Full Version: Spybot S&D and MS Word
my1stname
After I installed Spybot on my XP Home system, when I tried to locate a file in Word97, Word tried to dial out to some Internet sites. After the second time this happened, I clicked a check box that wouldn't show the box. Word does not try to dial out now. However, now every time I try to open a file, if the first file in the directory is .htm, Windows tries to convert it (even if I don't open it), and then shuts down. Anyone know how to fix this?
efabes
Unchecking a box to not show a connection probably will not stop it from dialing out. What kind of file are you trying to open? If it is an html file, then it may want to connect. If you do not know what it is, do not let it connect.

Do you have a network drive? Where is the file located?
Does something try to dial out when you open Word or just a particular file?
my1stname
I have Sygate PF. It notes that two instances of Word try to connect out.

The first is protocol=UDP, to IP address=127.0.0.1>127.0.0.1, local port= (around 2500-2700), remote port=the same as local port, application=winword.exe.

The second is protocol=TCP, to IP address = 0.0.0.0>64.94.55.00, local port=(around 2500-2700), remote port=443, application=winword.exe.

I did a reverse DNS lookup for the IP address 64.94.55.00 and found that it doesn't map to anything.

I created an advanced rule in Sygate to block all traffic on all ports by Winword. But it doesn't change anything. The traffic appears very briefly and is not logged at all.

The file is an html receipt for something I ordered online. I did not have this problem with the same file before I loaded Spybot. I don't have a network drive. It is on my local C: drive.
Dashwood95
Perhaps a silly question, but are you sure it's a locally saved HTML file and not just a link to the site? How did you save the file?
Pat(BL)


You are sure your Spybot S&D is the legitimate program and not one of the spoofs, aren't you?

Do you remember where you downloaded yours from?

Pat
efabes
Download HijackThis from my link below. Unzip/extract it to its own folder and then run the program. Choose ...scan and save log file. Copy the text of the entire log and paste it into a response. We should be able to see if you have any malware running.
my1stname
Logfile of HijackThis v1.99.1
Scan saved at 4:19:52 PM, on 5/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CallWave\IAM.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\SecurityTools\HijackThis\HijackThis1991.exe
C:\WINDOWS\system32\msiexec.exe

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.youravon.com/"); (C:\Documents and Settings\Hoor Siddiqui\Application Data\Mozilla\Profiles\default\9vvq7pst.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Hoor Siddiqui\Application Data\Mozilla\Profiles\default\9vvq7pst.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - (no file) (HKCU)
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bhgpr.com/CFIDE/classes/CFJava.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/26139bb66d8809ff3e22/...tzip/RdxIE2.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://www.rimfiremedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BEF4FD9-E76E-4D57-9ACE-BB36511735E6}: NameServer = 207.172.3.8 207.172.3.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{5BEF4FD9-E76E-4D57-9ACE-BB36511735E6}: NameServer = 207.172.3.8 207.172.3.9
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
ranchhand
My suggestion is to post your HT log in the Virus/Malware forum; I see several items that could be deleted, but the ones that jump out at me are the O17s, which may be LOP infections that are an attempted hijacking.

It would be a good idea for HKEY_ED or Angoid to take a look at the log.
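Added example, not part of the original thread or any poster's words: a small Python triage script for a HijackThis log like the one posted above. It groups entries by their code and lists the ones worth verifying by hand (missing target files, ActiveX downloads from a bare IP address, O17 NameServer values); the function names and the three checks are this example's own assumptions, and a listed entry is a prompt to verify, not a verdict.

```python
import re
from collections import defaultdict

# Sample lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/26139bb66d8809ff3e22/...tzip/RdxIE2.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BEF4FD9-E76E-4D57-9ACE-BB36511735E6}: NameServer = 207.172.3.8 207.172.3.9
Running processes:
C:\WINDOWS\Explorer.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "O17 - ..."
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?=[:/]|$)")
NAMESERVER = re.compile(r"NameServer = (.+)$")

def parse_entries(log_text):
    """Group 'CODE - detail' lines by code; headers and process paths are skipped."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return dict(groups)

def review_items(groups):
    """Return (code, reason, detail) tuples for entries to verify by hand."""
    items = []
    for code, details in groups.items():
        for d in details:
            if "(no file)" in d:
                items.append((code, "target file missing", d))
            m = IP_URL.search(d)
            if code == "O16" and m:
                items.append((code, "ActiveX fetched from bare IP: " + m.group(1), d))
            m = NAMESERVER.search(d)
            if code == "O17" and m:
                for ip in re.split(r"[,\s]+", m.group(1).strip()):
                    items.append((code, "confirm DNS server with ISP: " + ip, d))
    return items

if __name__ == "__main__":
    for code, reason, detail in review_items(parse_entries(SAMPLE_LOG)):
        print(f"{code:4} {reason}\n     {detail}")
```
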