
explorer.exe or winlogon.exe corrupted/infected


  • This topic is locked
4 replies to this topic

#1 Trexman

Trexman

  • Members
  • 6 posts

Posted 20 March 2011 - 04:53 PM

This problem appeared in mid-February. The infection happened all of a sudden and it caught me unprepared.


***Symptoms***

When I turn on Windows normally, all the icons are missing, and the 'START' bar as well. Only the background is present.
I tried bringing up the Windows Task Manager using [CTRL]+[ALT]+[DEL] & [CTRL]+[SHIFT]+[ESC] but nothing happened.
Then, I tried to fix the problem in Safe mode but even THERE the icons and the 'START' bar were missing. Luckily, I was able to bring up the Windows Task Manager. It seemed that explorer.exe had some "problems". So I copied a new explorer.exe, a healthy one, and pasted it onto the sick computer. I brought up Task Manager and there... I activated it again and the icons and the 'START' bar returned.
Excited, I thought that the problem was solved. I was wrong. When I restarted it, normally, the problem was still there.

Further info about explorer.exe

I'm not really sure but explorer.exe seems fine and works in Safe mode but not when I start Windows normally.

Have any of you heard of explorer.exe.vir?

Here's what happened: when I pasted the healthy explorer.exe onto the computer, Task Manager gave me two results of what to "activate":

C:\WINDOWS\explorer.exe

and

C:\WINDOWS\explorer.exe.vir


I'm not sure of the '.vir' one. It seemed executable but I haven't found the icon.


Further info about explorer.exe ends here



So I followed others' advice and downloaded several programs to fix it. Although there were many infected files, it still didn't make any changes.

Antivirus, antimalware, antispyware used:

-Avast Antivirus

-Malwarebytes

-SUPERAntiSpyware


*Note

SUPERAntiSpyware, after a scan, could repair some corrupted or infected programs. I selected them, clicked Repair and then it asked me to restart. I restarted and nothing was fixed.


***Repair with the Windows XP original CD***

At some point, I tried to repair using Windows' original CD. I know the obvious steps:

#1> http://web.qx.net/rburgess/storage/XPrepair/2.gif
#2> http://1.bp.blogspot.com/_C7zkkTFCD0o/TMot6kejcJI/AAAAAAAAAMM/lNsfTOcaWsU/s1600/f8.gif
#3> http://www.windowsreinstall.com/winxppro/installxpcdrepair/Image6b.gif

BUT

At the 3rd step, some "different" options appeared and there wasn't a repair option. Here's what it gave me at step #3:

http://farm1.static.flickr.com/46/124152337_d75f22de5c_o.jpg
As you can see, there isn't a Repair option.



***Restore system***

Every time I start in Safe mode, a window pops up asking me if I want to:

Windows is running in safe mode.
This special diagnostic mode of Windows enables you to fix a problem which may be caused by your network or hardware settings. Make sure these settings are correct in Control Panel, and then try starting Windows again. While in safe mode, some of your devices may not be available.

To proceed to work in safe mode, click "Yes". If you prefer to use System Restore to restore your computer to a previous state, click "No".


I've clicked "Yes", I've selected a date from December and it continued to restore the system.
It finished the restoration in short time (too short...) and when I started normally... poof, the problem was still there.
Mad, I started, again, in Safe mode and the first window to pop-up was about the restoration: it failed and no changes were made.



I've searched some more for my trouble and I've found out that another, possible, threat would be this winlogon.exe.
Without wanting to do any more stuff of my own, I came here to seek help.



***Optional request***

Please, let's keep the option to reinstall Windows as a last 'n desperate solution. What happened to me was all of a sudden, I was unprepared and I'd lose important data.




***GMER -unable to save the log-***

I have tried as much as possible to follow all the steps from the Preparation guide.
The part where I have to save the GMER log was impossible to do because:

1- The screen resolution, in Safe mode, is 640 by 480 pixels & I can't change the resolution in Safe mode

2- To save the log, I had to click the Save button but... it is too deep and I couldn't get there, even if I had to change the window's size, so to speak.



I'm sorry but I couldn't save the GMER log file.
I'll attach the other two.
Please excuse me if I had to break a step/rule but I'm very tired (it's nearly midnight) and I was in the weekend in the mountains and some hours ago I just came home.

My other topic: http://www.bleepingcomputer.com/forums/topic385614.html/page__gopid__2176535#entry2176535

Edited by Trexman, 20 March 2011 - 04:56 PM.




#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 21 March 2011 - 08:08 PM

Hello Trexman,

Let's see if ComboFix can fix this Bamital infection:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to trexman.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Trexman

Trexman
  • Topic Starter

  • Members
  • 6 posts

Posted 22 March 2011 - 06:01 PM

Okay, I understand.

Now, I wouldn't say I fear risks but I had to search a bit more about ComboFix.

Basically, I followed this video for guidance:


So, what I've understood:

1- Enter in Safe mode.
2- Uninstall or disable antivirus/antimalware/antispyware & disable the firewall.
3- Run ComboFix.
4- Wait.
5- It reboots my PC.
6- Wait a little longer for the log.
7- I install Malwarebytes, run it, full scan & delete what it finds as malware.
8- Restart because it wants to.
9- Delete ComboFix
10- That's it.
11- Post the log in here.



I'm VERY sorry for delaying the log.
Is this right? Is this what I have to follow, step-by-step?

Edited by Trexman, 22 March 2011 - 06:02 PM.


#4 Trexman

Trexman
  • Topic Starter

  • Members
  • 6 posts

Posted 25 March 2011 - 02:01 PM

Sorry for the double post.



Problem solved.
Request lock.

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 March 2011 - 02:24 PM

Thanks for letting me know. :)

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.