PDA

View Full Version : Dialup starts automatically



jferg
02-11-2004, 08:45 PM
When I turn on PC my dialup starts and keeps on trying to start when I keep shuting it down.
How do I fix please?
Jeff

45South
02-11-2004, 08:47 PM
Sounds like a virus or spyware
Search the FAQ's at the top of the page there is heaps on how to fix it

jferg
02-11-2004, 08:49 PM
Thanks I'll give it a go

45South
02-11-2004, 08:58 PM
Here is the link
Spyware Removal FAQ (http://pressf1.pcworld.co.nz/thread.jsp?forum=1&thread=52134&message=323275)

Shortstop
02-11-2004, 09:36 PM
Could be that Oldie but Goody.

TO STOP DIAL UP ON START-UP: In Internet Explorer select TOOLS- INTERNET OPTIONS-ADVANCED-Scroll to SECURITY-UNCHECK “ check for publisher’s revocation certificate”

CeeBee
02-11-2004, 09:38 PM
Hi Go to internet explorer on desk top (Win 9X), RIGHT click and go to properties and "connections", Ensure U havent ticked the box with "Connect when network connection IS NOT present" This will prob fix it.

Cheers CeeBee

jferg
02-11-2004, 09:51 PM
Have XP so will try shortstops reply..did new install last week after reformat

jferg
02-11-2004, 09:55 PM
Thank you shortstop. It was checked.
Do you play shortstop,shortstop?

Thanx all

jferg
02-11-2004, 10:11 PM
OOPPSS...That didn't fix it.
Unchecked that box then rebooted.....thennnn it bloody started to dial up again, I closed then wanted to start again, I closed etc etc

Pheonix
02-11-2004, 10:37 PM
Maybe an Anti-virus or firewall (zonealarm) trying to "phone home" to check for updates?

jferg
02-11-2004, 10:56 PM
Just disabled both the above then rebooted and it still starts the dial up!

Jim B
02-11-2004, 11:04 PM
To disable autodial, follow these steps:

Click Start, and then click Control Panel.

If you are using Category View, click Network and Internet Connections.

Click Network Connections, and then on the Advanced menu at the top, click Dial-up Preferences.

Click the Autodial tab.

Click to clear the check boxes that are listed under Enable autodial by location.

Click to select the Always ask me before autodialing check box (if not already selected).
.
Click to select the Disable autodial while I am logged on check box.

Click OK, and then close the Network Connections dialog box.

Rob99
02-11-2004, 11:23 PM
Do you have a website link in Start > All programs > Startup?

Spacemannz
03-11-2004, 08:10 AM
Hmm it sounds like it might be a dialler. If its still dialling out. I would either go to start/run and type msconfig. Then go to the startup tab. See if there are any strange entries there. And untick it.

Or press (Ctrl-Alt-Del) to bring up task manager and tell us whats there. If its still dialling out, and running, it'll be in here.

If it is a dialler, and its still in your system, you'll soon find out when u get your next phonebill!

jferg
03-11-2004, 06:12 PM
Yes, found it in Task manager.
If I cancel Process, it starts up again.
Did a search for the file then deleted it but still comes back.
At work tonight but think the file name in "rasdial" or "rasauto"
something like that.
How do I kill it?

jferg
03-11-2004, 06:26 PM
Just rang telecom "shaking"
But NO tolls or 0900 numbers have been rung...whew!
I did update drivers after new istall of windows (video and soundblaster) can't remember which one but one wanted to have something like a live update...things get a little fuzzy now so might go to web sights to track which one it is.

jferg
03-11-2004, 06:27 PM
Nothing in startup

_david_
03-11-2004, 06:32 PM
gday,

have you run adaware and spybot? they will almost definitely find it if you have a dialer running a muck. Perhaps you have not been billed for anything as you have always been there to cancel the dialing.

dave.

jferg
03-11-2004, 06:38 PM
No, sometimes the wifeE turns it on and leaves it
and have run adware but not spybot

Spacemannz
03-11-2004, 06:43 PM
According to Google, rasauto is a trojan or a dialler.

I think the entry for it is in the registry somewhere. Thats where and how it runs, when u boot up Windows.

It looks like it installs itself as a service.

