Solved

DialUp Connection Popup at Startup

Posted on 2006-07-01
53
1,715 Views
Last Modified: 2008-03-10
Hello everyone,

Every time I start pc, the dialup connection dialog pops up and I want to know which software is triggering it.

I tried looking into the win.ini and system.ini files, at the startup folder and under the startup tab of msconfig. Nothing abnormal.

Can anyone help me figure out the problem please? I am running Windows XP.

Regards
King_Diamond
0
Comment
Question by:King_Diamond
  • 19
  • 11
  • 5
  • +6
53 Comments
 
LVL 97

Expert Comment

by:war1
Comment Utility
Greetings, King_Diamond !

Are you using dialup or broadband?

To disable dialup connection from poping up, go to Internet Explorer > Tools > Internet Options > Connections.  Select "Never dial a connection".  Click OK. Reboot computer.

Best wishes!
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
Hello war1.

I am using broadband. Actually I would like to identify the software that is tying to connect to the internet rather than disabling the dialup connection from popping up.

Is there a way to achieve this?
0
 
LVL 97

Expert Comment

by:war1
Comment Utility
Look at your Startup menu in Start > Programs > Startup and see which one is starting the dialup. Look at the icons in your system tray.  Real Player and Windows Media Player like to dial home. So one of these may be using dialup instead of broadband.

For a more thorough check of all startup programs, look at System Configuration Utility. Go to Start > Run and type msconfig
Go to Startup tab.  Select hide Microsoft signed processes.  Then disable one process at a time to determine which one is opening the dialup connection.
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
As I said in my question, I already tried all this but had no luck!

Any other ideas please?
0
 
LVL 97

Expert Comment

by:war1
Comment Utility
King_Diamond,

Then use Process Explorer to see which program is starting up the dialup
http://www.sysinternals.com/Utilities/ProcessExplorer.html
0
 
LVL 30

Expert Comment

by:callrs
Comment Utility
Open Internet Explorer
Then Tools > Internet Options > Connections >

If there's an entry under "Dial-up and Virtual Private Network settings", either remove the entry(s), or put a check in "Never dial a connection"
0
 
LVL 5

Expert Comment

by:Nerdx
Comment Utility
Yeh, I agree with callrs. I doubt any software would do this as it is something that may have simply happened by accident. Try going into:
My Computer -> My Network Places (on the side panel) -> View network connections (on the side panel).

See if there are any unnecessary connections that are there. I think that doing what callrs has suggested would work anyway, so try that first.

Regards,

# Nerd
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
war1,
Nice software but didn't manage to solve the problem.

callrs, Nerdx,
I checked the connections. All connections ok. As in my previous post, I would prefer to identify the software that is triggering the popup rather than disabling a connection.

I did a virus and spyware scan as I am thinking that it might be some spyware but nothing was detected.
0
 
LVL 31

Expert Comment

by:moorhouselondon
Comment Utility
Try doing the virus/spyware scans in safe mode.  (Press F8 on boot-up).
0
 
LVL 5

Expert Comment

by:Nerdx
Comment Utility
Like I said before, I highly doubt that this is a spyware/virus issue. It is just a setting that has been triggered somehow and needs to be disabled.

Try this, from the Microsoft Support site:
-----------------------------------------------------------------------------------------------------------------------------------------
Warning Some programs may configure the registry to dial automatically, and by altering this registry value, you may affect the functionality of these programs.

To configure Internet Explorer to not connect by using a modem, follow these steps:

1. Start Internet Explorer. On the Tools menu, click Internet Options.
2. Click the Connections tab, and then click Never dial a connection.
3. Click OK.
To set the AutoConnect value in the registry key to 0, follow these steps:1. Click Start, and then click Run.
2. In the Open box, type regedit, and then press ENTER.
3. Locate and select the following registry key:
HKEY_CURRENT_USER\RemoteAccess\Profile\<ConnectionName>
In the right pane, double-click the AutoConnect value, and then reset the value from 1 to 0.
-----------------------------------------------------------------------------------------------------------------------------------------

Regards,

# Nerd
0
 
LVL 31

Expert Comment

by:moorhouselondon
Comment Utility
Have you looked at the Task List just after startup (Ctrl Alt Deli) to see if there is anything visible there?
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
What I need is to identify which application that is triggering the popup of the dialog.

