gerbil 216 Industrious Poster

Holi, eh? What colour did you end up?
I think I tried to guide you in my first post to save data files only and reinstall your OS and applications, for otherwise it can be an adventure discovering the damage Sality has done. Having chosen to attempt a cure you should have used the Kaspersky cleaner at least. The problem with Sality is that when it infects a file it writes its own [encrypted] code at the entry point it uses and attempts to save the original code it is replacing; unfortunately it does a bad job of the latter and so removal/curing software will find the file to be irrecoverable. Once the sys is cleaned you can replace them yourself, of course, but that may be a task never-ending. And... was it completely cleaned...?
Backing up the registry? I would not be without ERUNT; it does not entirely supplant System Restore but in most cases is all that is needed. Use the option also in the Windows Backup task to occasionally do a System State backup.

somjit{} commented: thanks for ur time to reply with a post on how the infections on my system work :) +1
gerbil 216 Industrious Poster

Hello, Somjit. You posted "...then back it up, n do a reformat n a fresh install.. i think my computer is infested with a lot of malware so i was thinking of this reformat."
Yes, there is a lot of malware, including a bootkit, a rootkit and Sality virus, and because you are not averse to the idea of saving wanted files [DATA only, such as picture files, documents etc because Sality is an executable process infector] and then reformatting, reinstalling, I feel that is the best option, likely the quickest and easiest, also. You've pointed out that some of your applications are not working correctly - Sality may have infected their executables, and you would need to reinstall them anyway.
Choosing that path gives you the security of knowing that your system will then at least start off clean. It will only stay clean if you dump outdated software such as Grisoft's AS_7.5 ... gee, that is old. And run your chosen AV service.
Save your data files to cd, don't save any executables, even possibly desirable ones such as application installers.
You might start a cleaning job by these initial steps:
-run CCleaner in EACH user's accounts.
-run mbrcheck.exe from http://ad13.geekstogo.com/MBRCheck.exe run it, then close the cmd window and post the log.
-delete C:\rlgb.pif and c:\windows\system32\drivers\cvwgex.sys
-download and run Salitykiller.zip and then Sality Regkeys.zip as per instructions here: http://support.kaspersky.com/viruses/solutions?qid=208279889
-turn System Restore off for all …

gerbil 216 Industrious Poster

There ya go, Trampaw. Before you know it, you'll be out of your truck and spending your life in front of a computer. Those local chicks [chooks] might then give you a new handle... Anyway...
Just for information [for anyone], you can start IE and pass it a file to display with this command as an example: Go Start, Run, and paste in...
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -k "d:\downloads\look.zip"
Then, rclicking Look.bat and choosing Open will give the notepad log as result. Windows has an inbuilt unzip application.
To exit press Alt F4
Note... don't run that example, Trampaw, because you did not save Look.zip to the location I gave in that command. You would probably run something like...
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -k "%homepath%\my documents\downloads\look.zip"
...but I'm guessing...

gerbil 216 Industrious Poster

heya, Pops... look, please remember [or read back] what I told you about using IE to manipulate files [internet explorer.... in TM start iexplore.exe].
Opened one? Right, in the address bar type in where you saved Look.zip to [eg C:\downloads... wherever..]; when you go to it if you have any unzipping tool on your sys it should automatically unzip that file and show Look.bat, probably as an icon. Rclick that, choose Open, and it will run automatically and produce a notepad for you.

gerbil 216 Industrious Poster

Get a version of memtest86+ that is the bootable option you would like to run, boot from that medium and run the test for at least half an hour, have a meal and so give it longer... a zero error result would rule out RAM.

gerbil 216 Industrious Poster

Catalana, to save using task manager you can use IE to do pretty much the file work of explorer. eg open IE; if you don't have it displayed already then show the address bar... set View to show details, then enter C: into the address bar. And go from there [you rclick and choose Open to open a folder etc].
In Windows you should still have Phillies.exe? -dclick it.

"Meanwhile, there is no c:\WINDOWS\explorer.exe there is a c:\WINDOWS\explorer.. I see both on my other computer " -I find that disturbing...

gerbil 216 Industrious Poster

First off, those reg keys. If, as I suspect, one or more of them contain a huge list of hexadecimal code as data entries then I think it is safe to delete them - malware can load that data into memory. They are not registered/conforming CLSIDs anyway, merely invented.
klmd.sys has been subverted by the TDSS rootkit family on other systems, so many systems that I cannot ascertain by search what is its function.. it is not on my XP-SP3 sys. For the time being, rename it to system32/drivers/0000klmd.sys.bak.
catchme is a part of combofix; combofix jamming is a cause for alarm, it is being targeted. Try updating malwarebytes and scanning with it, see if it can catch any newly exposed files, then attempt combofix again.
If a CLSID refuses to delete then rclick it, go Permissions and take control, then whack it.
"Many thanks again for all you efforts. I was almost on the verge of a disk reformat."... apart from that, it is always nice to wring the neck of some malware. Writers are pouring effort into it, a lot of money is involved now. And thanks to you for hanging on, for fighting; it is frustrating but understandable when some folks give up and reformat... we learn little from that, but there are some utterly destructive viruses that leave no option - their aim is malicious damage, the aim of this stuff is theft and control.
Mind-boggling stuff:
0x20E Non-fatal A …

gerbil 216 Industrious Poster

Gee, that was a journey. Did driver verifier pick up the modification to Volsnap.sys?
If you have not already done so, run
combofix /uninstall
...then dl a fresh copy from http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or http://subs.geekstogo.com/ComboFix.exe
Close down your AV and firewall as before, and run Combofix just the once.
Sorry, but it is very late here, beddy-byes for me.

gerbil 216 Industrious Poster

Fin, could you wander into registry and delete those two CLSIDs manually, please?
You could export them to your desktop first, and post them, if you would.
Next do a search for all instances of {B4502AD1-AF97-EC66-7D66-304FFAC0F1DB}, export the subkeys and post them also? Tah.

gerbil 216 Industrious Poster

And a couple of other things you could do.. GMER originally put up a blue screen error of PFN_LST_CORRUPT... now that would have been caused by a driver [the rootkit?] accessing the page frame list incorrectly or trying to lock its physical memory range so that it stayed resident [exactly what error occurred would be indicated by the parameters given with the error code]. Run Driver Verifier with these settings:
Go Start, Run, and enter:
verifier
Ensure 'Create Standard Setting' is selected, hit next;
Click on 'Automatically select all drivers installed on this computer' and hit Finish;
Reboot.
And chatting with PP, it might be an idea to try TDSSKiller because of the prevalence recently of that rootkit type:
==Download tdsskiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe -you may need to download it to a clean computer and then transfer it to the desktop using a USB flash drive.
Start TDSSKiller via this command, NOT the icon:
"%userprofile%\desktop\tdsskiller.exe" -l C:\tdssrpt.txt <==paste this into Start, Run...
- click Scan. If TDSSKiller finds a rootkit and prompts a Cure then press Continue [a reboot may be required]; press Continue also on Skip prompt. Do not delete or quarantine any files.
Post the log from C:\.

gerbil 216 Industrious Poster

Argghh.. because of the way it was structured, I was wondering if you were meaning to have a shutdown -r in there to test phillies.exe... and somehow was thinking of the path %systemroot%, not %systemdrive%. Why don't these machines understand that and adjust for it?

gerbil 216 Industrious Poster

Thing is, fin, I have no way to trap these things on your sys... memory management will not place the pages at the same physical addresses each time they run. The launching process is not evident.
!!!!!!!!!!!Hidden driver: 00000102
Loaded from:
Address: 0x86F2328A
Size: 3446 bytes

==============================================
>Stealth

Unknown page with executable code
Address: 0x86F243CC
Size: 3124

Unknown page with executable code
Address: 0x86F2328A
Size: 3446

Unknown page with executable code
Address: 0x86F29143
Size: 3773

Try downloading and running GMER again:
==Download gmer.zip from http://www.majorgeeks.com/GMER_d5198.html ...or the exe from http://www.gmer.net/download.php - it will have some obscure name.
-dclick on gmer.zip and unzip the file to its own folder or to your desktop.
-disconnect from the Internet and close all running programs.
-dclick the .exe to start it; wait for the initial scan to complete [a few seconds]. Press the Copy button, open Notepad and paste into it.
-Then, if you did NOT get a warning at startup about rootkit activity, uncheck all drives but your systemdrive in the drives section; click the Scan button and wait for the scan to finish (do not use your computer during the scan); again press the Copy button, paste also into that Notepad.
-please post that log.

gerbil 216 Industrious Poster

Catalana, PP is not available atm. To save him/you some time I have taken the liberty of rearranging his zipped batch file to present further information re explorer.exe in your sys. Could you extract the .bat file from the attached zip, run it and post peek.txt as before?

gerbil 216 Industrious Poster

So you backed up your files to a folder on your desktop, then reinstalled Windows to that same drive without formatting it. Fine. It is one risky backup method, should be safe, may not be... this is windows.
Anyway, a new version of Windows, a new User. May even be the same name you used before, but to Windows you are a hash, and with the possibilities available in a 128? bit hash, you are not known as the User of old. You must take ownership of the old user's files [know that his desktop is a folder inside his Docs n Setts folder].
User profiles are given a unique Security Identifier. So even if on a new installation you create a user with the same name the account will not have the same SID. My Documents folder is a special Windows folder; it is related to the owner by SID. You can take possession of it [if XP Pro] by using the Security tab in Properties. If XP Home Edition then to get the Security tab to show on folders you must start in Safe mode, log on with an account that has administrative rights. Access to the Security tab is required in order to change security permissions. Rclick a folder on the drive, select properties, > security tab, > advanced tab, click owner, click edit, click your user name in the list [or Administrator if you logged in as such] and check Replace owner on subcontainers …

gerbil 216 Industrious Poster

Your drive is corrupting its NTFS file system records, the Master File Table.
Security data stream and attribute record are part of the file system metadata, the first codes who can deal how with a file, the second is how it is displayed etc. Pretty much, if the MFT ever becomes irrecoverable ALL your files are irrevocably lost. To all but the most expensive recovery work.
2000. Middle-aged to senior. Get your data off, reformat that partition and see how it performs with new and non-sensitive stuff.

gerbil 216 Industrious Poster

You could try to find the name of that hidden driver; its presence may be concealed by the driver loading and executing some code as a system thread, and then removing itself; that way its details [name etc] cannot be read. I wonder....you could try to show it up - you can make a change in reg to show hidden drivers in Dev Mgr [remains until you reverse it], or a change to the environment inside a cmd shell [dies with the closing of that shell].
1)System Properties, paste in as an environment variable name:
devmngr_show_nonpresent_devices ; value of 1. [that adds it into Session Manager key in reg].
Or 2) In a cmd window enter:
set devmngr_show_nonpresent_devices=1 -then start Dev Mgr from inside that shell with..
devmgmt.msc
Inside Dev Mgr under View tab check Show hidden devices. Hidden [deliberately] or non-loaded [no device present on sys] drivers are shown greyed out. I doubt if it will reveal anything though.
When you find a suspect driver investigate it thoroughly - you don't want to delete a crypted firewall or SCSI driver.
You could delete C:\Qoobox and contents.

!!!!!!!!!!!Hidden driver: 00000102
Loaded from:
Address: 0x86F2328A
Size: 3446 bytes

This entry is a worry. And I don't know what to do about it. Do IceSword or RKRevealer show anything? You might try posting that piece plus the Hooks section and serf_conf log over at Sysinternals Malware board - it's …

gerbil 216 Industrious Poster

His work is supreme... of the four you mention, I have yet to see Ponyo.
I love the artwork [all hand-drawn/painted, not a computer graphic anywhere]; Disney or the modern tech artists cannot hold a candle to Miyazaki's works. They involve me, transport me, "simple" stories of magic and rightness.
I was starting to think I was alone.
Right, those tools, before you run them close off all other applications. Makes looking over the results easier.

gerbil 216 Industrious Poster

Been watching Howl's Moving Castle by Miyazaki.... a sublime anime, as are all by him... Anyway...
The serf_conf log... it originates from libserf, a language, it allows the client to make HTTP requests. I don't know if the config log that iexplore built is where it's been or where it's going, the former I guess. I'm out of my depth.
Something is directing IE, and it is still hidden. You might try another rootkit scan or three, one I like is Rootkit Unhooker [they had a very public and enduring slanging match with GMER & other AR software authors, but now are involved with M$...check Help About.. :)]. Get it, and any other you like from here: http://www.antirootkit.com/software/index.htm
I suggest...
R Unhooker -from this site is an earlier version than one I have... you need the author's site, or http://www.rootkit.com/newsread.php?newsid=902
R Revealer.
IceSword.
R Unhooker... as with IceSword, check each tab; RU scans run automatically except for Files & Hooks. Look for unknown hooks. Generally a rootkit's presence will be well indicated. Don't be surprised by SPTD software you may have throwing up alerts eg Alcohol.

gerbil 216 Industrious Poster

PP, I didn't touch this thread further because Combofix has gotten away from me... but this file is sus?
c:\windows\aventura.exe

gerbil 216 Industrious Poster

The ACMRU key records Most Recently Used uses of the Search Assistant [eg, you search for a file with Search in Explorer, the detail is recorded there]. But it does not have to be user searches that get entered there, as shown by this one: iexplore.exe http;//clickport.org /ac.php?aid=5&cid=direct2
There may be four subkeys:
- 5001: terms used for Internet Search Assistant
- 5603: terms used for files and folders search
- 5604: terms used in a word search
- 5647: terms used in the other computers or people search
The actual entries there are of no harm, merely system record keeping. You can delete them safely [the 001..003 names]. But you might wonder from where that one originated. I cannot raise the site, nor the findclean.org site. Google is of no help, except it turns up this page:http://www.threatexpert.com/report.aspx?md5=927f2c1b6c8d732a7ba55a5969393ed3 with another connection attempt to clickport.org amongst other suspect sites.
This instance of iexplore: iexplore.exe SC0DEF:3016 CREDAT:79873 -those codes show that it is a child process of an iexplore.exe frame process with a PID of 3016 in this case, the code defines their relationship so that they know each other.
It is IE8 at play. Process Explorer will give you the actual command line which opened iexplore.exe.
Keep hunting... there is something there, and it is bad.
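An added example, not from the post above or from gerbil: a small Python triage for the two things that post describes, the ACMRU subkeys and the IE8 SCODEF/CREDAT child command line. It assumes the key lives at HKCU\Software\Microsoft\Search Assistant\ACMru and works on a constructed regedit-style .reg export, with the command-line value replaced by a placeholder domain.

```python
import re

# Subkey meanings as listed in the post above.
ACMRU_SUBKEYS = {
    "5001": "Internet Search Assistant terms",
    "5603": "files and folders search terms",
    "5604": "word-in-file search terms",
    "5647": "computers or people search terms",
}

# Constructed .reg export in regedit's text format. The "001" value is modelled on the
# entry the post describes; malicious.example is a placeholder, not a real domain.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="budget.xls"
"001"="iexplore.exe http://malicious.example/ac.php?aid=5&cid=direct2"
"002"="*.jpg"

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="invoice"
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
# A search term should not look like an executable name, a URL, a server-side script or a drive path.
SUSPECT = re.compile(r"(\.exe\b|https?://|\.php\b|^[a-z]:\\)", re.IGNORECASE)


def parse_acmru(reg_text):
    """Return {subkey: [(value_name, data), ...]} for the ACMru subkeys in a .reg export."""
    result, current = {}, None
    for line in reg_text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            path = m.group(1)
            # Only track subkeys directly under ACMru; anything else resets the cursor.
            current = path.rsplit("\\", 1)[-1] if "\\ACMru\\" in path else None
            if current is not None:
                result.setdefault(current, [])
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo regedit's \\ and \" escaping
            result[current].append((m.group(1), data))
    return result


def suspicious_entries(parsed):
    """Flag MRU values that look like command lines rather than a user's search terms."""
    hits = []
    for subkey, values in parsed.items():
        label = ACMRU_SUBKEYS.get(subkey, "unknown subkey")
        for name, data in values:
            if SUSPECT.search(data):
                hits.append((subkey, label, name, data))
    return hits


IE_CHILD = re.compile(r"SCODEF:(\d+)\s+CREDAT:(\d+)")


def ie_frame_pid(cmdline):
    """From an IE8 child-process command line, return the PID of the frame process that owns it."""
    m = IE_CHILD.search(cmdline)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for subkey, label, name, data in suspicious_entries(parse_acmru(SAMPLE_REG)):
        print(f"ACMru\\{subkey} ({label}) value {name}: {data}")
    print("frame PID:", ie_frame_pid("iexplore.exe SCODEF:3016 CREDAT:79873"))
```

Anything the script flags is still only a record of a search, not the thing that ran it; as the post says, the process that launched that iexplore.exe is what to hunt for.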

gerbil 216 Industrious Poster

:). Looks like Combofix took great issue with your USB mobile connection software [beats me why the software created an inf folder in All Users, instead of using the %windir%\inf folder]. And that old 7Zip file .
It doesn't think much of Eminem, either. I'm with Combofix, right there. Is/was it actually a playable mp3?
The deleted firefox extensions, all two sets of them, are baddies; I notice that Greatis [anti-rootkit folk] have identified some such files linked to your rogue lsass.exe infection.
This one should be genuine, though - c:\windows\system32\BSTIeprintctl1.dll? You would have to check its properties to see if it was a legal version.
What is in this folder : c:\windows\system32\5A5219D94A374A9E0854CB0F563363AE ?
There are several registry keys to unlock, but I'll wait for PP's thoughts on what combofix has done. Any files wrongly deleted can be reinstated from its vault. Else you just reinstall...

gerbil 216 Industrious Poster

I use IE6... but only when I must. [Some routers etc will not load config files correctly with FF or Opera!!, some M$ sites only accept IE still ]. It's fine. For IE6 there is a download of repair files for IE installations, IEFix 1.6; I don't know IE8, and am happy to accept Judy's guidance on that. Anyway, back to your point... something is calling IE, try to find that. I'd try ProcMon, run it as a boot monitor and then search for iexplore.exe calls.

gerbil 216 Industrious Poster

You need a bootable medium with chkdsk. One such simple self-installer to floppy is NTFS4DOS. It's originally an Avira utility. Search for it; the original [vsn 1.8 or 1.9] will install to a sys, and when run will create a bootable floppy with chkdsk.exe on it. Other reworked free offerings on the web will create a cd iso or USB flashdrive bootable version. You choose. Boot from the created medium and run chkdsk.
Oh, what the heck, here [both are good, create a floppy]:
http://download.fyxm.net/Avira-NTFS4DOS-78905.html
http://files.extremeoverclocking.com/file.php?f=180

gerbil 216 Industrious Poster

Yow. Those files that Unlocker could not remove sure had some protection cast upon them, I imagine that would have been from that rogue lsass.exe or C:\WINDOWS\dmdskmgrwow.exe.
Please delete these files:

c:\documents and settings\owner\ezrjfdslvv.tmp
c:\windows\system32\mll_mtf3.dll
and folders...
c:\windows\system32\5A5219D94A374A9E0854CB0F563363AE
c:\windows\system32\582933403

To remove Spybot cleanly the easiest way is to reinstall it over the top of the old, then uninstall.
I would uninstall Adaware also... it once was good, seems not so now. Well, it did not save you from this attack.
Whenever GMER crashes it is usually because of malware killing it deliberately to protect itself. So your sys is sus. Still. Often the process of cleaning involves removing layers of protection files.
So now get a fresh copy of GMER and try it again. And if it will not run cleanly try again but in Safe Mode.
MBAM. I like clean runs.. repeat the quick scan.

gerbil 216 Industrious Poster

I would find it a nuisance! You might try repairing IE8. Go Start, Run, paste or type in...
%windir%\inf
Locate ie.inf, rclick it, and choose Install. You may need your installation cd if the requisite i386 files are not on hdd.

gerbil 216 Industrious Poster

Hello, aventura, the others are in bed, or should be....
Firstly, get Unlocker:
==This is a general purpose force-deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, which is cool.
To use, browse to the file to delete, rclick it, choose Unlocker, remove any hooks with Unlock...choose Delete, and delete it.
Use Unlocker on these files:

C:\WINDOWS\dmdskmgrwow.exe
C:\WINDOWS\system32\mp4sdecd32.dll
C:\WINDOWS\system32\WMVXENCD32.exe
C:\WINDOWS\system32\msftedit32.exe
C:\WINDOWS\system32\autodisc32.dll
C:\Documents and Settings\Owner\Application Data\SysWin\lsass.exe

Start hijackthis, scan only, place checkmarks against these entries and fix them:
O2 - BHO: (no name) - {0144DFBA-5F69-4C56-974E-131BE52F7C7a} - C:\WINDOWS\system32\autodisc32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: e0ffeca9 - {C858D373-E0AA-855B-641D-A1F979D2E544} - C:\WINDOWS\system32\mp4sdecd32.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\mp4sdecd32.dll
Restart your sys, try GMER and MBAM now.


When this is over, you might dump Sygate as recommended by PP n Judy, perhaps get Comodo or similar. McAfee failed you, perhaps try Avast Free. It has the advantage of being active against some non-virus malwares.
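An added example, not part of the post above and not HijackThis code: a Python parser for the O2/O3/O4/O20/O22 line formats that gerbil quotes, run over those same entries (plus the benign O22 browseui entry from a later post) to pick out the ones a reviewer would look at first: objects registered with no file on disk, unnamed BHOs, duplicate Run entries, and anything in AppInit_DLLs.

```python
import re
from collections import Counter

# Constructed sample, assembled from HijackThis entries quoted on this page.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {0144DFBA-5F69-4C56-974E-131BE52F7C7a} - C:\WINDOWS\system32\autodisc32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: e0ffeca9 - {C858D373-E0AA-855B-641D-A1F979D2E544} - C:\WINDOWS\system32\mp4sdecd32.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\mp4sdecd32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
"""

# O2/O3/O22: "<section> - <kind>: <name> - {CLSID} - <file or (no file)>"
CLSID_ENTRY = re.compile(r"^(O\d+) - (\w+): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O4: "O4 - <hive\..\key>: [<value name>] <command>"
RUN_ENTRY = re.compile(r"^(O4) - (.*?): \[(.*?)\] (.*)$")
# O20: "O20 - AppInit_DLLs: <dll list>"
APPINIT_ENTRY = re.compile(r"^(O20) - AppInit_DLLs: (.*)$")


def parse_line(line):
    """Return a dict describing one HijackThis entry, or None if the line is not one we handle."""
    m = CLSID_ENTRY.match(line)
    if m:
        section, kind, name, clsid, target = m.groups()
        return {"section": section, "kind": kind, "name": name, "clsid": clsid, "target": target}
    m = RUN_ENTRY.match(line)
    if m:
        section, key, name, target = m.groups()
        return {"section": section, "kind": key, "name": name, "clsid": None, "target": target}
    m = APPINIT_ENTRY.match(line)
    if m:
        section, target = m.groups()
        return {"section": section, "kind": "AppInit_DLLs", "name": "", "clsid": None, "target": target}
    return None


def triage(log_text):
    """Parse a log and return (entry, reason) pairs that deserve a second look."""
    entries = [e for e in (parse_line(l.strip()) for l in log_text.splitlines()) if e]
    run_counts = Counter(e["target"].lower() for e in entries if e["section"] == "O4")
    appinit = {e["target"].lower() for e in entries if e["section"] == "O20"}
    findings = []
    for e in entries:
        target = e["target"].lower()
        if target == "(no file)":
            findings.append((e, "orphaned entry: object is registered but its file is gone"))
        elif e["section"] == "O2" and e["name"] == "(no name)":
            findings.append((e, "unnamed BHO loading a DLL; check the file's properties"))
        elif e["section"] == "O2" and target in appinit:
            findings.append((e, "same DLL is also listed in AppInit_DLLs"))
        if e["section"] == "O20" and target:
            # AppInit_DLLs is loaded into every process that loads user32.dll, so a
            # non-empty value is worth explaining even when the DLL looks ordinary.
            findings.append((e, "AppInit_DLLs is set"))
        if e["section"] == "O4" and run_counts[target] > 1:
            findings.append((e, "duplicate Run entry"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{entry['section']:<4} {entry['target']:<55} {reason}")
```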

gerbil 216 Industrious Poster

Mmm...this "the MFT is 75% in use even... " could be because of temp file or other large directory deletions following, say, an SP3 upgrade? The MFT grows with the added files, does not shrink as they are deleted, even though the MFT record space is freed, so now files only use 75% of that old total..
I've almost convinced myself. Wonder what free software does an MFT defrag? XP is supposed to be able, but will only if there is enough free space in one block on the drive to copy the MFT metadata files to. MyDefrag?

gerbil 216 Industrious Poster

Nope.. it's not that.. I find that the MFT Zone does not subtract from available space, cos it IS available space, just reserved unless required by the file system. So.

gerbil 216 Industrious Poster

I'm idly wondering if recently your MFT has not grabbed another 12.5% from the MFT Zone. Your drive is only 15GB; Windows and the few basic services, file systems and windows apps that I cannot move out of my C: occupy 23,000+ files on my 8GB system partition. The C: MFT is 75% full. So if the C: is your only drive with apps and data then perhaps your MFT has incremented in size. What does the Defragmenter report indicate [you don't have to defrag, just analyse and then Save the rpt for easy reading in notepad]?
Another thing, if XP by itself increments the MFT Zone size [to 25% of total drive space] is it reflected in this key value?
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Filesystem]
"NtfsMftZoneReservation"
If unset, or with a zero value [as set by user either directly in reg or via fsutil] it indicates the MFT Zone is at the standard 12.5% of total drive space.
I don't know about the recurrent attribute error, though.
Just wondering, is all... because my Defrag report figures confuse me as to my MFT size - with 25,700 entries the MFT is 75% in use even though only 33Mb in size. 12.5% of 8GB is 1GB.

gerbil 216 Industrious Poster

Okay, thanks. Undergone a name-change, or done its job and been removed?

gerbil 216 Industrious Poster

Wondering what this one is, also:
2011-01-08 14:10:54 88 --sh--r- c:\windows\system32\AD53B5037A.sys
DDS has it in 3M, but not CF.... something to do with divx? - it appeared on the sys at close to that time...
And this one is still there..
S3: gel90xne.sys

[just trying not to get way out of touch, or step too often on yours and PP's toes, crunchie.. :)]

gerbil 216 Industrious Poster

So... did you get it working, Rik?

gerbil 216 Industrious Poster

Hi. Could I see the results of this scan, please; it should give a better idea of what is trying to start?
HiJackThis:
You have a choice of versions, installable program or stand-alone executable; in action they are fundamentally identical.

i] -download hijackthis: http://www.majorgeeks.com/download5554.html or http://www.filehippo.com/download_hijackthis/
-dclick that .msi file to install Hijackthis as a program. Else...
ii] - download the executable file from: http://www.bleepingcomputer.com/files/hijackthis.php
- unzip if necessary; copy hijackthis.exe to a new FOLDER placed either alongside your program files or on your desktop.
Start Hijackthis via the desktop icon or by dclicking hijackthis.exe.
- CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
- click the Scan and Save a Logfile button. Post the log here.

gerbil 216 Industrious Poster

"The idea I had was to remove the hdd, plug it up to my laptop (via a usb adapter), throw the windows cd contents onto it and install it."

Well, roughly that... what you should do is pull the hdd and plug it into another system using some adapter, as you suggest.
Format that hdd; let's say you give it a drive letter G:
Then with the installation cd inserted into that secondary sys [as, say, D:], use the cmd window to run winnt32.exe with the following switches:
d:\i386\winnt32 /syspart:g: /tempdrive:g: /makelocalsource /noreboot
When that phase completes the sys will pause; to ensure that your new system partition will be C: and not G: you must delete the MIGRATE.INF file in G:\$WIN_NT.~BT\
Reinstall the hdd back into the tablet and power up. Setup should continue. Or give an error... :)
[that cmd line runs the Setup phase that copies the temp files required to G:, marks it as Active, copies all other installation files over so the cd is not required again, and halts; if you then don't delete MIGRATE.INF your system partition would remain as G:, which you likely would not want].

gerbil 216 Industrious Poster

Perhaps one or more of those pgms has Startup entries remaining? You can delete them from C:\Docs and Setts\either You or All Users\Start Menu\Programs.

gerbil 216 Industrious Poster

"My client is wanting to install an application that strengthens her mind "
Nothing like investigating the possibilities and then fixing your own sys to do that.
I have Asus boards, they seem fairly accepting of RAM brands. This one is running some junk-brand [ok, rebranded] reasonably hi-spec set. The individual chips are well-known.
"The RAM on the system is DDR PC2700 and on the other side it says 64X64 PC3200 DDR. " What? Is that on the one stick? It has to be one or the other. The PC3200 spec is the error-free maximum speed they can get from the RAM. Try derating it via BIOS to a lower speed, see if it works then. If it does, the RAM is not up to its rated specification of 400MHz.

gerbil 216 Industrious Poster

When you are to dl the windows updates, instead of doing it automatically via the update service, go to the site and dl the related KBxxxx exes. That way you have all the updates available for slipstreaming if you so wish, no need to dl them again. Just an idea...
Shame about the ol installation.

gerbil 216 Industrious Poster

Tooth fairies don't do hdd miracles. Either a quick or full format will erase your file records from the MFT, a full format will also carry out what you already did, a scan for bad sectors.
It does not hurt to repeat chkdsk /r. Just in case. Use the RC on your installation cd to run chkdsk c: /r again.

gerbil 216 Industrious Poster

You could restore these 2 entries from hijackthis backup. They are benign, and useful.
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
This one is a USB connection monitor. Up to you. It is not needed.
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe

gerbil 216 Industrious Poster

No problem, Trampaw. Hope you pull through. I won't ask about "some women".. :)
c:\windows\servicepackfiles\i386 -is explorer.exe there? It darn well should be in the SP3 unpack. If it is, drag it over to c:\windows.
Or... If it is not there, do you still have the SP3 exe, WindowsXP-KB936929-SP3-x86-ENU.exe ? If so, you can expand it from there...:
If that file is saved on your C: drive you could use this command, or modify the path to suit. Paste these into the Run window in Task Manager, and let them run:

"c:\WindowsXP-KB936929-SP3-x86-ENU.exe" /X:c:\SP3files
expand -r c:\SP3files\i386\explorer.ex_ c:\windows

Those two will unpack the windows SP3 downloaded exe to c:\sp3files, and then expand explorer into c:\windows, where it should be. Try then to run it via TM.
Take care to spot the spaces in those commands.. :)
- there is one after this: 86-ENU.exe"
-and one after this: \explorer.ex_ plus the 2 obvious ones near the front of the 2nd line.


gerbil 216 Industrious Poster

I must admit that I have not tried it, but it may be possible to run that SP3 installer over the top of your current installation without first reverting to SP2. Give it a try - at worst it can only deny. Ok, i hope.

gerbil 216 Industrious Poster

Trampaw [is that your grandkids' name for you?] check if you have this folder:
c:\windows\$NtServicePackUninstall$ - you should, unless you deliberately deleted it, from when you did either an online update or ran the self installer for SP3. It contains all the files etc necessary to rollback to SP2, including an SP2 explorer.exe version. So rolling back to SP2 would then be an option [use the Control Panel|Add/Remove Pgms page for that], and then re-updating to SP3. I prefer to use the self-installer package for that : http://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en
Uninstalling via Control Panel [start it with IE, dclick Add, Remove Pgms, click Windows XP Service Pack 3], and then reinstalling would probably be the easiest option to restore your sys.
And then run another virus, malware check.

gerbil 216 Industrious Poster

Ah. Possibly too few people do know of the commonality between IE and Explorer. You can use Explorer to go on the web, too, by entering a web address, but in a limited way because Explorer cannot handle hypertext. And you can not only find files from there, but run them if executable, or if you prefer, open them.
For the life of me I cannot remember the folder where a backup copy of Explorer.exe is kept if you have not done an SP upgrade but merely have an untouched installation. But as I said, obviously you do not have one.
Right, we need to know your XP Pro version... SP? Explorer is version specific... - and I will say this: upgrading from SP2 to SP3 will solve your problem if such is available as an option.

gerbil 216 Industrious Poster

Fine. Gotcha. Above when I referred to IE I meant Internet Explorer. Try it and report back. For example, if you type c:\windows into the IE address bar then you should see the files and folders inside \windows. Is explorer.exe there? And if you enter C:\windows\system32 you should see winlogon.exe [you must have that, cos otherwise you would not have been able to restart your sys].
Actually, they both should be there because the moment BDF deleted those two at your behest Windows File Protection System should have replaced then both. Obviously your sys does not have a backup of explorer.exe. You could check that by entering into IE address bar:
c:\windows\servicepackfiles\i386 -is explorer.exe there? [you will only have that folder if you have upgraded a service pack, eg SP2 to SP3].

gerbil 216 Industrious Poster

If IE works you can temporarily use that as an Explorer substitute. Just type C:\ in the address bar, then rclick and Open files or folders that are shown. And so on. You also will find all Control Panel functions available there - type control panel in the addy bar.
And don't cut the story short.. just how did you lose Explorer? Is the executable gone from \Windows, or does it just not run? Why [especially?] were you running Bitdefender - did you suspect a malware issue, did bdf say what it was?

gerbil 216 Industrious Poster

Try BIOS Setup [enter by Del key?] and disable 1394, if you think you won't be needing it.

gerbil 216 Industrious Poster

You're welcome, Techno. Good luck.

gerbil 216 Industrious Poster

Are those the VM [actually Page File] figures from before the change? You have 32GB available [free on disk]... which because of the system management choice is theoretically all available to the PF. I don't understand why you are getting the warning. No process should have that large a memory leak!
I prefer to use the Custom Size setting; because your Currently Allocated figure is 1586 MB, you could set min 1000MB, max 3000MB.
To keep the PF contiguous on disk you would set min=max=3000MB.
Up to you.
In TM in the Processes, under View tab you could check Virtual Memory Size; see if any process is using an exorbitant amount of memory.

gerbil 216 Industrious Poster

Firstly, taking/posting snapshots [screenshots]: you might have a key labelled Printscreen? Press, then open Paint [via Pgms > Accessories], paste using Edit; crop as desired and save as a jpg. In Daniweb, use Advanced, choose to add files and browse to your jpg, Open and post once it uploads. The last is the same for any other filetype in the accepted files list. And if the type is not there you simply zip it and upload that.
Your Commit Charge 1872M/2166M.... [they correspond to Total 1916928 and Limit 2217984 from the CC [K] block under the Performance tab] does show that your sys is, at that point, within 15% of total available RAM + PF size. You do need to increase the size of your PF for the process/applications you have running. Using the process described above by rch increase your PF to 1500MB [currently it is 1200MB?] as a minimum; to the point, you might choose Custom Size, min = 1000, max = 1500.
If problem surfaces again jump max size up to 1800MB. 1500MB should do....
I don't know what applications you are running, but that is a reasonably large PF usage.