Solved

Internet Explorer 6 will not stay open

Posted on 2007-11-29
566 Views
Last Modified: 2013-12-08
When the IE6 icon is clicked on, IE opens for a second or two and then fades away. I have removed some serious malware. I have run Norton WinDoctor and repaired all errors. I have run sfc /scannow... and as a last resort, I tried to do a repair installation of Windows... another problem... it won't boot to the CD-ROM drive.
I can get a good reading from Windows... I have gone into setup to make sure the CD-ROM is set before the hard drive.
I hit F12 on boot to get the boot menu and selected the CD-ROM drive, but it still boots to the hard drive and Windows.
I am at my wits end.
atf3doc
Question by:atf3doc
30 Comments
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20379547
Can you read the CD-ROM from Windows?  Also, with Windows XP, it has a prompt "press any button to run setup" which is only present for a second or two.  If you miss it, it continues to boot from the HDD.
0
 

Author Comment

by:atf3doc
ID: 20379582
Joediggity2,
Yes, it will read the CD from Windows. It never gave the "Press any key to boot from CD". I was ready, believe me, with a hair-trigger finger. Any other ideas?
atf3doc
0
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20379598
Do you have another CD or another CD drive?  Either of which could be damaged.
0
 

Author Comment

by:atf3doc
ID: 20379746
I don't think the drive is bad... it will run and load other programs. I tried a different Windows XP CD... same deal. I'll try an external drive and see if that works. I still have some spyware evident... I may have to either do an extensive manual removal of a couple of Trojans or just reload Windows on a fresh drive and copy necessary files... hoping not to copy any malware threads. I'll keep you posted. Let me know if you think of anything else. Thanks.
atf3doc
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20379823
If you think you're still infected....

It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

Please upload the log at EE-Stuff.com
Use the link below and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

Not sure if this will help your CD drive situation but at least we can hopefully get malware ruled out.
0
 

Author Comment

by:atf3doc
ID: 20381460
I hope I did this correctly. The url is:
http://www.ee-stuff.com/Expert/Upload/upload.php
atf3doc
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20381479
That link just brings us to the upload page. We need the link to your upload.
0
 

Author Comment

by:atf3doc
ID: 20381515
I can't find it when I go back to look. I don't know what I am doing wrong.
atf3doc
0
 

Author Comment

by:atf3doc
ID: 20383821
Here is what I have done with ee-stuff.
I pasted the URL for the question in "Question" (I also tried just putting in the question number).
I browsed to where the HijackThis log was and clicked "Open", then checked the file location as it showed in "File", then clicked Upload....
Apparently nothing is uploading... maybe from the malware or what has been removed.

I loaded Firefox to be able to upload directly from the computer. I will try copying and uploading from a different computer.

Could malware mess up the BIOS? I can't get any drives to read from boot... but all read OK in Windows.
Later .
atf3doc
0
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20383970
Rename the log to a .txt file and then upload it.
0
 

Author Comment

by:atf3doc
ID: 20383977
Finally I got it uploaded. In testing to see if it was there I lost the link to the upload. You will have to get to it by pasting this question's URL in ee-stuff. Sorry.
atf3doc
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20384098
Got it... well, even though it doesn't look too bad, the lack of O2s and O20s in the log and one of the O4s makes me think it is the Vundo trojan. Combofix to the rescue.

Download and Run ComboFix (by sUBs)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log. Upload to the following link and post the link to it back here.

http://www.ee-stuff.com

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click on your Network icon & select "Repair"
or
Alternately, if the Network icon appears in the notification area in the lower right corner of the Desktop, right-click it, and then click Repair from the shortcut menu.


0
 

Author Comment

by:atf3doc
ID: 20386823
Combofix hangs.... On the first try it said "Scanning for infected files... This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double."
I left it alone for approximately 4 hours while I went out to eat. When I returned, it was at the same point as when I left. I turned off the machine and back on... all desktop items returned OK. When I tried the second time, the desktop remained visible... (the first time the desktop went blank). It has now been over 17 minutes without any visible activity. I'm going to give it another 5 minutes or so. Any thoughts on this?
atf3doc
I uninstalled the Anti Spyware program before downloading Combofix.
0
 
LVL 4

Expert Comment

by:Joediggity2
ID: 20386830
Did you disable your antivirus when running it?

Also, make sure the computer isn't connected to the internet or your own network when working on it, to prevent getting further infected or infecting other machines.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20386855
If you still have issues with running Combofix try running SDFix first, then run CF again. Upload the SDFix log.

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, so please upload the contents to http://www.ee-stuff.com.
0
 

Author Comment

by:atf3doc
ID: 20388171
Another problem... I ran SDFix in safe mode... it rebooted into normal mode.... however, it is telling me that it can only run with "Administrator account privileges." In safe mode I have 2 user choices.... Gayle and Administrator.... In normal mode the two are Gayle and Guest. I tried ctrl-alt-del to show "Administrator" but nothing happens. Gayle is a computer administrator account. I went back and ran SDFix in safe mode as the user Gayle, and when it booted to normal mode, I got the same message. What now?
atf3doc
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20388282
At what point of running SDFix does it reboot? Sounds like the malware may have affected your permissions, but usually SDFix will correct that.

Do us a favor, rename HJT to something else. Anything, Findvundo.exe or whatever. Just keep the .exe part. Re-run it and post the log. Use a .txt extension on the log to upload to eestuff.
0
 

Author Comment

by:atf3doc
ID: 20388931
https://filedb.experts-exchange.com/incoming/ee-stuff/5922-copyHJT.txt
I'm getting the hang of this now. Wonder of wonders... this was done on Internet Explorer... so we are making progress. At first the font size had changed to "largest"... I had to readjust. My initial problem with the upload was being used to uploading to hijackthis.de... it took a while to figure out that I had to save it as a .txt file. Browsing is very slow... but working.
I am anxiously awaiting your next instruction.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20389140
Well.... there are still no O2 or O20 entries. Interesting? One line that can be fixed and still looks like part of Vundo.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on this:

---------------------------------

O4 - HKLM\..\Run: [mpkhexiz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mpkhexiz.dll"

---------------------------------

Then close all windows except this one and press Fix checked.

Now delete the file. You may need to enable hidden files and folders. If you're not sure how to do this see the link:

http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

Best way to delete would be in Safe Mode. If it doesn't go then we can give you a tool to use.

C:\Documents and Settings\All Users\Application Data\mpkhexiz.dll

Reboot and try to run SDFix again.
0
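A small triage helper, added here and not from the thread or from the HijackThis tool itself, that mechanises the two readings IndiGenus applies to the log above: whether any O2/O20 hook sections appear at all, and whether an O4 autostart (re)registers a DLL through regsvr32 from a user-data directory. The sample log is constructed; only the mpkhexiz O4 line is the entry quoted in the thread, and the directory list and name patterns are assumptions of this example.

```python
import re

# Constructed HijackThis-style sample (not the log from the thread). Only the
# mpkhexiz O4 line is the entry quoted by IndiGenus; the other lines are made up
# to give the triage something benign to ignore.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [mpkhexiz] regsvr32 /u "C:\\Documents and Settings\\All Users\\Application Data\\mpkhexiz.dll"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 body layout: <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")

# Sections that normally carry BHO (O2) and Winlogon/AppInit (O20) hooks.
HOOK_SECTIONS = ("O2", "O20")
# Assumed list: autostart binaries living here instead of Program Files or
# system32 are worth a second look.
DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def parse_entries(log: str) -> dict:
    """Group HijackThis lines by their O-number (O4, O23, ...)."""
    by_type: dict = {}
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            by_type.setdefault(m.group(1), []).append(m.group(2))
    return by_type


def missing_hook_sections(log: str) -> list:
    """Return hook sections absent from the log entirely; the thread reads the
    total absence of O2/O20 lines as a Vundo indicator, not as a clean sign."""
    present = parse_entries(log)
    return [s for s in HOOK_SECTIONS if s not in present]


def suspicious_o4(log: str) -> list:
    """Return names of O4 autostarts that register a DLL via regsvr32 or run
    out of a per-user data directory."""
    flagged = []
    for body in parse_entries(log).get("O4", []):
        m = O4_RE.match(body)
        if not m:
            continue
        name, cmd = m.group(3), m.group(4).lower()
        via_regsvr32 = cmd.startswith("regsvr32") and ".dll" in cmd
        from_data_dir = any(d in cmd for d in DATA_DIRS)
        if via_regsvr32 or from_data_dir:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("missing hook sections:", missing_hook_sections(SAMPLE_LOG))
    print("suspicious O4 entries:", suspicious_o4(SAMPLE_LOG))
```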
 

Author Comment

by:atf3doc
ID: 20389175
https://filedb.experts-exchange.com/incoming/ee-stuff/5925-ComboFix.txt

OK... ComboFix ran and deleted many... but says the HUY32 rootkit driver is still present.

atf3doc
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20389326
Combofix did get a lot...but much is still very present and a CFScript is needed. I won't have time until later to get to combing through the whole log. Possible rootkit yes too...

Were you able to run SDFix also? If so please upload the log.

Very infected PC here.... I'll get back to you later if rpg doesn't peek in here first. Much work to still be done.
0
 

Author Comment

by:atf3doc
ID: 20389858
Thanks for your help now and later!!! I will get the SDFix log uploaded. I have another machine to do after this one . Similar infections. The only common thread between the two is "My Space." Do you think that all this junk could come from that? The two machines are from different locations. Thanks again!
atf3doc
0
 

Author Comment

by:atf3doc
ID: 20389886
Joediggity2,
The previous post applies to you as well... A hearty thanks!
To answer one of your previous questions about disabling anti-virus... I had totally uninstalled the anti-virus and anti-spyware to ensure that they would not interfere with SDFix or ComboFix. As soon as it is clean, I will reload them.
atf3doc
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20390016
>""The only common thread between the two is "My Space." Do you think that all this junk could come from that?""<
Possible...MySpace itself is clean but it's what gets passed around there that can be trouble. I also see Limewire in there. P2P is pretty much the number 1 cause of Malware from what I see...

Just a "few" files to get with combofix...


1. Please open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:


---------------------------------------------------------------------------------------------------------------

File::
C:\WINDOWS\SYSTEM32\fceaepyp.exe
C:\WINDOWS\SYSTEM32\opqss.bak2
C:\WINDOWS\SYSTEM32\opqss.ini
C:\WINDOWS\SYSTEM32\xgbmaavn.ini
C:\WINDOWS\SYSTEM32\nvaambgx.dll
C:\WINDOWS\SYSTEM32\omywcnbm.dll
C:\WINDOWS\SYSTEM32\pynvhkec.exe
C:\WINDOWS\SYSTEM32\ibminpbm.dll
C:\WINDOWS\SYSTEM32\pabjuivs.dll
C:\WINDOWS\SYSTEM32\qstwa.tmp2
C:\WINDOWS\SYSTEM32\nmllm.tmp
C:\WINDOWS\SYSTEM32\dcbeg.tmp
C:\WINDOWS\SYSTEM32\betgljnq.ini
C:\WINDOWS\SYSTEM32\spdaoayd.dll
C:\WINDOWS\SYSTEM32\afwvbadx.ini
C:\WINDOWS\SYSTEM32\mwilfsgf.dll
C:\WINDOWS\SYSTEM32\KernelDrv.exe
C:\WINDOWS\SYSTEM32\kcopt.dll
C:\WINDOWS\SYSTEM32\mfiymchi.dll
C:\WINDOWS\SYSTEM32\yiomawjl.ini
C:\WINDOWS\SYSTEM32\ayadd.tmp
C:\WINDOWS\SYSTEM32\bftdsygq.dll
C:\WINDOWS\SYSTEM32\ekguubmd.ini
C:\WINDOWS\SYSTEM32\phkoacqn.dll
C:\WINDOWS\SYSTEM32\mlokxbnd.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\spdqitvn.ini
C:\WINDOWS\SYSTEM32\lttbyipr.dll
C:\WINDOWS\SYSTEM32\uhdidtyd.ini
C:\WINDOWS\SYSTEM32\freqwhxp.dll
C:\WINDOWS\SYSTEM32\mhcfhudu.dll
C:\WINDOWS\SYSTEM32\vnrymihk.ini
C:\WINDOWS\SYSTEM32\ylusqobj.ini
C:\WINDOWS\SYSTEM32\qstwa.tmp
C:\WINDOWS\SYSTEM32\tjymcvrd.ini
C:\WINDOWS\otmtqrmf.dll
C:\WINDOWS\SYSTEM32\uhncqsvo.ini
C:\WINDOWS\SYSTEM32\ewlsfyib.ini
C:\WINDOWS\SYSTEM32\jjldyjeg.ini
C:\WINDOWS\SYSTEM32\ijkkj.tmp2
C:\WINDOWS\SYSTEM32\utstv.tmp
C:\WINDOWS\system32\chkntfs.dll

Folder::
C:\Program Files\WinPerformance
C:\WINDOWS\PerfInfo


---------------------------------------------------------------------------------------------------------------


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log

----------------------------------

As combofix suggested, we need a rootkit check or 2 here.

Download Rootkit Revealer here (bottom of page):

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

Unzip the files and run RootkitRevealer.exe.

Press the scan button. Try to leave the system idle while running.

When done select File-->Save...and post the contents of the log.
0
 

Author Comment

by:atf3doc
ID: 20391382
https://filedb.experts-exchange.com/incoming/ee-stuff/5939-SDFix-report.txt

https://filedb.experts-exchange.com/incoming/ee-stuff/5940-ComboFix2log.txt

https://filedb.experts-exchange.com/incoming/ee-stuff/5941-hijackthis.txt

The first is the second run of SDFix... #2 = ComboFix after dropping the list of files... #3 = HijackThis after all.
Getting ready to run Rootkit Revealer.
Internet Explorer now works but I can't upload the files to ee-stuff on that computer; I had to copy and send them on another.
atf3doc
0
 

Author Comment

by:atf3doc
ID: 20391567
0
 
LVL 20

Accepted Solution

by:
IndiGenus earned 400 total points
ID: 20392270
Wow, this is one of the most seriously infected machines I have seen recently. I now see a wareout infection along with rootkits, more Vundo files, and who knows what else. I have to be honest and I don't usually like to give in but a re-install is in order I believe here. I would like to get a second opinion from one of the other experts, rpg if you look in I would appreciate it. Do you have the resources to re-install Windows?

Also, considering there are Rootkits and backdoor trojans found here I need to advise you of the following.

These types of infections allow hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Please advise what you would like to do.
0
 
LVL 4

Assisted Solution

by:Joediggity2
Joediggity2 earned 100 total points
ID: 20392311
I would definitely agree with IndiGenus. Even if you aren't going to be using the machine for something confidential, with all the different bad things on your computer, there is a good chance even after what looks like a successful clean you may still have stuff hiding out there. If you do decide not to reload, don't forget to check your user accounts and make sure there aren't any extra accounts with remote rights to your machine that you don't know about.
0
 

Author Comment

by:atf3doc
ID: 20392319
I totally agree that a format and reinstall is in order. I am preparing for that now. I am going to zero-fill the hard drive, maybe a couple of times, before reinstalling Windows. One thing that still bothers me is the fact that I can read CDs from Windows (and install programs) but I can't boot to either the CD or DVD-ROM drive. I have hooked another drive up and can boot to that. It seems strange that I would lose bootability to both the original drives.
I have started on the second machine... I ran HouseCall to see what that came up with... Vundo, Virtumonde, and a host of others.
Thanks for hanging in there with me. I appreciate all the support!! I wish I could give more points than available.
atf3doc
0
 

Author Closing Comment

by:atf3doc
ID: 31411856
I hope this was a fair division of the points. Again I wish I could give both of you more points.
0
