Solved Google redirect and no folder options

Status
Not open for further replies.
OK, you have two important Windows system files infected, explorer.exe and winlogon.exe.
We'll have to replace those two files with healthy ones.
You don't have any replacements on your computer, so I'll provide those files.

I uploaded both files (zipped) HERE

Download both files, unzip them and paste both files into your C:\ folder

Then I want to see if you placed them correctly, so...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    explorer.exe
    winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
I'm looking online how to replace those exe files. It's not letting me delete them, and everything online is talking about using the CD's recovery console.
 
Do NOTHING other than what I told you.
I didn't ask you to replace anything.
Please, read my previous reply CAREFULLY and act accordingly.
This is a very dangerous step.
Follow my instructions to the dot!
 
SystemLook 04.09.10 by jpshortstuff
Log created at 20:34 on 13/09/2010 by Worm Jerry
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\explorer.exe --a---- 1033728 bytes [03:33 14/09/2010] [12:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\Documents and Settings\Worm Jerry\Local Settings\temp\Rar$DR01.078\explorer.exe --a---- 1033728 bytes [02:58 14/09/2010] [12:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\Documents and Settings\Worm Jerry\Local Settings\temp\Rar$DR02.484\explorer.exe --a---- 1033728 bytes [03:26 14/09/2010] [12:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\Documents and Settings\Worm Jerry\Local Settings\temp\Rar$DR04.687\explorer.exe --a---- 1033728 bytes [02:59 14/09/2010] [12:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\Documents and Settings\Worm Jerry\Local Settings\temp\Rar$DR05.562\explorer.exe --a---- 1033728 bytes [02:59 14/09/2010] [12:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\Documents and Settings\Worm Jerry\Local Settings\temp\Rar$DR12.968\explorer.exe --a---- 1033728 bytes [03:00 14/09/2010] [12:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [12:53 11/03/2009] [12:00 14/04/2008] 0154DB374C8064778BF2BFEC2E38F504
C:\WINDOWS\system32\dllcache\explorer.exe --a---- 1033728 bytes [12:53 11/03/2009] [12:00 14/04/2008] C42AE2AB7D2658BC91E497A1EB1D9D6A

Searching for "winlogon.exe"
C:\winlogon.exe --a---- 507904 bytes [03:33 14/09/2010] [08:36 21/03/2008] B8135E9ED99A0858DF535CE0A0271558
C:\Documents and Settings\Worm Jerry\Local Settings\temp\Rar$DR07.093\winlogon.exe --a---- 507904 bytes [03:18 14/09/2010] [08:36 21/03/2008] B8135E9ED99A0858DF535CE0A0271558
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:53 11/03/2009] [12:00 14/04/2008] 77F4BE7A778F6330779784D64F0DE94D

-= EOF =-
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\explorer.exe|C:\explorer.exe /replace
    C:\WINDOWS\system32\winlogon.exe|C:\winlogon.exe /replace
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Re-run SystemLook with the very same script as in my reply #26
 
McAfee keeps popping up - generic.dx!tld trojan removed in c:\windows\explorer.exe
It's having me restart and scan.
 
All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File C:\WINDOWS\explorer.exe successfully replaced with C:\explorer.exe
Unable to replace file: C:\WINDOWS\system32\winlogon.exe with C:\winlogon.exe without a reboot.
========== COMMANDS ==========


OTL by OldTimer - Version 3.2.12.0 log created on 09132010_205445

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
SystemLook 04.09.10 by jpshortstuff
Log created at 21:07 on 13/09/2010 by Worm Jerry
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [03:33 14/09/2010] [12:00 14/04/2008] B2FB3993BACB1AE3BAE599258DCFB398
C:\WINDOWS\LastGood\explorer.exe --a---- 1033728 bytes [04:03 14/09/2010] [12:00 14/04/2008] (Unable to calculate MD5)
C:\WINDOWS\system32\dllcache\explorer.exe --a---- 1033728 bytes [03:33 14/09/2010] [12:00 14/04/2008] B2FB3993BACB1AE3BAE599258DCFB398

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:53 11/03/2009] [12:00 14/04/2008] 77F4BE7A778F6330779784D64F0DE94D

-= EOF =-
 
It didn't work as planned.

Download both files again from my link and place both of them (unzipped) again in C:\ folder.

Let me know, when ready.
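
As an added example (not part of the original thread, and not code from SystemLook or OTL): a short Python check that parses the two SystemLook `:filefind` logs posted above and reports whether each system file now carries the replacement's MD5. The function names and status labels are hypothetical; the log lines are copied from the thread.

```python
import re

# One SystemLook ":filefind" result line: path, attributes, size, two
# timestamps, then an MD5 or the literal "(Unable to calculate MD5)".
LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) [-a-z]{7} \d+ bytes "
    r"\[[^\]]+\] \[[^\]]+\] "
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$")

def parse_filefind(log):
    """Map lowercased path -> MD5 (None when the tool could not hash it)."""
    found = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            md5 = m.group("md5")
            found[m.group("path").lower()] = md5.upper() if len(md5) == 32 else None
    return found

def check_replacements(before, after, pairs):
    """Compare each target's hash after the fix with the source's and its own old hash."""
    b, a = parse_filefind(before), parse_filefind(after)
    status = {}
    for target, source in pairs:
        want, old, now = b.get(source.lower()), b.get(target.lower()), a.get(target.lower())
        if want is None or now is None:
            status[target] = "unknown"
        else:
            status[target] = ("replaced" if now == want else
                              "unchanged" if now == old else "unexpected hash")
    return status

# Lines copied from the two SystemLook logs posted in the thread.
BEFORE = r"""
C:\explorer.exe --a---- 1033728 bytes [03:33 14/09/2010] [12:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [12:53 11/03/2009] [12:00 14/04/2008] 0154DB374C8064778BF2BFEC2E38F504
C:\winlogon.exe --a---- 507904 bytes [03:33 14/09/2010] [08:36 21/03/2008] B8135E9ED99A0858DF535CE0A0271558
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:53 11/03/2009] [12:00 14/04/2008] 77F4BE7A778F6330779784D64F0DE94D
"""
AFTER = r"""
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [03:33 14/09/2010] [12:00 14/04/2008] B2FB3993BACB1AE3BAE599258DCFB398
C:\WINDOWS\LastGood\explorer.exe --a---- 1033728 bytes [04:03 14/09/2010] [12:00 14/04/2008] (Unable to calculate MD5)
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:53 11/03/2009] [12:00 14/04/2008] 77F4BE7A778F6330779784D64F0DE94D
"""
PAIRS = [(r"C:\WINDOWS\explorer.exe", r"C:\explorer.exe"),
         (r"C:\WINDOWS\system32\winlogon.exe", r"C:\winlogon.exe")]

if __name__ == "__main__":
    print(check_replacements(BEFORE, AFTER, PAIRS))
```

On the thread's logs this reports `unexpected hash` for explorer.exe and `unchanged` for winlogon.exe; the latter matches OTL's message that winlogon.exe could not be replaced without a reboot.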
 
Looks like it loads up fine, then everything disappears and just my background shows and McAfee's warning about the trojan pops up that it
 
I only have my background and mouse indicator, nothing else on screen. All restarts and checkdisk were on its own.
 
There is a chance that stupid McAfee removed explorer.exe.

Press CTRL+ALT+DEL to bring up Task Manager.
Click "New task", type in:
explorer.exe
Click OK.
Is your desktop back?
 
No worries. We'll fix it.

Let's see if we can look at your computer booting from an external source.

Please download OTLPE (filesize 120,9 MB)

  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    • Note: If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Under the Custom Scan box paste this in:

    /md5start
    explorer.exe
    winlogon.exe
    /md5stop

  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.
 
We'll fix it, but it'll take a while, especially since my bed time is coming and I have to go to work tomorrow.
Just be patient and do not try anything by yourself.
That Bamital trojan you have is a nasty piece.
 