Hmm altho rasautou (notice the u) and rasauto.dll are part of XP, (I think), and so is rasdial. BUT I dont think it runs normally in the background.

jferg
03-11-2004, 06:49 PM
when the wife gets home after 7, I will call her to find out exact file name

RoIdY
03-11-2004, 06:58 PM
download hijackthis and run it.. save log and post the log on this web again
maybe you have missed something the many eyes here can find and diagnose for you
it definately sounds like you have a dialer/trojan on your machine and its running either through regedit at start or msconfig

jferg
03-11-2004, 07:59 PM
Will do that when I get home tomorrow.
Just got WifeE to check file name in task manager that is the culprit.

It is "Rasautou.exe"

Last night I deleted it but it's back

Spacemannz
03-11-2004, 08:21 PM
Nope i think this file is safe. As i have the same file here.

It must be something else or a program you may have installed that uses the modem and dials out. Its rasauto.exe u have to worry about.

jferg
03-11-2004, 08:25 PM
OK, so I have to find out what is using RASAUTOU.exe to dial out

Easy I'll use a sledgehammer!!

No not really I'll try spybot tomorrow

45South
03-11-2004, 08:57 PM
I don't think you have gone thru the available FAQ's & recommendations yet, otherwise your problems would be gone by now

jferg
04-11-2004, 09:48 AM
Here is the Log from hijack this

Logfile of HijackThis v1.98.2
Scan saved at 9:38:24 AM, on 11/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\TaskBar\CTLTray.exe
C:\Program Files\Creative\TaskBar\CTLTask.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tvnz.co.nz/view/tvnz_index_skin/tvnz_index_group
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\TaskBar\CTLTask.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098906823951
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15A62A64-9567-4761-B553-CF8591F290E0}: NameServer = 203.96.152.4 203.96.152.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{15A62A64-9567-4761-B553-CF8591F290E0}: NameServer = 203.96.152.4 203.96.152.12

Spacemannz
04-11-2004, 10:10 AM
Are you on a network at all jferg?? Or is this pc youre on it. Just 1 PC??

That hijackthis log looks OK.

I would check all the programs that uve installed. Look in their prefs / options, and see if any are configured to update / dial out or something at a preset time or something.

Whatever it maybe, might be configured to dial about the same time u boot your system??

mark c
04-11-2004, 01:43 PM
If you leave it to dial out and connect where does it go to? I had something like this once and I always Ctl+Alt+Del to shut it down straight away but then I left it to do it's thing and then found out what it was. (Cool Web Search) Having identified it I could do something about it. HTH:D

Pheonix
04-11-2004, 02:02 PM
No malware that I can see either, but brought to light 3 applications that could be looking for updates..

1/ Windows auto update
2/ Nero
3/ Sound Blaster

Try turning off their "auto-update/autocheck for new versions" features.

jferg
04-11-2004, 10:18 PM
It's a standalone
Once dialed up it doesn't connect to anything that I can see
and I'll check out those 3 update files
Thanks

It is a real pain thou
I've started uninstalling programs that I think might be the cause

metla
04-11-2004, 10:33 PM
> It's a standalone
> Once dialed up it doesn't connect to anything that I
> can see
> and I'll check out those 3 update files
> Thanks
>
> It is a real pain thou
> I've started uninstalling programs that I think might
> be the cause


Stop rihgt there,Its obviously a program running in the background,Dont go uninstalling everything,just disable everything under startup and reboot,if it doesn't dial up(99 percent chance it wont)then start re-enabling the items one by one untill it tries to dial up,then u have your culprit,should only take a few minutes....

jferg
05-11-2004, 04:19 PM
Ok...Opened msconfig
Disabled all startup programs, rebooted but dial up still started
Back to msconfig and reenabled programs
Disabled allprograms under the services tab
Rebooted and it had stopped AHA!
By Process of illimination..Telephony had to be enabled to track down culprit.
Turns out that all but "Remote access auto conection manager" by microsoft can be enabled in the services tab, stops the dialup starting on bootup.
In otherwords "Remote access auto conection manager" program in the services Tab in msconfig starts the Dialup.
Is this file necessary? How can I get rid of it? and Are my conclusions plusable?

Jeff