Some Program trying to access the internet without permission.

Hi,
I was helping a friend update her computer with Norton Anti Virus and all went well. We also installed Spy Bot Search and Destroy and it scanned and ran well.

Now every time she turns on the computer, when at the desk top and before even doing anything, her computer automatically dials up the internet. This is not normal as it used to be. How can she find out what is causing the dial up connection to internet to go on, without even trying?

She has tried to run scan disk and made sure everything is turned off through Ctrl-Alt-Del with no screen saver running and it still stops and tells her that it has restarted 10 times because windows or another pogram has been writing to this drive, etc., etc., etc.

I even tried to have her run scandisk through the DOS but it also said that it was stopped and restarted 10 times.

The thing we would like to find out is "how to stop her computer from trying to get on the internet ". I also noted that when she double clicks Norton AntiVirus on her desktop it seems to want to connect to the internet instead of just opening the normal window. Could this be the problem.

Thanks for any help.
Jean

 

larsonjean--Not sure I understand what you mean by "dials up the internet ". Do you mean just accesses Internet Explorer? If so, what page is it going to?
Check IE Tools|Internet Options|Connections tab|is "Always dial my default connection" checked? If so uncheck it and check "Never dial a connection "|Apply|OK. If that solves the problem, then stop here.
Or is her dial up modem dialing continously while she is using the PC? In the latter case, it could be a spyware dialer. That could result in a big phone bill. (Did you update SpybotS&D with the latest reference files before running the scans?)
Suggest you download, install and scan with HiJackThis
http://www.spywareinfo.com/~merijn/downloads.html
Then suggest you copy and post the log here. It usually takes some help in interpretation before you delete anything.

 

That may be Norton doing that, if set to Auto Update.

 

Hi
Yes, I think the problem is with Norton. And I do believe we set it for Auto Updates. How do I turn it off and we will update it ourselves?

Yes, I mean it just accesses the internet. I did try going to Options, and unchecking "Always dial my default connection" and checked "never dial" but she didn't like that as when she went on internet explorer it didn't dial anything and she had to first connect through Verizon before opening IE.

Her dial up modem isn't dialing continously but it seems to try to get on line every few minutes or so, enough to stop the scan disk from functioning.

I don't believe she has spyware as she always runs AdAware and yes we did update it and Spybot and ran both of them.

I haven't downloaded HiJackThis yet as I don't think this is the problem.

Jean

 

larsonjean--It depends a bit on the version of Norton, but I suspect you will find a setting to turn off Automatic Updates by clicking the Options button when you open NAV from Start|(All) Programs.

 

We did find how to turn off Automatic Updating in Norton, then turned it off, restarted the computer, then ran "Scan Disk" again and after a few minutes Scan Disk came up with the same message, "It started 10 times, do you want to continue receiving these messages.

Any other ideas?

Jean

 

Jim,

Just in care it could be a spyware dialer I will suggest to my friend to download, install and scan with HiJackThis.

Then we'll post back a copy of the log and hope you can find something in there causing the problem.

Jean

 

Jean,

Did you try running the scan in safe mode? F8 or F5 on bootup.

Regards - Charles

 

larsonjean--And has your friend looked at the System Configurations Utility (Start|Run|type msconfig|OK|Startup tab to see (most of) the programs which run at boot? Anything suspicious there? And what programs are shown as running when she simultaneously clicks Control+Alt+Delete when that dialing starts?

 

Hi, I finally got over to my friend's house today. I am now sure the problem is within Norton Anti Virus. I turned off everything in msconfig and the computer did not try to access the internet but, of course, now Norton is not protecting the computer. These are the four files we turned off so one of them must be the culprit.
ccapp, ccregvfk (these are OK, I think)
ccevtMgr and Script Blocker (one of these is causing the problem, I think)
Any thing that you can come up with to fix this would be appreciated.

I did turn off auto update but this did not help at all.

I did run HiJack This in case this is the problem. Following is the log:
Logfile of HijackThis v1.98.2
Scan saved at 1:43:51 PM, on 10/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/

The way we have the computer set now is that all Norton is turned off through MSCONFIG and it does not dial up auto. We were able to run ScanDisk without it restarting 10 times but we do not have the Norton Virus protecting the system.

Jean
Thanks for any help.

 

Due to the use of a HJT log, this thread was moved to Security. I see nothing bad in the log, however it is flawed.
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
It appears you ran it from inside the Zip file, by starting it in Winzip. It works better unzipped into it's own folder.
And something is still left off? Else I wouldn't see this.
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder

 

I went over to my friend's house and deleted the old Norton entirely. Then we reloaded a new version 2004 which we bought at Office Depot with rebates.

Now all the problem with the modem starting is gone. We do not exactly know what the problem was but this took care of it.

Thanks for all your help.

Jean