Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Auto Dialer (referred from Malware)


  • Please log in to reply

#1
George S

George S

    Member

  • Member
  • PipPip
  • 11 posts
My pc with windows 2000 dials up my internet connection on its own. I have run Adaware, CWshredder, a-squared, and below is my hijackthis log.
These programs did find malware and removed it.

Usually I have to use my dial up connection first, and then after I disconnect, the pc tries to connect again.

I have ZoneAlarm and Generic Host Processes for Win32 Services (svchost.exe) is activated when the pc dials. The only way to stop the dialing is to block this in ZoneAlarm. Of course if I block it, my other computers cannot connect to the internet through this gateway computer.

I wonder if the malware checking programs left something that is causing the dialing. Below is my Hijackthis log.

I really appreciate any help in this.

Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 9:07:29 PM, on 5/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\EARTHL~1\PropelAC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Yonc\yonc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\mmc.exe
D:\Downloads\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\EARTHL~1\PropelAC.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [VortexTray] C:\WINNT\au30setp.exe 3
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: Yonc.LNK = C:\Program Files\Yonc\yonc.exe
O4 - Startup: Zone Labs Security.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://D:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink Accelerator\pac-image.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{F151B689-B128-4B8C-82FC-3A2403D291D7}: NameServer = 192.168.0.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
  • 0

Advertisements


#2
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hi there George! My name is Kat, and I will be helping you to get your pc problems straightened out.
After doing some research, I think I have it narrowed down to what is causing your problems, however I cannot be positive without a little analyzation. Could you please do something VERY important for me so we can get this nailed down??

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

I need you to go here:
The Spy Killer Forum

*Click on "New Topic"
*Put your name, e-mail address, and this as the title: "C:\Program Files\Yonc\yonc.exe "
*Put a link to this geeks to go topic in the description box. Also, copy and paste the top part of your post here about the "dials itself to the internet" just that one sentence or two is enough description.
*Then next to the file box. at the bottom, click the "browse" button, then navigate to this file:

C:\Program Files\Yonc\yonc.exe

*Press "Open".

*Click Post.

After it has posted, copy and paste the new topics' address line here in a reply for me. Everything I have found in my searching is ONLY for download sites. NOTHING is found in any of the sites we use to determine if a program is bad.

I will get a near immediate answer to that, and we will proceed to getting you fixed up!
  • 0

#3
George S

George S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Kat,
Thanks for looking into this problem. I know what yonk is. It is a utility that disconnects from the internet if a certain number of bytes are not transmitted over a given time period. I installed it over a year ago because when an internet connection is made by a pc on my network through this gateway, the gateway computer would never close the connection. Yonk senses that there is no activity and disconnects. Yonk is from emtec.com. I have never had a problem with yonk. Should I still create a topic called yonk if we already know what it is?
  • 0

#4
George S

George S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Also, yonk.exe has been blocked from the internet in ZoneAlarm. I wonder if Synchronization Manager could have anything to do with the dial ups. I do not have it set to do any synchronizing, but who knows..
  • 0

#5
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
If you are confident that yonc is not a problem, then we'll leave it alone for now. When I searched all the normal databases, such as liutilities.com and answersthatwork.com, the .exe didn't show up. The only place I found it anywhere on the web was for direct downloads of it. I coudln't find anything that told me exactly what it did, and whether it was good or bad.

ok, let's get going with the fixes in your log I know are bad! :tazz:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Now close all windows other than HiJackThis, then click Fix Checked.

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please delete these files using Windows Explorer(if present):
C:\WINNT\web\related.htm

Reboot normally.

Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Since the only obvious problem in your log is the Related, let's take a look at a Silent Runners log to see if anything may be lurking there.

*Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

[b]*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.



