Author Topic: Winlogon.exe and explorer.exe is infected  (Read 29121 times)

0 Members and 1 Guest are viewing this topic.

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #30 on: October 25, 2010, 05:31:32 PM »
Well David I tried tat as well..same results...waiting for essexboy

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89249
  • No support PMs thanks
Re: Winlogon.exe and explorer.exe is infected
« Reply #31 on: October 25, 2010, 06:28:22 PM »
Yes, he has the tools and importantly the skills to get to the bottom of it.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Winlogon.exe and explorer.exe is infected
« Reply #32 on: October 25, 2010, 09:46:47 PM »
This is a more resilient version now - so we will have to work a different way.  If the recovery console was  installed we could work from there - but as it is we will now have to work outside of windows. 

First confirm that both files are still present on the C drive

Please print these instruction out so that you know what you are doing

OTLPEStd.exe
MD5=107440596207871822220183734CF7C4
98,217,771bytes / 93.6MB


  • Download OTLPEStd.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPEStd.exe and this will then open imgburn  to burn the file to CD

  • Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads  :) 
  • Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved  in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive. 
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #33 on: October 26, 2010, 01:56:37 PM »
Thanks for your post essexboy, I shall do as u said and let you know how it goes.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Winlogon.exe and explorer.exe is infected
« Reply #34 on: October 26, 2010, 09:47:53 PM »
Actuall I just realised that rather than run a scan and posting back and forth.  Ensure that winlogon and explorer are on your root c drive 

When you run OTLPE

Run OTLPE
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :Files
    C:\windows\explorer.exe|C:\explorer.exe /replace
    C:\windows\system32\winlogon.exe|C:\winlogon.exe /replace 

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89249
  • No support PMs thanks
Re: Winlogon.exe and explorer.exe is infected
« Reply #35 on: October 26, 2010, 10:31:55 PM »
That seems to be a much tidier option ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Winlogon.exe and explorer.exe is infected
« Reply #36 on: October 26, 2010, 11:37:07 PM »
I usually get there eventually  ;D

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #37 on: October 27, 2010, 12:07:58 AM »
Hi Essexboy,
Thanks god we both r online. How do i run OTPLE? when i double clicked OPTLEstd.exe it asked if i wanted to burn it to a cd. I burned it and when i open the cd file there is reatogomenu.exe. i double clicked it but didnt see anything like custom scan/fix. should i reboot the system as you and use the boot cd as you said? or is there any other way that am missing?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Winlogon.exe and explorer.exe is infected
« Reply #38 on: October 27, 2010, 12:11:42 AM »
The CD is a boot CD, what that means is you place it in your CD drive and then change the BIOS boot sequence to CD first.  It will then use the CD as a boot drive, completely bypassing your hardrive and windows.  Once loaded there will be a copy of OTL on the desktop   

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #39 on: October 27, 2010, 12:38:47 AM »
When i rebooted my device using the boot cd, it loaded a reatogo desktop as u said. i clicked OTLPE.exe, it asked me to select the folder to be scanned and when i selected, it said "target folder must be windows 2000 or later". After which the scan aborted.

Am using an windows XP sp3. I dont know what it means my windows 2000 or later.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Winlogon.exe and explorer.exe is infected
« Reply #40 on: October 27, 2010, 09:26:26 PM »
When it asks for the folder to be scanned select the windows folder and it should work

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #41 on: October 28, 2010, 04:35:42 AM »
OMG

Essexboy,
I did as u said (i.e., chose windows folder and opened OTLPE. I ran clicked "run fix" after opening the file
:Files
C:\windows\explorer.exe|C:\explorer.exe /replace
C:\windows\system32\winlogon.exe|C:\winlogon.exe /replace

in "custom scan" box. It asked me to reboot. but i cant go to my desktop after reboot. it shows the startup msg and goes until "windows xp" and then goes back to startup msg again.

Also when i tried re-inserted the boot cd (OPTLEstd) and opened OTPLE it said the registry file has been deleted during reboot

What should I do?is there any way to go in? or is that it?
« Last Edit: October 28, 2010, 08:16:49 AM by jeith »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Winlogon.exe and explorer.exe is infected
« Reply #42 on: October 28, 2010, 08:54:17 PM »
Run OTLPE again please

this time run a scan with the following pasted into the custom scans box

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
/md5stop
%systemroot%\*. /mp /s


Then post the log that produces

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #43 on: October 29, 2010, 04:12:45 AM »
Hi essexboy,
Here is the log of it.and i cant go to my desktop.

I badly need my laptop back in shape asap mate..please help me out..i cant do any of my uni work.
« Last Edit: October 29, 2010, 04:26:06 AM by jeith »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Winlogon.exe and explorer.exe is infected
« Reply #44 on: October 29, 2010, 08:56:20 PM »
Hmm I do not know how you did this - but this is the problem

<
Quote
MD5 for: EXPLORER.EXE >
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe\explorer.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe\winlogon.exe

Using OTLPE go in to windows explore and change the above two files to read

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe


If after doing that and it does not reboot, then run OTLPE again with these scans

/md5start
explorer.exe
winlogon.exe
userinit.exe
/md5stop