Can't double click to launch programs from windows explorer

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Diggity Dawg, Mar 22, 2005.

  1. Diggity Dawg

    Diggity Dawg Private E-2

    I am trying to clean up my sister's computer and I need some help. She was having all kinds of pop ups and problems with her computer due to spyware and malware. I followed all the instructions in the READ ME post and deleted well over 500 assorted viruses and spyware.

    One problem persists - any time I try to double click on a folder or attempt to double click to open or execute a file from windows explorer I get the following error message with windows 2000 professional:

    "Opening a file from this location may not be safe and is not allowed with your current security settings."

    I still think it's a virus or spyware, because the problem does not persist if I boot in Safe Mode. I can still get to things using the Run feature from the start menu, but it is very cumbersome. I searched the forums here, and the web, but I couldn't find anyone with the same problem. Has anyone had this problem or know how I can fix it????


    PS - thanks for the About:Blank advice - I used it to get rid of that monster on my home computer!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Diggity Dawg

    Diggity Dawg Private E-2

    Thanks for the response - sorry it took me so long to get back to you.

    I just want to make sure you have enough information, sorry if the following is overkill:

    The problem seems to be getting worse. Still can't double click to launch anything from Windows Explorer and now I cannot open IE. IE starts to open to google, and then automatically shuts itself down in a blink. I tried to reboot, and it did the same thing - so I ran Adaware and spy bot. All of the items that I removed yesterday before I sent you the first email were back. Both pieces of software were unable to remove some of the items. Since I can't get the Internet over at her house - I ran HT and brought the log back to my house to send it to you.

    Your advice will be gratefully received.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you notice how out of date the version of IE is? MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
    No wonder you are having problems. This is a huge security problem. After we fix the current problems, this needs to be resolved immediately.

    First please go to Add/Remove programs and look for uninstalls to the below and uninstall if found:
    Neo Toolbar or Toolbar
    WeatherBug
    P2P Networking
    Media Access

    Also if you do not use Viewpoint or Viewpoint Manager (stuff that AOL sneaks in), uninstall it too.
     
    Last edited: Mar 23, 2005
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    F:\PROGRA~1\Toolbar\TBPSSvc.exe
    F:\WINNT\system32\P2P Networking\P2P Networking.exe
    F:\WINNT\iisver.exe
    F:\WINNT\system32\TEXTEDITOR.EXE
    F:\WINNT\system32\iimkvl.exe
    F:\PROGRA~1\Toolbar\TBPS.exe
    F:\PROGRA~1\Toolbar\PIB.exe
    F:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    f:\PROGRA~1\Toolbar\radio.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://F:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://F:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - F:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - F:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [P2P Networking] F:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [cdwtmx] F:\WINNT\cdwtmx.exe
    O4 - HKLM\..\Run: [diaas] F:\WINNT\nhvq.exe
    O4 - HKLM\..\Run: [Rzvdnu] F:\WINNT\svchost.exe
    O4 - HKLM\..\Run: [iisver] F:\WINNT\iisver.exe
    O4 - HKLM\..\Run: [Windows Text Editor] TEXTEDITOR.EXE
    O4 - HKLM\..\Run: [KavSvc] F:\WINNT\system32\iimkvl.exe
    O4 - HKLM\..\Run: [Media Access] F:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [ap9h4qmo] F:\WINNT\system32\ap9h4qmo.exe
    O4 - HKLM\..\Run: [TBPS] F:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKCU\..\Run: [Weather] F:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\RunOnce: [Windows Text Editor] TEXTEDITOR.EXE
    O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - F:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - F:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - F:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c17.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - F:\PROGRA~1\Toolbar\toolbar.dll
    O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    F:\Program Files\Toolbar <--- the whole folder
    F:\WINNT\system32\P2P Networking <--- the whole folder
    F:\Program Files\AWS\WeatherBug <--- the whole folder
    F:\Program Files\Media Access <--- the whole folder
    F:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker <--- the whole folder
    F:\WINNT\iisver.exe
    F:\WINNT\system32\TEXTEDITOR.EXE
    F:\WINNT\system32\iimkvl.exe
    F:\WINNT\cdwtmx.exe
    F:\WINNT\nhvq.exe
    F:\WINNT\svchost.exe <-- delete this one but not the one in c:\winnt\system32
    F:\WINNT\system32\ap9h4qmo.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
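
Added example, not part of the original thread and not HijackThis code: a sketch of the check behind the note on F:\WINNT\svchost.exe in the post above. It parses O4 autorun lines in the format quoted there and flags entries whose image name matches a Windows system binary but sits outside system32, or that give no directory at all. The `SYSTEM_NAMES` list and all function names are assumptions made for illustration.

```python
import ntpath
import re

# HijackThis O4 (autorun) line: O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# Image path: text up to the first ".exe" that ends a token (paths may contain spaces).
EXE_RE = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)
# Assumption: short illustrative list of binaries that Windows ships in system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}

# Sample input: lines copied from the log excerpt quoted in the post above.
SAMPLE = r"""
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - F:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [P2P Networking] F:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Rzvdnu] F:\WINNT\svchost.exe
O4 - HKLM\..\Run: [Windows Text Editor] TEXTEDITOR.EXE
O4 - HKCU\..\Run: [Weather] F:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
"""

def parse_o4(line):
    """Return hive, key, value name and command for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    return dict(zip(("hive", "key", "name", "command"), m.groups()))

def image_path(command):
    """Strip arguments and quotes from a Run command; None if no .exe is found."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else None

def review(lines):
    """Yield (value name, reason) pairs for autorun entries worth a manual look."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        path = image_path(entry["command"]) if entry else None
        if path is None:
            continue
        directory, base = ntpath.split(path)  # ntpath handles backslashes on any OS
        if not directory:
            findings.append((entry["name"], "no-directory"))
        elif base.lower() in SYSTEM_NAMES and not directory.lower().endswith("\\system32"):
            findings.append((entry["name"], "system-name-outside-system32"))
    return findings

if __name__ == "__main__":
    for name, reason in review(SAMPLE.splitlines()):
        print(f"{name}: {reason}")
```

Both flags are prompts for manual review rather than verdicts: an entry without a directory is resolved through the search path, so the file it actually loads still has to be located and checked.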
     
  6. Diggity Dawg

    Diggity Dawg Private E-2

    The good news is I have access to the internet again - IE is not shutting down when I open it, and all other programs are staying open as well. The number of Pop Ups has been reduced but not eliminated. The bad news is, my sister shut down her computer last night and when I rebooted this afternoon, some of the items that you instructed to remove were gone and I couldn't kill one of the processes. I have read in other strings that these things can change on a reboot so I apologize and assure you it won't happen again.

    Couldn't Kill this process:
    F:\PROGRA~1\Toolbar\TBPSSvc.exe

    The following were not present:
    F:\PROGRA~1\Toolbar\TBPS.exe
    F:\PROGRA~1\Toolbar\PIB.exe
    f:\PROGRA~1\Toolbar\radio.exe

    After I booted in Safe Mode, the following items that I was instructed to delete were not in their folders:
    F:\WINNT\system32\iimkvl.exe
    F:\WINNT\cdwtmx.exe
    F:\WINNT\nhvq.exe
    F:\WINNT\svchost.exe

    The problem with Double Clicking to launch items still exists in Normal Mode and not in Safe Mode, and any attempt to do so initiates the same error message as posted previously.

    I have installed Windows Service Pack 4 and downloaded IE 6.0 from Microsoft since my last post. In addition, I deleted the programs that you indicated. The Toolbar program was not present. Again, thanks for all the advice and any further assistance you can offer - it has been a great help. I have attached the new HJT log.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before you run the below steps, please go back to the READ ME FIRST in the Getting Prepared section, step # 3 and double check that you have set everything as it indicates (viewing hidden files, viewing system files, etc).

    The below process and line in HJT are still there.
    Go back and repeat the process for them again.

    F:\WINNT\system32\iimkvl.exe

    O4 - HKLM\..\Run: [KavSvc] F:\WINNT\system32\iimkvl.exe
     
  8. Diggity Dawg

    Diggity Dawg Private E-2

    I killed that last running process and everything is back to NORMAL. The internet is running fine and I can launch programs directly from Windows Explorer.


    Thanks for all your help.


    Diggity Dawg
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

