PDA

View Full Version : Mystery Program Dialing Internet


Randal
June 19th 04, 01:58 PM
Is there a way to tell what program brings up the internet dialer as soon as
my computer boots up?

Sandi - Microsoft MVP
June 20th 04, 12:25 PM
There are many people who have helped this FAQ improve over time - MVPs and
newsgroup users. I thank all of you who have made the newsgroups,
anti-malware websites and dedicated mailing lists into such a wonderful
resource.

IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from
the URL below - some malware can kill your internet connection when it is
removed, and this software should get things going for you again:
http://www.cexx.org/lspfix.htm

IMPORTANT: After obtaining the software below, make sure you check for
updates and then run the programmes in safe mode.

You can go to the link below to check your system for parasites (supplied by
Doxdesk.com):
http://inetexplorer.mvps.org/parasite.htm

Malware removal (beginners guide):

First, go to Control Panel, add/remove programs. Check for malware entries
and use the uninstall programs.

Second, get AdAware. [..Warning: AdAware is now version 6.181. All previous
versions are NO LONGER SUPPORTED and will not be updated...]

AdAware is available at www.lavasoft.de. Make sure you check for updates
every time you use it.

To be most effective, you must run AdAware while Windows is in safe mode.

Modern malware uses more than one process, and these processes are
'co-dependent'. In other words, when one processes detects that the other
has been shut down, it automatically restarts its sibling, often using a
different name.

Disable the ability of suspect processes to start automatically by using
MSCONFIG (startup tab) before booting into safe mode. Use the information
at the URL below as a guide:

http://www2.whidbey.com/djdenham/Uncheck.htm

Reboot your computer and hold down the F8 key until the boot menu options
appear. Select 'safe mode'. After you are in safe mode, check to make sure
the suspect processes did not start up. If they did start up, we are going
to have to track down *where* they are coming from before going any further.
An experienced computer technician can use programme such as AutoStart
Viewer for in-depth diagnosis:
http://www.diamondcs.com.au/index.php?page=asviewer

While still in safe mode, and after you have shut down as many malware
processes as possible, start AdAware. AdAware, when run using default
settings, simply does not cope with new 'intelligent' malware. Make sure
'activate in depth scan' is enabled. Select 'use custom scanning options'
and then click on the 'customize' button. Turn on the following scan
options - scan within archives, active processes, registry (including deep
scan), IE favorites and hosts file. You must also turn on the following
option via the 'tweak' button:

Cleaning engine: 'automatically try to unregister objects prior to deletion'

IMPORTANT: Before letting AdAware delete malware, write down on a piece of
paper exactly where the malware is stored. You will need to delete those
directories after AdAware has done its work, but ONLY IF IT IS NOT A
STANDARD WINDOWS DIRECTORY.

After running AdAware, run it again, this time using the option 'select
drives/folders to scan'. Click on 'select'. Scan your entire hard drive.
Also do the following:

Empty your IE cache and your other temporary file folders, eg:
c:\windows\temp (if using Windows 98) or C:\Documents and
Settings\<name>\Local Settings\Temp (the path to your temp folder will
change depending on your name) - sometimes programmes can be hidden in
there - watch out for mysterious *.exe files or *.dll files in those
folders.

Go to IE Tools, Internet Options, Temporary Internet Files {Settings
Button}, View Objects, Downloaded Programme Files. Check for unusual objects
there.

Go to IE Tools, Internet Options, Accessibility. Make sure there is no
style sheet chosen (under User Style Sheet - format documents using my style
sheet). If the option is turned on, turn it OFF.

It is possible to turn off third party extensions (Enable third-party
browser extensions (requires restart) at IE tools, internet options,
advanced) to disable *all* plug-ins but troubleshooting will be difficult
and it is only a BANDAID. Nothing gets fixed. There is software that
depends on 'third party browser extensions" to work, including Acrobat,
Microsoft Money, and many other programmes.

Once your computer is clean, and if it applies to your operating system,
create a new restore point. Your old ones may, of course, be infected with
the malware and therefore cannot be used. Run disk cleanup to remove old
restore points (if you operating system has this option you will find it on
the 'more options' tab of the disk cleanup utility).

