1. When Windows starts, or later when a user starts an application, something causes a connection:
a. When a program is used that automatically checks for updated components or Web pages.
b. When a program is located in the "StartUp" folder that is supposed to dial an ISP.
c. If a computer is infected with a Trojan horse virus such as System32.exe or Win32.Bymer that starts when you start your computer. Note that most antiviral programs do not detect or remove Trojan horse viruses.
d. If Symantec WinFax or HotFax Message Center is installed and improperly configured on a computer.
e. Using a Lexmark printer. The Lexmark printer software may add Lexstart.exe to the "Run" registry key to handle print commands that are sent to the printer. This can cause "Dial-Up Networking" to prompt a dial.
f. If Microsoft Personal Web Server 4.0 and the Microsoft Distributed Transaction Coordinator (MSDTC) service are loaded from the registry.
g. If a beta version of RealNetworks RealAudio 5 is on your computer.
h. If Microsoft Internet Explorer is configured to connect by using a modem and the following registry key is set to yes (Y).
Note: Change the option to "No" (an N, which would look like "N" in the right window). To get to that location, start the registry editor and start clicking the + (plus sign) before each of the words preceding the backslash in the following line:
2. Several installation wizards ask if a user wants so and so loaded at startup. These same programs usually give you the option to reverse that choice. Check the help file or documentation for any programs you can identify that load at startup and turn that option off.
3. If a user has enabled remote connections, a system might try to initiate an Internet connection at startup or at the start of some applications. This behavior is often referred to as "AutoDial" or "AutoConnect". If this is the only concern, then editing the Registry is one way to disable this behavior, [Q191901].
4. If you use AOL Instant Messenger (AIM), open it, then find and uncheck the boxes for "Start Instant Messenger when Windows Starts" and "Reconnect Automatically".
5. To determine from where and how programs are started, see [Q186049] and "Modem Attempts to Dial When Windows Starts (Q175312)."
Note: Remember. We're talking about where a program loads from, not about Internet Explorer.
6. Do not delete items listed in the Registry's "RUN" key. If you have further questions about a specific item which appears to be something besides a program activated for background operation, come back to the forum with another question. Else, export that key to a safe place in case it needs to be imported should system problems occur.
a. If either or both the Run= or Load= lines are or appear blank, delete the line(s) totally. Windows doesn't care and they'll be created whenever necessary by the operating system.
b. If one of these lines contains a program listing, disable the entire line by inserting a semicolon and a blank space before it at the left margin, and exit to save the file. After rebooting, make a test run to see if the anomaly disappeared. If it still occurs and the other line also had something entered, edit it similarly and reboot. If the anomaly remains after both lines have been disabled, re-edit the file to remove your entries. Reboot again before doing anything else.
c. If either or both of these lines contain multiple program entries, copy the entire line to a separate line below it and place a semicolon and space before it at the left margin. Return to the original entry and delete one of the multiple entries, exit to save, reboot, and make a test run. If the first removal didn't work, delete what is left on the original line and type in the second item still shown on the archived copy you pasted below it. Give things a test again. If that still didn't work, delete the testing line, remove the semicolon and space before the archive line to return the system to how it was previously, then exit and save.
d. You do have the option of running a program otherwise listed on a Run= or Load= line, particularly when there are multiple listings, should you want to.
(1) Simply create an icon in the Startup folder and assign the same action as that contained on the line.
(2) If you only need to run the program on occasions, or perhaps not at all, simply create a shortcut somewhere where you can start the program on demand.
(3) Simply delete the Win.ini file line entries and don't worry about it.
7. Is Outlook installed with the Corporate Workgroup/Other option?
a. To determine your installation type, on the Help Menu click About Microsoft Outlook. In About Microsoft Outlook you should see "Corporate" if you have the Corporate Workgroup installation. If you are using Windows "NT" or it is not installed, skip this paragraph. Otherwise, keep reading.
b. The Microsoft Outlook 98 Internet E-mail Service does not automatically call your Internet Service Provider (ISP) using dial-up networking to check for new mail, but it could, [Q190172].
8. If remote connection is enabled in Win95/8, a system might try to initiate an Internet connection at startup. To turn off remote connections in Win95/8, set the registry key EnableRemoteConnect to N. You can do this by running "DCOMCNFG" in Win98, clicking the Default Security tab, and clearing the Enable remote connection check box should it fail to run, [Q177394].
9. You may experience any one or more of the following symptoms when deceptive software such as spyware or unauthorized adware is installed on the system, [Q827315]:
• When you start your computer, or when your computer has been idle for many minutes, your Internet browser opens to display Web site advertisements.
• When you use your browser to view Web sites, other instances of your browser open to display Web site advertisements.
• Your Web browser's home page unexpectedly changes.
• Web pages are unexpectedly added to your Favorites folder.
• New toolbars are unexpectedly added to your Web browser.
• You cannot start a program.
• When you click a link in a program, the link does not work.
• Your Web browser suddenly closes or stops responding.
• It takes a much longer time to start or to resume your computer.
• Components of Windows or other programs no longer work.
WARNING: As always, make sure every utility you use is fully updated. In addition, if you've never been through an eradication process, you're in for a surprise.
10. First, please read the article concerning "Unsolicited Commercial Software."
11. Second, perform as a minimum the first five items listed below. And note, there may be enough intrusion to cause all kinds of frustration in getting these programs to install and then clean a system. If there is a huge amount of cleaning to perform, limit the amount removed at one time and run the program again. If the programs don't install correctly the first time, uninstall from the Add/Remove applet in the Control Panel and install again.
Note: If you try using CWShredder, HijackThis, as well as Spybot S&D, Ad-aware and several other anti-spyware utilities and a trojan is installed which prevents their running, download PepiMK's "CoolWWWSearch.SmartKiller" removal tool, uncompress the zip file and run the program. In fact, this is the very first thing I would do anyway.
Caveat: Problems connecting? Try the "Computer Cops" site and find the files in question.
Note: If Housecalls doesn't run for whatever reason, you might as well abort and go to the next and try this site later.
b. "Adaware." Your attention is invited to "Unable to Log On To Windows XP After Removing wsaupdater.exe."
c. Spybot S&D:
Note: If you receive an error "SO Exploit: . . ." (data source object) caused by the active security setting "Download unsigned ActiveX controls", the setting could be changed to "Disable" or "Prompt", or you can ignore the error.
d. "CWShredder v1.59.1" or "CWShredder v2."
Warning: It is being reported in the "Virus Alerts" forum, "Testers from several security forums are reporting issues with the new CWShredder (version 2). It is recommended to use the original program until further notice."
e. "McAfee AVERTStinger."
f. "Hijack This" - 1 or "Hijack This" - 2.
Note: Posting a log concerning #f should only be at the direction of a forum moderator IMO. For your reading pleasure, "Hijack Removal", and the Viruses and Security Alerts Forum moderator's message concerning "HiJackThis log postings." In addition, you may find the site "Help2Go" informative concerning certain problematic items and receive recommendations but use their suggestions with caution or else. . .
12. Download and use "IIEFix" - a general purpose fix for Internet Explorer (Win 98/ME/2000/XP):
a. Registers Urlmon.dll, Mshtml.dll, Actxprxy.dll, Oleaut32.dll, Shell32.dll, Shdocvw.dll, [Q281679].
b. Refreshes Internet Explorer using IE.INF method. Note:
(1) "Unable to Install Internet Explorer 6 on Windows XP (Q304872)"
(2) "How to Reinstall or Repair Internet Explorer and Outlook Express in Windows XP (Q318378)"
c. Initiates "SFC /Scannow" (Win2K&XP), [Q310747].
13. The article [Q320454] discusses and contains information about the "Microsoft Baseline Security Analyzer" tool (MBSA), which centrally scans Windows-based computers for common security misconfigurations and generates a "report".
14. "ShieldsUP" is the Internet's quickest, most popular, reliable, most powerful, complete and trusted free online Internet security checkup and information service. At this site you can check your system for vulnerability and begin learning about using the Internet safely.
15. Supplemental reading:
a. "Setting Up Security Zones."
b. "Chapter 27 - Security Zones."
c. "Changes to Functionality in Microsoft Windows XP Service Pack 2."
d. "Basic Spyware, Trojan And Virus Removal."
e. "Removal Instructions for . . ." is a site that will help you learn more.
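
The Run=/Load= procedure in item 6 (a through c), as an added example that is not part of the original post. It works on the text of a Win.ini file and assumes multiple entries on a line are separated by spaces or commas; the sample file and its program names are constructed.

```python
import re

# An active (not commented-out) Run= or Load= line.
ENTRY = re.compile(r"^\s*(run|load)\s*=(.*)$", re.IGNORECASE)
SPLIT = re.compile(r"[,\s]+")  # assumption: space- or comma-separated entries

def _scan(ini_text):
    """Yield (line, key, value); key is None unless the line is an active
    Run=/Load= line inside the [windows] section."""
    section = None
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        m = ENTRY.match(line)
        if m and section == "windows":
            yield line, m.group(1).lower(), m.group(2).strip()
        else:
            yield line, None, None

def startup_entries(ini_text):
    """List the programs on each active line: {'run': [...], 'load': [...]}."""
    return {k: [p for p in SPLIT.split(v) if p]
            for _, k, v in _scan(ini_text) if k}

def disable(ini_text, key):
    """6a/6b: delete a blank line; comment out a populated one with '; '."""
    out = []
    for line, k, v in _scan(ini_text):
        if k == key:
            if not v:
                continue
            line = "; " + line.lstrip()
        out.append(line)
    return "\n".join(out) + "\n"

def drop_entry(ini_text, key, program):
    """6c: remove one program for a test boot; archive the full line below."""
    out = []
    for line, k, v in _scan(ini_text):
        if k == key:
            kept = [p for p in SPLIT.split(v)
                    if p and p.lower() != program.lower()]
            out += [key + "=" + " ".join(kept), "; " + line.lstrip()]
        else:
            out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample Win.ini; both program paths are made up.
SAMPLE = ("[windows]\nload=\n"
          "run=C:\\TOOLS\\UPDCHK.EXE C:\\TOOLS\\DIALER.EXE\n"
          "[Desktop]\nWallpaper=(None)\n")
```

Work on a copy of Win.ini and write the result back only after checking it; the archived `; ` line is what you restore if the test boot changes nothing.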