Howdy folks, I have been up to one annoyance for the last days; dialing up when Windows is still starting. I really tried to find out what is causing that stupidity but finally I have to confess I failed. Start up folder, programs which are running, registry.....no viruses....everything seems to be alright. ZA is not blocking any program attempting to connect on net either. So I need some advice. Thank you.

StartupList report, 11.12.2002, 2:38:44
StartupList version: 1.40.1
Started from : C:\PROGRAM FILES\STARTUPMANAGER\STARTUPLIST.EXE
Detected: Windows 98 Gold (Win9x 4.10.199
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\REGPROT\REGPROT.EXE
C:\OHJELMATIEDOSTOT\HIDEFOLDERS\HF.EXE
C:\WINDOWS\ptsnoop.exe
C:\OHJELMATIEDOSTOT\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\OHJELMATIEDOSTOT\GUIDESCOPE\GUIDE.EXE
C:\OHJELMATIEDOSTOT\MSN MESSENGER\MSNMSGR.EXE
C:\OHJELMATIEDOSTOT\OPERA\OPERA.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\DLLHOST.EXE
C:\PROGRAM FILES\STARTUPMANAGER\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Käynnistä-valikko\Ohjelmat\Käynnistys]
Reboot.exe WATCH.exe.lnk = C:\WINDOWS\TWAIN_32\A4S2600X\WATCH.exe

Shell folders Common Startup:
[C:\WINDOWS\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys]
ZoneAlarm.lnk = C:\Ohjelmatiedostot\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG_CC = C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\avgcc32.exe /startup
SystemTray = SysTray.Exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
CountrySelection = pctptt.exe
RegProt = c:\regprot\regprot.exe /start
hf = C:\OHJELMATIEDOSTOT\HIDEFOLDERS\HF.EXE /s
PTSNOOP = ptsnoop.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Avgserv9.exe = C:\OHJELM~1\GRISOFT\AVG6\Avgserv9.exe
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\KAARET~1.SCR
drivers=mmsystem.dll,power.drv,FSDID32.DLL

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 7/12/2002, 17:53:26)

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

REM --- By HiSpeed CD-ROM Drive installation program. 11/4/101 ---
@C:\OHJELM~1\GRISOFT\AVG6\bootup.exe
rem mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
rem keyb su,,C:\WINDOWS\COMMAND\keyboard.sys
mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb su,,C:\WINDOWS\COMMAND\keyboard.sys

--------------------------------------------------

C:\CONFIG.SYS listing:

Himem.sys
EMM386.exe
rem device=C:\WINDOWS\COMMAND\display.sys con=(ega,,1)
;REM --- By HiSpeed CD-ROM Drive installation program. 10/21/101 ---
LASTDRIVE=Z
REM --- By HiSpeed CD-ROM Drive installation program. 11/4/101 ---
device=C:\WINDOWS\COMMAND\display.sys con=(ega,,1)
Country=358,850,C:\WINDOWS\COMMAND\country.sys

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

C:\WINDOWS\COMMAND\MSCDEX.EXE /D:MSCD000

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: not hidden (arrow overlay: NO!)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Regedit.exe has no CompanyName property! It is either missing or named something else.
- Regedit.exe has no OriginalFilename property! It is either missing or named something else.
- Regedit.exe has no FileDescription property! It is either missing or named something else.

Registry check failed!

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\OHJELM~1\STARDO~1\SDIEINT.DLL - {FFFFFEF0-5B30-21D4-945D-000000000000}
(no name) - C:\OHJELM~1\ODIGO\BIN\ODIGOBHO.DLL - {6754A456-BAD9-11D4-93D3-00B0D03A2F91}
(no name) - C:\OHJELM~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F}

--------------------------------------------------

Enumerating Download Program Files:

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1044/V31Controls/x86/w98/fi/actsetup.cab

[Live365Player Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PLAY365.DLL
CODEBASE = http://www.live365.com/players/play365.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/20000128/housecall.antivirus.com/housecall/xscan53.cab

[Cameractl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CAMERA.OCX
CODEBASE = http://www.lochness.scotland.net/push.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Register Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HWUTILS.DLL
CODEBASE = http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37573.7085532407

--------------------------------------------------
End of report, 8 483 bytes
Report generated in 0,129 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Hi Krusty,

First, a couple of background questions (the obvious ones, which I'm sure you have thought of already, but I have to ask).