Post a reply here with a fresh HJT log taken after all above steps were done, a copy of the Ewido log, and a copy of the Silent Runners log.
  • 0

#6
George S

George S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here are the results of the scans and new HJT

Logfile of HijackThis v1.99.1
Scan saved at 9:11:50 PM, on 5/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\EARTHL~1\PropelAC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Yonc\yonc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *windowsupdate*
;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\EARTHL~1\PropelAC.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [VortexTray] C:\WINNT\au30setp.exe 3
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: Yonc.LNK = C:\Program Files\Yonc\yonc.exe
O4 - Startup: Zone Labs Security.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://D:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink Accelerator\pac-image.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{C038E93A-70E8-4EE2-A1B4-B03EAF03961C}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CCS\Services\Tcpip\..\{F151B689-B128-4B8C-82FC-3A2403D291D7}: NameServer = 192.168.0.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe


These are cookies that I think AdAware would pick up as well. I get these all the time. I had to stop the scan. I ran it again as shown in the following scan report.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:56:45 PM, 5/10/2005
+ Report-Checksum: 58AA2AA5

+ Date of database: 5/11/2005
+ Version of scan engine: v3.0

+ Duration: 19 min
+ Scanned Files: 35779
+ Speed: 29.94 Files/Second
+ Infected files: 32
+ Removed files: 32
+ Files put in quarantine: 32
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Spector1\Cookies\spector1@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@ads.vnuemedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@ads.xtra.co[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@bannerspace[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@bravenet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@c2.gostats[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@ehg-hasbro.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@ehg-salonmedia.hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@experts-exchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@landing.domainsponsor[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@looksmart[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@network[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@valueclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@valueclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Cookies\spector1@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Spector1\Local Settings\Temp\Cookies\spector1@bannerspace[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

Found a virus here but the pc continues to dial.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:22:17 PM, 5/11/2005
+ Report-Checksum: B78D27F2

+ Date of database: 5/11/2005
+ Version of scan engine: v3.0

+ Duration: 35 min
+ Scanned Files: 70355
+ Speed: 33.39 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINNT\Downloaded Program Files\WinCtlAdX.dll -> Spyware.WinAD.f -> Cleaned with backup


::Report End


Here is Silent Runners report.

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"Propel Accelerator" = "C:\PROGRA~1\EARTHL~1\PropelAC.exe" ["Propel"]
"NeroCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"VortexTray" = "C:\WINNT\au30setp.exe 3" ["Aureal, Inc."]
"Synchronization Manager" = "mobsync.exe /logon" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" = "ShimLayer Property Page"
-> {CLSID}\InProcServer32\(Default) = "c:\winnt\apppatch\slayerui.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\ssstars.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINNT\yosemite1.bmp"


Startup items in "Spector1" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\Spector1\Start Menu\Programs\Startup
"Yonc" -> shortcut to: "C:\Program Files\Yonc\yonc.exe" [null data]
"Zone Labs Security" -> shortcut to: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"shutdown" -> launches: "C:\shutdown.exe" ["http://www.beyondlogic.org"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\System32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINNT\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

I am wondering if there is something legitimate that is running that is not spyware. Also, I am currious about O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon. I deleted it using HJT and it comes back.
  • 0

#7
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hi again! I'm sorry that it took me this long to get back to you. I admit, that I am totally stumped, and asked for help from some of our Experts. After looking over your logs, everyone agrees that you have no malware showing in any of them. This is what was suggested:

Is it possible that the user accidentally set the computer to redial automatically (maybe using that Yonc program --- redialing seems to be one of its applications; see here:)
Yonc

What number the computer is dialing when it dials out? Is it the normal Earthlink number? If so, then probably nothing is malicious; a setting just needs to be tweaked somewhere.

After checking these things, if you feel you would like to try one other scan to check for any hidden Malware, then here is another thing you can do.


I need you to download MWav

This scan might take around 3+ hours to finish when set to scan everything. I need you to run MWav, put a check next to below items before scanning:

*Memory
*Startup Folders
*Drive - All Local Drives
*Folder - then click "browse" to change the directory to C: (default is C:\Windows)
*Registry
*System Folders
*Services
*Include Sub-Directory
*Scan All Files

Please make sure ALL of these are checked, then press the scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

Highlight the portion of the scan that lists infected items and hold CTRL + C to Copy then paste it here. The whole log will be extremely BIG so there is no way to copy the whole thing. I just need the infected items list.
  • 0

#8
George S

George S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
My home network runs through the pc that is dialing out. I have Internet Connection Sharing enabled so my other pcs can access the dial-up connection through this gateway. (Slow browsing but it works).

