  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 581

Internet Explorer 6 will not stay open

When the IE6 icon is clicked, IE opens for a second or two and then fades away. I have removed some serious malware. I have run Norton WinDoctor and repaired all errors. I have run sfc /scannow, and as a last resort I tried to do a repair installation of Windows. Another problem: it won't boot to the CD-ROM drive.
I can get a good reading from Windows. I have gone into setup to make sure the CD-ROM is set before the hard drive.
I hit F12 on boot to get the boot menu and selected the CD-ROM drive, but it still boots to the hard drive and Windows.
I am at my wits end.
atf3doc
2 Solutions
 
Joediggity2Commented:
Can you read the CD-ROM from Windows? Also, with Windows XP, there is a prompt "press any button to run setup" which is only present for a second or two. If you miss it, it continues to boot from the HDD.
atf3docAuthor Commented:
Joediggity2,
Yes, it will read the CD from Windows. It never gave the "Press any key to boot from CD" prompt. I was ready, believe me, with a hair-trigger finger. Any other ideas?
atf3doc
Joediggity2Commented:
Do you have another CD or another CD drive? Either of which could be damaged.
atf3docAuthor Commented:
I don't think the drive is bad; it will run and load other programs. I tried a different Windows XP CD, same deal. I'll try an external drive and see if that works. I still have some spyware evident. I may have to either do an extensive manual removal of a couple of Trojans or just reload Windows on a fresh drive and copy the necessary files, hoping not to copy any malware threads. I'll keep you posted. Let me know if you think of anything else. Thanks.
atf3doc
IndiGenusCommented:
If you think you're still infected....

It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

Please upload the log at EE-Stuff.com
Use the link below and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

Not sure if this will help your CD drive situation but at least we can hopefully get malware ruled out.
atf3docAuthor Commented:
I hope I did this correctly. The url is:
http://www.ee-stuff.com/Expert/Upload/upload.php
atf3doc
IndiGenusCommented:
That link just brings us to the upload page. We need the link to your upload.
atf3docAuthor Commented:
I can't find it when I go back to look. I don't know what I am doing wrong.
atf3doc
atf3docAuthor Commented:
Here is what I have done with ee-stuff.
I pasted the url for the question in "Question" (I also tried just putting in question number)
I browsed to where the HiJackThis log was and clicked "open" then checked the file location as it showed in "File"  then clicked upload....
Apparently nothing is uploading... maybe from the malware or what has been removed.

I loaded Firefox to be able to upload directly from the computer. I will try copying and uploading from a different computer.

Could malware mess up the BIOS? I can't get any drives to read from boot..but all read ok in windows.
Later .
atf3doc
Joediggity2Commented:
Rename the log to a .txt file and then upload it.
atf3docAuthor Commented:
Finally I got it uploaded. In testing to see if it was there I lost the link to the upload. You will have to get to it by pasting this question's url in ee-stuff.. Sorry.
atf3doc
IndiGenusCommented:
Got it... well, even though it doesn't look too bad, the lack of O2's and O20's in the log and one of the O4's makes me think it is the Vundo trojan. Combofix to the rescue.

Download and Run ComboFix (by sUBs)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log. Upload to the following link and post the link to it back here.

http://www.ee-stuff.com

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Going to Control Panel > Network Connections.
* Right click on their Network icons & select "Repair"
or
Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.


atf3docAuthor Commented:
Combofix hangs. On the first try it said "Scanning for infected files... This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double."
I left it alone for approximately 4 hours while I went out to eat. When I returned, it was at the same point as when I left. I turned the machine off and back on; all desktop items returned OK. When I tried the second time, the desktop remained visible (the first time the desktop went blank); it has now been over 17 minutes without any visible activity. I'm going to give it another 5 minutes or so. Any thoughts on this?
atf3doc
I uninstalled the Anti Spyware program before downloading Combofix.
Joediggity2Commented:
Did you disable your antivirus when running it?

Also, make sure the computer isn't connected to the internet or your own network when working on it, to prevent getting further infected or infecting other machines.
IndiGenusCommented:
If you still have issues with running Combofix try running SDFix first, then run CF again. Upload the SDFix log.

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe 

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, so please upload the contents to http://www.ee-stuff.com.
atf3docAuthor Commented:
Another problem: I ran SDFix in safe mode and it rebooted into normal mode; however, it is telling me that it can only run with "Administrator account privileges." In safe mode I have 2 user choices, Gayle and Administrator. In normal mode the two are Gayle and Guest. I tried Ctrl-Alt-Del to show "Administrator" but nothing happens. Gayle is a computer administrator account. I went back and ran SDFix in safe mode as the user Gayle, and when it booted to normal mode I got the same message. What now?
atf3doc
IndiGenusCommented:
At what point of running SDFix does it reboot? Sounds like the malware may have affected your permissions, but usually SDFix will correct that.

Do us a favor, rename HJT to something else. Anything, Findvundo.exe or whatever. Just keep the .exe part. Re-run it and post the log. Use a .txt extension on the log to upload to eestuff.
atf3docAuthor Commented:
https://filedb.experts-exchange.com/incoming/ee-stuff/5922-copyHJT.txt
I'm getting the hang of this now. Wonder of wonders, this was done on Internet Explorer, so we are making progress. At first the font size had changed to "largest"; I had to readjust. My initial problem with the upload was being used to uploading to hijackthis.de; it took a while to figure out that I had to save it as a .txt file. Browsing is very slow, but working.
I am anxiously awaiting your next instruction.
IndiGenusCommented:
Well... there are still no O2 or O20 entries. Interesting. One line that can be fixed and still looks like part of Vundo.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on this:

---------------------------------

O4 - HKLM\..\Run: [mpkhexiz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mpkhexiz.dll"

---------------------------------

Then close all windows except this one and press Fix checked.

Now delete the file. You may need to enable hidden files and folders. If you're not sure how to do this see the link:

http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

Best way to delete would be in Safe Mode. If it doesn't go then we can give you a tool to use.

C:\Documents and Settings\All Users\Application Data\mpkhexiz.dll

Reboot and try to run SDFix again.
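The O4 entry above is flagged by eye: a Run key that calls regsvr32 /u on an 8-random-letter DLL sitting under All Users\Application Data. The following Python script, added here as an example and not code from the thread, HijackThis or ComboFix, turns that reasoning into a repeatable triage of every O4 line in a HijackThis log. The sample log is constructed: the first line is the entry quoted above, the file names on the rundll32 line are taken from the ComboFix file list later in the thread (the command itself is invented), and the other two lines are ordinary autoruns added for contrast. The indicator names, the scoring threshold and the 8-lowercase-letter heuristic are assumptions made for the example.

```python
"""Score HijackThis O4 (Run-key autorun) entries for Vundo-style indicators.

Added example, not code from the thread, HijackThis or ComboFix. The sample
log is constructed: the first O4 line is the entry quoted in the thread, the
file names on the rundll32 line come from the ComboFix file list later in the
thread (the command is invented), the other commands are invented.
"""
import ntpath
import re
from dataclasses import dataclass

SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [mpkhexiz] regsvr32 /u "C:\\Documents and Settings\\All Users\\Application Data\\mpkhexiz.dll"
O4 - HKLM\\..\\Run: [SoundMAX] C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [qstwa] rundll32.exe "C:\\WINDOWS\\system32\\freqwhxp.dll",b
"""

# One HijackThis O4 line: "O4 - <hive>\..\<Run key>: [<value name>] <command>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)


@dataclass
class Finding:
    name: str         # value name inside the Run key
    target: str       # file the command loads
    indicators: list  # heuristics that fired
    score: int


def extract_target(cmd: str) -> str:
    """Return the file a Run-key command loads.

    Prefer the first double-quoted argument (how regsvr32/rundll32 entries
    usually carry the DLL); otherwise take the first drive-rooted path that
    ends in .exe or .dll, spaces included.
    """
    m = re.search(r'"([^"]+)"', cmd) or re.search(r'([A-Za-z]:\\.+?\.(?:dll|exe))\b', cmd, re.I)
    return m.group(1) if m else cmd.strip()


def indicators_for(cmd: str) -> list:
    """List the heuristics that fire for one O4 command line."""
    hits = []
    target = extract_target(cmd)
    loader = cmd.split()[0].lower()
    if loader.endswith('.exe'):
        loader = loader[:-4]
    stem = ntpath.splitext(ntpath.basename(target))[0]

    if loader in ('regsvr32', 'rundll32'):
        # Installers register a DLL once; a Run key that re-registers or
        # rundll32-loads one at every logon is a classic persistence shape.
        hits.append('dll_loader')
    if loader == 'regsvr32' and re.search(r'(?:^|\s)/u\b', cmd, re.I):
        # regsvr32 /u *unregisters*: the leftover of a half-removed
        # component, the exact shape of the entry quoted in the thread.
        hits.append('unregister_at_logon')
    if '\\application data\\' in target.lower():
        # Registered components live in system32 or Program Files, not in a
        # user-writable data directory.
        hits.append('data_dir')
    if re.fullmatch(r'[a-z]{8}', stem):
        # The 8-random-lowercase-letter naming seen in this thread's file
        # list. Weak alone (real DLLs such as browseui fit it), so it only
        # matters in combination with the other indicators.
        hits.append('random_name')
    return hits


def triage(log_text: str, threshold: int = 2) -> list:
    """Parse every O4 line and return Findings with at least `threshold` hits, highest score first."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # other HijackThis sections (O2, O20, O23, ...) are not scored here
        hits = indicators_for(m['cmd'])
        if len(hits) >= threshold:
            findings.append(Finding(m['name'], extract_target(m['cmd']), hits, len(hits)))
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == '__main__':
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.score} [{f.name}] {f.target} <- {', '.join(f.indicators)}")
```

Run against the sample log, the mpkhexiz entry scores on all four indicators and the rundll32 entry on two; the SoundMAX and ctfmon autoruns score zero and are not reported. The threshold exists because any single indicator has benign matches; it is the combination of a DLL loader, an odd flag, a data directory and a meaningless name that makes an entry worth pulling, which is the same judgement made by hand in the comment above.
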
atf3docAuthor Commented:
https://filedb.experts-exchange.com/incoming/ee-stuff/5925-ComboFix.txt

OK... ComboFix ran and deleted many, but says the HUY32 rootkit driver is still present.

atf3doc
IndiGenusCommented:
Combofix did get a lot...but much is still very present and a CFScript is needed. I won't have time until later to get to combing through the whole log. Possible rootkit yes too...

Were you able to run SDFix also? If so please upload the log.

Very infected PC here.... I'll get back to you later if rpg doesn't peek in here first. Much work to still be done.
atf3docAuthor Commented:
Thanks for your help now and later!!! I will get the SDFix log uploaded. I have another machine to do after this one . Similar infections. The only common thread between the two is "My Space." Do you think that all this junk could come from that? The two machines are from different locations. Thanks again!
atf3doc
atf3docAuthor Commented:
Joediggity2,
The previous post applies to you as well. A hearty thanks!
To answer one of your previous questions about disabling anti-virus...I totally had uninstalled the anti-virus and anti-spyware to ensure that they would not interfere with SDFix or ComboFix. As soon as it is clean, I will reload them.
atf3doc
IndiGenusCommented:
>""The only common thread between the two is "My Space." Do you think that all this junk could come from that?""<
Possible...MySpace itself is clean but it's what gets passed around there that can be trouble. I also see Limewire in there. P2P is pretty much the number 1 cause of Malware from what I see...

Just a "few" files to get with combofix...


1. Please open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:


---------------------------------------------------------------------------------------------------------------

File::
C:\WINDOWS\SYSTEM32\fceaepyp.exe
C:\WINDOWS\SYSTEM32\opqss.bak2
C:\WINDOWS\SYSTEM32\opqss.ini
C:\WINDOWS\SYSTEM32\xgbmaavn.ini
C:\WINDOWS\SYSTEM32\nvaambgx.dll
C:\WINDOWS\SYSTEM32\omywcnbm.dll
C:\WINDOWS\SYSTEM32\pynvhkec.exe
C:\WINDOWS\SYSTEM32\ibminpbm.dll
C:\WINDOWS\SYSTEM32\pabjuivs.dll
C:\WINDOWS\SYSTEM32\qstwa.tmp2
C:\WINDOWS\SYSTEM32\nmllm.tmp
C:\WINDOWS\SYSTEM32\dcbeg.tmp
C:\WINDOWS\SYSTEM32\betgljnq.ini
C:\WINDOWS\SYSTEM32\spdaoayd.dll
C:\WINDOWS\SYSTEM32\afwvbadx.ini
C:\WINDOWS\SYSTEM32\mwilfsgf.dll
C:\WINDOWS\SYSTEM32\KernelDrv.exe
C:\WINDOWS\SYSTEM32\kcopt.dll
C:\WINDOWS\SYSTEM32\mfiymchi.dll
C:\WINDOWS\SYSTEM32\yiomawjl.ini
C:\WINDOWS\SYSTEM32\ayadd.tmp
C:\WINDOWS\SYSTEM32\bftdsygq.dll
C:\WINDOWS\SYSTEM32\ekguubmd.ini
C:\WINDOWS\SYSTEM32\phkoacqn.dll
C:\WINDOWS\SYSTEM32\mlokxbnd.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\spdqitvn.ini
C:\WINDOWS\SYSTEM32\lttbyipr.dll
C:\WINDOWS\SYSTEM32\uhdidtyd.ini
C:\WINDOWS\SYSTEM32\freqwhxp.dll
C:\WINDOWS\SYSTEM32\mhcfhudu.dll
C:\WINDOWS\SYSTEM32\vnrymihk.ini
C:\WINDOWS\SYSTEM32\ylusqobj.ini
C:\WINDOWS\SYSTEM32\qstwa.tmp
C:\WINDOWS\SYSTEM32\tjymcvrd.ini
C:\WINDOWS\otmtqrmf.dll
C:\WINDOWS\SYSTEM32\uhncqsvo.ini
C:\WINDOWS\SYSTEM32\ewlsfyib.ini
C:\WINDOWS\SYSTEM32\jjldyjeg.ini
C:\WINDOWS\SYSTEM32\ijkkj.tmp2
C:\WINDOWS\SYSTEM32\utstv.tmp
C:\WINDOWS\system32\chkntfs.dll

Folder::
C:\Program Files\WinPerformance
C:\WINDOWS\PerfInfo


---------------------------------------------------------------------------------------------------------------


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log

----------------------------------

As combofix suggested, we need a rootkit check or 2 here.

Download Rootkit Revealer here (bottom of page):

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

Unzip the files and run RootkitRevealer.exe.

Press the scan button. Try to leave the system idle while running.

When done select File-->Save...and post the contents of the log.
atf3docAuthor Commented:
https://filedb.experts-exchange.com/incoming/ee-stuff/5939-SDFix-report.txt

https://filedb.experts-exchange.com/incoming/ee-stuff/5940-ComboFix2log.txt

https://filedb.experts-exchange.com/incoming/ee-stuff/5941-hijackthis.txt

The first is the second run of SDFix...#2= ComboFix after dropping list of files...#3=HiJackThis after all.
Getting ready to run root kit revealer.
Internet Explorer now works but I can't upload the files on ee-stuff on that computer; I had to copy and send on another.
atf3doc
IndiGenusCommented:
Wow, this is one of the most seriously infected machines I have seen recently. I now see a wareout infection along with rootkits, more Vundo files, and who knows what else. I have to be honest and I don't usually like to give in but a re-install is in order I believe here. I would like to get a second opinion from one of the other experts, rpg if you look in I would appreciate it. Do you have the resources to re-install Windows?

Also, considering there are Rootkits and backdoor trojans found here I need to advise you of the following.

These types of infections allow hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action is a reformat and reinstall of the OS.

Please advise what you would like to do.
Joediggity2Commented:
I would definitely agree with Indigenus. Even if you aren't going to be using the machine for something confidential, with all the different bad things on your computer, there is a good chance that even after what looks like a successful clean you may still have stuff hiding out there. If you do decide not to reload, don't forget to check your user accounts and make sure there aren't any extra accounts with remote rights to your machine that you don't know about.
atf3docAuthor Commented:
I totally agree that a format and reinstall is in order. I am preparing for that now. I am going to zero-fill the hard drive, maybe a couple of times, before reinstalling Windows. One thing that still bothers me is the fact that I can read CDs from Windows (and install programs) but I can't boot to either the CD or DVD-ROM drive. I have hooked another drive up and can boot to that. It seems strange that I would lose bootability to both of the original drives.
I have started on the second machine. I ran HouseCall to see what that came up with: Vundo, Virtumonde, and a host of others.
Thanks for hanging in there with me. I appreciate all the support!! I wish I could give more points than are available.
atf3doc
atf3docAuthor Commented:
I hope this was a fair division of the points. Again I wish I could give both of you more points.