Winlogon.exe and explorer.exe is infected

[jeith]

Well David I tried tat as well..same results...waiting for essexboy

[DavidR]

Yes, he has the tools and importantly the skills to get to the bottom of it.

[essexboy]

This is a more resilient version now - so we will have to work a different way.  If the recovery console was  installed we could work from there - but as it is we will now have to work outside of windows. 

First confirm that both files are still present on the C drive

Please print these instruction out so that you know what you are doing

OTLPEStd.exe
MD5=107440596207871822220183734CF7C4
98,217,771bytes / 93.6MB

• Download OTLPEStd.exe to your desktop
  
• Ensure that you have a blank CD in the drive
• Double click OTLPEStd.exe and this will then open imgburn  to burn the file to CD
  
  
• Reboot your system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here

• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads   
• Your system should now display a Reatogo desktop.

Note : as you are running from CD it is not exactly speedy

• Double-click on the OTLPE icon.
  
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
  
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  
• OTL should now start.
• Press Run Scan to start the scan.
  
• When finished, the file will be saved  in drive C:\OTL.txt
  
• Copy this file to your USB drive if you do not have internet connection on this system.
• Right click the file and select send to : select the USB drive. 
• Confirm that it has copied to the USB drive by selecting it
• You can backup any files that you wish from this OS
• Please post the contents of the C:\OTL.txt file in your reply.
  

[jeith]

Thanks for your post essexboy, I shall do as u said and let you know how it goes.

[essexboy]

Actuall I just realised that rather than run a scan and posting back and forth.  Ensure that winlogon and explorer are on your root c drive 

When you run OTLPE

Run OTLPE

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :Files
  C:\windows\explorer.exe|C:\explorer.exe /replace
  C:\windows\system32\winlogon.exe|C:\winlogon.exe /replace 
  

  
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

[DavidR]

That seems to be a much tidier option

[essexboy]

I usually get there eventually 

[jeith]

Hi Essexboy,
Thanks god we both r online. How do i run OTPLE? when i double clicked OPTLEstd.exe it asked if i wanted to burn it to a cd. I burned it and when i open the cd file there is reatogomenu.exe. i double clicked it but didnt see anything like custom scan/fix. should i reboot the system as you and use the boot cd as you said? or is there any other way that am missing?

[essexboy]

The CD is a boot CD, what that means is you place it in your CD drive and then change the BIOS boot sequence to CD first.  It will then use the CD as a boot drive, completely bypassing your hardrive and windows.  Once loaded there will be a copy of OTL on the desktop   

[jeith]

When i rebooted my device using the boot cd, it loaded a reatogo desktop as u said. i clicked OTLPE.exe, it asked me to select the folder to be scanned and when i selected, it said "target folder must be windows 2000 or later". After which the scan aborted.

Am using an windows XP sp3. I dont know what it means my windows 2000 or later.

[essexboy]

When it asks for the folder to be scanned select the windows folder and it should work

[jeith]

OMG

Essexboy,
I did as u said (i.e., chose windows folder and opened OTLPE. I ran clicked "run fix" after opening the file
:Files
C:\windows\explorer.exe|C:\explorer.exe /replace
C:\windows\system32\winlogon.exe|C:\winlogon.exe /replace

in "custom scan" box. It asked me to reboot. but i cant go to my desktop after reboot. it shows the startup msg and goes until "windows xp" and then goes back to startup msg again.

Also when i tried re-inserted the boot cd (OPTLEstd) and opened OTPLE it said the registry file has been deleted during reboot

What should I do?is there any way to go in? or is that it?

[essexboy]

Run OTLPE again please

this time run a scan with the following pasted into the custom scans box

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
/md5stop
%systemroot%\*. /mp /s


Then post the log that produces

[jeith]

Hi essexboy,
Here is the log of it.and i cant go to my desktop.

I badly need my laptop back in shape asap mate..please help me out..i cant do any of my uni work.

[essexboy]

Hmm I do not know how you did this - but this is the problem

<

MD5 for: EXPLORER.EXE >
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe\explorer.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe\winlogon.exe

Using OTLPE go in to windows explore and change the above two files to read

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe

If after doing that and it does not reboot, then run OTLPE again with these scans

/md5start
explorer.exe
winlogon.exe
userinit.exe
/md5stop