I’ve been having this problem off and on for a while now. Sometimes my computer will boot to just a black screen and and a cursor and if I try to start explorer.exe from the task manager it will say “explorer.exe contains a virus”. I have to restart a few times to get a normal boot. Other times while the computer is running Avast will have a pop-up explorer.exe was stopped / FILEREPMALWARE.
I’ve ran ComboFix and here is the log:
I have finally decided to ask for help. 
Hi ledbthand,
Please read this:
http://www.techsupportforum.com/1829551-post6.html
http://www.bleepingcomputer.com/forums/topic273628.html
No need for standard logs procedures when you already run ComboFix. Follow mine instruction:
Step#1
Open notepad and copy/paste the text present inside the code box below:
FileLook:: c:\windows\system32\mshtml.tlbKillAll::
ClearJavaCache::Folder::
c:\users\Chris.WIN7\AppData\Local\Torch
c:\programdata\TorchCrashHandlerDriver::
TorchCrashHandlerDDS::
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )
Step#2
Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Step#3
Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
[*]Type Torch* into the Search: field in FRST then click the Search Registry button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.
ComboFix 14-05-13.01 - Chris 05/13/2014 22:20:27.3.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8132.4605 [GMT -7:00]
Running from: C:\Users\Chris.WIN7\Desktop\ComboFix.exe
Command switches used :: C:\Users\Chris.WIN7\Desktop\CFScript.txt
AV: avast! Antivirus Disabled/Updated {17AD7D40-BA12-9C46-7131-94903A54AD8B}
FW: avast! Antivirus Disabled {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
SP: avast! Antivirus Disabled/Updated {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender Enabled/Updated {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
@ledbthand
Post back again the ComboFix report and attach the log here. It is located here C:\ComboFix.txt Same goes for FRST’s logs as they are where tool is run from, they should be located C:\Farbar
//Use Attachments and other options > Attach options for attaching the logs
http://www.mcshield.net/personal/magna86/Images/avast%20attach%20post.png
Besides CF report, I would also like to see the GMER’s ARK (antirootkit) reports as FRST log shows the possible rootkit presence. GMER will help in determining the fix procedure …
Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:
Gmer download link
Note: file will be random named
Double-clicking to run GMER.
[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click Scan button and wait until the full scan is complete;
[*]Click Save … - save the report to the Desktop (named ARK );
[*]Right-click wherever in the GMER’s window and select Options > 3rd party - click the Scan button;
[*]Please wait until the full scan is complete;
[*]Click Save … button and save report to Desktop (named 3rd party );
note: time scan for “3rd party” log may take some time
[*]Click the >>> and select Autostart card;
[*]After quick scan, click Copy button;
[*]Open notepad and Paste text. Save report to the Desktop (named autostart )
Attach here all Gmer logreports. (ARK; 3rd party and autostart)
Working on the 3rd party scan now.
Hi ledbthand,
Please note that this might be new infection, thats why we are diggin …
GMER’s 3rd party scan shall tell a lot. While GMER preforming the scan, coult you please re run FRST once again for additional file checks. Re-run FRST/FRST64 by double-clicking:
[*]Type Explorer.exe;User32.dll into the Search: field in FRST then click the Search File button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.
We can run all the scans you want No problem.
I’ll add the logs as they finish. The farbar search for Explorer.exe;User32.dll is still running, about 30 mins now. So I’ll add it when it’s done.
Is FRST still searching for files? If does, stop the scan. I’ll provide you the fist fix-steps …
It just finished:
Hi ledbthand,
This fix contains a a two-step. First, creating Fix.reg file. Second step is creating FixList for FRST tool and execution.
Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with this fix…
If you are unsure how to do this please read this or this Instruction.