1. Have you installed or upgraded any software lately?
2. How is your dial-up networking connectoid set, especially in the IE options screen (see image below)? If you set it to "Never dial a connection..." and reboot, does it still happen?
3. When was your last virus/trojan scan, and with what tool?
4. Are you still running Zone Alarm 3.1.395? Have you read the thread regarding the ZA auto-dial on bootup bug? See it here: https://www.wilderssecurity.com/showthread.php?t=3775

Let us know the answers to these questions if you can. I'm sure people are looking over your Startuplist even as we speak.

Best Wishes, LowWaterMark

Hi LowWaterMark, and Thanx for your fast reply. It really seems to be a ZA bug.....I have been searching through all the settings and for all possible trojans.....found nuttin; I use "AVG" and "Ants, Anti-Trojan". Yes indeed, now I think of it, the annoyance appeared right after I updated ZA, but I couldn't figure out it just might be good old ZA. In that case I had better let it be the way it is, as long as it is not causing any other problems. It cannot get connected on the net anyway; the password is in my head only. Thank you again, LowWaterMark. -Ari
Well, hopefully Zone Labs will get that fix out soon. I know they have been working on it for a while now. Many people have found that if they set the "Never dial a connection" button, it stops ZA dialing on bootup. You may want to try that if you haven't already, even though you seem to have it under control... Best Wishes, LowWaterMark
Hi Krusty, Could you do me a favor? Please download BHODemon from: http://www.definitivesolutions.com/bhodemon.htm Run it and select this one:

(no name) - C:\OHJELM~1\ODIGO\BIN\ODIGOBHO.DLL - {6754A456-BAD9-11D4-93D3-00B0D03A2F91}

Click details and more details and let me know what it says. If you do not know to which program it belongs, try disabling it in the Details screen. If you do know, I would like to know as well. Thanx in advance, Pieter

Hello Pieter and Tony. Odigo indeed, I use that IM occasionally, nice feature to find people all over the world, but it's a spyware, I know. The folder Cydoor, Adcache. I used to launch "Spyblocker" as Odigo's best friend; it really blocked ads from the server. Ok, here's the details.....By the way, I like this BHO feature very much. Not dialing anymore when starting up, I just disabled autodialing. -Ari

Details for BHO C:\OHJELM~1\ODIGO\BIN\ODIGOBHO.DLL
----------------------------------------------------------------------------------------
CLSID: {6754A456-BAD9-11D4-93D3-00B0D03A2F91}
File Size (bytes): 53248
Time Accessed: 2002/12/11 0:0:0
Time Modified: 2001/2/18 10:23:28
Time Created: 2002/7/8 2:31:51
Drive Number: 2
Comments: odigo browser dll
CompanyName: Odigo
FileDescription: OdigoBHO Module
FileVersion: 1.0
InternalName: OdigoBHO
LegalCopyright: Copyright 2000
LegalTrademarks:
OLESelfRegister: (
OriginalFilename: OdigoBHO.DLL
PrivateBuild: 100
ProductName: OdigoBHO Module
ProductVersion: 3.0
SpecialBuild: $

Thnx Krusty, for providing that info. This BHO was not on Tony's list yet. I'm guessing it will be after the next update. Regards, Pieter
LOL, how funny, definitivesolutions.com uses leader.linkexchange.com services and my proxy blocked the banner. Ziff Davis uses doubleclick services. Why is that I wonder, blocking those ads makes my browser jam sometimes.....bad services.... -Ari

Besides, Ziff D has been spamming me for some time.

Now I typed rubbish. It wasn't Ziff Davis.....but: http://www.pcmag.com/