Windows Explorer Problems - slow down and crashing

Discussion in 'Malware Help (A Specialist Will Reply)' started by Sir Will, Oct 20, 2006.

  1. Sir Will

    Sir Will Private E-2

    Windows explorer, not IE (though it does happen when I'm using IE...). Anyway, I run Windows XP. Lately, my computer will sort of seize up, the taskbar at the bottom of the screen will disappear and reappear with the windows in a different order.

    Now, that may not sound bad, but it basically makes the computer useless for 10-15 seconds and sometimes this freezes. The bottom taskbar will just freeze. When I go into Task Manager it shows the cpu going around 100% (sometimes, not always) and things really slow down, so I have to restart. Also, it's starting to cause a lot of lag on an online game I play, Final Fantasy XI.

    I've run 3 different spyware programs and 2 anti-virus programs (all free btw) but it doesn't help. Any ideas on what might be wrong or what I should try? Maybe a virus or something my programs can't detect, I dunno. Thanks.

    Oh yeah, also for over a year now I sometimes get this popup, saying it's scanning my system or has detected a virus or something and gets me to try and get this anti-virus program from them. I forget the name.
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome


    First off you should not be running 2 Antivirus programs at the same time or even have them installed at the same time, that also goes for AntiSpyware programs that live/resident scan, they will conflict and also slow and hang your PC as both will be trying to scan the files at the same time.

    As for the popups and any other issues due to malware that may be on your PC, please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Sir Will

    Sir Will Private E-2

    Sorry, I should have looked at the site more closely. I followed all of the instructions in that thread, got rid of a fair amount of stuff too, but the problems are still there. Attached are the files you requested. I downloaded Defender but it wouldn't let me update it, so I got CounterSpy instead.
     

    Attached Files:

  4. Sir Will

    Sir Will Private E-2

    More.

    Thank you for any help you can give.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is no sense in running the scanners if you are not going to allow them to fix what they find! You told CounterSpy to ignore everything and it found a lot of problems. I could understand (but don't recommend it) you possibly ignoring the two versions of Messenger Plus that it found, but there was a load of other malware found. You need to run it again and allow it to fix this malware. Save and attach a new log. Then move on to the below.

    Please go back to step 0 of the READ ME and uninstall the items requested. Like all of the below should have been uninstalled:
    DelFin Media Viewer
    Red Swoosh EDN Client (remove only)
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    Viewpoint Toolbar (Remove Only)


    Now run the procedure in this: Using SDFix and attach the requested log.
     
    Last edited: Oct 24, 2006
  6. Sir Will

    Sir Will Private E-2

    I can't believe I missed the step in counterspy to delete the stuff, sorry.

    I really did check that list of stuff to delete, I guess I missed a few items.

    I ran the requested items, here are the logs. Once again, sorry for all the mistakes.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I see a few other issues related to steps from the READ ME. In step 3 we indicate that only one antivirus application can be installed. You have at least two and I see a folder for a third however it may have been uninstalled but the folder was not removed.

    You have the below installed:
    AntiVir/XP
    AVG Free Edition

    You must uninstall one!

    Here is the folder, I'm referring to: C:\Program Files\PC Tools Anti-Virus
    You should delete the folder since the program does not appear to be installed.


    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 8
    Java 2 Runtime Environment, SE v1.4.2

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    You have Spyware Doctor 2.1 installed. This is way out of date to be that effective in today's malware world. If this is a free trial version, uninstall it. If it is a paid version you should either update to the current version or you should still uninstall it.

    • Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to .NET Framework Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste .NET Connection Service into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    F3 - REG:win.ini: load=???
    ?
    F3 - REG:win.ini: run=???
    ?
    O2 - BHO: (no name) - {125BF341-5647-49C8-9CF4-329D41D4C328} - C:\WINDOWS\system32\wmhlsoku.dll
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\vpnsjtpl.dll (file missing)
    O2 - BHO: (no name) - {356914CD-2C1C-4667-AC32-0B33AF9BA7E6} - blank (file missing)
    O2 - BHO: (no name) - {5335D775-94E3-48D7-908A-A4C1893CC0E2} - C:\WINDOWS\MICROS~1.NET\acbda.dll (file missing)
    O2 - BHO: (no name) - {935D93D4-4600-47CD-94A7-B55BAD42DFDD} - (no file)
    O2 - BHO: (no name) - {9897F7DB-963E-4F8E-99A7-C46C221E056C} - blank (file missing)
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
    O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\MyWay <--- the whole folder
    C:\WINDOWS\system32\ebxqbnau.exe
    C:\WINDOWS\system32\wmhlsoku.dll
    C:\WINDOWS\system32\svuvw.tmp2

    Now run Ccleaner.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.



     
    Last edited: Oct 26, 2006
  8. Sir Will

    Sir Will Private E-2

    I didn't know I had those programs... I deleted the one not installed and when I went to remove the other it said there was an error and that it may have already been deleted, so it just took it off the remove hardware list.

    I upgraded spyware doctor.

    I tried to go onto the next step, but when I ran services.msc, the list that came up didn't have anything called .NET Framework Service in it. A couple of things started with 'Net' but other than that, not even close. Should this be done in a specific type of startup mode? I'm on Custom atm in my user account. Did I miss something or do something wrong?

    Thank you all for all your help. While my game still won't work, the rest of my computer seems to be running better than ever.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure of everything that you are referring to since you did not use names! Which antivirus did you leave running on your PC? You must have one and only one installed.

    It should show since it does appear in HJT. Let's do the below.

    Download GetService.zip from here: Getservice.zip

    Extract the file to a folder where you can find it, then go to the folder and double-click on the getservices.bat file. A notepad will open up. Save it to a file named services.txt and upload it here as an attachment.

    Also run HJT and see if the below line still exists:
    O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

    If it does exist, select it, and then click Fix Checked and tell me what happens. Normally HJT cannot fix a service like this, but it may work if the service is really gone.

    Also does this file exist: C:\WINDOWS\svchost.exe? If it does then delete it. DO NOT DELETE C:\WINDOWS\system32\svchost.exe which is a valid file.
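
The distinction drawn in the post above, between C:\WINDOWS\svchost.exe and the valid C:\WINDOWS\system32\svchost.exe, can be checked mechanically over a HijackThis log. The following is an added example, not part of the original thread and not part of HijackThis; the function names, the short list of system binary names, the assumption that Windows lives in C:\WINDOWS, and the last sample line are constructed for illustration.

```python
import ntpath
import re

# Binaries that legitimately live in system32. Short illustrative list
# (an assumption of this example), not an exhaustive inventory.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIR = r"c:\windows\system32"  # assumes Windows is installed in C:\WINDOWS

# A HijackThis line is "<section> - <description...>", e.g. "O23 - Service: ...".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.+)$")
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\[^()]*?\.(?:exe|dll))\b", re.IGNORECASE)


def check_line(line):
    """Return (section, path, findings) for one log line, or None if not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    findings = []
    # The entry points at a file that is no longer on disk.
    if "(file missing)" in rest or "(no file)" in rest:
        findings.append("dangling-entry")
    # A service whose binary carries no vendor information.
    if m.group("section") == "O23" and "Unknown owner" in rest:
        findings.append("unknown-owner")
    pm = PATH_RE.search(rest)
    path = pm.group("path") if pm else None
    if path:
        folder, name = ntpath.split(ntpath.normpath(path))
        # A system binary name in any folder other than system32 is a masquerade.
        if name.lower() in SYSTEM_BINARIES and folder.lower() != SYSTEM_DIR:
            findings.append("system-name-outside-system32")
    return m.group("section"), path, findings


def flagged(lines):
    """Keep only the parsed entries that produced at least one finding."""
    results = (check_line(line) for line in lines)
    return [r for r in results if r and r[2]]


SAMPLE_LOG = [
    # First three lines are quoted from this thread.
    r"O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)",
    r"O2 - BHO: (no name) - {5335D775-94E3-48D7-908A-A4C1893CC0E2} - C:\WINDOWS\MICROS~1.NET\acbda.dll (file missing)",
    r"O2 - BHO: (no name) - {125BF341-5647-49C8-9CF4-329D41D4C328} - C:\WINDOWS\system32\wmhlsoku.dll",
    # Constructed line: a service hosted by the valid svchost.exe.
    r"O23 - Service: Example Service (ExampleSvc) - Example Vendor - C:\WINDOWS\system32\svchost.exe",
]

if __name__ == "__main__":
    for section, path, findings in flagged(SAMPLE_LOG):
        print(section, path, ", ".join(findings))
```

The wmhlsoku.dll entry produces no finding: a randomly named DLL inside system32 passes a name-and-folder check, which is why such entries still need manual review of the log.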
     
  10. Sir Will

    Sir Will Private E-2

    Sorry. I kept AVG.

    I ran HJT and that file (.NET) is not on the list.

    I don't have the file you asked me to look for, so that's good.

    I attached the file you wanted.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then please attach the followup logs I requested in message # 7. That is after you have completed all of those steps if you have not already done so.
     
  12. Sir Will

    Sir Will Private E-2

    Yeah, I'm thick. Sorry about that. I did the scans and attached the files.

    A few of the files weren't found by HJT:

    F3 - REG:win.ini: load=???
    ?
    F3 - REG:win.ini: run=???
    ?
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe

    Also:

    C:\Program Files\MyWay <--- the whole folder {CAN’T FIND}

    Other than that it went fine.

    I'm also getting a lot of popups now from NSIS Media that I didn't get before. Spybot S&D finds it, I erase it, but the popups keep coming. I ran it twice within an hour and found them both times.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This was not in your previous logs! It is new! Go to Add/Remove programs and uninstall NSIS Media Extension.

    Also delete the below file:
    C:\WINDOWS\system32\1162224013.exe

    Did that work?

    Attach a new log from ShowNew!
     
  14. Sir Will

    Sir Will Private E-2

    Oh, I didn't think to look there for the source of the problem, thanks. I'll keep that in mind. The popups and slowdown caused by it seem to be gone now.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
