OK neither of those are any good
Do you have access to a windows CD or another XPSP3 computer that we can copy the file from ?
I have XP Pro SP3 and have zipped the two files using 7zip and uploaded to mediafire, http://www.mediafire.com/?vymuqzpvkjk55rk.
Thank you David ;D
@jeith download and extract the files to your c drive i.e. C:\explorer.exe and C:\winlogon.exe
Then run the following CF script
Please open Notepad
[*]Click Start, then Run
[*]Type notepad.exe in the Run Box.
Now copy/paste the entire content of the codebox below into the Notepad window:
Fcopy::
C:\explorer.exe|C:\windows\explorer.exe
C:\winlogon.exe|C:\windows\system32\winlogon.exe
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Save the above as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
You’re welcome, hopefully jeith has 7zip, if not it is fairly easy to get hold of. There is no password applied to the Wlogon_explorer.7z file.
Thanks David and Essexboy, I have just downloaded the zipped files and shall do as Essexboy said and post the logs soon.
No problem, glad I could help.
It is almost 1am in the UK, so essexboy will be in bed now and back later tomorrow.
I have run ComboFix. Here is the log of it, and a new OTL.
But avast still says that winlogon.exe is affected.
I’m not too familiar with the combofix logs.
Did you first create and drag the CFScript.txt into combofix.exe as per essexboy’s last post ?
I thought that this would first replace the two infected files and then start the ComboFix scan, though the log still shows that the two files are still infected.
But the log does say it did run the command switches:
Command switches used :: c:\documents and settings\Jeith!\Desktop\CFScript.txt
It does say that the infected files were deleted, so I can only assume that it did replace them with the good copies, or your system wouldn’t be working without explorer.exe if it had just deleted them.
I also assume that an avast scan is no longer reporting these files as infected ?
If you run combofix again manually I guess it wouldn’t report these files as infected any longer ?
@DavidR
Yes I did as said by essexboy. Once I dragged the CFScript.txt to ComboFix.exe it said a newer version of CF is available, do you want to download it. I clicked yes and then it proceeded with the scan. At the end of the scan the CFScript.txt was no longer seen on my desktop (probably since I dragged it onto CF?).
Also as I said avast says winlogon.exe is infected but nothing about explorer.exe.
You could try to repeat the exercise, creating the CFScript.txt again but only for the winlogon.exe file, and drag and drop it again to initiate the ComboFix scan and see if it has any better success this time round.
Fcopy::
C:\winlogon.exe|C:\windows\system32\winlogon.exe
If that doesn’t work, there must be something else in the mix and it will need essexboy’s box of tricks again.
Well David I tried that as well… same results… waiting for essexboy
Yes, he has the tools and importantly the skills to get to the bottom of it.
This is a more resilient version now - so we will have to work a different way. If the recovery console was installed we could work from there - but as it is we will now have to work outside of windows.
First confirm that both files are still present on the C drive
Please print these instructions out so that you know what you are doing
OTLPEStd.exe
MD5=107440596207871822220183734CF7C4
98,217,771 bytes / 93.6 MB
[*]Download OTLPEStd.exe to your desktop
[*]Ensure that you have a blank CD in the drive
[*]Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
[*]Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
[*]As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
[*]Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
[*]Double-click on the OTLPE icon.
[*]Select the Windows folder of the infected drive if it asks for a location
[*]When asked “Do you wish to load the remote registry”, select Yes
[*]When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
[*]Ensure the box “Automatically Load All Remaining Users” is checked and press OK
[*]OTL should now start.
[*]Press Run Scan to start the scan.
[*]When finished, the file will be saved in drive C:\OTL.txt
[*]Copy this file to your USB drive if you do not have internet connection on this system.
[*]Right click the file and select send to : select the USB drive.
[*]Confirm that it has copied to the USB drive by selecting it
[*]You can backup any files that you wish from this OS
[*]Please post the contents of the C:\OTL.txt file in your reply.
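Two checks in this thread are easy to get wrong by eye: whether a downloaded tool really is the file whose MD5 was posted (the OTLPEStd.exe value above), and whether a file-replace script actually overwrote the system copy with the clean one, which is what DavidR was trying to infer from the ComboFix log. The script below is an added example and is not part of the thread, ComboFix or OTL; it only uses Python's standard library. The MD5 constant is the one posted for OTLPEStd.exe; every file path and every byte of sample content is constructed here, standing in for C:\winlogon.exe and the system32 copy, so it runs offline. On a real machine you would pass the real paths to check_pairs in the same clean|system order as the Fcopy:: lines.

```python
import hashlib
import os
import tempfile

# Published MD5 for OTLPEStd.exe, taken from essexboy's post above.
OTLPE_EXPECTED_MD5 = "107440596207871822220183734CF7C4"

CHUNK = 1 << 20  # read 1 MiB at a time; OTLPEStd.exe is ~94 MB, so never read it whole


def file_hash(path, algo="md5"):
    """Return the upper-case hex digest of a file, hashed in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def verify_download(path, expected_md5):
    """True if the file's MD5 equals the published value (case-insensitive)."""
    return file_hash(path, "md5") == expected_md5.strip().upper()


def replacement_applied(clean_copy, system_file):
    """True if system_file now has exactly the content of clean_copy.

    Size is compared first as a cheap pre-check (a same-size file can still
    differ), then SHA-256 confirms the contents are byte-for-byte identical.
    """
    if not (os.path.isfile(clean_copy) and os.path.isfile(system_file)):
        return False
    if os.path.getsize(clean_copy) != os.path.getsize(system_file):
        return False
    return file_hash(clean_copy, "sha256") == file_hash(system_file, "sha256")


def check_pairs(pairs):
    """Evaluate (clean_copy, system_file) pairs in the same order as Fcopy:: lines."""
    return {system: replacement_applied(clean, system) for clean, system in pairs}


def verify_bytes_demo(data, expected_md5):
    """Write constructed bytes to a temp file and check them against expected_md5."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    try:
        return verify_download(path, expected_md5)
    finally:
        os.remove(path)


def demo():
    """Constructed sample: a clean copy, one replaced system file and one stale one."""
    tmp = tempfile.mkdtemp()
    clean = os.path.join(tmp, "winlogon.exe")              # stands in for C:\winlogon.exe
    replaced = os.path.join(tmp, "winlogon_replaced.exe")  # system32 copy after a successful replace
    stale = os.path.join(tmp, "winlogon_stale.exe")        # copy the tool failed to overwrite
    good_bytes = b"CLEAN-WINLOGON-SAMPLE" * 4096           # constructed, not a real binary
    with open(clean, "wb") as f:
        f.write(good_bytes)
    with open(replaced, "wb") as f:
        f.write(good_bytes)
    with open(stale, "wb") as f:
        f.write(good_bytes[:-1] + b"X")  # same size as the clean copy, one byte differs
    results = check_pairs([(clean, replaced), (clean, stale)])
    return {"replaced": results[replaced], "stale": results[stale]}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'matches clean copy' if ok else 'DIFFERS from clean copy'}")
```

A size match alone is not evidence that the replace worked, which is why the stale sample is built with the same length and only a single changed byte; the hash comparison is what catches it.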
Thanks for your post essexboy, I shall do as u said and let you know how it goes.
Actually I just realised that, rather than run a scan and post back and forth, ensure that winlogon and explorer are on your root C drive.
When you run OTLPE:
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:Files
C:\windows\explorer.exe|C:\explorer.exe /replace
C:\windows\system32\winlogon.exe|C:\winlogon.exe /replace
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
That seems to be a much tidier option ;D
I usually get there eventually ;D
Hi Essexboy,
Thank god we both are online. How do I run OTLPE? When I double clicked OTLPEStd.exe it asked if I wanted to burn it to a CD. I burned it and when I open the CD there is reatogomenu.exe. I double clicked it but didn't see anything like Custom Scans/Fixes. Should I reboot the system and use the boot CD as you said? Or is there any other way that I am missing?
The CD is a boot CD, what that means is you place it in your CD drive and then change the BIOS boot sequence to CD first. It will then use the CD as a boot drive, completely bypassing your hard drive and Windows. Once loaded there will be a copy of OTL on the desktop.
When I rebooted my device using the boot CD, it loaded a Reatogo desktop as you said. I clicked OTLPE.exe, it asked me to select the folder to be scanned and when I selected it, it said “target folder must be Windows 2000 or later”. After which the scan aborted.
I am using Windows XP SP3. I don't know what it means by Windows 2000 or later.