Solved

running ie 8 on xp will not open throws up virus error using kapaskeys

Posted on 2011-02-14
18
785 Views
Last Modified: 2013-12-06
running ie8 but throws up the below error if you deny it then it just closes if you runit then it just hangs
have run kapaskeys and avs4 and have found nothing reloaded and reset ie and still no good.


Attempt to run browser with command line parameters: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:14337.

here is the hijack this file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:52 PM, on 15/02/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\SupportAppXL\AutoDect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PKWARE\PKZIPM\9.00.0010\PKTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Easy PDF Creator] C:\Program Files\Easy PDF Creator\EasyPDFCreator.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [autodetect] C:\WINDOWS\system32\SupportAppXL\AutoDect.exe
O4 - HKLM\..\Run: [MSODESNV7] C:\WINDOWS\system32\msvmiode.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\cfdrive32.exe
O4 - HKLM\..\Run: [Advanced DDTML Enable] C:\DOCUME~1\ACERLO~1\LOCALS~1\Temp\13830.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\DOCUME~1\ACERLO~1\LOCALS~1\Temp\3522.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\cfdrive32.exe
O4 - Global Startup: PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\9.00.0010\PKTray.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6495 bytes
0
Comment
Question by:sydneyguy
  • 8
  • 6
  • 2
  • +2
18 Comments
 
LVL 32

Accepted Solution

by:
aleghart earned 100 total points
Comment Utility
IE8 tracks tabs with different processes.

See here for a not-necessarily safe workaround that basically whitelists any IE process.  Not sure if that's a smart thing to do.

Are you running IE add-ons that can be disabled?  Try killing them all and re-enabling.  For instance, you probably have Kaspersky and Skype add-ons running by default for anti-banner adverising blocking and Skype phone # translation.  You have AdAware running as well?
0
 
LVL 6

Assisted Solution

by:Raneesh Chitootharayil
Raneesh Chitootharayil earned 100 total points
Comment Utility
boot in safe mode; clear all the entries in system temp folder and temporary internet files;

could you please install antimalware and scan the system (normal mode)
http://www.malwarebytes.org/mbam.php

also read this link and try whether it is useful or not

http://translate.google.ae/translate?hl=en&sl=es&u=http://www.forospyware.com/t246438.html&ei=KgNaTYyOH4uIhQfOlf2dDQ&sa=X&oi=translate&ct=result&resnum=1&ved=0CB4Q7gEwAA&prev=/search%3Fq%3DSCODEF:2176%26hl%3Den%26biw%3D1280%26bih%3D802%26prmd%3Divns
0
 
LVL 35

Assisted Solution

by:torimar
torimar earned 100 total points
Comment Utility
There are nasties on your system:

cfdrive32.exe: http://www.superantispyware.com/malwarefiles/CFDRIVE32.EXE.html
msvmiode.exe: http://www.superantispyware.com/malwarefiles/MSVMIODE.EXE.html

as well as these:
C:\DOCUME~1\ACERLO~1\LOCALS~1\Temp\13830.exe
C:\DOCUME~1\ACERLO~1\LOCALS~1\Temp\3522.exe

Superantispyware (www.superantispaware.com) and MBAM (see link in raneeshcr's comment above) should be able to help.

You might also want to cross-check by scanning with HitmanPro: http://www.surfright.nl/en
0
 
LVL 35

Expert Comment

by:torimar
Comment Utility
Sorry, mistyped a URL above. It must read:

www.superantispyware.com
0
 
LVL 15

Assisted Solution

by:Russell_Venable
Russell_Venable earned 200 total points
Comment Utility
In your specific case I would suggest using RegRun by Greatis. It will not only backup you registery, but also remove those malicious files and setup registery protection and file protection. This can also be run parallel with your antivirus. I would also suggest that you install Sandboxie and surf through the internet using that from now on as further protection from this type of malware. It will contain most of the malware that comes from using a web browser as long as you run it through sandboxie. This files will not escape the sandbox unless the malware uses a exploit in the sandboxie's open process. Of course install this after deleting that malware from your pc first and foremost. Also suggested to watch this video and setup your Internet Explore link as it done in this video and you should be a lot safer surfing the internet. This is coming from a Malware Researcher. So keep this suggestion in mind as safe practice and avoidance of catching malware such as this in the future. I would also suggest anyone who is reading this to do this as well. It hinders this malware type of drive-by attacks, not all but most attacks of this nature.