I noticed a window popping up while booting up. The windows stays a fraction of a second so I couldn't figure out what it is. I restarted a million times to try to identify this window. It's a small window, empty, and named either Dialling or Dialog. It stays such a short time that I can't figure out what it is.
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
Btw I did not install anything new. It just started popping up from "nowhere"!
0
 
LVL 5

Expert Comment

by:Nerdx
Comment Utility
Go into My Computer -> Control Panel -> Administrative Tools (classic view) -> Event viewer
0
 
LVL 5

Expert Comment

by:Nerdx
Comment Utility
The error message can be found there, so paste it here then we can look further into that - if it is related to the dialup at startup.

# Nerd
0
 
LVL 31

Expert Comment

by:moorhouselondon
Comment Utility
Do a brute force search of your Hard Drive for files containing DIAL, preferably in Safe Mode.  Any files found that are executable (e.g., EXE, BAT, COM, etc) could well be the culprit.  A list of files found meeting this criteria would be helpful.  I had a recent experience where a dialer was undetected by virus checker, but was found in the way just outlined.  Loading the file into Notepad revealed it was a compressed EXE (no copyright message apart from the compressing utility's one). Why the author didn't rename the file to something a little less obvious than <something> Dial <something> I cannot think.
0
 
LVL 22

Expert Comment

by:fredshovel
Comment Utility
Have you deleted your former 'dial-up' email account -- in accounts?
0
 
LVL 30

Expert Comment

by:callrs
Comment Utility
You said you need to know the program that triggers the connection. But maybe the "Dial whenever a network connection is not present" is what is causing WINDOWS to dial the connection, not necessarily any program.

If you want to identify the window that you saw flash up, try a Windows Syp utility (Google for this e.g. the free http://www.windows-spy.com/ , but I use a different shareware program)
0
 
LVL 5

Expert Comment

by:Nerdx
Comment Utility
Exactly. I totally agree with callrs... The sooner you notice that this may not be a virus situation, the quicker you can find a solution. I guarantee it is something so simple you'll laugh in the end :) No software is going to be stupid enough to start that up and do nothing else to 'harm' your system. Don't worry...

The sooner you get that message from startup on here, the sooner it could provide a solution (if it is related).

# Nerd
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
moorhouselondon,
I did the search you mentioned but nothing abnormal.

callrs,
The software you highlighted is pretty much like the one mentioned by war1.

Nerdx,
I checked the event viewer and I found one entry that I don't understand. It's a failure audit and here are the details.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            02/07/2006
Time:            17:12:28
User:            NT AUTHORITY\SYSTEM
Computer:      GRT
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:  User
 Source Workstation: GRT
 Error Code: 0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The above site is unavailable! I remembered that this week or the last, I did a windows update which was microsoft genuine something. I did a google search about the logon attempt mentioned above and I found the following.

..... In closing, I know who's causing the problem, what's causing the problem, where the problem is occurring, the only thing I don't know is WHY?, Microsoft needs to contact your machine 30 - 40 times a day, some days it's just 12 - 15 times. I'm sure it has nothing to do with installing updates. I had automatic updates turned on, so why does Microsoft, need to contact your machine 12-15 times a day? I did not get an answer from Microsoft, because I run a OEM. machine and Microsoft thinks I will be better served by contacting my OEM.. I asked Microsoft if they were the cause of this - Source: Security, Category: Account Logon, Type: Failure Audit, Event id: 680, User: Me, WorkStation: Computer ** and when I received the reply from Microsoft, they said I would be better served by my OEM. I don't know why Microsoft, doesn't want to say " Oh! Yea, That's Us!! What is Microsoft_Authentication_Package V1_0, An authentication package is a DLL that encapsulates a given form of authentication, such as NTLM or Kerberos. The Local Security Authority calls into the appropriate authentication package during the logon process to find out if the user is authentic, Although a third party can develop an authentication package, few do so. The reason I added this, if you check your security logs their will be an event failure audit - Logon Attempt By: Microsoft_Authentication_Package V1_0, all these events are related and produce the warning event in the system logs - w32time... I hope this may help some people who get this warning in their system logs.

