kevin s Posted May 14, 2004
P3/1000, Win2000, IE 6.0x. IE starts at (actually after, I guess) boot. It doesn't show up in the startup group. Where do I look to turn this thing off?

Ed_P Posted May 14, 2004
Was IE 6 running when you shut the pc down? What website is IE 6 opening when it starts?

kevin s Posted May 14, 2004
Nope. Starts at the homepage. Not hijacked. Can I go into the startup section of the registry and "rem" the line items? Both are program related, not system.

nlinecomputers Posted May 14, 2004
Most likely this is a spyware/adware/malware problem. First update your Anti-Virus program and do a full scan. Or visit http://housecall.trendmicro.com/ to do an online scan. (It's often worth doing even if you do have an AV program, as it can pick up things others can't.) I would download the Spybot S&D update and run that, followed by running Ad-Aware. If those two don't clean you out and clear up your problem, then we would need to see what is called a HijackThis log. Download and run HijackThis, do what is called a log output and post that here. (Use the forums' CODE function, not QUOTE...) It is usually safe to put a check mark by any search and start page setting it lists which you haven't put there yourself and choose fix. Do the same for any hosts file entries. If it lists anything as O5, O6, or O7, fix those as well. Please ask for advice before using HijackThis to change anything else.

eyerish Posted May 14, 2004
IE starts at boot. Just finished the same problem on a friend's computer. She did a lot of downloads, games, devices etc. Something wants her ONLINE AT STARTUP. AOL Messenger, Yahoo Messenger and the Weather Channel are always my first checkout to remove the checkmark to START WHEN WINDOWS STARTS in the preferences or options section. Some programs are famous for taking over your system. Good luck.

Ed_P Posted May 14, 2004
> Both are program related

Both? Does MSConfig exist in W2K? If so, Start>Run>msconfig will show what's being started and allows tasks to be deactivated. If nothing obvious shows up, then updating your AV and scanning the HD or running Trend Micro's Housecall, followed by a search for spyware using Ad-Aware and Spybot, should be done. If you run ZoneLabs' ZoneAlarm it should show what's accessing the net from within the pc. Is the pc connected to a dial-up ISP or broadband?

Rons Posted May 14, 2004
Win2k doesn't come with msconfig, but it can be added: http://windows.about.com/gi/dynamic/offsit.../downloads.html (towards the bottom of the page). Running HijackThis as Nathan suggested is a better option for problems with I.E.

kevin s Posted May 14, 2004 (edited)
Took the "HijackThis" suggestion. Here is the log for those smarter than me (all a' ya'):

Logfile of HijackThis v1.97.7
Scan saved at 2:02:02 PM, on 5/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN2000\System32\smss.exe
C:\WIN2000\system32\winlogon.exe
C:\WIN2000\system32\services.exe
C:\WIN2000\system32\lsass.exe
C:\WIN2000\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WIN2000\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WIN2000\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WIN2000\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WIN2000\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WIN2000\System32\WBEM\WinMgmt.exe
C:\WIN2000\system32\svchost.exe
C:\WIN2000\Explorer.EXE
C:\WIN2000\system32\Promon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WIN2000\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\HIJACK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN2000\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [TaskMan] C:\WIN2000\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Explorer] C:\WIN2000\Fonts\explorer.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [System32-Driver] csrs32.exe
O4 - HKLM\..\Run: [Explorer Updater] IEXPLORE.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Vidriver] C:\WINNT\SYSTEM32\hjbfec.exe
O4 - HKLM\..\RunServices: [System32-Driver] csrs32.exe
O4 - HKCU\..\Run: [System32-Driver] csrs32.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38081.4319444444
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\InstBanr.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\AcPreview.ocx

Edited May 14, 2004 by ross549

Ed_P Posted May 14, 2004
Remove this: O4 - HKLM\..\Run: [Explorer Updater] IEXPLORE.exe

nlinecomputers Posted May 14, 2004
You've got a trojan downloader. Several of the items in your hijack file are suspect.

O4 - HKLM\..\Run: [TaskMan] C:\WIN2000\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Explorer] C:\WIN2000\Fonts\explorer.exe

Explorer running in the FONT directory?

O4 - HKLM\..\Run: [System32-Driver] csrs32.exe
O4 - HKLM\..\Run: [Explorer Updater] IEXPLORE.exe
O4 - HKLM\..\RunServices: [System32-Driver] csrs32.exe
O4 - HKCU\..\Run: [System32-Driver] csrs32.exe

You can check and remove them with HijackThis, but I suspect that a hidden service will just restore them. Download Spybot and Ad-Aware and run both without delay. Visit the Housecall site as well. Your system needs to be purged, and not all the items will show up on any of these tools. YOU MUST RUN THEM ALL. Do that and then post a new hijack log after you have done the three things listed in my first post!

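As an added example (mine, not code from this thread or from HijackThis), here is a small Python checker that applies the reasoning in the post above to O4 lines: a well-known binary name launched from the wrong directory (explorer.exe and rundll32.exe under Fonts), a bare name that the loader resolves through the search path, a lookalike name such as csrs32 against csrss, and a path claiming a Windows directory (C:\WINNT) on a machine whose real windir is C:\WIN2000. The sample lines are copied from the first log above; the expected-directory table and the edit-distance threshold are my assumptions, not HijackThis rules.

```python
import re, ntpath

# Constructed sample: O4 (autostart) lines copied from the first HijackThis log in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TaskMan] C:\WIN2000\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Explorer] C:\WIN2000\Fonts\explorer.exe
O4 - HKLM\..\Run: [System32-Driver] csrs32.exe
O4 - HKLM\..\Run: [Explorer Updater] IEXPLORE.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Vidriver] C:\WINNT\SYSTEM32\hjbfec.exe
"""
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.*)$", re.M)

# Assumed table (not a HijackThis rule): where each well-known binary is normally launched
# from. {windir} is the real Windows directory, read off the log's process list (C:\WIN2000).
EXPECTED_DIR = {"explorer": r"{windir}", "iexplore": r"C:\Program Files\Internet Explorer"}
EXPECTED_DIR.update({n: r"{windir}\system32" for n in
    ("csrss", "smss", "lsass", "winlogon", "services", "svchost", "rundll32", "spoolsv")})

def edit_distance(a, b):  # Levenshtein; catches lookalike names such as csrs32 vs csrss
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exe_of(cmd):  # program part of a Run value: the quoted path if quoted, else first token
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]

def analyze_o4(log, windir):
    """Return {(key, name): [reasons]} for every O4 entry that trips a heuristic."""
    findings = {}
    for m in O4_RE.finditer(log):
        key, name, cmd = m.groups()
        exe = exe_of(cmd)
        d = ntpath.dirname(exe).lower()
        stem = ntpath.splitext(ntpath.basename(exe))[0].lower()
        reasons = []
        if not d:  # bare name: resolved through the search path, so a planted copy can win
            reasons.append("unqualified path")
        if stem in EXPECTED_DIR:
            want = EXPECTED_DIR[stem].format(windir=windir).lower()
            if d != want:
                reasons.append(f"{stem}.exe launched from '{d}' instead of '{want}'")
        elif any(edit_distance(stem, n) <= 2 for n in EXPECTED_DIR):
            reasons.append(f"{stem}.exe looks like a system binary name")
        if d.startswith(("c:\\winnt", "c:\\windows")) and not d.startswith(windir.lower()):
            reasons.append(f"claims a Windows directory, but windir is {windir}")
        if reasons:
            findings[(key, name)] = reasons
    return findings
```

Entries that trip only "unqualified path" (mobsync.exe here) are low confidence on their own and need a look at what the name actually resolves to; the other reasons are what make the Fonts, csrs32 and WINNT entries stand out.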
kevin s Posted May 14, 2004
Thanks nline*. I have Spybot and have run it, but I don't have Ad-Aware on this machine yet. I am current on Win updates, Norton AntiVirus and Norton firewall software. I'll run the Hijack program to clean up the meanies, then run everything again, per your directions. Yeah, some stuff definitely looked weird, but I didn't know what to grenade. This helps a lot.

Ed_P Posted May 14, 2004
According to Trend Micro, who own PC-cillin, you have the worm SDBOT.RD. You might check the Norton AV site to see what they have to say about it. Maybe they haven't updated their virus patterns yet or you missed one of their AV updates. It was only discovered 4/22.

nlinecomputers Posted May 14, 2004
> Thanks nline*. I have Spybot and have run it, but I don't have Ad-Aware on this machine yet. I am current on Win updates, Norton AntiVirus and Norton firewall software. I'll run the Hijack program to clean up the meanies, then run everything again, per your directions. Yeah, some stuff definitely looked weird, but I didn't know what to grenade. This helps a lot.

You should note that Spybot issued a brand new version, 1.3, just the day before yesterday. Unless you have the new one you are going to miss things. Ditto with Ad-Aware. Also, both programs need to be updated just like AV programs before you use them.

nlinecomputers Posted May 14, 2004
> According to Trend Micro, who own PC-cillin, you have the worm SDBOT.RD. You might check the Norton AV site to see what they have to say about it. Maybe they haven't updated their virus patterns yet or you missed one of their AV updates. It was only discovered 4/22.

Good find Ed. One more reason to run Housecall, as Trend Micro thinks this thing is NOT in the wild. That will inform them that it has now started to spread. Norton sucks at finding this kind of trojan. Get AVG or even PC-cillin. AVG is free.

kevin s Posted May 17, 2004
Fixed (and advice taken). Thanks, all.

nlinecomputers Posted May 17, 2004
No problem. Glad it is now working for you. Do you mind reposting a new copy of the HijackThis log, using the CODE marks? I'd like to make sure your system is fully purged. These little buggers are getting trickier by the second, and often you think you're clean only to have the program redownload the missing parts and fully reinfect you all over again.

kevin s Posted May 17, 2004
Will do. It's one of the computers here at work. I'll have to wait until the culprit (er, computer user) goes to lunch.

kevin s Posted May 18, 2004
Here 'ya go. Look better?

Logfile of HijackThis v1.97.7
Scan saved at 10:14:29 AM, on 5/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN2000\System32\smss.exe
C:\WIN2000\system32\winlogon.exe
C:\WIN2000\system32\services.exe
C:\WIN2000\system32\lsass.exe
C:\WIN2000\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WIN2000\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WIN2000\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WIN2000\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WIN2000\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WIN2000\System32\WBEM\WinMgmt.exe
C:\WIN2000\system32\svchost.exe
C:\WIN2000\Explorer.EXE
C:\WIN2000\system32\Promon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WIN2000\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Autodesk Architectural Desktop 3.3\acad.exe
C:\HIJACK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN2000\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8081.4319444444
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\InstBanr.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\AcPreview.ocx

nlinecomputers Posted May 18, 2004
Looks clean to me. There might be a few items you need to remove to improve boot time, but your end users may want them. But spyware-wise it is clean. I would advise you to download and install SpywareBlaster and SpywareGuard. They both help block spyware from being installed. Running Mozilla instead of IE would also help prevent that crap from coming back.

kevin s Posted May 18, 2004
Thanks, again. I'm the only one here using Firefox right now. I'll also take a look at those other two programs.