Old 23-08-2005, 01:00 PM   #1 (permalink)
Right Off the Assembly Line
 
Join Date: Mar 2005
Posts: 5
Default Tries to connect automatically after 10 seconds ..why ?


hey guys
I have XP...The problem with my computer is that when i switch it on and start working on anything...immediately after 30 seconds or so...my computer starts to connect to the internet automatically...since i am using BSNL broadband...it fails to connect coz i switch off the modem..(it connects if the modem is on..and then i can work smooth but i don't want to be connected all time while using my pc)...
I cancel the connection but then it starts trying to connect to the internet after every 10-15 second gap and i have to cancel it every time..
this is so irritating..
i have uninstalled the modem driver and installed it again...made a new connection again...but the problem persists..
please help me someone
Raman
raman82@gmail.com :roll:
enter_the_matrix is offline  
Old 23-08-2005, 01:24 PM   #2 (permalink)
Microsoft MVP
 
Vishal Gupta's Avatar
 
Join Date: Jul 2005
Location: AskVG.com
Posts: 5,173
Default

Maybe some spyware s/w is trying to connect to net!
Type msconfig in Run dialog box and go to Startup tab, and check whether there is ne suspicious s/w listed.
If yes, then uncheck the checkbox and apply it.
U can also post a screenshot of the startup tab, so that all of us can find which s/w is causing that problem.
__________________
:arrow: http://www.AskVG.com/
Vishal Gupta is offline  
Old 23-08-2005, 01:25 PM   #3 (permalink)
Alpha Geek
 
club_pranay's Avatar
 
Join Date: Apr 2004
Location: United States
Posts: 624
Default

i am not sure but please try this way...
go to the internet explorer, tools....then internet options
go to the connections tab
here u'll see your modem dialup settings..
in this window, click on "never dial a connection"
"apply" and "ok"
pls reply if the problem remains.
__________________
Be not Thou far from me o Lord....o my strength....haste Thee to help me.
club_pranay is offline  
Old 23-08-2005, 01:59 PM   #4 (permalink)
Right Off the Assembly Line
 
Join Date: Mar 2005
Posts: 5
Default

thanx for the possible solutions guys...no they didn't work out..
Well, Pranay...i tried what u have suggested...but the connection already is set on "never dial a connection"
and Vishal, i find no suspicious s/w listed there..
enter_the_matrix is offline  
Old 23-08-2005, 03:33 PM   #5 (permalink)
Distinguished Member
 
anandk's Avatar
 
Join Date: Mar 2005
Location: Pune
Posts: 3,783
Default

club-pranays soln shud have wrkd...
...u know what, download 'active ports' from www.ntutility.com or a similar utility to show u who is trying to connect. realplayer, etc often try to connect 'suo moto'. once u'v found out who the asshxxx is, u can remove him from the startup, and disable 'auto connect' from its program settings also. try it. lets see if this helps.
__________________
> www.TheWindowsClub.com <
= www.WinVistaClub.com =
Microsoft® MVP
anandk is offline  
Old 23-08-2005, 04:16 PM   #6 (permalink)
Guest
 
Posts: n/a
Default

get hijackthis utility and give here log file .. here many persons are powerful to analyse it..
and check whether any dialer is in ur system . scan with antispyware with latest updates .

or one thing let it connect first by keeping modem on. and then using TCPVIEW utility check all active connection .. is any suspicious?

try it
 
Old 23-08-2005, 04:44 PM   #7 (permalink)
Right Off the Assembly Line
 
Join Date: Mar 2005
Posts: 5
Default

Here is the log file extracted by HIJACKTHIS utility
have a look




Logfile of HijackThis v1.99.1
Scan saved at 4:42:35 PM, on 8/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\System32\mwupdate32.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\netddeclnt.exe
C:\WINDOWS\netinfo.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\dfgj\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [microsft windows updates] mwupdate32.exe
O4 - HKLM\..\RunServices: [microsft windows updates] mwupdate32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - C:\WINDOWS\System32\netddeclnt.exe
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe
enter_the_matrix is offline  
Old 23-08-2005, 04:52 PM   #8 (permalink)
Right Off the Assembly Line
 
Join Date: Mar 2005
Posts: 5
Default

hey, i tried TCPVIEW utility too...
it shows some..."NETONE" AND "MWUPDATE" ALL THE TIME
mwupdate is MICROSOFT WINDOWS UPDATE..hey may be microsoft windows XP is trying for some updates or something and its automatically connecting the internet for some updates...but while i am connected, i see no updates...tried CTRL+ALT+DEL...but shows no updates...so why this MWUPDATE utility is running in background ?
its getting so confusing...
enter_the_matrix is offline  
Old 23-08-2005, 05:16 PM   #9 (permalink)
Wise Old Owl
 
siriusb's Avatar
 
Join Date: May 2005
Location: Chennai, India, Asia, the Earth, the Solar system, the Milky Way, the Local group, this Universe.
Posts: 1,171
Default

Maybe this is ur malware:
http://www.file.net/process/ycomp5_6_2_0.dll.html
__________________
http://myxp.blogspot.com
-----------------------
Winchester 3200+ @2,500MHz
LeadTek 7900GT VOLT MODDED @ 680 core, 1800 mem
2x1GB Transcend DDR400 @ DDR454 2.5,3,3,5,1T
siriusb is offline  
Old 23-08-2005, 06:48 PM   #10 (permalink)
Right Off the Assembly Line
 
Join Date: Mar 2005
Posts: 5
Default

hey..the link u gave showed that this is a malware caused due to yahoo toolbar installation....which i did a few days back (as i was installing yahoo messenger)...
but that link refers to a page which describes the malware but doesn't give a hint abt removing it except for the SPYDOCTOR utility which is shown in the end !!
how do i remove this malware ?
enter_the_matrix is offline  
Old 23-08-2005, 07:43 PM   #11 (permalink)
In The Zone
 
Join Date: Oct 2004
Location: Chennai
Posts: 400
Default

Try the following software to remove spyware:

1. SpyBot Search and Destroy click Here

2. Lavasoft Adware Removal Tool see here

These are some of the best malware removal tools and they are free. The only lack is realtime scanning........

Happy malware busting pal
__________________
Intel Pentium 4 2.40C @ 800 Mhz FSB,On Asrock P4i65GV, 1 GB Transcend DDR 400 Mhz,160 GB Seagate SATA,120 GB Samsung PATA
GeForce FX5500 256MB,LG GCE-8525B,52x32x52x,Lite-On SOHW-1633S DVD Burner
Creative 2.1 Inspire Series,Syncmaster 17" 793MB
shivaranjan.b is offline  
Old 23-08-2005, 08:39 PM   #12 (permalink)
Distinguished Member
 
anandk's Avatar
 
Join Date: Mar 2005
Location: Pune
Posts: 3,783
Default

spyware infected > R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
also perhaps mwupdate32.exe (!)
http://www.castlecops.com/s10931-mic...s_updates.html

download, install, update and run microsoft anti-spy AND (adaware OR spybot). click www.download.com
__________________
> www.TheWindowsClub.com <
= www.WinVistaClub.com =
Microsoft® MVP
anandk is offline  
Old 23-08-2005, 08:54 PM   #13 (permalink)
Human Spambot
 
swatkat's Avatar
 
Join Date: Mar 2004
Location: India
Posts: 2,033
Default

Hi,

Boot in SAFE Mode. Go to Start > Run and type services.msc and press ENTER. Here, navigate to the service Network DDE Client (NetDDEclnt) and click "Properties". Here, under "Status" dialog box, click "Stop". And, under "Startup type" dialog box, select "Disabled". Click "Apply" and "OK". Next, navigate to this service and do the same: netinfo.


Run HijackThis and click "Do only a System Scan". Next, select these entries:-

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [microsft windows updates] mwupdate32.exe
O4 - HKLM\..\RunServices: [microsft windows updates] mwupdate32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: Win32 Classes -
O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - C:\WINDOWS\System32\netddeclnt.exe
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe


Close all other programs, and click "Fix Checked" in HijackThis.


Delete these files:-
C:\WINDOWS\System32\mwupdate32.exe
C:\WINDOWS\System32\netddeclnt.exe
C:\WINDOWS\netinfo.exe


Reboot to Normal Mode and post a fresh log. Also, check whether your System auto dials or not, and post back.
__________________
http://swatrant.blogspot.com/
swatkat is offline  
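An added example, not part of any post in this thread and not HijackThis's own logic: a small Python triage pass over O4 and O23 lines copied from the log posted above. The three heuristics (autostart without a full path, the same autostart under several keys, a service with "Unknown owner") are assumptions chosen for illustration, and a hit means "review this entry", not "malicious".

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [microsft windows updates] mwupdate32.exe
O4 - HKLM\..\RunServices: [microsft windows updates] mwupdate32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - C:\WINDOWS\System32\netddeclnt.exe
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")              # section code, rest of line
AUTORUN = re.compile(r"^(\S+): \[(.*?)\] (.*)$")            # key: [value name] command
SERVICE = re.compile(r"^Service: (.*) - (.*?) - (\S.*)$")   # display name, owner, path


def triage(log_text):
    """Return a sorted list of (reason, detail) findings for manual review."""
    findings = set()
    keys_by_autostart = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if code == "O4" and (a := AUTORUN.match(body)):
            key, name, command = a.groups()
            keys_by_autostart[(name, command)].add(key)
            # Assumed heuristic: a command with no drive-letter path is
            # resolved through the search path, so the target is ambiguous.
            if not re.match(r"^[A-Za-z]:\\", command.lstrip('"')):
                findings.add(("autostart without full path", command))
        elif code == "O23" and (s := SERVICE.match(body)):
            _display, owner, path = s.groups()
            if owner == "Unknown owner":
                findings.add(("service with unknown owner", path))
    # Assumed heuristic: one value registered under more than one autostart key.
    for (_name, command), keys in keys_by_autostart.items():
        if len(keys) > 1:
            findings.add(("same autostart under several keys", command))
    return sorted(findings)


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason}: {detail}")
```

On this log the pass also flags `SysTray.Exe`, which is not among the entries selected for fixing in the post above, so each hit still needs a manual check.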
Old 23-08-2005, 09:00 PM   #14 (permalink)
In The Zone
 
Join Date: Oct 2004
Location: Chennai
Posts: 400
Default

How to analyse the HijackThis log file?
__________________
Intel Pentium 4 2.40C @ 800 Mhz FSB,On Asrock P4i65GV, 1 GB Transcend DDR 400 Mhz,160 GB Seagate SATA,120 GB Samsung PATA
GeForce FX5500 256MB,LG GCE-8525B,52x32x52x,Lite-On SOHW-1633S DVD Burner
Creative 2.1 Inspire Series,Syncmaster 17" 793MB
shivaranjan.b is offline  
Old 23-08-2005, 09:30 PM   #15 (permalink)
Human Spambot
 
expertno.1's Avatar
 
Join Date: May 2005
Location: Expert Planet
Posts: 2,480
Default

see this
http://forums.spywareinfo.com/lofive...hp/t16960.html
__________________
Off From Digit Forum for some months.....busy
expertno.1 is offline  
Old 23-08-2005, 11:18 PM   #16 (permalink)
Guest
 
Posts: n/a
Default

mwupdate32.exe is suspicious ..
 
 