For those who want to read the rest, here is the site : http://thepcyoubuy.proboards23.com/index.cgi?action=recent

Does anyone think that it has something to do with microsoft?
0
 
LVL 97

Expert Comment

by:war1
Comment Utility
King_Diamond,

The popup dialup is not due to Microsoft contacting home.  It can do so without using dialup.  The dialup box is due to some program that you forgot to change from dialup to broadband.  So the program is using dialup to contact homepage.
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
war1,

I did not install any program recently and this started happening just this week. Re broadband, I have been using it for more than two years now, so if it had to do with the connection, I guess that it would have happened when this software got installed, don't yo think so?

The thing is that the default connection is broadband so I don't understand why the dialup connection pops up!
0
 
LVL 5

Expert Comment

by:Nerdx
Comment Utility
Why not try a System Restore?

Start -> Programs -> Accessories -> System Tools -> System Restore

Either check back to last week, to see what the problem was, or go further back to a well known good configuration. It should remove the problem, hopefully.

# Nerd
0
 
LVL 5

Expert Comment

by:Nerdx
Comment Utility
Hey, I have found the information from the Microsoft Support website. It matches the error you provided:
-----------------------------------------------------------------------------------------------------------------------------------------
CAUSE
Windows XP attempts a limited logon for each account that is displayed on the Welcome screen to determine whether to prompt the user for a password. An attempted logon is logged for each account displayed.
 Back to the top

RESOLUTION
To resolve this problem, obtain the latest service pack for Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 (http://support.microsoft.com/kb/322389/EN-US/) How to Obtain the Latest Windows XP Service Pack
To prevent these events from being logged, disable the Welcome screen and use the classic logon screen or turn off auditing of logon events.

For additional information about how to enable or disable the Welcome screen and fast user switching, click the article number below to view the article in the Microsoft Knowledge Base:

279765 (http://support.microsoft.com/kb/279765/EN-US/)

Description of Fast User Switching

To turn off auditing in the Microsoft Management Console (MMC) snap-in for Group Policy: 1. Click Start, click Run, type gpedit.msc, and then click OK.

2. In the left pane, expand the following items:

• Local Computer Policy
• Computer Configuration
• Windows Settings
• Security Settings
• Local Policy
 
3. Click Audit Policy.
4. Double-click Audit Logon Events.
5. Click to clear the Success and Failure check boxes.
6. Click OK.
7. Close the Group Policy window.
-----------------------------------------------------------------------------------------------------------------------------------------
* Information taken from: http://support.microsoft.com/?kbid=305822

The main solution is to probably update to the latest Service Pack for Windows XP - so I recommend you try this first.

Hope this helps/works - GL

# Nerd
0
 
LVL 5

Expert Comment

by:Nerdx
Comment Utility
The pasting turned out terrible, go to the link here instead: http://support.microsoft.com/?kbid=305822

# Nerd
0
 
LVL 97

Assisted Solution

by:war1
war1 earned 20 total points
Comment Utility
King_Diamond,

>> The thing is that the default connection is broadband so I don't understand why the dialup connection pops up! >>

The problem is then due to a recent update, either of Windows or an application.  The fix is as I posted in my first post:

"To disable dialup connection from poping up, go to Internet Explorer > Tools > Internet Options > Connections.  Select "Never dial a connection".  Click OK. Reboot computer."
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 5

Expert Comment

by:Nerdx
Comment Utility
Try them both...

# Nerd
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
Nerdx,

I already checked the system restore but there are only checkpoints and 1 software distribution servive 2.0 which is associated with windows as far as I know. I will give it a try by selecting the distribution software point and post back. As regards the info re windows, if the error is due to logon and not connecting to the internet, than probably this is not the case. Furthermore, I already have the lastest service pack. Windows is up-to-date.

war1,

I took your advice but will keep it as the last resort as primarily I would like to identify the problem. My philosophy is tackle the problem not turn around with it. I hope you agree.
0
 
LVL 62

Accepted Solution

by:
☠ MASQ ☠ earned 80 total points
Comment Utility
This is getting a long thread so apologies if this has already been done but has any one suggested a HijackThis! log - not necessarily for anything malicious but just as a list of processes being launched at boot?  

The usual suspects for this are Real and ZoneLabs products.  

I can't see that the WGA tool from M$ is the culprit but it does run ahead of login.

Out of interest if you do switch to "never dial a connection" does the problem stop?  You can always put the setting back and just use war1's suggestion as a diagnostic tool initially.
0
 
LVL 5

Expert Comment

by:Nerdx
Comment Utility
Hehe MASQUERAID, I believe nobody has suggested the use of HijackThis throughout this post... I was going to, but thought it wouldn't be necessary, but I think it would be wise.