Youtube Video of Sandboxie Review by mrizos
0
 

Author Comment

by:sydneyguy
Comment Utility
have loaded and run http://www.malwarebytes.org/mbam.php
loaded and run (www.superantispaware.com
loaded and run RegRun by Greatis.
cleared the menory and temp files rebooted numerous time

will post the new hijack this but explorer still will not run
0
 
LVL 35

Expert Comment

by:torimar
Comment Utility
How do you start IE? By clicking on an icon?
If so, check its properties. Maybe the shortcut to launch it was altered and now has those command line parameters (SCODEF:2176 CREDAT:14337). Remove them, or create a new explorer shortcut.

Also consider using Firefox or Opera instead of IE for security reasons. IE, after all, is one of the main hatches for malware, and a major flaw to all security endeavours.
Personally, I have never used IE nor any of the other MS mass products, like Outlook, Outlook Express, Windows Media Player, Windows Address Book etc. (not even Paint or Notepad ;)), and I never got seriously infected in 16 years or hardcore-browsing even the darkest spots of the internet.
0
 

Author Comment

by:sydneyguy
Comment Utility
i have ff and opera working on the machine but i need ie8 running so that i can test some software that does not seem to run on it ie8 but works fine on ie7
tried a new shortcut no good


0
 
LVL 35

Expert Comment

by:torimar
Comment Utility
Next step would then be to uninstall and reinstall IE 8.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:sydneyguy
Comment Utility
it works ok in safe mode but when it loads it just stops may try reinstlling ie8
0
 

Author Comment

by:sydneyguy
Comment Utility
thats under normal non safe conditions so wil not run normally only under safe mode
0
 

Author Comment

by:sydneyguy
Comment Utility
have just deleted and reloaded and its still the same cannot load ie8 any one have any other ideaas.

i am going to pick up another computor tonight and see i  can load that up and see how that ones goes but this has me stummped
0
 
LVL 35

Expert Comment

by:torimar
Comment Utility
Do you still receive the same error message as posted in your original post?
If so, have you run a search in your registry for those strange options ("SCODEF:2176 CREDAT:14337")?


Also: If it is only for testing purposes that you need IE8, you might want to consider using a browser compatibility testing tool instead of an installed version.
This one could help: http://www.my-debugbar.com/wiki/IETester/HomePage

Or Expression Web SuperPreview: http://expression.microsoft.com/en-us/dd565874.aspx

Here's a complete overwview of compatibility testing tools, online and offline:
http://www.hongkiat.com/blog/complete-guide-to-cross-browser-compatibility-check/
0
 

Author Comment

by:sydneyguy
Comment Utility
yes i have have not found any also went throughlookign for the ie dir path that it says it finds
also looked for bits but still no good.\

i need the full version as i have to be identical to make sure that there is no problems for testing of the system and the scripts.
wiill have a looka the pages thbks
0
 
LVL 35

Expert Comment

by:torimar
Comment Utility
Try this;
Get Autoruns: http://technet.microsoft.com/en-us/sysinternals/bb963902

Run it and click on the tab "Image Hijacks". If there are any entries found under the registry keys, untick them. Cloes Autoruns, reboot and try launching IE8 again.
0
 

Author Comment

by:sydneyguy
Comment Utility
nothing in the image hijacs but love the program, been looking for some thing like this for a long tim will keep looking though thanks for this
0
 
LVL 15

Assisted Solution

by:Russell_Venable
Russell_Venable earned 200 total points
Comment Utility
The line  (SCODEF:2176 CREDAT:14337) is auto-generated by IE8. With that being said 2176 is the  LCIE frame process for a single running tab and the 14337 I couldn't find anything about this part I would assume that it has to do with the URL command line option. So you wont find this in the registery. They "Microsoft" said it is nothing to worry about as it is just a another process spawned from IE's tabs.  

Now that it settled. Are you still getting error's or warnings from IE or Kaspersky?
0
 

Author Closing Comment

by:sydneyguy
Comment Utility
thanks every one have tried all that has been suggested so at this point of time have given up and just got anonther computer to do the job. so will try again when i have time
so thanks for all the help
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Malicious software is nothing new. Viruses have been created and spread since before physical networks became popular; back then viruses spread via floppy disk and modem connections with shared systems. Viruses weren't so rampant and protecting your…
A brand new malware strain was recently discovered by security researchers at Palo Alto Networks dubbed “AceDeceiver.” This new strain of iOS malware can successfully infect non-jailbroken devices and jailbroken devices alike.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video discusses moving either the default database or any database to a new volume.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now