atf3doc
Internet Explorer 6 will not stay open

When IE6 icon is clicked on, IE opens for a second or two and then fades away. I have removed some serious malware. I have run Norton WinDoctor and repaired all errors. I have run sfc /scannow..and as a last resort, I tried to do a repair installation of Windows....another problem....it won't boot to the cd-rom drive.
I can get a good reading from windows...I have gone into setup to make sure cd-rom is set before hard drive.
I hit F12 on boot to get the boot menu and selected the CD-ROM drive, but it still boots to the hard drive and Windows.
I am at my wits end.
atf3doc
Joediggity2

Can you read the CD-ROM from Windows? Also, with Windows XP, there is a prompt "press any key to run setup" which is only present for a second or two. If you miss it, it continues to boot from the HDD.
atf3doc (ASKER)
Joediggity2,
Yes, it will read the CD from Windows. It never gave the "Press any key to boot from CD" prompt. I was ready, believe me, with a hair-trigger finger. Any other ideas?
atf3doc
Do you have another CD or another CD drive? Either of them could be damaged.
atf3doc (ASKER)
I don't think the drive is bad...it will run and load other programs. I tried a different Windows XP CD...same deal. I'll try an external drive and see if that works. I still have some spyware evident...I may have to either do an extensive manual removal of a couple of Trojans or just reload Windows on a fresh drive and copy necessary files...hoping not to copy any malware threads. I'll keep you posted. Let me know if you think of anything else. Thanks.
atf3doc
If you think you're still infected....

It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

Please upload the log at EE-Stuff.com
Use the link below and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on the "Expert Area" tab.
Type or paste the link to your Question.
"Browse" your PC to the location of your HijackThis log and click "Upload".
Copy the resulting "url" and post it back here.

Not sure if this will help your CD drive situation but at least we can hopefully get malware ruled out.
atf3doc (ASKER)
I hope I did this correctly. The url is:
http://www.ee-stuff.com/Expert/Upload/upload.php
atf3doc
That link just brings us to the upload page. We need the link to your upload.
atf3doc (ASKER)
I can't find it when I go back to look. I don't know what I am doing wrong.
atf3doc
atf3doc (ASKER)
Here is what I have done with ee-stuff.
I pasted the url for the question in "Question" (I also tried just putting in question number)
I browsed to where the HijackThis log was and clicked "open", then checked the file location as it showed in "File", then clicked upload....
Apparently nothing is uploading...maybe from the malware or what has been removed.

I loaded Firefox to be able to upload directly from the computer. I will try copying and uploading from a different computer.

Could malware mess up the BIOS? I can't get any drives to read from boot...but all read OK in Windows.
Later.
atf3doc
Rename the log to a .txt file and then upload it.
atf3doc (ASKER)
Finally I got it uploaded. In testing to see if it was there I lost the link to the upload. You will have to get to it by pasting this question's URL in ee-stuff. Sorry.
atf3doc
Got it...well, even though it doesn't look too bad, the lack of O2's and O20's in the log and one of the O4's makes me think it is the Vundo trojan. ComboFix to the rescue.

Download and Run ComboFix (by sUBs)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log. Upload to the following link and post the link to it back here.

http://www.ee-stuff.com

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or the internet after running ComboFix, you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click on your Network icon & select "Repair".
Alternatively, if the Network icon appears in the notification area in the lower right corner of the Desktop, right-click it, and then click Repair from the shortcut menu.


atf3doc (ASKER)
Combofix hangs....On the first try it said "Scanning for infected files...This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double."
I left it alone for approximately 4 hours while I went out to eat. When I returned, it was at the same point as when I left. I turned off the machine and back on...all desktop items returned OK. When I tried the second time, the desktop remained visible...(the first time the desktop went blank) it has now been over 17 minutes without any visible activity. I'm going to give it another 5 minutes or so. Any thoughts on this?
atf3doc
I uninstalled the Anti Spyware program before downloading Combofix.
Did you disable your antivirus when running it?

Also, make sure the computer isn't connected to the internet or your own network when working on it, to prevent getting further infected or infecting other machines.
If you still have issues with running Combofix try running SDFix first, then run CF again. Upload the SDFix log.

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe 

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, so please upload the contents to http://www.ee-stuff.com.
atf3doc (ASKER)
Another problem...I ran SDFix in safe mode...it rebooted into normal mode....however, it is telling me that it can only run with "Administrator account privileges." In safe mode I have 2 user choices....Gayle and Administrator....In normal mode the two are Gayle and Guest. I tried ctrl-alt-del to show "Administrator" but nothing happens. Gayle is a computer administrator account. I went back and ran SDFix in safe mode on the user Gayle, and when it booted to normal mode, I got the same message. What now?
atf3doc
At what point of running SDFix does it reboot? Sounds like the malware may have affected your permissions, but usually SDFix will correct that.

Do us a favor, rename HJT to something else. Anything, Findvundo.exe or whatever. Just keep the .exe part. Re-run it and post the log. Use a .txt extension on the log to upload to eestuff.
atf3doc (ASKER)
https://filedb.experts-exchange.com/incoming/ee-stuff/5922-copyHJT.txt
I'm getting the hang of this now. Wonder of wonders...this was done on Internet Explorer...so we are making progress. At first the font size had changed to "largest"...I had to readjust. My initial problem with the upload was being used to uploading to hijackthis.de...it took a while to figure out that I had to save it as a .txt file. Browsing is very slow...but working.
I am anxiously awaiting your next instruction.
Well....there are still no O2 or O20 entries. Interesting? One line that can be fixed and still looks like part of Vundo.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on this:

---------------------------------

O4 - HKLM\..\Run: [mpkhexiz] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mpkhexiz.dll"

---------------------------------

Then close all windows except this one and press Fix checked.

Now delete the file. You may need to enable hidden files and folders. If you're not sure how to do this see the link:

http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

Best way to delete would be in Safe Mode. If it doesn't go then we can give you a tool to use.

C:\Documents and Settings\All Users\Application Data\mpkhexiz.dll

Reboot and try to run SDFix again.
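The two signals the expert is reading off the HijackThis log above (an O4 autostart that runs regsvr32 /u on a DLL under Application Data, and the complete absence of O2/O20 lines) can be checked mechanically. The following is an added example written for this page, not a tool from the thread; the log lines are constructed in HijackThis format, reusing only the mpkhexiz and kcopt.dll names that appear in the thread, and the heuristics are my own, not HijackThis's.

```python
import re
from collections import Counter

# Constructed sample in HijackThis log format (not the thread's real log).
# mpkhexiz and kcopt.dll are names from the thread; the other entries are
# made-up placeholders standing in for ordinary, harmless autostarts.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [mpkhexiz] regsvr32 /u "C:\\Documents and Settings\\All Users\\Application Data\\mpkhexiz.dll"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [kcopt] rundll32.exe "C:\\WINDOWS\\system32\\kcopt.dll",b
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\\Program Files\\Example\\svc.exe
"""

# O4 line layout: "O4 - <hive\..\Run>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LOADERS = ("regsvr32", "rundll32")          # host binaries often used to run a DLL payload
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\")

def audit_o4(line):
    """Heuristic: return the reasons an O4 autostart entry deserves a closer look."""
    m = O4_RE.match(line)
    if not m:
        return []
    low = m.group("cmd").lower()
    reasons = []
    if low.lstrip('"').startswith(LOADERS):
        reasons.append("launched through regsvr32/rundll32 instead of its own exe")
    if "regsvr32" in low and "/u" in low.split():
        reasons.append("regsvr32 /u at logon: unregistering a DLL is no legitimate autostart")
    if any(p in low for p in USER_WRITABLE):
        reasons.append("module sits in a user-writable profile directory")
    return reasons

def analyze(log):
    """Count sections, audit every O4 line, and note absent O2/O20 sections."""
    lines = [l for l in log.splitlines() if l.strip()]
    counts = Counter(l.split(" - ", 1)[0] for l in lines)
    findings = {}
    for l in lines:
        reasons = audit_o4(l)
        if reasons:
            findings[l] = reasons
    # The expert above treats a log with no O2/O20 lines at all as a Vundo hint.
    notes = [f"no {sec} lines at all: worth a rootkit check" for sec in ("O2", "O20") if counts[sec] == 0]
    return counts, findings, notes

if __name__ == "__main__":
    counts, findings, notes = analyze(SAMPLE_LOG)
    print(dict(counts), notes)
    for line, reasons in findings.items():
        print(line, *("   - " + r for r in reasons), sep="\n")
```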
atf3doc (ASKER)
https://filedb.experts-exchange.com/incoming/ee-stuff/5925-ComboFix.txt

OK... ComboFix ran and deleted many...but says the HUY32 rootkit driver is still present.

atf3doc
Combofix did get a lot...but much is still very present and a CFScript is needed. I won't have time until later to get to combing through the whole log. Possible rootkit yes too...

Were you able to run SDFix also? If so please upload the log.

Very infected PC here.... I'll get back to you later if rpg doesn't peek in here first. Much work to still be done.
atf3doc (ASKER)
Thanks for your help now and later!!! I will get the SDFix log uploaded. I have another machine to do after this one. Similar infections. The only common thread between the two is "My Space." Do you think that all this junk could come from that? The two machines are from different locations. Thanks again!
atf3doc
atf3doc (ASKER)
Joediggity2,
The previous post applies to you as well...A hearty thanks!
To answer one of your previous questions about disabling anti-virus...I totally had uninstalled the anti-virus and anti-spyware to ensure that they would not interfere with SDFix or ComboFix. As soon as it is clean, I will reload them.
atf3doc
> "The only common thread between the two is "My Space." Do you think that all this junk could come from that?"
Possible...MySpace itself is clean but it's what gets passed around there that can be trouble. I also see Limewire in there. P2P is pretty much the number 1 cause of Malware from what I see...

Just a "few" files to get with combofix...


1. Please open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:


---------------------------------------------------------------------------------------------------------------

File::
C:\WINDOWS\SYSTEM32\fceaepyp.exe
C:\WINDOWS\SYSTEM32\opqss.bak2
C:\WINDOWS\SYSTEM32\opqss.ini
C:\WINDOWS\SYSTEM32\xgbmaavn.ini
C:\WINDOWS\SYSTEM32\nvaambgx.dll
C:\WINDOWS\SYSTEM32\omywcnbm.dll
C:\WINDOWS\SYSTEM32\pynvhkec.exe
C:\WINDOWS\SYSTEM32\ibminpbm.dll
C:\WINDOWS\SYSTEM32\pabjuivs.dll
C:\WINDOWS\SYSTEM32\qstwa.tmp2
C:\WINDOWS\SYSTEM32\nmllm.tmp
C:\WINDOWS\SYSTEM32\dcbeg.tmp
C:\WINDOWS\SYSTEM32\betgljnq.ini
C:\WINDOWS\SYSTEM32\spdaoayd.dll
C:\WINDOWS\SYSTEM32\afwvbadx.ini
C:\WINDOWS\SYSTEM32\mwilfsgf.dll
C:\WINDOWS\SYSTEM32\KernelDrv.exe
C:\WINDOWS\SYSTEM32\kcopt.dll
C:\WINDOWS\SYSTEM32\mfiymchi.dll
C:\WINDOWS\SYSTEM32\yiomawjl.ini
C:\WINDOWS\SYSTEM32\ayadd.tmp
C:\WINDOWS\SYSTEM32\bftdsygq.dll
C:\WINDOWS\SYSTEM32\ekguubmd.ini
C:\WINDOWS\SYSTEM32\phkoacqn.dll
C:\WINDOWS\SYSTEM32\mlokxbnd.ini
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\spdqitvn.ini
C:\WINDOWS\SYSTEM32\lttbyipr.dll
C:\WINDOWS\SYSTEM32\uhdidtyd.ini
C:\WINDOWS\SYSTEM32\freqwhxp.dll
C:\WINDOWS\SYSTEM32\mhcfhudu.dll
C:\WINDOWS\SYSTEM32\vnrymihk.ini
C:\WINDOWS\SYSTEM32\ylusqobj.ini
C:\WINDOWS\SYSTEM32\qstwa.tmp
C:\WINDOWS\SYSTEM32\tjymcvrd.ini
C:\WINDOWS\otmtqrmf.dll
C:\WINDOWS\SYSTEM32\uhncqsvo.ini
C:\WINDOWS\SYSTEM32\ewlsfyib.ini
C:\WINDOWS\SYSTEM32\jjldyjeg.ini
C:\WINDOWS\SYSTEM32\ijkkj.tmp2
C:\WINDOWS\SYSTEM32\utstv.tmp
C:\WINDOWS\system32\chkntfs.dll

Folder::
C:\Program Files\WinPerformance
C:\WINDOWS\PerfInfo


---------------------------------------------------------------------------------------------------------------


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log

----------------------------------

As combofix suggested, we need a rootkit check or 2 here.

Download Rootkit Revealer here (bottom of page):

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

Unzip the files and run RootkitRevealer.exe.

Press the scan button. Try to leave the system idle while running.

When done select File-->Save...and post the contents of the log.
atf3doc (ASKER)
https://filedb.experts-exchange.com/incoming/ee-stuff/5939-SDFix-report.txt

https://filedb.experts-exchange.com/incoming/ee-stuff/5940-ComboFix2log.txt

https://filedb.experts-exchange.com/incoming/ee-stuff/5941-hijackthis.txt

The first is the second run of SDFix...#2= ComboFix after dropping list of files...#3=HiJackThis after all.
Getting ready to run root kit revealer.
Internet Explorer now works but I can't upload the files on ee-stuff on that computer; I had to copy and send on another.
atf3doc
ASKER CERTIFIED SOLUTION
IndiGenus
SOLUTION
atf3doc (ASKER)
I totally agree that a format and reinstall is in order. I am preparing for that now. I am going to zero-fill the hard drive, maybe a couple of times, before reinstalling Windows. One thing that still bothers me is the fact that I can read CDs from Windows (and install programs) but I can't boot to either the CD or DVD-ROM drive. I have hooked another drive up and can boot to that. It seems strange that I would lose bootability to both the original drives.
I have started on the second machine...I ran HouseCall to see what that came up with...Vundo, Virtumonde, and a host of others.
Thanks for hanging in there with me. I appreciate all the support!! I wish I could give more points than available.
atf3doc
atf3doc (ASKER)
I hope this was a fair division of the points. Again I wish I could give both of you more points.