explorer.exe and winlogon.exe infected/corrupted by virus

Anonymous
2010-10-22T22:50:35+00:00

My computer got a virus that infected explorer.exe and winlogon.exe. I believe that I got rid of the virus, but the damage is done and I do NOT have a Windows XP CD.

I got my Windows XP license/CD key from my school because I am a computer science student.

My Windows is verified and I technically "own" it legitimately; however, I cannot "repair" those files because I don't have/own the physical CD.

Is there a way I can find those files, or could you provide them to me?

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

9 answers

  1. Anonymous
    2010-10-23T13:58:26+00:00

    Hi TNoD,

    Try the following steps to replace the corrupt files.

    a. Click Start, click Run, type cmd and click ok.

    b. On the command prompt, type the following and hit enter.

    expand <drive_letter>:\i386\explorer.ex_  <drive_letter>:\Windows\explorer.exe

    expand <drive_letter>:\i386\winlogon.ex_  <drive_letter>:\Windows\System32\winlogon.exe

    Note: <drive_letter> is the letter of the drive where Windows XP is loaded.

    c. If prompted to replace the files, then confirm to replace them.

    d. Restart the computer and check the difference.

    Visit our Microsoft Answers Feedback Forum and let us know what you think.

    5 people found this answer helpful.
  2. Anonymous
    2010-10-23T19:46:55+00:00

    I did try most of the Recovery Console commands; help works

    dir seems to work but can't access anything in windows or anywhere else

    I tried some other commands but it all revolved around unrecoverable errors...

    I really doubt there's anything wrong with the CD (DVD in my case, didn't have CDs lying around) but I will still see if it works on another machine.

    1 person found this answer helpful.
  3. Anonymous
    2010-10-23T19:08:55+00:00

    In that case, there is something else going on and I am not sure what to do, but will think about it.

    Was there any kind of power interruption with this system - plug pulling, power button, etc.?

    It is good that you got the CD made and booted on it though.

    See if any other Recovery Console commands work:

    help

    dir

    If not, try the CD in another system and see if you end up in the C:\WINDOWS folder (you don't have to run chkdsk - just make sure there is nothing wrong with the CD).

    Let's wait and see what other folks advise (I am not a tryer).  

    This place is swarming with Microsoft MVPs and Microsoft Support Engineers!


    Don't guess what the problem might be - figure it out and fix it. I need YOUR votes and points for helpful replies and Propose as Answers. I am saving up for a pony!

    1 person found this answer helpful.
  4. Anonymous
    2010-10-23T18:06:31+00:00

    I believe I got rid of the virus because the original virus was prompting me to "install genuine anti-virus that would help me", redirect web pages, etc. I made sure that AVG 2010 got rid of all those (installed a clean version after the virus corrupted my previous version of AVG 8.5) and it got rid of many infected files. However, it appears I did that too late, because after a few full system scans, AVG told me that C:\windows\explorer.exe and C:\windows\system32\winlogon.exe were infected with a trojan (Patched_c.JHC and Patched_c.JHH to be exact) and I would get regular popups from AVG alerting me of "multiple threats detected" about explorer and winlogon. I then decided to kill explorer.exe (from Process Explorer, and just use my computer regularly using Run) and suspended winlogon.exe and the threats stopped popping up and everything was running smoothly.

    However, now I'm posting from my laptop because this morning after another daily scan, AVG found some other infected files (from the report there were 6, 4 that looked exactly like explorer and winlogon (same location etc...) but that were not white-listed and the two usual white-listed "real" winlogon and explorer). AVG prompted me to reboot to finish the scan, so I did, and from that point on, my computer wouldn't boot.

    By not booting, I mean it simply resets at the Windows XP loading screen (infinite loop).

    Please provide additional information about your system:

    What is your system make and model? I built my computer myself... Not sure if that answers the question

    What is your XP Version and Service Pack? XP Pro SP3

    Describe your current antivirus and anti malware situation:  McAfee, Norton, Spybot, AVG, Avira!, MSE, Defender, ZoneAlarm, PC Tools, Comodo, etc.

    Working AVG Free 2010

    Does the afflicted system have a working CD/DVD drive?

    Yes

    Do you have a genuine bootable XP installation CD (this is not the same as any Recovery CDs that came with your system)?

    No. I borrowed one from my school (I still have a genuine license of my Windows XP, but I don't "own" an actual physical CD).

    What do you see that you don't think you should be seeing?

    Infected windows core files?

    What do you not see that you think you should be seeing?

    Clean windows core files?

    Fill in the blank:  My system was working fine until: October 20th 2010

    I am currently burning the iso you told me to get and trying it out.

    Thanks for the help, I'll be back as soon as it works or not :)

    edit: sorry about choosing the wrong forum section, heh

    1 person found this answer helpful.
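
The situation described in the post above (AVG flagging C:\windows\explorer.exe and C:\windows\system32\winlogon.exe as patched, plus extra same-named files) can be triaged offline by hashing every copy of those two names on the volume and comparing each with the live copy. This Python code is an added example, not part of the original thread; the function names, the `dllcache` sample layout and the fake file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Live locations as given in the thread, relative to the Windows directory.
EXPECTED = {
    "explorer.exe": "explorer.exe",
    "winlogon.exe": os.path.join("system32", "winlogon.exe"),
}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(windows_dir):
    """Hash every file named like a watched binary and compare with the live copy."""
    found = {name: {} for name in EXPECTED}
    for root, _dirs, files in os.walk(windows_dir):
        for fn in files:
            if fn.lower() in EXPECTED:  # Windows names are case-insensitive
                full = os.path.join(root, fn)
                rel = os.path.relpath(full, windows_dir).lower()
                found[fn.lower()][rel] = sha256_of(full)
    report = {}
    for name, live_rel in EXPECTED.items():
        copies = found[name]
        live = copies.get(live_rel.lower())  # None if the live file is missing
        differs = sorted(r for r, d in copies.items() if d != live)
        report[name] = {"live": live, "copies": copies, "differs": differs}
    return report

def build_sample(root):
    """Constructed sample tree (fake contents, not real binaries)."""
    sample = {
        "explorer.exe": b"patched",
        os.path.join("system32", "dllcache", "explorer.exe"): b"original",
        os.path.join("system32", "winlogon.exe"): b"same",
        os.path.join("system32", "dllcache", "winlogon.exe"): b"same",
    }
    for rel, data in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for name, r in triage(d).items():
            print(name, "live:", r["live"], "differing copies:", r["differs"])
```

A mismatch only shows that two copies differ; it does not say which one is clean, so compare the digests against a copy expanded from trusted installation media. Point `triage` at the Windows directory of the affected disk mounted read-only on another machine rather than running it on the infected system.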
  5. Anonymous
    2010-10-23T15:18:33+00:00

    Describe how you believe you got rid of the virus.

    Why do you think your explorer.exe and winlogon.exe are infected?

    If your computer will not boot, describe what happens when you try to boot.

    Please provide additional information about your system:

    What is your system make and model?

    What is your XP Version and Service Pack?

    Describe your current antivirus and anti malware situation:  McAfee, Norton, Spybot, AVG, Avira!, MSE, Defender, ZoneAlarm, PC Tools, Comodo, etc.

    Does the afflicted system have a working CD/DVD drive?

    Do you have a genuine bootable XP installation CD (this is not the same as any Recovery CDs that came with your system)?

    What do you see that you don't think you should be seeing?

    What do you not see that you think you should be seeing?

    Fill in the blank:  My system was working fine until: ________________________.

    You are going to have to boot on something, so while you are waiting, do this:

    Boot into the Windows Recovery Console using a bootable XP installation CD.

    If you have no bootable XP media (or are not sure what you have) create a bootable XP Recovery Console CD and be sure.

    This is not the same as any recovery disks that might have come with a store-bought system.

    You can make a bootable Recovery Console CD by downloading an ISO file and burning it to a CD.

    The bootable ISO image file you need to download is called:

    xp_rec_con.iso 

    Download the ISO file from here:

    http://www.mediafire.com/?ueyyzfymmig

    Use a new CD and this free and easy program to burn your ISO file and create your bootable CD:

    http://www.imgburn.com/

    Here are some instructions for ImgBurn:

    http://forum.imgburn.com/index.php?showtopic=61

    It would be a good idea to test your bootable CD on a computer that is working.

    You may need to adjust the computer BIOS settings to use the CD ROM drive as the first boot device instead of the hard disk.  These adjustments are made before Windows tries to load.  If you miss it, you will have to reboot the system again.

    When you boot on the CD, follow the prompts:

    Press any key to boot from CD...

    The Windows Setup... will proceed.

    Press 'R' to enter the Recovery Console.

    Select the installation you want to access (usually  1: C:\WINDOWS)

    You may be asked to enter the Administrator password (usually empty).

    You should be in the C:\WINDOWS folder.  This is the same as the C:\WINDOWS folder you see in explorer.

    The Recovery Console allows basic file commands like: copy, rename, replace, delete, cd, chkdsk, fixboot, fixmbr, etc.

    For a list of Recovery Console commands, enter help at the prompt.

    First verify the integrity of your file system using the chkdsk command.

    From the command prompt window run the chkdsk command on the drive where Windows is installed to try to repair any problems on the afflicted drive.

    Running chkdsk is fine even if it doesn't find any problems.  It will not hurt anything to run it.

    Assuming your boot drive is C, run the following command:

    chkdsk C: /r

    Let chkdsk finish and correct any problems it might find.  It may take a long time for chkdsk to complete or it may appear to be 'stuck'.  Be patient.  If the HDD light is still flashing, chkdsk is doing something.  Keep an eye on the percentage amount to be sure it is still making progress.  It may even appear to go backwards sometimes.

    You should run chkdsk /r again until it finds no errors to correct.


    Don't guess what the problem might be - figure it out and fix it. I need YOUR votes and points for helpful replies and Propose as Answers. I am saving up for a pony!

    1 person found this answer helpful.