Can't open folders on desktop

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pez574, Nov 14, 2006.

  1. pez574

    pez574 Private E-2

    Please help me fix this problem. It started when I clicked an email of an unknown sender and my browser automatically closed. Now I can't access the folders on my desktop or internet explorer. I tried to run the steps required before running a log but I can't extract some of the files including getrunkey and shownew because I cannot access explorer. I also can't unhide the files because of the inability to access explorer. I have used spybot search and destroy and have a log. Please tell me if I should post the log as is without performing the steps or if there is a way I can get around all this. Any help would be greatly appreciated.

    -brian
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi, have you tried any of the steps and extracting the files in safe mode?
     
  3. pez574

    pez574 Private E-2

    Okay, I've got everything done except for running the getrunkey and shownew files. I tried extracting them in the normal mode and safe mode to no luck. I still cannot open the folders after running the other programs. Should I post the hijackthis log without these two steps or should I make an attempt at getting that added on?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please explain why you cannot run Explorer. How do you try to run (step by step)?

    Why can't you run GetRunKey or ShowNew? Are you saying you cannot extract files from a ZIP file? You should not be extracting these to your Desktop. They should be in their own folder which is not on your Desktop.

    How did you extract HijackThis from the ZIP file?

    Did you run the two Online Scanners in the READ ME? Did you run all other steps in the READ ME?
     
  5. pez574

    pez574 Private E-2

    I really can't access many of the folders like my documents, my computer, control panel, or anything like that. I go to the start menu, right click, and click explorer, but the desktop disappears for a second and then it comes back.

    As for the getrunkey and shownew files, I've put them in my downloads and have run it after installation, but the notepad opens without any text and a bunch of errors show on the black screen. I wish I could elaborate on what it says but I'm currently away from my computer. The reason I can run hijackthis is because I've had it for a little while before this virus hit me. I did run both the online scans and have completed all the other steps. I'm not really knowledgeable when it comes to computers so I'm really sorry for my vagueness or inability to describe what is really going on with my computer.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you see the error messages and workarounds given in the download links for GetRunKey and ShowNew? Are either of those messages things you are seeing? If so, use the workarounds in the download links.

    Either way attach a HijackThis log for me to look at.
     
  7. pez574

    pez574 Private E-2

    When I'm trying to install both programs, it's saying that "Grep" and many others are not recognized as an internal or external command, operable program, or batch file. The only way I can attempt to run either file is by downloading and running right away since I can't access the desktop features or many other files. I'm also not seeing the workarounds. I've attached the HijackThis log too.
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That means you did not follow the directions in the download page. You MUST extract ALL of the files from the ZIP file. You cannot run the .bat files from inside the ZIP. It will not work this way. This is explained on the download pages.

    You did not rename HijackThis as required! You have

    C:\Program Files\Hijackthis\HijackThis.exe

    You must rename it so it looks like this:

    C:\Program Files\Hijackthis\analyse.exe

    This is very important.

    Why is BitComet running?

    Your HJT log does not show any major problems. I will give you something to do below but it will not fix the problems you have been mentioning. I think to fix your problems you may have to uninstall Norton/Symantec.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\MyWaySA <--- the whole folder

    Now run CCleaner.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!
    Now reboot in normal mode
    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT
     
  9. pez574

    pez574 Private E-2

    I'm trying to rename the file but I'm not too sure I'm able to. I can't go through "my computer" and I've tried to change it through the desktop icon properties. Every time I try to change this, it says the name is not valid. I'm really limited on the different programs to access so that is why I'm guessing it's making it a little more difficult. I'm also trying to change it through the start menu, but when I click properties, the 3 tabs I'm able to choose from are general, sharing, and customizing. I'm assuming that clicking rename here will only rename the folder because that is what I originally tried but I guess the file name still came up as hijackthis.exe.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't worry about the renaming right now. Complete the other steps and look into uninstalling Norton as I suggested because based on purely your HJT log, you don't have malware. But note that a HJT log is not a good indicator of malware status.
     
  11. pez574

    pez574 Private E-2

    I want to get rid of Norton now but since I can't access the control panel, I'm kinda stuck with it. Any idea how to uninstall Norton without using the control panel? Also, I think I've gotten the getrunkey and shownew files to work. I've attached them with the hijackthis log.
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you click Start, Run, and enter APPWIZ.CPL and click OK? If so that should bring up Control Panel. And maybe you can uninstall that way.

    I also want you to do the below but if you cannot get Windows Explorer open, you will not be able to do this.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    If you can get the registry editor opened by clicking Start, Run, and entering regedit and clicking OK, then we can manually import the fixme.reg patch into the registry.
     
  13. pez574

    pez574 Private E-2

    I just got Norton off my computer. I also got access to the registry editor through run. What action should I take next to merge with the registry? Should I also wait before reinstalling norton?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well first a couple of questions! You have uninstalled Norton, right? Have you rebooted? If not, please reboot. Do you still have all the same problems?

    No, do not reinstall Norton! At least not yet!

    If you cannot run Windows Explorer to locate the fixme.reg file and double click on it, then run the Registry Editor again and click File, Import and then navigate to wherever you saved the fixme.reg file and select it then click on Open. Let me know if this works ok. You should get a message about the file being added to the registry.

    Since you now have a way to run Add/Remove programs, also uninstall the below:
    J2SE Runtime Environment 5.0 Update 3
    Java 2 Runtime Environment, SE v1.4.2_03
    MyWay Search Assistant
    Viewpoint Media Player

    We need to delete the below files if you can run Windows Explorer
    C:\WINDOWS\system32\bqoovqcq.dll
    C:\WINDOWS\system32\vnuvjhai.dll
    C:\WINDOWS\system32\xwdolabs.dll
    C:\WINDOWS\system32\thxcfg.ini

    Attach new logs from HJT and ShowNew.
     
    Last edited: Nov 19, 2006
  15. pez574

    pez574 Private E-2

    I have rebooted my computer but the same problems are still there. So I'm still unable to access explorer and delete those files. I did delete the other files from the add/remove program and got the fixme file added into the registry.
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not get all of Norton uninstalled! Go back to Add/Remove programs and uninstall Norton Security Center.

    Also let's see if any of the below are causing any problems. Uninstall the below.
    TrojanHunter 4.5
    Windows Defender


    If you click Start, Run, and enter explorer and click OK, does Windows Explorer run?
     
  17. pez574

    pez574 Private E-2

    Okay, I think I've got the rest of Norton uninstalled and rebooted the computer. I did try to get explorer through run but it reacts the same way when clicking other folders, the desktop disappears for a second then comes back. I also uninstalled trojan hunter and windows defender. I'm putting up another log if you need to see it.
     

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download and install this ExplorerXP

    Run it and use it to delete the below files:
    C:\WINDOWS\system32\bqoovqcq.dll
    C:\WINDOWS\system32\vnuvjhai.dll
    C:\WINDOWS\system32\xwdolabs.dll
    C:\WINDOWS\system32\thxcfg.ini

    Also locate C:\Program Files\HJT\HijackThis.exe using ExplorerXP and right click on it and select Rename. Rename it to Analyse.exe and then run Analyse.exe and get a new log and attach it. Also attach a new log from ShowNew.

    When did you install Internet Explorer version 7? Before or after having these problems? If before, how soon afterwards did problems begin?

    Is System Mechanic Professional 6 a paid program or free trial? I see it was only recently installed.
     
  19. pez574

    pez574 Private E-2

    Okay, I've got windows explorer installed and deleted those files. I downloaded Internet Explorer 7 a while back. Not too sure when but it was more than likely the earlier part of this year. This problem started about a couple weeks ago. I also got System Mechanic probably before summer. I'm not too sure if it's a trial or subscription because I got it from a friend.
     

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's not legal! Are you sure what your friend gave you was not infected?

    More malware showed up! (By the way you installed ExplorerXP not Windows Explorer). Let's fix this a different way now that you have HJT renamed properly, we can see another problem.

    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of caolg.dll once and then click the kill button. After you have killed all of the caolg.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of caolg.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {90166FBC-2D33-4BFC-AF33-90445D4D7FDE} - C:\WINDOWS\repair\caolg.dll
    O2 - BHO: (no name) - {D8E07B40-2A00-4584-A221-BCBD87AEB162} - C:\WINDOWS\repair\caolg.dll
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\fqwsgxoe.dll
    O20 - Winlogon Notify: caolg - C:\WINDOWS\repair\caolg.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\repair\caolg.dll
    C:\WINDOWS\system32\fqwsgxoe.dll
    C:\WINDOWS\system32\bpdmolqn.exe
    C:\WINDOWS\system32\jkgmxypy.exe
    C:\WINDOWS\system32\mybnibyf.exe
    C:\WINDOWS\system32\nspsllbo.exe
    C:\WINDOWS\system32\cnuubyrn.dll
    C:\WINDOWS\system32\fqwsgxoe.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Brian\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Now install and run a scan with AVG Free Edition

    Let me know if it finds anything (I don't want to reinstall Norton ---- at least not yet).
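
An added example, not part of the original thread and not a MajorGeeks or HijackThis tool: a small Python triage script that parses the R3, O2 and O20 HijackThis lines quoted in this thread and groups them by the file they load, so a DLL registered at several load points (here caolg.dll, as two BHOs plus a Winlogon Notify entry) stands out. The function names, flag names and heuristics are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: HijackThis lines copied from the posts in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {90166FBC-2D33-4BFC-AF33-90445D4D7FDE} - C:\WINDOWS\repair\caolg.dll
O2 - BHO: (no name) - {D8E07B40-2A00-4584-A221-BCBD87AEB162} - C:\WINDOWS\repair\caolg.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\fqwsgxoe.dll
O20 - Winlogon Notify: caolg - C:\WINDOWS\repair\caolg.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# R3 / O2 lines: "<code> - <kind>: <name> - {CLSID} - <path>[ (file missing)]"
# O20 lines:     "<code> - <kind>: <name> - <path>"
ENTRY = re.compile(
    r"^(?P<code>O20|O2|R3) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?:\{(?P<clsid>[0-9A-Fa-f-]{36})\} - )?"
    r"(?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$"
)


def parse_entries(log_text):
    """Return one dict per R3/O2/O20 line that references a file on disk."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["missing"] = bool(entry["missing"])
            entries.append(entry)
    return entries


def triage(log_text):
    """Group entries by file path and attach heuristic flags (assumptions of this example)."""
    by_file = defaultdict(lambda: {"codes": [], "flags": set()})
    for e in parse_entries(log_text):
        rec = by_file[e["path"].lower()]  # Windows paths are case-insensitive
        rec["codes"].append(e["code"])
        if e["missing"]:
            rec["flags"].add("file-missing")        # registry entry left behind, file gone
        if e["name"] == "(no name)":
            rec["flags"].add("unnamed-component")   # component registered without a display name
        if e["code"] == "O20":
            rec["flags"].add("loads-in-winlogon")   # Winlogon Notify DLLs are loaded by winlogon.exe
    for rec in by_file.values():
        if len(rec["codes"]) > 1:
            rec["flags"].add("multiple-load-points")
    return dict(by_file)


if __name__ == "__main__":
    for path, rec in triage(SAMPLE_LOG).items():
        print(path, rec["codes"], sorted(rec["flags"]))
```
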
     
  21. pez574

    pez574 Private E-2

    Things seemed pretty much fixed now! I didn't get that pendingfilerenameoperation prompt. How should I go about deleting the temp files and the documentsandsettings/brian/localsettings/temp? The AVG anti virus found trojanhorse generic but deleted it. Anything else I should do?
     

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is no longer necessary. It appears that CCleaner got everything!


    Yes delete the below folder:

    C:\Program Files\VSAdd-in


    And then if you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  23. pez574

    pez574 Private E-2

    Wow, I think I've got everything fixed. Thank you so much for taking your time and helping me fix my computer. I am sincerely grateful!

    -brian
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