Download HijackThis: http://download.hijackthis.eu/hijackthis_199.zip
Paste logfile: http://www.hijackthis.de

You can either find the problem yourself, or post a link here. Like I said near the beginning of this question, I doubt it is virus related - but just a program error.

# Nerd
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
Masqueraid,

Nerdx is right. I tried hijack this but nothing abnormal. I tried various options, mostly have been metioned here but nothing yet. As Nerdx said, it doesn't seem to be a virus or spyware but some software connecting to the internet, my opinion at least!

As regards the "never dial a connection" suggested by war1, yes I tried the suggestion and it works, that is, the dialog does not pop up. It is why I said that I will keep it as a last resort. I'm sorry that I wasn't clear about it.

Nerdx,

I still have to try the restore option. I'm sorry I didn't get back with feedback but the problem is on my home pc and I had to get away for work. My apologies. However, I will post when back home.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
Comment Utility
Try disabling the WGA tool as this is one of your newest updates & could be the culprit
http://www.betanews.com/article/Microsoft_Admits_WGA_Phones_Home/1149798507

Removal tool & manual removal instructions here:
http://www.firewallleaktester.com.nyud.net:8090/removewga.htm


NB if you remove WGA you will be prompted to reload it if you go to the Windows Update site (otherwise you will get nothing but the security patches) and if you have automatic updates switched on M$ will push it down to you at your next update session.
0
 
LVL 30

Expert Comment

by:callrs
Comment Utility
Just realized something from way up:
>>callrs, The software you highlighted is pretty much like the one mentioned by war1.
Actually, it's not. Windows Spy is not the same as a process explorer. A windows spy utility logs the handle, title, etc, of every window that exists, and can also log all popups even if they only flash on-screen for a split second..
0
 
LVL 31

Expert Comment

by:moorhouselondon
Comment Utility
"If it ain't broke, don't fix it" is my philosophy in many cases.  If you are confident that it is not malware and War1's suggestion is a perfect workaround, I would be inclined not to go to a System Restore.  System Restore is an applet that has been written by Microsoft.  Does it cater for all known system configurations, including things like Updates?  Will it guarantee to do anything different to what is happening now?  System Restore is a good safety net when you really, really do need it, I do agree, but jumping out of tall buildings because there is a safety net down below is not something I would contemplate (sometimes I get vertigo just getting out of bed in the mornings lol).

PS Apparently there is a Class Action suit being prepared against MS for the Genuine Advantage tool on the grounds that it might be considered malware.  Source WServerNews Issue 583.
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
Nerdx,

I tried the system restore but no luck.


Masqueraid,

I really thought it was as your post. Infact I downloaded the file from the site you suggested to confirm whether the WGA notification was installed, which it was. I removed it successfully however the problem was not solved. Hence, though it seems that WGA Notification "calls home" on every boot-up, it seems that my problem is being cause by some other software.


callrs,

I also tried windows spy. You were right, it's different. I did a thorough search in the many windows highlighted by the software but I didn't recognise any abnormal software or software that I did not install myself.


moorhouselondon,

I'm sorry but I don't agree with your philosophy. Actually, the problem ain't the connection window popping up. I don't know what info this "invisible" software is trying to send. And if I select "never dial a connection", does this unknown software still sends the info when I connect to the internet? The thing is that, as mentioned in the site highlighted by Masqueraid for WGA notification, this software is somehow by-passing my firewall. If someone took the hassle to develop such a software, I don't think that the info transmitted is just IP and time like WGA Notification seems to do, don't you think?
0
 
LVL 31

Expert Comment

by:moorhouselondon
Comment Utility
You can use a packet sniffer such as Ethereal to determine exactly what is inside the packet being sent, but unfortunately it needs to either be activated at startup, or you must have a pc that sits between your pc and the firewall to pass on the packets, or temporarily use a 10Mb hub to ferret out packet activity (the use of pc's with network cards set to promiscuous mode is no longer viable to capture packets from other neighbouring pc's).

>I'm sorry but I don't agree with your philosophy.
It is good to have a world with various opinions.
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
I can put it in the startup menu but I think that it will run too late as it happened with windows spy and process explorer. I had to restart so many times to capture the "window activity" just once!

I am downloading it but it's very slow! So I have to wait!