When non of my connected pcs are turned on, I discovered that if I disable the network, this gateway computer does not dial out. The Zone Alarm icon in the system tray does not flash. When I enable the network, Zone Alarm gets active and the pc dials. Zone Alarm does not indicate that a program is trying to access the internet. So I think it has something to do with the local area network not being happy unless it connects to the internet. Is this possible? Is there a setting I need to change? Do I need to post this in a different area now? Thanks!!!
  • 0

#9
George S

George S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
In Zone Alarm the Services and Controller App icon at the top flashes. Here is what SERVICES.exe is running: 220 SERVICES.EXE Svcs: Browser, Dhcp, dmserver, Dnscache, Eventlog, lanmanserver, lanmanworkstation, LmHosts, Messenger, PlugPlay, ProtectedStorage, seclogon, TrkWks, Wmi Is one of these causing the LAN to need an internet connection?
  • 0

#10
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
YOu are clean of Malware now, so I am going to move this thread over to the Networking section. I honestly don't know much about networks, and I want to make sure you get the best possible advice!!

Good luck to you!!
  • 0

Advertisements


#11
Dan

Dan

    Trusted Tech

  • Retired Staff
  • 1,771 posts
By 'dials up my internet connection on its own', do you mean -
1) When you start up your computer, it automatically attempts to establish a connection; or
2) Whilst connected, it attempts to reconnect; or
3) You disconnect yourself from the internet, and then it tries to re-establish a connection; or
4) A different situation, in which case could you please just tell me what happens.

Have you recently upgraded to SP2? How long has this been occurring? Did it just suddenly start occurring out of the blue, or has it been an ongoing issue?

I have a feeling that it is this Yonc.exe application which is causing the connections;
-Have you tried disabling Reconnect on remote disconnect?
-When Yonc is not running, does this still occur?
-In Safe Mode with Networking, does the problem persist (once you have established a connection)?

If you disconnect the Host computer from the network, and run it normally, does it still try to reconnect on its own?

At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load.
Therefore, because the problem stops occurring when you block svchost, it would suggest that it is an 'OnStartup' application that is causing this problem -- I think it's Yonc. When you remove Yonc from the start up list, does the problem persist?
  • 0

#12
George S

George S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Dan G,

I have SP4.
Yonk has been blocked in Zone Alarm for quite some time. I did remove it from start up and the pc dials.

By dials, from a cold start, the system will come up. ONLY after I connect to the internet does the computer reconnect to my ISP. I have found that if I disable my network, the computer does not dial. If I disconnect the LAN cable, the commuter does not dial. So I think that my LAN wants the internet as part of its network.

I also stop dialing by going to the sharing tab of my ISP connection and unchecking on-demand dialing. However this makes it impossible to establish an internet connect from a pc on my network. I can see that the pc is trying to connect but without on-demand dialing, ZA just blinks.

I am using a program called Active Ports and when the computer tries to connect itself, SERVICES.exe is flashing. Services.exe also flashes in Zone Alarm.
  • 0

#13
noahdfear

noahdfear

    Malware Expert

  • Expert
  • 1,316 posts
  • MVP
Hi George,

Hope you don't mind me poking in here. :tazz:

Would you please see if you can narrow the connection initiation down to 1 or more network PC's. Disconnect all and then reconnect one at a time. If you find 1 as the culprit, run an MWAV scan on it and let us know the results, please.
  • 0

#14
George S

George S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here is the virus portion of MWav. It looks like I do have a number of viruses that the other virus checkers did not identify. The free version of MWav does not get rid of the virus. I suppose I'll delete the items it says are viruses.

One thing that surprised me, many of the viruses are in the subfolders of temporary internet files. In IE, I clicked to clear the temporary files, yet it does not clear the subfolders. Why are there these subfolders?

