Explorer.scf is the file with the folder/looking glass icon. What happens if you click on that? The only way to replace Explorer.exe is through the Recovery Console or Knoppix. Let's see if the recovery console can be installed. Open the task manager and click on the Applications tab. Click the New Task button and copy/paste the bold text to the Open box; C:\i386\winnt32.exe /cmdcons If it works, you should get a Windows Setup Dialog Box describing the Recovery Console option. To confirm the installation, click Yes. Restart the computer. The "Microsoft Windows Recovery Console" should appear on the startup menu. Let me know how that goes.

Ok, when I click on either of the explorers I am told access is denied, no such file, etc... I will do your next step when I get home.... Will I lose stuff, i.e. my Paint Shop Pro, Animation Shop, pictures, files, doing this? Also, Knoppix: when I googled "how to", very extremely complicated instructions were found, that to be honest scares me very much! I have the disk ready to go, just afraid. What about what you suggested before about using one of the laptops to copy explorer.exe onto a flash drive then replacing mine - is that still an option? Can you tell me if you see a virus or anything very bad in the logs I posted? Like how screwed am I? And do you believe this could have happened by installing updates? Thanks!~ |
| shelly0923 |
Oct 29 2009, 04:35 PM
Post
#20
|
|
Group: Members Posts: 14 Joined: 26-October 09 Member No.: 27,290 |
Explorer.scf is the file with the folder/looking glass icon. What happens if you click on that? The only way to replace Explorer.exe is through the Recovery Console or Knoppix. Let's see if the recovery console can be installed. Open the task manager and click on the Applications tab. Click the New Task button and copy/paste the bold text to the Open box; C:\i386\winnt32.exe /cmdcons If it works, you should get a Windows Setup Dialog Box describing the Recovery Console option. To confirm the installation, click Yes. Restart the computer. The "Microsoft Windows Recovery Console" should appear on the startup menu. Let me know how that goes.

Big error: C:\i386 refers to a location that is inaccessible..... could be on hard drive..... information may have been moved to a different location |