Winlogon.exe and Explorer.exe Infected

If you can boot into the recovery console, do this:

Once you are back to the C:\Windows> prompt of the Recovery Console, input the below bold font commands one at a time each followed by the enter key.
copy D:\i386\explorer.ex_ explorer.exe
cd system32
copy D:\i386\winlogon.ex_ winlogon.exe
exit
This assumes your cd-rom drive is D:
Reboot and tell me how things are running, while I look at your other logs.

 

Your message #3 indicated that you tried to run fixboot. This indicated to me you were able to get into the recovery console. Is this not true? Do you have your Windows CD? Is the recovery console installed?

You may need to get an external disc drive to be able to fix this.

 

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  winlogon.exe
  explorer.exe
  

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

Download and save this XPsp3bu.exe to your C:\ root folder. You must do this properly. Now run the XPsp2bu.exe program by double clicking on it. You may or may not notice a quick flash of a black window. This is normal. The program runs quickly and just extracts some files we need.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

FCopy::
C:\MGtools\temp\explorer.exemg | C:\Windows\explorer.exe
C:\MGTools\temp\winlogon.exemg | C:\Windows\system32\winlogon.exe

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now attach the new combo log.

 

Combo replaced the files, but I want to double check that all is OK. Please run combo again so we can see if it is still reporting the files as infected.

 

Do you have your OS CD? We may need to have you boot into the Recovery Console. You may need to borrow an XP Home edition cd to make this work.

 

I don;t think the recovery disc will let you boot into the recovery console. I may be wrong, but we need an install disc to copy the files from the disc to the system. Can you borrow one from someone?

 

Not a problem. I will be here when you are ready. Once you have the disc, you will need to boot into the bios, change the boot order to cd-rom as first boot device, put in the disc and reboot.

Once you are back to the C:\Windows> prompt of the Recovery Console, input the below bold font commands one at a time each followed by the enter key.
copy D:\i386\explorer.ex_ explorer.exe
cd system32
copy D:\i386\winlogon.ex_ winlogon.exe
exit

Then boot back into normal mode and re-run ComboFix. Attach that log so we can see if you are clean.

 

If you can't boot in either normal or safe mode, and you have your windows installation key ( which should be on a sticker on the bottom of a laptop or the back of a tower ), you can use the disc to do a repair installation. If you need assistance with that, please post in the software forum. A repair install will not remove any malware, so you will need to come back to this thread when you are back up and running.

 

Thanks for letting me know. Glad you are back up and running.