Can't disconnect!

Posted by: Dignan

Can't disconnect! - 17/01/2004 11:16

I've been working on my girlfriend's dad's computer. They were so hopelessly overrun with adware, spyware, and viruses that the whole system was nearly impossible to use. Browsing the internet was impossible due to all the browser hijacks running on his system.

I brought over a disc with all kinds of software on it, but mainly AdAware, Spybot, and AVG. The final results: over 600 objects found in AdAware and Spybot, and a total of 61 viruses. I have no idea what the hell these people are doing with their computer.

I had him buy AdAware Plus so he could have that Ad-Watch program it comes with. He needs it since he won't run these tests very often.

So the final problem is that of his modem. It seems it's impossible to get his dialup modem to stop attempting to connect. He's always had this problem, so I think it's unrelated to the crap that was on his system. During one reboot, the Windows GUI hadn't finished loading and his modem was already attempting to connect to his provider. Then if you attempt to disconnect from the service, it will, but it'll just start connecting again.

What could the problem be?

Posted by: pgrzelak

Re: Can't disconnect! - 17/01/2004 11:20

Look to see if he has anything that he is (by default) trying to access remotely. A network share. An IP address. It might be that there is something there (spyware? virus?) that is trying to call home over IP, and his network settings are rigged to try an autoconnect on demand.

Posted by: tfabris

Re: Can't disconnect! - 17/01/2004 12:22

Can't you simply tell the dial-up connection to "Never dial"? Then he can just manually connect with an icon when he wants to. Having Windows set to automatically dial is so dangerous and irritating, I don't see why people like that feature at all.

Odds are, the thing that's trying to dial is a program in the startup group, the load= or run= lines in the win.ini, or a program in the run sections of the registry. Maybe it's even AVG or Ad-Aware trying to look for the latest updates. So your only defense would be to disable the automatic dialing or remove the offending programs.

Posted by: Dignan

Re: Can't disconnect! - 17/01/2004 12:29

I'll look, but I haven't heard of that "Never Dial" option before. Interesting.

How would I create that icon??

Posted by: tfabris

Re: Can't disconnect! - 17/01/2004 12:44

Microsoft keeps moving the location of the options around in each version of Windows. I'm not sure where it lies in your version. On my OS (Windows 2000) you do it thusly:

Run Internet Explorer. Select Tools, Internet Options, Connections. You should see a box with the dial-up connection in it. Hopefully there's only the one. You can set its settings from there. The "Never Dial a Connection" is the first option.

To create the desktop icon for dialing, you have to locate the dial-up-networking screen. Again, Microsoft keeps changing the way you reach this screen, so you'll have to find it yourself. On win2k, you reach it thusly:

Start, Settings, Control Panel, Network and Dial-up Connections. On that screen should be the icon for the dial-up account. Use the right mouse button to drag that to the desktop and select "Create Shortcut Here".

Posted by: g_attrill

Re: Can't disconnect! - 17/01/2004 12:56

I used SpyBot on a relative's computer last week - it found five porn diallers and one resident keylogger! I ran AdAware afterwards and it picked up a few cookies and crap files.

Gareth

Posted by: Dignan

Re: Can't disconnect! - 17/01/2004 16:49

I really only used Spybot because this computer was in such bad shape. In general I dislike using it because I ran it on my system once and felt that it had too broad an opinion on what is spy/adware. It found several files in games on my systems which were links to game demos and such. They weren't hurting anyone, but it was picky.

Thanks for the help, Tony. This is XP, but the procedure is the same.

Posted by: Dignan

Re: Can't disconnect! - 17/01/2004 16:53

*edit*
Found the correct properties menu. It's annoying that there's a different properties menu for the same connection depending on if you get to it through IE or Network Connections. I think it's getting solved.

I seem to remember there being some way to see exactly what is being run at startup (aside from the "Startup" program folder). What was it?

Posted by: tfabris

Re: Can't disconnect! - 17/01/2004 17:57

> I seem to remember there being some way to see exactly what is being run at startup (aside from the "Startup" program folder). What was it?

I listed them earlier in the thread. The ways something can run at startup are:

- Startup group.
- Load= and Run= lines in win.ini.
- A group of registry entries with names all starting with RUN.

The location of the run registries is HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, and there are several of them.

The trick with messing with the registry is that there are some entries which are supposed to be there and you'll kill your system if you delete the wrong ones. Since the correct answer to this question varies from system to system, this is the farthest I can go with support on this. Perhaps there's a web site that covers this in detail that someone could link for you.

Posted by: Yonzie

Re: Can't disconnect! - 17/01/2004 18:42

If you run win98, I believe you can run 'msconfig' (ditched win98 in 2000 or so) ...
Start > Run > "msconfig" > ok

Posted by: drakino

Re: Can't disconnect! - 17/01/2004 20:17

MSConfig also works in XP, and is a much better way to get rid of startup items compared to editing the registry by hand.

Posted by: tfabris

Re: Can't disconnect! - 18/01/2004 00:33

I've seen the mess MSConfig makes of the run entries in the registry, and actually I prefer to do it by hand.

(MSConfig copies off prior versions of the sections into new key names when you make edits. I understand why they do it, I'm just (a) more of a hands-on guy, and (b) anal retentive about not leaving crap on the system I don't need to.)

Posted by: drakino

Re: Can't disconnect! - 18/01/2004 11:27

Oh, being that it is an NT based OS (XP), it has one last place to check for startup items, the Services section of computer management. To make the task a bit easier to find foreign services, use MSConfig and go to the services tab. At the bottom, hit the "Hide All Microsoft Services" and you should be left with only 3rd party ones.

Posted by: JBjorgen

Re: Can't disconnect! - 19/01/2004 09:32

Also, for the sake of completeness while we're in the registry, Tony mentioned the registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
...

But failed to mention:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
...

Which is where programs like AIM like to hide.

Posted by: Phoenix42

Re: Can't disconnect! - 19/01/2004 10:18

http://www.mlin.net/StartupCPL.shtml
Something similar to MSConfig I assume.
I haven't used it as I work through the registry most of the time.

Posted by: tfabris

Re: Can't disconnect! - 19/01/2004 12:04

I didn't realize that a key under CurrentUser would even work. Thanks for the heads-up.
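
The startup locations named across this thread (the Startup group, the load= and run= lines in win.ini, the registry keys under CurrentVersion whose names start with Run in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, and services) can be listed in one read-only pass. This is an added example, not something posted by anyone in the thread; it assumes a current Windows with PowerShell 5.1 or later rather than the Windows 98/2000/XP systems discussed, and its service filter is only an approximation of MSConfig's.

```powershell
# Added example: read-only listing of the startup locations named in this thread.
# Nothing is modified or deleted; review the output before disabling anything.
$base = 'Software\Microsoft\Windows\CurrentVersion'

# 1. Registry keys under CurrentVersion whose names start with "Run", both hives.
$entries = @(foreach ($hive in 'HKLM:', 'HKCU:') {
    Get-ChildItem -Path "$hive\$base" -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Run*' } |
        ForEach-Object {
            $key = $_
            foreach ($valueName in $key.GetValueNames()) {
                [pscustomobject]@{
                    Source  = $key.Name
                    Name    = $valueName
                    Command = $key.GetValue($valueName)
                }
            }
        }
})

# 2. Startup group: per-user and all-users Startup folders.
$entries += @(foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    if ($path -and (Test-Path $path)) {
        Get-ChildItem -Path $path -File | ForEach-Object {
            [pscustomobject]@{ Source = $path; Name = $_.Name; Command = $_.FullName }
        }
    }
})

# 3. load= and run= lines in win.ini (legacy, but still worth a look).
$winIni = Join-Path $env:windir 'win.ini'
if (Test-Path $winIni) {
    $entries += @(Select-String -Path $winIni -Pattern '^\s*(load|run)\s*=\s*(\S.*)$' |
        ForEach-Object {
            $m = $_.Matches[0]
            [pscustomobject]@{ Source = $winIni; Name = $m.Groups[1].Value; Command = $m.Groups[2].Value }
        })
}

# 4. Auto-start services whose binary lives outside the Windows directory
#    (assumption: a rough stand-in for MSConfig's "Hide All Microsoft Services").
$entries += @(Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
    Where-Object { $_.PathName -and $_.PathName -notlike "*$env:windir\*" } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    })

$entries | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Run it once from a normal session and once elevated: the HKEY_CURRENT_USER keys and the per-user Startup folder belong to whichever account runs the script, so entries for other users only show up when run as them.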