Here is the virus report.
Object "Quicken Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Roings Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\hrtbeat.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\miniclipGameLoader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\WinCtlAdX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\ZIntro.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\system32\MFImgVwr.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Intuit\Shared\ARHELP.CNT". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\hrtbeat.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\ZIntro.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\miniclipGameLoader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\WinCtlAdX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\system32\MFImgVwr.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Activision". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Activision\Star Trek - Armada". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Program Files\Activision\Star Trek - Armada\uninstall". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\Context.test" refers to invalid object "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}". Action Taken: No Action Taken.
Entry "HKCR\Context.test.1" refers to invalid object "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\WinCtlAdX.Installer" refers to invalid object "{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}". Action Taken: No Action Taken.
File C:\WINNT\TEMPOR~1\Content.IE5\SVQ9ON2F\SmileyCentralFWBInitialSetup1.0.0.8-2[1].cab tagged as "not-a-virus:AdWare.ToolBar.MyWebSearch". Action Taken: No Action Taken.
File C:\Documents and Settings\Spector1\Local Settings\Temporary Internet Files\Content.IE5\7EODHXS8\a1[1].htm infected by "Trojan-Clicker.JS.Linker.j" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Spector1\Local Settings\Temporary Internet Files\Content.IE5\OJHXS8IY\1[1].htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Spector1\Local Settings\Temporary Internet Files\Content.IE5\OJHXS8IY\adv343[1].htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Spector1\Local Settings\Temporary Internet Files\Content.IE5\OJHXS8IY\archive[1].jar infected by "Exploit.Java.Bytverify" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Spector1\Local Settings\Temporary Internet Files\Content.IE5\OJHXS8IY\counter[1].gif infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Spector1\Local Settings\Temporary Internet Files\Content.IE5\OJHXS8IY\prompt[1].php infected by "Trojan-Downloader.JS.WinAD.a" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Spector1\Local Settings\Temporary Internet Files\Content.IE5\QLVZUMN3\22[1].exe infected by "Trojan.Win32.Dialer.bk" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Spector1\Local Settings\Temporary Internet Files\Content.IE5\QLVZUMN3\prompt[1].htm infected by "Trojan-Downloader.JS.IstBar.j" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Spector1\Local Settings\Temporary Internet Files\Content.IE5\QLVZUMN3\toolbar[1].exe tagged as "not-a-virus:AdWare.ToolBar.Perez.e". Action Taken: No Action Taken.
File C:\WINNT\system32\drivers\etc\hosts.bak infected by "Trojan.Win32.Qhost.al" Virus! Action Taken: No Action Taken.
File C:\WINNT\Temporary Internet Files\Content.IE5\SVQ9ON2F\SmileyCentralFWBInitialSetup1.0.0.8-2[1].cab tagged as "not-a-virus:AdWare.ToolBar.MyWebSearch". Action Taken: No Action Taken.
File D:\CAVEDOG\TOTALA\CC\Ccquery.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\CAVEDOG\TOTALA\downloaded maps\AbysmalLake.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\CAVEDOG\TOTALA\downloaded maps\Cloudious Prime.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\CAVEDOG\TOTALA\downloaded maps\LongLakes.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\CAVEDOG\TOTALA\downloaded maps\Ponds.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\CAVEDOG\TOTALA\downloaded maps\StarfishIsle.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\Quake III Arena\Check for Q3A Updates.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLED\Dd3\Setup\Mid\Msap3.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLED\Dd4\NavHelper\v2.0.3\NHelper.dll tagged as "not-a-virus:AdWare.NavExcel.d". Action Taken: No Action Taken.
File D:\RECYCLED\Dd4\NavHelper\v2.0.3\NHUninstaller.exe tagged as "not-a-virus:AdWare.NavExcel". Action Taken: No Action Taken.
File D:\RECYCLED\Dd4\NavHelper\v2.0.3\NHUpdater.exe tagged as "not-a-virus:AdWare.NavExcel.b". Action Taken: No Action Taken.
File D:\RECYCLED\Dd6\DVDsetup.exe tagged as "not-a-virus:AdWare.NavExcel.d". Action Taken: No Action Taken.
  • 0

#15
noahdfear

noahdfear

    Malware Expert

  • Expert
  • 1,316 posts
  • MVP
Logon to the Admin account in safe mode, make sure you're viewing hidden files and folders, then navigate to the C:\Documents and Settings\Spector1\Local Settings\Temporary Internet Files\Content.IE5 folder through Windows Explorer, select all and delete.
Do the same for C:\WINNT\Temporary Internet Files\Content.IE5
Empty the recycle bin.

Would you zip and email me a copy of that hosts.bak file please. Click here. Enter GTG-hosts.bak in the subject line.

And the results of re-connecting 1 PC at a time??
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP