
IE starts at boot up


kevin s


P3/1000 Win2000 IE6.0x
IE starts at (actually after, I guess) boot. It doesn't show up in the startup group. Where do I look to turn this thing off?


Nope. Starts at the homepage. Not hijacked.
Can I go into the startup section of the registry and "rem" the line items? Both are program related, not system.


nlinecomputers

Most likely this is a spyware/adware/malware problem.

First update your Anti-Virus program and do a full scan. Or visit http://housecall.trendmicro.com/ to do an online scan. (It's often worth doing even if you do have an AV program, as it can pick up things others can't.)

I would download Spybot S&D, update and run that, followed by running Ad-Aware.

If those two don't clean you out and clear up your problem then we would need to see what is called a HijackThis log. Download and run HijackThis and do what is called a log output and post that here. (Use the forums' CODE function, not QUOTE...) It is usually safe to put a check mark by any search and start page setting it lists which you haven't put there yourself and choose fix. Do the same for any hosts file entries. If it lists anything as O5, O6, or O7, fix those as well. Please ask for advice before using HijackThis to change anything else.


IE starts at boot. Just finished the same problem on a friend's computer. She did a lot of downloads, games, devices, etc. Something wants her ONLINE AT STARTUP. AOL messenger, Yahoo messenger, the Weather Channel are always my first checkout to remove the checkmark to START WHEN WINDOWS STARTS in the preferences or options section. Some programs are famous for taking over your system. Good luck.


Both are program related
Both? :blink: Does MSConfig exist in W2K? If so, Start>Run>msconfig will show what's being started and allows tasks to be deactivated. If nothing obvious shows up then updating your av and scanning the hd or running Trend Micro's Housecall followed by a search for spyware using Adaware and SpyBot should be done. If you run ZoneLabs' ZoneAlarm it should show what's accessing the net from within the pc.
Is the pc connected to a dial up ISP or broadband?

Took the "Hijack This" suggestion. Here is the log for those smarter than me (all a' ya'):

Logfile of HijackThis v1.97.7
Scan saved at 2:02:02 PM, on 5/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN2000\System32\smss.exe
C:\WIN2000\system32\winlogon.exe
C:\WIN2000\system32\services.exe
C:\WIN2000\system32\lsass.exe
C:\WIN2000\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WIN2000\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WIN2000\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WIN2000\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WIN2000\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WIN2000\System32\WBEM\WinMgmt.exe
C:\WIN2000\system32\svchost.exe
C:\WIN2000\Explorer.EXE
C:\WIN2000\system32\Promon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WIN2000\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\HIJACK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN2000\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [TaskMan] C:\WIN2000\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Explorer] C:\WIN2000\Fonts\explorer.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [System32-Driver] csrs32.exe
O4 - HKLM\..\Run: [Explorer Updater] IEXPLORE.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Vidriver] C:\WINNT\SYSTEM32\hjbfec.exe
O4 - HKLM\..\RunServices: [System32-Driver] csrs32.exe
O4 - HKCU\..\Run: [System32-Driver] csrs32.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38081.4319444444
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\InstBanr.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\AcPreview.ocx

Edited by ross549

nlinecomputers

You've got a trojan downloader.
Several of the items in your hijack file are suspect.

O4 - HKLM\..\Run: [TaskMan] C:\WIN2000\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Explorer] C:\WIN2000\Fonts\explorer.exe

Explorer running in the FONT directory?

O4 - HKLM\..\Run: [System32-Driver] csrs32.exe
O4 - HKLM\..\Run: [Explorer Updater] IEXPLORE.exe
O4 - HKLM\..\RunServices: [System32-Driver] csrs32.exe
O4 - HKCU\..\Run: [System32-Driver] csrs32.exe

You can check and remove them with HijackThis but I suspect that a hidden service will just restore them.

Download Spybot and Ad-Aware and run both without delay. Visit the Housecall site as well. Your system needs to be purged and not all the items will show up on any of these tools. YOU MUST RUN THEM ALL.

Do that and then post a new hijack log after you have done the three things listed in my first post!

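The checks nlinecomputers applies by eye to the O4 entries above, written as a small triage script. This is an added example, not part of the original thread or of HijackThis; the reference list of system images, the 0.7 similarity cutoff and the function names are assumptions, and the sample lines are copied from the log posted earlier in the thread.

```python
import ntpath
import re
from difflib import get_close_matches

# Genuine Windows images and the directory, relative to the Windows root,
# each normally runs from (assumed reference list for this example).
SYSTEM_IMAGES = {"explorer.exe": "", "rundll32.exe": "system32",
                 "csrss.exe": "system32", "svchost.exe": "system32"}
BROWSER = "iexplore.exe"
O4_RUN = re.compile(r"^O4 - (HK\S+): \[([^\]]*)\] (.+)$")

def image_path(command):
    """Executable part of a Run value, without quotes or arguments."""
    match = re.match(r'"([^"]+)"|(.+?\.exe)\b', command.strip(), re.IGNORECASE)
    return (match.group(1) or match.group(2)) if match else command.strip()

def review_o4(line, windows_root):
    """Return the reasons an O4 Run entry deserves a closer look (empty if none)."""
    parsed = O4_RUN.match(line.strip())
    if not parsed:
        return []
    path = image_path(parsed.group(3))
    folder, name = ntpath.dirname(path).lower(), ntpath.basename(path).lower()
    reasons = []
    if name in SYSTEM_IMAGES and folder:
        expected = ntpath.normpath(ntpath.join(windows_root, SYSTEM_IMAGES[name]))
        if folder != expected.lower():
            reasons.append("system image name outside " + expected)
    if folder.endswith("\\fonts"):
        reasons.append("executable in a Fonts directory")
    if name == BROWSER:
        reasons.append("browser started from a Run key")
    elif name not in SYSTEM_IMAGES:
        stems = [ntpath.splitext(n)[0] for n in SYSTEM_IMAGES]
        near = get_close_matches(ntpath.splitext(name)[0], stems, n=1, cutoff=0.7)
        if near:
            reasons.append("name resembles " + near[0] + ".exe")
    return reasons

# Lines copied from the HijackThis log posted in this thread.
SAMPLE = r"""O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TaskMan] C:\WIN2000\Fonts\rundll32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [System32-Driver] csrs32.exe
O4 - HKLM\..\Run: [Explorer Updater] IEXPLORE.exe"""

def flagged(log=SAMPLE, root=r"C:\WIN2000"):
    return {l: r for l in log.splitlines() if (r := review_o4(l, root))}
```

An empty result only means none of these three patterns matched; it does not clear an entry.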

Thanks nline*. I have spybot and have run it, but I don't have ad-aware on this machine yet. I am current on Win updates, Norton Antivirus and Norton firewall software. I'll run the Hijack program to clean up the meanies, then run everything again, per your directions.
Yeah, some stuff definitely looked weird, but I didn't know what to grenade. This helps a lot.


According to Trend Micro who own PC-cillin you have the Worm SDBOT.RD. You might check the Norton AV site to see what they have to say about it. Maybe they haven't updated their virus patterns yet or you missed one of their AV updates. It was only discovered 4/22.


nlinecomputers
Thanks nline*. I have spybot and have run it, but I don't have ad-aware on this machine yet. I am current on Win updates, Norton Antivirus and Norton firewall software. I'll run the Hijack program to clean up the meanies, then run everything again, per your directions. Yeah, some stuff definitely looked weird, but I didn't know what to grenade. This helps a lot.
You should note that Spybot issued a brand new version, 1.3, just the day before yesterday. Unless you have the new one you are going to miss things. Ditto with Ad-Aware. Also both programs need to be updated just like AV programs before you use them.

nlinecomputers
According to Trend Micro who own PC-cillin you have the Worm SDBOT.RD.  You might check the Norton AV site to see what they have to say about it.  Maybe they haven't updated their virus patterns yet or you missed one of their AV updates.  It was only discovered 4/22.
Good find, Ed. One more reason to run Housecall as TrendMicro thinks this thing is NOT in the wild. That will inform them that it has now started to spread. Norton sucks at finding this kind of trojan. Get AVG or even PC-Cillin. AVG is free.

nlinecomputers

No problem. Glad it is now working for you. Do you mind reposting, using the CODE marks, a new copy of HijackThis? I'd like to make sure your system is fully purged. These little buggers are getting trickier by the second and often you think you're clean only to have the program redownload the missing parts and fully reinfect you all over again.


Will do. It's one of the computers here at work. I'll have to wait until the culprit ('er computer user) goes to lunch.


Here 'ya go. Look better?

Logfile of HijackThis v1.97.7
Scan saved at 10:14:29 AM, on 5/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WIN2000\System32\smss.exe
C:\WIN2000\system32\winlogon.exe
C:\WIN2000\system32\services.exe
C:\WIN2000\system32\lsass.exe
C:\WIN2000\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WIN2000\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WIN2000\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WIN2000\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WIN2000\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WIN2000\System32\WBEM\WinMgmt.exe
C:\WIN2000\system32\svchost.exe
C:\WIN2000\Explorer.EXE
C:\WIN2000\system32\Promon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WIN2000\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Autodesk Architectural Desktop 3.3\acad.exe
C:\HIJACK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN2000\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8081.4319444444
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\InstBanr.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3.3\AcPreview.ocx


nlinecomputers

Looks clean to me. There might be a few items you need to remove to improve boot time but your end users may want them. But spyware-wise it is clean.

I would advise you to download and install SpywareBlaster and SpywareGuard. They both help block spyware from being installed. Running Mozilla instead of IE would also help prevent that crap from coming back.
