OT: Something's phoning?

Does anyone know of a way to find out what keeps trying to connect me
to the internet? I find it happening when I boot up, and then also
when I have just left the PC running.
It is not very clever and keeps trying to use my "default connection"
which is defunct (which may be a useful trick BTW), but I really would
like to know what's causing it.
I regularly run ad-checkers (Spybot and Ad-aware) and have a Virus
Checker. The Firewall with the Virus Checker is really really basic,
Yes or no stuff, and does not seem to stop any of this. This will
happen even if there's nothing in my outbox in OE, so it appears not
to be that.
I have just stopped it by using IE5 to set "never Dial a Connection".
But I am wondering what is _trying_.
AAA. ATIA
**************************************************** sorry
.........no I'm not!
remove ns from my header address to reply via email
Spike....Spike? Hello?
Old Nick
Whenever my PC starts acting funny the first thing I do is check the c:\windows\ and c:\Program Files and the c:\ root directory for any new programs. Just sort by date and see what has shown up. Change the extension to exk or something weird to disable it until you are sure it doesn't belong. In your case I would also run the regedit program and search on the offending program name so it can be removed from the registry. I also export my entire registry to a file from time to time so I can run comparisons to see what little presents I've picked up.
Steve.
SRF
Old Nick wrote in news: snipped-for-privacy@4ax.com:
What OS? Have you updated the definitions for Spybot and Adware? This sounds an awful lot like a spyware/malware dialer.
If your OS is W2k or XP, TCPview will show you what process has what port(s) open. Another handy place to check is running processes: in W2k or XP, right click on the clock and go to 'task manager'. This will be a list of what processes are currently running on your machine. In Windows 98, Start-->programs-->accessories-->system tools-->system information-->expand the list-->click on running tasks-->check the 'advanced view' radio button.
2 handy programs for Windows made by Mike Lin that people should be aware of. The first is Start-up Control which will allow you, in a simple, easy to understand GUI, to determine what starts when your computer boots up (especially handy for W2k and NT users, as those operating systems lack the msconfig program). See
formatting link

The second, is a very small program that watches for any software to register itself to run at boot. The program is called Start-up Monitor and is here:
formatting link
It gives you the option of allowing the software to register itself to run, or blocking the request.
Anthony
On Wed, 03 Mar 2004 10:40:13 GMT, Anthony vaguely proposed a theory ......and in reply I say!:
Win 98 SE. I will try all the things you suggested. Some of the running programmes have some screwy names though.
snip of good ideas.
**************************************************** sorry
.........no I'm not! remove ns from my header address to reply via email
Spike....Spike? Hello?
Old Nick
On Wed, 03 Mar 2004 08:54:06 GMT, "SRF" vaguely proposed a theory ......and in reply I say!:
Yep. Good idea. Worth a look. Thanks.
**************************************************** sorry
.........no I'm not! remove ns from my header address to reply via email
Spike....Spike? Hello?
Old Nick
The other replies are good ideas, here's another:
On your system, do a cntl-alt-delete to see what is running, copy the names down (you can't do a screen print from here, sorry!). Then match the names against the info on this site:
formatting link
You can also do the list check before and after the dialer program starts up, match the two lists to see what shows up.
One of the problems with Windows (Win 98 in particular) is that there are half a dozen places where programs can be set up for load up at boot time. Real pain to get them all.
You may not have a virus problem, it might be something like your virus protection or windows update going out to check for updates.
Good luck.
Old Nick wrote:
Roy J
If you open SpyBot in the "Advanced" mode and click on tools, there is a "System Start-up" option in the drop down menu... which lets you see (and control) what starts when windows starts. There is also a "Processes" box that shows what's running (and lets you kill things!). Clicking on an entry will usually bring up a box with additional information on the program, what it does, and whether or not it needs to start with windows. You can "uncheck" the box to prevent programs from starting... and then re-check them if they are not the ones causing problems. The last box on the toolbar generates a system report with a lot of info, too. Just a suggestion, David
David Courtney
(Snip)
How do you compare any two versions of the registry?
Thanks
--Winston
Winston
Nick,
It is a little brute force, but take those "screwy names" and pump a few into Google. Really. Typically, such action will land you at one of several sites databasing the various processes that you might find running on a machine, whether or not they are needed or even malware, and what you might do to delete them. Running through the list completely will give you a good handle on the situation.
Amazing what ends up on your PC after numerous software installs and a couple of years surfing the net. Even with reasonable controls, a couple of items just might slip in under the radar.
Best of luck, David Glos
DLGlos
Don't forget to put the OT on the header for this stuff in r.c.m.
If you start renaming oddly named files, you may end up with a non-bootable machine. I've had this happen a couple of times and it's a bear to get out of that state. Some of these worms/virii will substitute themselves for the default .exe handler in the registry, if you make them disappear, nothing will run. In some cases, they disable or replace regedit, too.
There's a couple of places to check for stuff that starts up at boot time, I've found stuff in the WIN.INI file that's a vestige of the old DOS/Win 3.1 days, but is still functional. "Run=" or "Load=" at the top of the file. Then there's the "Run" and "Services" keys in the registry. If you can't get regedit going to find them, that's a pretty good clue you've been hijacked and need the services of a good anti-virus tool. I usually search on the "Runonce" key and back up one, there's too many hits on just "Run". Note that you can end up with a non-bootable machine by deleting entries here, you have to make sure that what you're deleting is a virus program and that you've removed it from all your keys and file associations.
Last time I had to kill Swen, I had to install Win2K into a separate directory from CD and use regedt32 to modify the various hives on the first installation. There's direction for that on various web sites, it's not for the faint-hearted. It's also very tedious, I'd be charging top dollar if I was doing it for anyone other than myself or immediate relatives. I'd rather be rodding sewers out than cleaning up after virii.
Stan
Stan Schaefer
Below is a site worth going to, and they may have a solution for you. Essentially, there are a lot of nasty things virus checkers don't find, etc.
formatting link
Try to boot into safe mode once in a while and run the virus scan from there. Incidentally, if you do find an unwanted program and cannot delete it from Windows, reboot into DOS mode, navigate to its location and delete it from DOS.
Another source to look for running programs is: Accessories>system tools> system information>software environment>running tasks.
Good luck! Lurker
Lurker
BTW, my laptop often phones in when I fire it up because the VirusScan program is set-up to check for updates daily at a certain time; and to try at the next "opportunity" if the computer is turned off at the specified time. So, it tries to call in the next time windows starts. David
David Courtney
On 3 Mar 2004 10:13:29 -0800, snipped-for-privacy@americanisp.net (Stan Schaefer) vaguely proposed a theory ......and in reply I say!:
errr...I did.
I can turn this off. If it can make me spend hours hunting down into what may be hanging around on 80GB of data space, it's probably more trouble than simply letting it try to do whatever it does.
I should probably check my firewall log more often (although what _that_ would tell me without hours of research I am not sure).
**************************************************** sorry
.........no I'm not! remove ns from my header address to reply via email
Spike....Spike? Hello?
Old Nick
On Wed, 3 Mar 2004 14:56:21 -0600, "David Courtney" vaguely proposed a theory ......and in reply I say!:
Thought of that one. Not that. Thanks
**************************************************** sorry
.........no I'm not! remove ns from my header address to reply via email
Spike....Spike? Hello?
Old Nick
On Wed, 3 Mar 2004 09:21:15 -0600, "David Courtney" vaguely proposed a theory ......and in reply I say!:
I have a little proggie that allows viewing and killing of operations. Trouble is, some of the names are so obscure, and the verbal description non-existent, that you can simply lock up your PC.
I was hoping for something that would tell me what was trying to dial, when it tried to dial.
**************************************************** sorry
.........no I'm not! remove ns from my header address to reply via email
Spike....Spike? Hello?
Old Nick
On Wed, 03 Mar 2004 08:42:11 -0600, Roy J vaguely proposed a theory ......and in reply I say!:
hmmm...could be Windows. It's not the Virus software. I am way up to date with the updates, so I _hope_ it's not a virus.
The trouble with the "before and after" idea is that it's completely random. Many programmes spawn all sorts of other dlls and programmes. You could spend _weeks_ trying to work out what was what.
**************************************************** sorry
.........no I'm not! remove ns from my header address to reply via email
Spike....Spike? Hello?
Old Nick
On Wed, 3 Mar 2004 11:16:59 -0700, "Lurker" vaguely proposed a theory ......and in reply I say!:
I'll check it. I will also update my spycheckers.
**************************************************** sorry
.........no I'm not! remove ns from my header address to reply via email
Spike....Spike? Hello?
Old Nick
Win98 has a program called RPCSS.EXE or Microsoft remote procedure call service.
It seems to have little use, but it attempts to access the internet at startup.
I noticed it on my zonealarm log and tracked it down.
I don't like my computer calling its friends without my express permission.
Go to
formatting link
for some info. It may be what is causing your problem.
Paul K. Dickman
Old Nick wrote in message ...
Paul K. Dickman
You will need a text compare program, the one I use is called Beyond Compare. A number of the higher end programming editors also have this feature. Once you have a "new" export of the registry as a text file you just run the compare against the old version and the differences will be highlighted.
Steve.
SRF
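An added example, not part of any post in this thread: the export-and-compare approach SRF describes, narrowed to flag changes under the autostart keys Stan Schaefer mentions. The two sample exports and the names `ExampleDialer` and `ExampleApp` are constructed; treating "Services" as the `RunServices` keys is an assumption.

```python
import re

# Autostart keys named in the thread: "Run", "RunOnce" and "Services" (assumed RunServices).
AUTOSTART = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
VALUE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: raw_data}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex values split with a trailing "\"
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            name = m.group(1)
            current[name if name == "@" else name[1:-1]] = m.group(2)
    return keys

def diff_exports(old_text, new_text):
    """Return (kind, key, name, data, is_autostart) for every differing value."""
    old, new = parse_reg(old_text), parse_reg(new_text)
    changes = []
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key, {}), new.get(key, {})
        for name in sorted(set(before) | set(after)):
            if before.get(name) == after.get(name):
                continue
            kind = ("added" if name not in before
                    else "removed" if name not in after else "changed")
            data = after.get(name, before.get(name))
            changes.append((kind, key, name, data, bool(AUTOSTART.search(key))))
    return changes

# Constructed sample exports (REGEDIT4 is the Windows 98 export format).
OLD = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
[HKEY_CURRENT_USER\Software\ExampleApp]
"Version"="1.0"
'''
NEW = OLD.replace('"1.0"', '"1.1"').replace(
    '"SystemTray"="SysTray.Exe"',
    '"SystemTray"="SysTray.Exe"\n"ExampleDialer"="C:\\\\WINDOWS\\\\exdial.exe"')

if __name__ == "__main__":
    for kind, key, name, data, auto in diff_exports(OLD, NEW):
        print("!!" if auto else "  ", kind, f"[{key}]", name, "=", data)
```

Exports from Windows 2000/XP regedit ("Windows Registry Editor Version 5.00") are UTF-16 text, so decode them accordingly before passing the contents to `diff_exports`.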
On Wed, 03 Mar 2004 15:16:24 +0800, Old Nick vaguely proposed a theory ......and in reply I say!:
Thanks for all the info. Here's some feedback.
Look for PowerReg Scheduler in your Startup Folder. In Win 98 it's Windows\StartMenu\Programs\Startup.
Obviously look for it elsewhere.
I checked the Web and lo and behold, there were lots of links to it.
Must update my spycheckers.
Wankers, all of em.
I am really _really_ pissed off about this. It is willing to actually use my phone calls, and my internet connection time, to carry out its asswipe little schemes.
**************************************************** sorry
.........no I'm not! remove ns from my header address to reply via email
Spike....Spike? Hello?
Old Nick