If you are still having problems:

You can go to the link below to check your system for parasites and
hopefully identify your problem (supplied by Doxdesk.com):

http://inetexplorer.mvps.org/parasite.htm

Download and run the latest version of "Cool Web Shredder"
http://www.merijn.org/files/CWShredder.exe

The more experienced user can try Spybot. Again, it is a free programme
which can be downloaded from: http://spybot.eon.net.au/. Warning: it is NOT
a good programme for the inexperienced. If you want to use this programme,
please get the advice of those more experienced before 'fixing' anything
that it finds.

Another excellent programme that allows you to examine your system and
*create a results log for experts to examine* is HijackThis, available from:
http://209.133.47.12/~merijn/files/HijackThis.exe (direct download)

MS have released a limited KB article regarding what they call 'deceptive
software'.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315

Here is advice specific to:

home page hijackings
http://inetexplorer.mvps.org/answers.htm#home_page

pop-up ads
http://inetexplorer.mvps.org/data/popup.htm

search engine hijackings
http://inetexplorer.mvps.org/answers4.htm#search_engine

--
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org

"Randal" > wrote in message
...
> Is there a way to tell what program brings up the internet dialer as soon
> as
> my computer boots up?
>
>

Randal
June 23rd 04, 12:23 AM
I have gone through this email and run adaware and unchecked numerous
programs in msconfig startup. I continue to have a program attempt to dial
the internet immediately after start up. Is there any way to know what is
calling the dialer?

"Sandi - Microsoft MVP" > wrote in message
...
> There are many people who have helped this FAQ improve over time - MVPs
and
> newsgroup users. I thank all of you who have made the newsgroups,
> anti-malware websites and dedicated mailing lists into such a wonderful
> resource.
>
> IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX
from
> the URL below - some malware can kill your internet connection when it is
> removed, and this software should get things going for you again:
> http://www.cexx.org/lspfix.htm
>
> IMPORTANT: After obtaining the software below, make sure you check for
> updates and then run the programmes in safe mode.
>
> You can go to the link below to check your system for parasites (supplied
by
> Doxdesk.com):
> http://inetexplorer.mvps.org/parasite.htm
>
> Malware removal (beginners guide):
>
> First, go to Control Panel, add/remove programs. Check for malware
entries
> and use the uninstall programs.
>
> Second, get AdAware. [..Warning: AdAware is now version 6.181. All
previous
> versions are NO LONGER SUPPORTED and will not be updated...]
>
> AdAware is available at www.lavasoft.de. Make sure you check for updates
> every time you use it.
>
> To be most effective, you must run AdAware while Windows is in safe mode.
>
> Modern malware uses more than one process, and these processes are
> 'co-dependent'. In other words, when one processes detects that the other
> has been shut down, it automatically restarts its sibling, often using a
> different name.
>
> Disable the ability of suspect processes to start automatically by using
> MSCONFIG (startup tab) before booting into safe mode. Use the information
> at the URL below as a guide:
>
> http://www2.whidbey.com/djdenham/Uncheck.htm
>
> Reboot your computer and hold down the F8 key until the boot menu options
> appear. Select 'safe mode'. After you are in safe mode, check to make
sure
> the suspect processes did not start up. If they did start up, we are going
> to have to track down *where* they are coming from before going any
further.
> An experienced computer technician can use programme such as AutoStart
> Viewer for in-depth diagnosis:
> http://www.diamondcs.com.au/index.php?page=asviewer
>
> While still in safe mode, and after you have shut down as many malware
> processes as possible, start AdAware. AdAware, when run using default
> settings, simply does not cope with new 'intelligent' malware. Make sure
> 'activate in depth scan' is enabled. Select 'use custom scanning options'
> and then click on the 'customize' button. Turn on the following scan
> options - scan within archives, active processes, registry (including deep
> scan), IE favorites and hosts file. You must also turn on the following
> option via the 'tweak' button:
>
> Cleaning engine: 'automatically try to unregister objects prior to
deletion'
>
> IMPORTANT: Before letting AdAware delete malware, write down on a piece of
> paper exactly where the malware is stored. You will need to delete those
> directories after AdAware has done its work, but ONLY IF IT IS NOT A
> STANDARD WINDOWS DIRECTORY.
>
> After running AdAware, run it again, this time using the option 'select
> drives/folders to scan'. Click on 'select'. Scan your entire hard drive.
> Also do the following:
>
> Empty your IE cache and your other temporary file folders, eg:
> c:\windows\temp (if using Windows 98) or C:\Documents and
> Settings\<name>\Local Settings\Temp (the path to your temp folder will
> change depending on your name) - sometimes programmes can be hidden in
> there - watch out for mysterious *.exe files or *.dll files in those
> folders.
>
> Go to IE Tools, Internet Options, Temporary Internet Files {Settings
> Button}, View Objects, Downloaded Programme Files. Check for unusual
objects
> there.
>
> Go to IE Tools, Internet Options, Accessibility. Make sure there is no
> style sheet chosen (under User Style Sheet - format documents using my
style
> sheet). If the option is turned on, turn it OFF.
>
> It is possible to turn off third party extensions (Enable third-party
> browser extensions (requires restart) at IE tools, internet options,
> advanced) to disable *all* plug-ins but troubleshooting will be difficult
> and it is only a BANDAID. Nothing gets fixed. There is software that
> depends on 'third party browser extensions" to work, including Acrobat,
> Microsoft Money, and many other programmes.
>
> Once your computer is clean, and if it applies to your operating system,
> create a new restore point. Your old ones may, of course, be infected
with
> the malware and therefore cannot be used. Run disk cleanup to remove old
> restore points (if you operating system has this option you will find it
on
> the 'more options' tab of the disk cleanup utility).
>
> If you are still having problems:
>
> You can go to the link below to check your system for parasites and
> hopefully identify your problem (supplied by Doxdesk.com):
>
> http://inetexplorer.mvps.org/parasite.htm
>
> Download and run the latest version of "Cool Web Shredder"
> http://www.merijn.org/files/CWShredder.exe
>
> The more experienced user can try Spybot. Again, it is a free programme
> which can be downloaded from: http://spybot.eon.net.au/. Warning: it is
NOT
> a good programme for the inexperienced. If you want to use this
programme,
> please get the advice of those more experienced before 'fixing' anything
> that it finds.
>
> Another excellent programme that allows you to examine your system and
> *create a results log for experts to examine* is HijackThis, available
from:
> http://209.133.47.12/~merijn/files/HijackThis.exe (direct download)
>
> MS have released a limited KB article regarding what they call 'deceptive
> software'.
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315
>
> Here is advice specific to:
>
> home page hijackings
> http://inetexplorer.mvps.org/answers.htm#home_page
>
> pop-up ads
> http://inetexplorer.mvps.org/data/popup.htm
>
> search engine hijackings
> http://inetexplorer.mvps.org/answers4.htm#search_engine
>
> --
> _______________________________________
> Sandi - Microsoft MVP since 1999 (IE/OE)
> http://inetexplorer.mvps.org
>
> "Randal" > wrote in message
> ...
> > Is there a way to tell what program brings up the internet dialer as
soon
> > as
> > my computer boots up?
> >
> >
>