>>I'm sorry but I don't agree with your philosophy.
>It is good to have a world with various opinions.
Granted.
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
The problem seems to be getting worse! I didn't have much HDD space, 2GB, but now it's down to 155MB! I only installed windows spy and process express, nothing else. To make it worse, I delete some files to free up some space and guess what? The free space was of 133MB!

Something is definitely happening. Anyone has any ideas?
0
 
LVL 5

Expert Comment

by:bastibartel
Comment Utility
Hi Nerdx,

check the registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\*your-username*\Software\Microsoft\Windows\CurrentVersion\Run

or get the software
http://toolsandmore.de/?dl=autostartmanager-setup.exe
(it is in german though)

Cheers!
Sebastian
0
 
LVL 5

Expert Comment

by:bastibartel
Comment Utility
.. plus the key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

0
 
LVL 5

Expert Comment

by:Nerdx
Comment Utility
>> Hi Nerdx, check the registry keys...

bastibartel, I believe this question belongs to King_Diamond - not me :)

# Nerd
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
bastibartel,

All registry keys mentioned checked. Contains software I know about.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
Comment Utility
This is sounding increasingly malevolent

What firewall are you using?

The free version of Zone Alarm has got me out of a hole more than once in this situation.
Install and ask it to ingore any pre set rules and report any connections

Then switch to "never dial" so instead of launching the dial up anonymously whatever this is will get checked by ZA (which launches before connections are allowed), restart & see literally what comes up.

war1, you're more up to speed on rootkits than me, worth a hunt?  This is certainly stealthy.
0
 
LVL 5

Expert Comment

by:bastibartel
Comment Utility
I'd recommend Spybot S&D very strongly.
http://www.safer-networking.org/en/download/index.html

Cheers,
Sebastian
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
I just tried zone alarm but no luck. Only programs under the run key popped warnings, the ones I know with.

Tried also spybot. Again, nothing.

However I noticed two new files which I don't know what they are and were created a couple of weeks ago. They are underfolder Application Data/vcl/cache and are named CACHEDIR.TAG and plugins-04041e.dat. Could they be the culprit?
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
Comment Utility
What size is the folder?
'vcl' or 'vlc'?
Do you have VideoLAN installed?
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
Size 138K, folder vlc.

Have TVUPlayer installed.
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
Problem found.

Well I ran hijack this again and found a malware file named algchk.exe. Guess I confused it with windows alg.exe. I deleted the file and removed its registry key. The dialup connection is not popping up anymore but the window that flashes at startup is still there. So I am wondering whether I deleted every instance of this malware.

Did anyone had this malware or anyone knows how to remove all its instances?
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
Comment Utility
First check HJT log again to see if it has respawned either as something else or algchk.exe again. A lot of malwares have a parent file that checks on boot if its child has been removed and replaces it.

Particularly check any Winlogon references in HJT and make sure that they point at the legitimate windows file
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
Masqueraid,

I did run HJT again but nothing suspicious except for the following log.

O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)

I did remove WGA Notify. Could the flashing window be related? I removed it as stated by you.

I'm trying to tackle the problem a piece at a time, perhaps I will have a good system again hopefully! It really slowed down my system and can't understand where my few disk space had vanished yet!
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
Anyone has any other suggestion please?
0
 
LVL 1

Author Comment

by:King_Diamond
Comment Utility
I did a windows update and seems to have cleared the remaining problem.

Thanks to everyone.
0
 
LVL 91

Expert Comment

by:nobus
Comment Utility
fredshovel - can you have a look here please?  http://www.experts-exchange.com/Hardware/Components/Q_26542874.html?cid=239
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Do you have the problem that a lot of tasks are stacking up fairly quickly? A good way to reduce your big task list is to apply the 3 minute rule. Its fairly simple: if someone asks you to do a specific task, and you know for a fact that it will …
Finding a job can be stressful - searches, resume tweaks, and networking events can be super boring. Luckily we're here to help you land your dream job!
The Bounty Board allows you to request an article or video on any technical topic, or fulfill a bounty request to earn points. Watch this video to learn how to use the Bounty Board to get the content you want, earn points, and browse submitted bount…
Saved searches can save you time by quickly referencing commonly searched terms on any topic. Whether you are looking for questions you can answer or hoping to learn about a specific issue, a saved search can help you get the most out of your time o…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now