My windows explorer is being a PITA

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by 424242424242424, Apr 28, 2007.

  1. 424242424242424

    424242424242424 Private E-2

    Last night I was hit with a few pop ups that most likely started some scripts on my computer. The computer boots all the way up to the desktop, icons and all, then after virus protection and other programs launch an unknown program causes my windows explorer to not function. It boots then closes like 3-4 times in 3 second increments (like my computer is trying to fight but gives in), then explorer stops booting all together. I have no desktop icons, no task bar, no right click and no start menu. The only way I can move around on my computer is by ctrl + alt + del. If I try to open explorer using WTM it starts the boot and close process back over again for a few seconds, leaving nothing but a background behind. Everything else seems to be okay. I have one more problem, but I will get into that later.

    system:
    dell inspiron 9300

    Windows Xp sp2 with all the security updates.
    1g of ram
    1.6ghz intel cpu
    256mb video card
    80gb hard drive

    Things that I tried

    >Ran Hijack 1.99 and cleaned obvious threats; a few of them will not delete.
    >Tried to delete 2 keys in regedit, but they return after I delete them.
    >Tried running in safe mode, but computer performance is horrible.
    >Ran McAfee v8 and found nothing.
    >Ran Adware 1.6r and found nothing but cookies.
    >Tried to delete a certain file in command prompt, but couldn't because "It was being used by another application."

    I have the HJT log file ready.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    HijackThis logs alone are not adequate! To the best of your ability based on your malware problems, please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED, i.e. if you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. 424242424242424

    424242424242424 Private E-2

    here it is
     

    Attached Files:

    Last edited by a moderator: Apr 30, 2007
  4. 424242424242424

    424242424242424 Private E-2

    and the other three
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you edit the log files to remove things like your user name, we cannot always make proper fixes for your problems. Especially when the fixes need to be inserted into automatic tools for removals. Please avoid doing that in the future. No one is going to learn that much about you based upon seeing a username in one of these logs files and you have to be a registered user to see them and your thread is just one among many tens of thousands. If you were so concerned about security, you should never have used a revealing name for your user account to begin with.

    Please uninstall Viewpoint Media Player as requested in step 0 of the READ ME.

    Also please do step 2 of the READ ME properly. You did not follow those instructions exactly as written.

    Also as requested in step 6 you were supposed to uninstall this very old Sun Java version: Java 2 Runtime Environment, SE v1.4.2_03

    Then update to the current Sun Java version from this link: Sun Java Runtime Environment


    Please install and name HijackThis as requested in the READ ME in step 7. You have it installed exactly where we specify not to install it, and naming it like you did only makes it look like malware. Also HijackThis logs must be from Normal Boot mode and yours is from Safe Mode. Please follow our directions. But do not get a new log yet. First run this Virtumonde aka Trojan Vundo Removal

    Now please download the new version of GetRunKey (just updated): Using GetRunKey

    Now attach:
    • the log from VundoFix
    • a new GetRunKey log
    • a new ShowNew log
    • a new HJT log
     
    Last edited: Apr 30, 2007
  6. 424242424242424

    424242424242424 Private E-2

    I will get on what you ask and try to post by 10pm tonight.

    I made some progress and got my Desktop back.

    From the start I've been trying to get rid of the "gebcb.dll" and "efccbxw.dll" because I knew they are the problem. They will not go anywhere, so I went ahead and blocked them with my McAfee Unwanted Programs Policy. After doing that my desktop came back.

    They are still on my computer and fighting tough because my CPU is sluggish and running at 100%. So there is still work to be done. I might go ahead and unblock them to get my computer performance back. Maybe I will leave them blocked and reboot; since everything on my computer boots in the order that it was installed and the malware/trojan/worm/etc. is last, my antivirus software might be able to stop it before it initiates.

    man this is slow.....
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No!!! You need to follow my directions only and nothing else or you will interfere with proper removal.
     
  8. 424242424242424

    424242424242424 Private E-2

    Last night before I shut down I ran "vundo fix" and killed the 2 processes mentioned. The computer seems to be fine now. I checked the registry for the 2 .dll files and they were no longer there. I'm gonna do that last thing you ask tonight.

    Here was the new HJT log you can compare to the previous post.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The last thing I asked for contains requests for the below logs. You need to follow all the instructions in message # 5 and attach the below logs as requested, and do not edit or add your comments to any of the logs! You are not finished removing this malware yet!!
    • the log from VundoFix
    • a new GetRunKey log - make sure you have the new version as requested.
    • a new ShowNew log
    • a new HJT log
     
  10. 424242424242424

    424242424242424 Private E-2

    I did not remove the Viewpoint Media Player and MyWay Search Assistant. The Viewpoint is a part of my AIM. If I delete VMP it will return because I still have AOL/AIM instant message software on my computer. MyWay was on my computer from Dell, I don't know what it really does. Before I delete MyWaySA I just want to make sure that this is not the program that pops up additional information on highlighted/underlined words on various webpages. Can you tell me the risk of both of them?

    I have the 4 log files that you asked for ready; do you want me to take care of this first or go ahead and post the current log files? It did say "recommended" and not "must/mandatory" in the read me for deletion of these rogue files.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not necessarily true. I remove them all the time and they typically only come back when my sons reinstall AIM or install a new version. Also Viewpoint is considered a form of malware and should be removed. This is why a tool like this ViewpointKiller was created and why it is in an antispyware download folder. In fact you should run ViewpointKiller.

    MyWay is malware and thousands of people screamed at Dell about their stupidity of putting this on their PCs. At first Dell denied it was a problem but then eventually they even gave removal steps. If this was not malware, it should have been easily removable just by going to Add/Remove Programs and uninstalling it. But that did not work. Thus, the behavior is that of malware and MyWay (there are about 10 or so different names) is classified as malware, and that is why you also see a bunch of them listed in the link in step 0 of the READ ME to be uninstalled! Are you saying you like having all those words underlined/highlighted??? If so, you are the first! Everyone else has come here complaining about them. If you want to keep this that's fine, it's your PC. Just be aware that it is defined like this:
    which means it is classified as adware which is a sub-category of the blanket term malware.


    You need to make sure you have followed all of my instructions, and then get new logs and attach them. We only say recommended at the end for Messenger Plus because some people insist on keeping this scourge of the internet. Most of what is in that list really should be mandatory for removal. That list begins with the below statement and it does not say recommended.
     
  12. 424242424242424

    424242424242424 Private E-2

    Viewpoint is gone. MyWaySA was removed, but as I suspected I was able to see it in my add/remove list.

    Here are 2 of 4 logs you asked for.
     

    Attached Files:

  13. 424242424242424

    424242424242424 Private E-2

    and the other two
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's continue with your cleanup by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    After clicking Fix, exit HJT.


    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!


    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\WINDOWS\system32\bcbeg.bak1
    C:\WINDOWS\system32\bcbeg.bak2
    C:\WINDOWS\system32\bcbeg.tmp
    C:\WINDOWS\system32\bcbeg.ini
    C:\WINDOWS\system32\bcbeg.ini2
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if you do get this message, please let me know!)

    If Killbox does not reboot just reboot your PC yourself.

    Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
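The fix list above shows the HijackThis line types this thread turns on: hijacked R0/R1 start pages and O4 Run entries, plus the randomly named system32 DLLs the poster reported (gebcb.dll, efccbxw.dll) and the reversed-name bookkeeping files in the Killbox list (bcbeg.ini, bcbeg.bak1, ...). The following script is an added example for this page, not a tool from the thread or from MajorGeeks: it triages HJT-style lines for that Vundo pattern. The two O4 lines and the R0 line are quoted from the fix list; the O2/O20 lines, the placeholder CLSIDs, the allowlists and the name heuristic are constructed assumptions.

```python
"""Triage HijackThis-style log lines for the pattern this thread is about: a
Virtumonde/Vundo DLL with a random-looking name in system32, hooked in through a
BHO (O2), a Winlogon Notify subkey (O20) or a Run key (O4), next to a hijacked
IE start page (R0/R1).

Added example, not a tool from the thread.  The two O4 lines and the R0 line are
quoted from chaslang's fix list; the O2/O20 lines are constructed around the file
names the poster reported (gebcb.dll, efccbxw.dll), with placeholder CLSIDs.
The allowlists are assumptions and the name heuristic is exactly that."""
import re
from typing import Dict, List, Optional

# Constructed sample log in HijackThis syntax (see module docstring for provenance).
SAMPLE_LOG = "\n".join([
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {CLSID-A} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {CLSID-B} - C:\WINDOWS\system32\gebcb.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"',
    r"O20 - Winlogon Notify: efccbxw - C:\WINDOWS\SYSTEM32\efccbxw.dll",
    r"O20 - Winlogon Notify: Schedule - C:\WINDOWS\system32\wlnotify.dll",
])

# Winlogon Notify subkeys on a stock Windows XP SP2 install (assumed allowlist;
# vendor utilities such as graphics drivers legitimately add a few more).
STOCK_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Home pages you consider acceptable on this machine (assumed, site-specific choice).
TRUSTED_HOME_PAGES = {"about:blank", "http://www.majorgeeks.com/"}

PATH_RE = re.compile(r'[A-Za-z]:\\[^"*?<>|]+?\.(?:dll|exe)', re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Heuristic for Vundo-style names (gebcb, efccbxw, bcbeg): 5-9 lowercase
    letters, no digits, at most one vowel per five letters.  It hits some
    legitimate names too, so triage() only applies it to DLLs under system32."""
    if not re.fullmatch(r"[a-z]{5,9}", stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) <= 0.2


def target_path(line: str) -> str:
    """Last DLL/EXE path on the line, or '' when there is none (R0/R1 lines)."""
    paths = PATH_RE.findall(line)
    return paths[-1] if paths else ""


def companions(stem: str) -> List[str]:
    """Candidate bookkeeping files named with the DLL stem reversed: the Killbox
    list in this thread (bcbeg.bak1, bcbeg.ini, ...) is gebcb.dll read backwards.
    Treating that as a family trait is an assumption; these are places to look,
    not proof."""
    rev = stem[::-1]
    return [rf"C:\WINDOWS\system32\{rev}.{ext}" for ext in ("bak1", "bak2", "tmp", "ini", "ini2")]


def _finding(line: str, severity: str, reason: str,
             related: Optional[List[str]] = None) -> Dict[str, object]:
    return {"line": line, "severity": severity, "reason": reason, "companions": related or []}


def triage(log: str) -> List[Dict[str, object]]:
    """Walk HJT lines and return findings in log order."""
    findings: List[Dict[str, object]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        path = target_path(line)
        fname = path.rsplit("\\", 1)[-1].lower()
        stem = fname.rsplit(".", 1)[0]
        in_system32 = "\\system32\\" in path.lower()

        if kind in ("R0", "R1"):
            url = line.split("=", 1)[1].strip()
            if url.lower() not in TRUSTED_HOME_PAGES:
                findings.append(_finding(line, "medium", f"IE start/default page points at {url}"))
        elif kind in ("O2", "O4", "O20") and in_system32 and fname.endswith(".dll") and looks_random(stem):
            findings.append(_finding(line, "high",
                                     f"random-looking DLL {fname} loaded from system32 via {kind}",
                                     companions(stem)))
        elif kind == "O2" and "(no name)" in line:
            findings.append(_finding(line, "medium", "BHO registered without a name"))
        elif kind == "O20":
            subkey = line.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if subkey not in STOCK_WINLOGON_NOTIFY:
                findings.append(_finding(line, "low", f"non-stock Winlogon Notify subkey {subkey}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['reason']}")
        for c in f["companions"]:
            print("    also check:", c)
```

On the sample the R0 line, the unnamed BHO in system32 and the Winlogon Notify DLL are flagged, while the QuickTime and Java O4 entries are not; chaslang still had those two removed, which is a reminder that a clean triage result is a starting point for the human review, not a substitute for it.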
     
  16. 424242424242424

    424242424242424 Private E-2

    That was supposed to do the opposite, going by its name. I was hesitant to use that script when my explorer was not working. It is downloaded with the name "startmenusubfolders.vbs" but finally when I decided to run it, a message popped up saying my start menu and sub folders are now disabled. I downloaded it because I thought it was a fix for the "no windows explorer" problem that I was having with my computer. It was from that website Kelly's Korner Tweaks and Fixes. That was a noobie move :eek:

    So do I need to go back to the default setting?

    Will the restricted website list delete if I reset my web settings?
     
  17. 424242424242424

    424242424242424 Private E-2

    I get this when I open GetRunkey "Error: The system was unable to find the specified registry key or value"

    Status

    My computer seems fine now, works like new. I will keep using it to give you more feedback.

    It seems like the SQL Slammer/Blaster worm (the other problem that I hinted at in the first post) that I get hit with is gone too.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! A value of "1" activates the policy and a value of "0" or just deleting the registry subkey deactivates the policy.

    I cannot answer that! What I asked was did you set this up? Now I have to ask is this what you wanted to do? If not, then yes we need to remove that policy setting.


    No!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not a problem! You could get a few of them. All it means is that a registry key being checked for does not exist which is okay! If it did exist, the log would show it and then we would check what the contents of the key was to see if it was a problem.


    The cleanup with Pocket Killbox did not work. You must have received the PendingFileRename Operations error I said you should tell me about.


    Run Windows Explorer and manually locate and delete the below files:
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\WINDOWS\system32\bcbeg.bak1
    C:\WINDOWS\system32\bcbeg.bak2
    C:\WINDOWS\system32\bcbeg.tmp
    C:\WINDOWS\system32\bcbeg.ini
    C:\WINDOWS\system32\bcbeg.ini2


    Don't worry about things you may see in C:\!Killbox they are backups from PocketKillbox and my final steps will remove them once we get to that point. (We are almost there!)

    After deleting the above files, attach a new log from ShowNew.
     
  20. 424242424242424

    424242424242424 Private E-2

    No I did not get the Operations error when using it. but when Pkb rebooted I went to the c:/!killbox file and saw that it still had these backups:

    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\WINDOWS\system32\bcbeg.bak1
    C:\WINDOWS\system32\bcbeg.bak2
    C:\WINDOWS\system32\bcbeg.tmp
    C:\WINDOWS\system32\bcbeg.ini
    C:\WINDOWS\system32\bcbeg.ini2

    I went ahead and manually deleted as directed, then ran a search to make sure there were no multiples on my computer.

    Here is the gEtnew log.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  22. 424242424242424

    424242424242424 Private E-2

    My computer is working fine now.
    Everything is deleted and I am about to flush my system restore.

    I have a few questions

    1) Ever since I've connected to the web, 11-11-05, I've been getting attacked by the SQL Slammer worm. My firewall blocks it every time, but I'm still wondering why I get hit with it regularly? Is there some type of vulnerability in my computer or is there some type of weakness that hackers are exploiting in my ISP?

    2)The "NoStartMenuSubFolders"
    I read the link but didn't understand how to go back to the default setting.
    What is the best way to change back the original setting.

    3) I read the "How to Protect yourself from malware!" link. I didn't see anything that can prevent popups. The popups are responsible for what happened this weekend.

    4) Also, from the action that I carried out in post 7, after downloading the vundo.exe that was directed, I realized that I used an older version of vundofix.exe to kill off the 2 processes. The log is below.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure! Do you have all of your Windows & Office updates (step 1 of the How to protect thread)? Do you or did you ever use SQL Server? Do you have a log showing exactly what it blocked?

    Have you read things like the below:
    http://www.cert.org/advisories/CA-2003-04.html
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-012502-3306-99
    http://www.google.com/search?q=SQL+slammer&hl=en&start=10&sa=N

    Like this!

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Popups are not really malware in themselves. If you click on them and make the wrong choices of what to click on, that is discussed in the how to protect thread. Your browser (if you use Firefox as suggested in the How to protect link) and your firewall can normally also block popups. There are other popup blockers available but I personally don't see them as being necessary. I don't find popups to be a problem.

    This does not matter now as far as I can tell but in the future make sure you are using the links we give you for tools. Never assume you already have the correct version. Tools can sometimes change daily.
     
  24. 424242424242424

    424242424242424 Private E-2

    I didn't get that fixME.reg to work, could not merge.

    SQL Server, I don't know what it is, so I most likely never used it. Is MSDE something that I can disable in Administrative Tools - Services?
    This is a partial amount of the log file because it was too large to upload.
     

    Attached Files:

    Last edited: May 3, 2007
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why not? What message did you receive?


    Does the info in the below link look familiar to you. Do you access websites in China? How about for gaming or cheats....etc?

    http://www.dshield.org/ipinfo.html?ip=220.248.243.034


    There was only one hit from that address in the log. This really may not be an issue. It could just be your firewall doing its normal job. Things like this happen all the time once hacker sites have obtained your IP address. This is why having a router with a hardware firewall and a software firewall too are so important.
     
  26. 424242424242424

    424242424242424 Private E-2

    With the fixME.reg this is the message that I get,

    "cannot import C:\Doc.&Sett.....\.....\desktop\text\fixME.reg:The specified file is not a registry script. You can only import binary registry files from within the registry editor."

    With the Sql the link that you posted is the data I see when I run a trace in my firewall. I play various online games, I use gamespy and battle.net and I used Imesh as my P2P server in the past.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That means you did not save the file properly. Double check the steps and follow them exactly. Make sure you do not have a blank line above the REGEDIT4 line.

    Yes I know it is the IP address from your firewall. I got it from your log. I'm just telling you that the IP address is for a site in China. Thus if you have accessed sites there while playing your games or using P2P applications...etc., someone may have your IP address and is trying to get to you. Your firewall is doing its job and is blocking the incoming attack. Just like all the other incoming items you see being blocked. When you play online games and use P2P, you are opening up incoming ports to your PC and are susceptible to attacks. This is something you chose to do. No matter how much protection you have, it cannot protect you from things you choose to do on your own.

    iMesh is malware and should never be used.
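Two mechanics from the exchange above are worth seeing in code: chaslang's note in message 18 that a value of 1 activates the NoStartMenuSubFolders policy while 0 or deleting the value deactivates it, and the "not a registry script" error in messages 26 and 27, which regedit gives when anything (even a blank line) sits above the REGEDIT4 header. The following is an added example for this page, not the fixME.reg chaslang posted (its text did not survive here): a small checker that validates a hand-written .reg script and spells out what it would change. The policy key path, the sample scripts and the file-name check are assumptions; the thread never shows the key path.

```python
"""Check a hand-written REGEDIT4 / 'Windows Registry Editor Version 5.00' script
before merging it, and spell out what it will do.

Added example for this thread, not the fixME.reg chaslang posted (that text is not
reproduced on the page).  It models two things discussed above: a value of 1 turns
the NoStartMenuSubFolders policy on, 0 or deleting the value turns it off; and
regedit answers "The specified file is not a registry script" when anything, even a
blank line, precedes the header.  POLICY_KEY is an assumption about where Explorer
policy values live; the thread never shows the path."""
import re
from typing import List, Tuple

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
ROOTS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^(?P<name>@|"(?:[^"\\]|\\.)*")='
    r'(?P<data>-|"(?:[^"\\]|\\.)*"|dword:[0-9A-Fa-f]{8}|hex(?:\([0-9A-Fa-f]+\))?:.*)$'
)

# Assumed location of the Explorer policy values (not shown anywhere in the thread).
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def _script(*lines: str) -> str:
    # Notepad on XP writes CRLF line endings; the samples keep that.
    return "\r\n".join(lines) + "\r\n"


# Constructed samples: the policy turned off, the value deleted, and two broken files.
FIX_POLICY_OFF = _script("REGEDIT4", "", f"[{POLICY_KEY}]", '"NoStartMenuSubFolders"=dword:00000000')
FIX_POLICY_DELETE = _script("REGEDIT4", "", f"[{POLICY_KEY}]", '"NoStartMenuSubFolders"=-')
BROKEN_LEADING_BLANK = "\r\n" + FIX_POLICY_OFF      # the mistake reported in message 26
BROKEN_DWORD = _script("REGEDIT4", "", f"[{POLICY_KEY}]", '"NoStartMenuSubFolders"=dword:0')


def _lines(text: str) -> List[str]:
    # Accept CRLF or LF and drop a BOM that Notepad may prepend when saving as Unicode.
    return text.lstrip("\ufeff").replace("\r\n", "\n").split("\n")


def validate_reg_script(text: str) -> List[str]:
    """Return the problems regedit would trip over; an empty list means it should merge."""
    errors: List[str] = []
    lines = _lines(text)
    if lines[0].strip() not in HEADERS:
        errors.append("line 1: the first line must be REGEDIT4 or "
                      "'Windows Registry Editor Version 5.00'; a blank line or other text "
                      "above the header makes regedit report 'not a registry script'")
    in_key = False
    continuing = False      # inside a hex: value wrapped with trailing backslashes
    for no, raw in enumerate(lines[1:], start=2):
        line = raw.rstrip()
        if continuing:
            continuing = line.endswith("\\")
            continue
        if not line or line.startswith(";"):
            continue
        key = KEY_RE.match(line)
        if key:
            root = key.group("path").split("\\", 1)[0]
            if root not in ROOTS:
                errors.append(f"line {no}: unknown root key {root!r}; use the full HKEY_* name")
            in_key = True
            continue
        value = VALUE_RE.match(line)
        if value:
            if not in_key:
                errors.append(f"line {no}: value appears before any [key] line")
            continuing = value.group("data").startswith("hex") and line.endswith("\\")
            continue
        if "=dword:" in line:
            errors.append(f"line {no}: dword data must be exactly 8 hex digits: {line!r}")
        else:
            errors.append(f"line {no}: not a key, value or comment: {line!r}")
    return errors


def describe(text: str) -> List[Tuple[str, str, str, str]]:
    """Translate a script into (action, key, value name, data) tuples so its effect
    can be read before merging: 'delete_key', 'delete_value' or 'set'."""
    actions: List[Tuple[str, str, str, str]] = []
    key = ""
    for raw in _lines(text)[1:]:
        line = raw.rstrip()
        k = KEY_RE.match(line)
        if k:
            key = k.group("path")
            if k.group("minus"):
                actions.append(("delete_key", key, "", ""))
            continue
        v = VALUE_RE.match(line)
        if v and key:
            name = "(Default)" if v.group("name") == "@" else v.group("name")[1:-1]
            data = v.group("data")
            actions.append(("delete_value", key, name, "") if data == "-" else ("set", key, name, data))
    return actions


def saved_as_reg(filename: str) -> bool:
    """Notepad with 'Save as type' left on Text Documents produces fixME.reg.txt,
    which regedit never sees as a script; the READ ME's 'all files' step avoids that."""
    return filename.lower().endswith(".reg")


if __name__ == "__main__":
    for name, text in (("good", FIX_POLICY_OFF), ("leading blank", BROKEN_LEADING_BLANK)):
        print(name, "->", validate_reg_script(text) or describe(text))
```

Both fix variants pass validation; the copy with a blank first line fails on line 1 with the same complaint regedit makes, and the `dword:0` variant fails because REG_DWORD data must be written as eight hex digits.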
     
  28. 424242424242424

    424242424242424 Private E-2

    I got the fixME.reg to work.

    I guess that's everything now. Thank you for helping me fix my computer.

    My computer seems to be at a safe point that I would like to keep it at, I'm going to disable/enable my system restore. Is it ok to do this now?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Follow the steps below in the order written, this System Restore step is covered.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  30. 424242424242424

    424242424242424 Private E-2

    I followed steps 1-8, then reset my system restore by turning it off/on. Now I'm going through step 10.

    Again thank you for all the help sir.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
