  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7511
  • Last Modified:

Cannot open Internet Explorer

I cannot open IE (I have the latest version). When I click on IE's icon or an http shortcut, or an ftp shortcut, the desktop freezes for 3-5 minutes and then I get an error message that the webpage I have tried to open cannot be found. The only way I am able to open IE and surf the internet is to open Windows Explorer and then type an internet address in its address bar. It then switches to Internet Explorer and goes to the specified webpage. However, if I click on any link that is supposed to open in a new window, then I don't get that page, since it does not open a new IE window from internet links either. I do not have a window pop-up blocker.

There is one probably unrelated problem: IE's home page is constantly changed to http://findallgood.com/. I have searched for viruses, adware, etc. using all kinds of tools and deleted/uninstalled everything found, but the homepage is still changed to http://findallgood.com/ approximately every 5-10 minutes, and I don't know what causes it or how to stop it.

I have reinstalled IE, but it didn't help. Please help, I am limited to Internet Explorer due to specifics of my work. Thank you.
0
leokuz
Asked:
1 Solution
 
rossfingal Commented:
Hi!

Try running "Hoster" to reset your "Hosts" file -
Download the Hoster from here:
          http://members.aol.com/toadbee/hoster.zip
          Unzip it to the desktop and run it.
          Click "Restore original HOSTS" and OK any prompts.
          You may have to reimmunize with Spybot, SpywareBlaster,
          and/or IE-SPYADs, etc. after doing this.
          Please restart your computer
Also, in Internet Explorer check the "Restricted" sites -
if you see anything with 127.0.0.1 - remove it.

RF
0
 
InteractiveMind Commented:
Does it load up okay in Safe Mode?
0
 
leokuz (Author) Commented:
The link http://members.aol.com/toadbee/hoster.zip doesn't work, but I have checked the hosts file and it is fine.

Yes IE loads OK in Safe Mode.
0
 
rossfingal Commented:
Strange - I just tried that link and it worked fine?!?

OK - if you want to, let's try this -
Download HijackThis from:
http://www.gatesofdelirium.com/ee/tools/tools/hijackthis1.99.1.zip

Place it into a folder of its own - something like:
C:\HJT\hijackthis.exe or C:\Program Files\HJT\hijackthis.exe
Do not run it directly from the "Zip" file, a "temp" folder, or the Desktop.
HijackThis makes "backups" and it's good to have them in a centralized location.

With all browser windows closed - run HijackThis (run in "Normal" mode) and
copy and paste the log file into the Analysis site here:
http://www.hijackthis.de/en

Click on the "Analyze" button; and when the analysis is done -
Click on the "Save Analysis" button -
A page will be generated with your saved analysis -
Post a LINK to that page back here.

Please, do not post your log file here!

If you cannot download it from that link, for some reason;
go to another computer (friend's, etc.) and download it and copy it to a floppy.
Install it from there.

We'll take a look at it!  :)

Good luck!
RF
0
 
leokuz (Author) Commented:
I had HijackThis already installed on the subject computer, but I knew nothing about the wonderful "Analysis" feature. It is really great! Here is the log:

http://www.hijackthis.de/logfiles/c3b1e05a6289034f59375469f7cf1240.html
0
 
InteractiveMind Commented:
Leokuz,

> Yes IE loads OK in Safe Mode.
We can thus quite confidently assume that your problem is a result of some malware.

There are a few processes in your log which I'm concerned with, including:
 
  - CardLauncher.exe
  - PopMan.exe
  - SbCRecE.exe
  - PfussMon.exe
  - C:\WINDOWS\SYSTEM\Loader.dll

As these viruses won't load up into Safe Mode, I suggest that you do the following:
  - Boot into Safe Mode;
  - Run Ad-Aware and any other AV programs that you have;
  - Manually remove anything that you're confident looks dodgy;
  - Open MSCONFIG (Start -> Run -> "msconfig" -> OK), go under the "Startup" tab, then remove everything that looks dodgy;
  - Reboot and logon as usual, then connect, and try and open IE.


Regards;
0
 
rossfingal Commented:
Hi!

Make sure "Show all Files and Folders", including hidden and system is enabled.
Turn off "System Restore".

I'm pretty sure these entries are valid:
  - CardLauncher.exe
  - PopMan.exe
  - SbCRecE.exe
  - PfussMon.exe

This entry is a pr0n dialer (Loader.dll):
Some info here:
http://www.sophos.com/virusinfo/analyses/dialplatforma.html
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll

With all browser windows closed -
run HijackThis and have it fix the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://findallgood.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://findallgood.com/

O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll

O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)

O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) -
http://www.rmlsweb.com/XMLSearch/XMLCache.CAB

O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} -
C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll

Restart your computer in "Safe" mode -
Search your entire computer for any instances of the following (if present):
ysb.dll
Loader.dll
G7PS.dll
Delete all that you find.

Delete this folder:
C:\Program Files\Common Files\G7PS  <-<- this folder - G7PS

Clean out all your "temp" files:

# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
    However, if you delete all your cookies - this can affect your stored Internet passwords
    and your ability to logon automatically to various sites.
    So, consider deleting all your cookies - optional
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)

Empty your "Recycle Bin".

Restart your computer in "normal" mode.
Run HijackThis -
Run your log file through the Analysis site -
Post a LINK to your new log file back here.

RF

0
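A triage sketch for the entries quoted in the post above, as an added example that is not part of the thread and is not HijackThis's own code. The entry layout is inferred from the quoted lines only, the sample includes entries wrapped onto a second line as pasted logs often are, and `expected_home` is an assumed parameter for the homepage the user actually wants.

```python
import re

# Constructed sample: the HijackThis entries quoted in the post above,
# with two entries wrapped onto a second line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://findallgood.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://findallgood.com/
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) -
http://www.rmlsweb.com/XMLSearch/XMLCache.CAB
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} -
C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # section code, then the entry body
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entries(text):
    """Return (section, body) pairs, rejoining lines that were wrapped in the paste."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries:                      # continuation of the previous entry
            entries[-1][1] += " " + line
    return [tuple(e) for e in entries]

def triage(text, expected_home):
    """Turn entries into review notes; it does not decide what is malicious."""
    notes = []
    for section, body in parse_entries(text):
        clsid = CLSID.search(body)
        target = body.rsplit(" - ", 1)[-1] if " - " in body else body
        if section in ("R0", "R1") and "Start Page" in body:
            key, _, url = body.partition(" = ")
            if url.strip() != expected_home:   # hive (HKCU/HKLM) shows which copy changed
                notes.append((section, "start page differs", key.split("\\")[0], url.strip()))
        elif target == "(no file)":            # registration left behind with no file
            notes.append((section, "orphaned entry", clsid.group(0) if clsid else None, target))
        elif clsid:                            # file or URL whose vendor should be checked
            notes.append((section, "verify origin", clsid.group(0), target))
    return notes
```

The "verify origin" notes are the ones to check against the file's vendor information before deleting anything, which is how the G7PS entries are handled later in the thread.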
 
leokuz (Author) Commented:
After deleting Loader.dll, Internet Explorer began to function as expected. However, the homepage is still changed to http://findallgood.com/ every so many minutes (5-10), even though I "fixed" the entries related to this site in HijackThis.

Anyway, here is the new log: http://www.hijackthis.de/logfiles/c3b1e05a6289034f59375469f7cf1240.html.

I did not delete these files since I believe they are valid:

G7PS.dll and C:\Program Files\Common Files\G7PS (I have checked the company in file information and it is same that made my VersaCheck check printing program)
  - CardLauncher.exe (ScanSnap scanner or CardMinder (comes with scanner) related, I believe it is a program that scans business cards and saves them into a contact database)
  - PopMan.exe (fee program that enables me to check and delete emails without downloading)
  - SbCRecE.exe (ScanSnap scanner related)
  - PfussMon.exe (ScanSnap scanner related)

Thank you.
0
 
zoltan9992000 Commented:
Leokuz

Can I ask if the computer tries to dial out / connect to the internet when you boot it up?

I ask because I have a customer's PC with the same problem.

I can reset the home page, but when the customer next switches the PC on it dials up the internet (and downloads some code?) before any of the anti-virus or anti-spyware loads. When she then runs Internet Explorer the home page is back to www.findallgood.com.

I have "fixed" the customer's machine by resetting the home page to Google and stopping the automatic dial-up (unchecked the auto connection box).

As long as this does not run at startup it has not reverted to www.findallgood.com.

I think it must hook into something when Explorer loads to initiate the dial-up. Explorer loads before the anti-virus and anti-malware programs.

I have used Spybot to lock the home page etc. to prevent changes, but the malware looks as though it dials out before Spybot loads.

I regularly remove malware from customers' PCs but this one has me beat - for now anyway.

I will get back to you if I find a full solution.

0
 
leokuz (Author) Commented:
No dial-ups since I have DSL. I have this problem solved after I started using a personal firewall, and it now prevents something being downloaded (like you mentioned above), but I could not figure out what program or file on my PC contacted the outside world to get the virus in before I installed this firewall. It is probably still there.
0
 
rossfingal Commented:
Try running these scanners to see if they find something hiding;
Ewido Trojan Scan   http://www.ewido.net/en/download/
(30 day free trial)

Silent Runners    http://www.silentrunners.org/

Rootkit Revealer
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

DLLCompare
http://download.broadbandmedic.com/DllCompare.exe

Maybe one of these will show something
Good luck!
RF
0
 
zoltan9992000 Commented:
Right - finally got to the root of this mystery.

The dialing out was caused by a virus infecting Explorer.exe (Windows ME).

I booted from another drive and, using the latest definitions from McAfee, was able to repair Explorer.

Now it does not try to dial out or change any IE settings.

The virus was W32-Bube-gen.

Best information on this is at:

www.sophos.com/virusinfo/analyses/w32bubel.html

Hope this helps somebody!

Regards,

Paul

0
