Internet explorer pops a dos prompt window


ybs
09-10-2000, 10:38 AM
Anyone run across this strange behaviour:

Pressing the navigation buttons sometimes pops up a dos prompt window that I think tries to run a command that is not found. This is of course most disturbing. I am using IE5.5 on WinME.

BBA
09-10-2000, 10:57 AM
How about using system file checker?

bobcat
09-11-2000, 05:53 AM
I am no hacker so don't take me for verbatim.

Just reading "Hacking Exposed." Though what I am going to quote isn't your situation, it sounds like it could be a variation.

"For example, an intruder could replace regedit.exe in winnt\system32 with a batch file named regedit.cmd. When an unsuspecting Administrator comes along and calls 'regedit' from the command line to perform some other task, the batch file is launched."

"Trojan Countermeasures: Keep an eye out for fishy behavior like command shells briefly flashing before applications fail to launch."

Seems to me that you have some variation of above, but, what do I know?

[This message has been edited by bobcat (edited 09-11-2000).]

ybs
09-13-2000, 10:55 AM
The problem still persists. Here's what I have so far :

1) I remind you that I'm running WinME... So NO system file checker here (it is replaced by 'System File Protection'; go to www.winsupersite.com (http://www.winsupersite.com) for details).
2) I tried a new anti-virus program (H+BEDV AntiVir). Before that I ran a scan with Norton Antivirus. Both came up with nothing.
3) I ran 2 trojan detectors (Moosoft's 'The cleaner' and Tauscan). 'The cleaner' came up with "CC Invader" and cleaned it, but the problem remains (perhaps because of the Norton Deleted files protection ???). Tauscan came up with nothing.
4) I've used 'Conceal PC Firewall' for a while and now switched to ZoneAlarm.

Any more ideas ?

(I'll try to turn off Norton Protection and re-run 'The cleaner'...)

psyklone
09-16-2000, 06:35 AM
Check your startup group in msconfig and I bet you'll find an entry for StartIE ... this is a common symptom for the qaz trojan that's making its rounds.

ybs
09-16-2000, 11:59 AM
Sorry, no such luck.

(BTW, if you REALLY want to know what's going on at startup, use "Startup Control Panel" by Mike Lin)

Just for the record - I am not at all sure that this is not some sort of IE bug/feature/whatever. If this was a trojan, ZoneAlarm would notify me of any attempt to reach the Net by a new program (or so I hope).

BFlurie
09-16-2000, 02:30 PM
Just a suggestion -- use "Find" on My Computer & search for *.pif files. It's possible one of these is getting called somehow. Also, you could try deleting any entry in c:\windows\pif (won't hurt anything).

ybs
09-17-2000, 02:16 PM
The Windows\PIF directory is empty.

As for searching for PIFs on my HDs... Too many to count but none look suspicious or recent enough.

ybs
09-29-2000, 04:20 PM
New findings...

I used FileMonitor (from the www.sysinternals.com (http://www.sysinternals.com) site) to check out the file activity on my system. Turns out that IE was trying to execute SC.EXE but failed to find it. I changed the path (in WinME it's somewhere in the registry, I forget where now) so no more old directories were specified. The only thing this action caused was that the MS-DOS window popping up now indicates that it is indeed SC.EXE (found in my windows\system directory) that is running, and ZoneAlarm alerts me that it is trying to reach the Net.
I searched for SC.EXE all over the registry and found it only at [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU], which is (I think) the very same built-in search tool I used to search for SC.EXE in the first place...
As far as I can tell, SC.EXE is a command-line service control program for WinNT found in its resource kit.

Any suggestions ?
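
Added example, not part of the original thread: a small audit for the two path-lookup situations discussed above, the batch file standing in for regedit that bobcat quotes and the bare SC.EXE lookup ybs traced through a path containing old directories. The extension order, the function names and the sample directory tree are assumptions made for illustration.

```python
"""Added example: list command names that resolve ambiguously on a Windows-style search path."""
import os
import tempfile

# Assumed extension order (PATHEXT-style); adjust to the system being checked.
DEFAULT_EXTS = (".com", ".exe", ".bat", ".cmd", ".pif")
SCRIPT_EXTS = {".bat", ".cmd", ".pif"}


def candidates(dirs, exts=DEFAULT_EXTS):
    """Map each command stem to its runnable files, in the order a bare name is resolved."""
    found = {}
    for d in dirs:                      # directories are searched in the order given
        try:
            names = os.listdir(d)
        except OSError:
            continue                    # stale path entries (old directories) are skipped
        by_ext = {}
        for n in names:
            stem, ext = os.path.splitext(n.lower())
            if ext in exts:
                by_ext.setdefault(ext, []).append((stem, os.path.join(d, n)))
        for ext in exts:                # within one directory, extension order decides
            for stem, path in sorted(by_ext.get(ext, [])):
                found.setdefault(stem, []).append(path)
    return found


def audit(dirs, exts=DEFAULT_EXTS):
    """Return (shadowed, script_first): stems with several candidates, stems won by a script."""
    found = candidates(dirs, exts)
    shadowed = {s: p for s, p in found.items() if len(p) > 1}
    script_first = {s: p[0] for s, p in found.items()
                    if os.path.splitext(p[0])[1].lower() in SCRIPT_EXTS}
    return shadowed, script_first


def demo():
    """Constructed sample tree: an old directory ahead of the system directory on the path."""
    root = tempfile.mkdtemp()
    old, system = os.path.join(root, "old"), os.path.join(root, "system")
    for d, files in ((old, ["SC.CMD"]), (system, ["SC.EXE", "regedit.cmd", "notepad.exe"])):
        os.mkdir(d)
        for f in files:
            open(os.path.join(d, f), "w").close()
    return audit([old, os.path.join(root, "missing"), system])


if __name__ == "__main__":
    shadowed, script_first = demo()
    print("shadowed:", shadowed)
    print("script runs for bare name:", script_first)
```

On a real machine, pass the directories of the actual search path to audit() in their configured order; an entry in either result is something to inspect by hand, not proof of a trojan.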