T R
June 23rd 04, 09:33 PM
"Randal" > wrote in
...
> I have gone through this email and run adaware and unchecked numerous
> programs in msconfig startup. I continue to have a program attempt to dial
> the internet immediately after start up. Is there any way to know what is
> calling the dialer?

Install a firewall like zonealarm and set it up to block all traffic. Clear
the logs of the firewall. Reboot your pc, and let the dialer dial!
Disconnect after a few minutes and examine the logs of the firewall.
It will show the program that attempts to dial, and the ip-address to which
it is trying to connect.

Remember that msconfig shows only programs that start when there is an entry
in the registry. Auto-updaters (like windows update) are not visible with
msconfig. Other programs, like rundll.exe or rundll32.exe, may be infected
with a dialer. So, run an up-to-date anti-virusprogram.

Grtz,

TR

Randal
June 24th 04, 10:03 PM
Great! Thanks.
"T R" <.@.> wrote in message
l...
> "Randal" > wrote in
> ...
> > I have gone through this email and run adaware and unchecked numerous
> > programs in msconfig startup. I continue to have a program attempt to
dial
> > the internet immediately after start up. Is there any way to know what
is
> > calling the dialer?
>
> Install a firewall like zonealarm and set it up to block all traffic.
Clear
> the logs of the firewall. Reboot your pc, and let the dialer dial!
> Disconnect after a few minutes and examine the logs of the firewall.
> It will show the program that attempts to dial, and the ip-address to
which
> it is trying to connect.
>
> Remember that msconfig shows only programs that start when there is an
entry
> in the registry. Auto-updaters (like windows update) are not visible with
> msconfig. Other programs, like rundll.exe or rundll32.exe, may be infected
> with a dialer. So, run an up-to-date anti-virusprogram.
>
> Grtz,
>
> TR
>
>
>