=> Step#1
Open Notepad and copy/paste the entire contents of the codebox below into Notepad(don’t forget to copy and paste REGEDIT4):
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bmp\OpenWithList\Torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dib\OpenWithList\Torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gif\OpenWithList\Torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Torch.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds]
"TorchHTML.DO6B6BGQB4IYD472WFS5DQUAXE"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html\OpenWithList\Torch.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds]
"TorchHTML.DO6B6BGQB4IYD472WFS5DQUAXE"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ico\OpenWithList\Torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jfif\OpenWithList\Torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpe\OpenWithList\Torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpg\OpenWithList\Torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mfp\OpenWithList\Torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdf\OpenWithList\Torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.png\OpenWithList\Torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.shtml\OpenWithList\Torch.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids]
"TorchHTML.DO6B6BGQB4IYD472WFS5DQUAXE"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.URL\OpenWithList\Torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.webm\OpenWithList\Torch.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids]
"TorchHTML.DO6B6BGQB4IYD472WFS5DQUAXE"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht\OpenWithList\Torch.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds]
"TorchHTML.DO6B6BGQB4IYD472WFS5DQUAXE"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml\OpenWithList\Torch.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds]
"TorchHTML.DO6B6BGQB4IYD472WFS5DQUAXE"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\Torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\Torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\TorchSetup-r20-n-bf.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TorchHTML.DO6B6BGQB4IYD472WFS5DQUAXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Torch]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Torch.DO6B6BGQB4IYD472WFS5DQUAXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\TorchCrashHandler]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MediaPlayer\ShimInclusionList\torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\torch.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\TorchVLC]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Torch]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Torch]
[-HKEY_USERS\S-1-5-21-2935059939-49806373-1791657811-1000\Software\Microsoft\IntelliType Pro\AppSpecific\torch.exe]
[-HKEY_USERS\S-1-5-21-2935059939-49806373-1791657811-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\Torch]
[-HKEY_USERS\S-1-5-21-2935059939-49806373-1791657811-1000\Software\Torch]
Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
Notice: Save fix.reg at [b]C:[/b] as it should be located in root of your system drive (full path: C:\fix.reg) as I shall tell FRST via FixList to search file at C:\fix.reg and execute the file only from there.
File itself should look like this:
http://i244.photobucket.com/albums/gg37/chemist2008/reg.jpg
.
=> Step#2
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Start File: C:\Core Temp.exe File: C:\Program Files (x86)\FS\Spyro Portal\FlashPortal.exe File: C:\Windows\system32\perfc015.dat File: C:\Users\Chris.WIN7\Downloads\kate-s-video-toolkit-free.exe Folder: C:\Users\Chris.WIN7\AppData\Roaming\abgx360 CMD: reg import C:\fix.reg C:\Users\Chris.WIN7\Downloads\TorchSetup-r20-n-bf.exe C:\Users\Chris.WIN7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Torch.lnk C:\Users\Chris.WIN7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Torch C:\Users\Chris.WIN7\Desktop\Torch.lnk C:\Users\Chris.WIN7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Torch C:\Users\Chris.WIN7\AppData\Local\Torch C:\Users\Chris.WIN7\jagex_cl_loginapplet_LIVE.dat C:\Users\Chris.WIN7\jagex_cl_runescape_LIVE.dat C:\Users\Chris.WIN7\jagex_cl_speccollect_LIVE.dat C:\Users\Chris.WIN7\jagex_runescape_preferences.dat C:\Users\Chris.WIN7\jagex_runescape_preferences2.dat C:\Users\Chris.WIN7\random.dat REPLACE: C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe C:\Windows\explorer.exe testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION! nointegritychecks: ==> Integrity Checks is disabled <===== ATTENTION! REBOOT: Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File FF Plugin-x32: TorchVLC - C:\Users\Chris.WIN7\AppData\Local\Torch\Plugins\Video\VLC\npvlc.dll No File CHR DefaultSearchKeyword: search.conduit.com CHR DefaultSearchProvider: Conduit CHR DefaultSearchURL: http://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&cui=UN40057112292760174&ctid=CT3287804&UM=2 R3 ALSysIO; \??\C:\Users\CHRIS~1.WIN\AppData\Local\Temp\ALSysIO64.sys [X] AlternateDataStreams: C:\ProgramData\TEMP:0B4227B4 AlternateDataStreams: C:\ProgramData\TEMP:58D8F144 AlternateDataStreams: C:\ProgramData\TEMP:75D366A3 AlternateDataStreams: C:\ProgramData\TEMP:9638A27E AlternateDataStreams: C:\ProgramData\TEMP:DDE29E40 End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
Here is the fixlog.
Ok. Please re-run FRST hit the Scan button and post me the fresh FRST.txt logreprot.
Now even in safe mode it says explorer.exe “class not registered” on a black screen.
Do you have instalation CD on your hand?
… … …
Execute TDSSKiller.exe by doubleclicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.
[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
… … …
Here’s this one I’ll upload the Combo fix when it finishes.
ledbthand, is ComboFix shill working?
Bdw, tell me, do you see "“Test Mode Windows 7 Build 7600"” watermark in the lower right-hand corner?
Did you turn testsigning on? And do you have installation CD for Windows 7?
No test mode just build 7601 service pack 1
I have the disk yes.
here is the log it just finished:
Ok, we might need to use it to repair some sistem files. Tell me, do you can access to normal mode?
No test mode just build 7601 service pack 1We will remove this.
Try this FixList and tell me how is the thing after this fix:
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Start
REPLACE: C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe C:\Windows\explorer.exe
REBOOT:
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
fixlog