Spurious dialups on SOHO network

My customer keeps getting unknown dialup requests.
I have installed a temporary solution for a client which comprises 2 Dell
PCs and a Netgear switch. This is while he awaits decision on full server
network. Only one PC has a dialup connection to the Internet, and it is this
one that is getting the spurious RPCs; I believe from the other PC. I
have done all of the obvious, i.e. stopped windows updates, Symantec live
update etc. I have run all of my analysis tools, malware removers,
virus/trojan removers. I have blocked all startups etc (MSconfig). I have
checked the registry and manually cleaned that of all deleted SW. I am
flummoxed, and the customer very irritated (the temporary dialup connection
is shared with a FAX which is very busy). Has anyone any ideas? Is there a
way to identify/trap the cause of the dialup requests please.

Thanks, Jon
 

Hi, Jon -

You're on the right track - I might offer a couple of suggestions,
though.

First, since this is only a two-node network, if one machine is hosting
the dialup connection then disconnecting the client (or disabling
Internet Connection Sharing) will tell you which machine is requesting
the connection. If you disconnect the client and the problem goes
away, then the problem was with the client ;-)

You're correct that *something* is asking for Internet access. If
you've disabled the obvious and the problem persists then it might be
time to dig a little deeper. If you look in Task Manager for anything
strange (especially anything running in a user context instead of under
the system account) you might be able to narrow things down a little
more. Check the user's (and All Users) startup folder, peek at the
registry under

HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run

(there are other places but this one is most common)

If it's a service that's run under the svchost wrapper then opening a
command prompt window and running 'tasklist /svc' will tell you what
all those instances of svchost are really doing.

Another thing you might try is to make sure SP2 is installed on the
machines and raise the firewall on both boxes - you can't do this
unless the machine has SP2 installed, though - pre-SP2 firewalls will
break your LAN. Maybe the firewall will give you a heads-up on which
application is requesting access. It's worth a shot ;-)

Good luck!
 
First I apologize for being vague and not more specific - have not used
dial-up recently and a little out of touch. However did have the same
experience - turned out to be the client computer (as you suspect) - dial
up properties had an option, along with "never dial a connection" and
others, along the lines of dialing when a network connection was available
or non-available (again vague).
 

Jon,

Did your malware detection involve both computers? Did it involve HijackThis,
and expert advice (that's the essential, final step)?
<http://nitecruzr.blogspot.com/2005/05/dealing-with-malware-adware-spyware.html>

As Allan says, check for non malicious automatic startups. But don't waste time
manually searching one registry key. Get Autostart Viewer (free) from
DiamondCS, and Autoruns (free) from SysInternals. There are 4 well known
autostart lists, and a few not so well known.
<http://www.diamondcs.com.au/index.php?page=asviewer>
<http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml>

If the customer has a dialup connection, recommend that he get a NAT router to
manage the connection properly. Separate the host and client.
<http://nitecruzr.blogspot.com/2005/05/sharing-your-dialup-internet-service.html>
 
Hi,

I have had good luck with installing Ethereal (www.ethereal.com), a free
network packet analyzer. It will show you all packets going over the
Ethernet connection; you should be able to pick out requests for
external servers, and get a good idea what program is involved from the
server address (e.g. update.mcafee.com or whatever). This should help
identify problems on the client; not sure what you can tell about
problems residing on the dialup PC though....

Martijn
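
Added example, not part of the original post: the per-host tally of requested server names described above, computed from a saved capture instead of read off the screen. It assumes the capture was saved in classic little-endian pcap format from the Ethernet side; the 192.168.0.x addresses and the example.com names are constructed sample data.

```python
import struct
from collections import Counter

def frame(src_ip, name, flags=0x0100, proto=17):
    """Constructed Ethernet/IPv4/UDP frame carrying one DNS message (sample data)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    dns = struct.pack("!6H", 1, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)
    udp = struct.pack("!4H", 1025, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes([192, 168, 0, 1]))
    return b"\0" * 12 + b"\x08\x00" + ip + udp

def pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, f in enumerate(frames):
        out += struct.pack("<4I", ts, 0, len(f), len(f)) + f
    return out

def dns_queries(data):
    """Yield (source IP, queried name) for each DNS query in a classic pcap."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]
        f, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 17:
            continue                          # not IPv4 carrying UDP
        udp = 14 + (f[14] & 0x0F) * 4         # honour the IP header length
        if len(f) < udp + 21 or f[udp + 2:udp + 4] != b"\x00\x35" or f[udp + 10] & 0x80:
            continue                          # not a query sent to port 53
        pos, labels = udp + 20, []
        while pos < len(f) and 0 < f[pos] < 64:   # stop at root label or pointer
            labels.append(f[pos + 1:pos + 1 + f[pos]].decode("ascii", "replace"))
            pos += 1 + f[pos]
        yield ".".join(map(str, f[26:30])), ".".join(labels)

def who_asked(data):
    """Tally looked-up names per LAN host, to show which machine wants which server."""
    tally = {}
    for src, name in dns_queries(data):
        tally.setdefault(src, Counter())[name] += 1
    return tally

# Constructed capture: 192.168.0.2 is the assumed client, 192.168.0.1 the assumed dialup host.
SAMPLE = pcap([frame("192.168.0.2", "update.mcafee.com"),
               frame("192.168.0.2", "update.mcafee.com"),
               frame("192.168.0.2", "time.example.com"),
               frame("192.168.0.1", "update.mcafee.com", flags=0x8180),  # a response
               frame("192.168.0.2", "ignored.example.com", proto=6)])    # not UDP
```

Calling `who_asked(open(path, "rb").read())` on a real capture gives the same mapping; a host that appears here with a vendor update or time-server name is the one prompting the dial.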
 

Martijn,

When you reply to a post, you should include a relevant portion of that post.
In your case, maybe you should be replying to the OP, not to me.
<http://nitecruzr.blogspot.com/2005/05/how-to-post-on-usenet-and-encourage.html#Replying>

 
Yeah, I misclicked, I meant to reply to the 'root' posting by the OP.
Sorry...

Martijn

PS I really prefer top posting though! :o)

Martijn,

I thought so. Many post here like you did, but for the others, I'd bet it's
intentional (they do it repeatedly).

Don't you love Usenet? Once you make a mistake, and it posts, it's there for
eternity (Googled forever).

ps Thank you for not top posting here 8-)

A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Because it changes the order you read a conversation.
Q: Why is top-posting so annoying?
A: Top-posting!
Q: What is the most annoying thing in newsgroups?
 
Bottom posting has its roots in the "Bulletin Boards" of old. Take a look
back at the way things were say twenty years ago. Now think about how a
bulletin board system was programmed.

Today... bottom posting is actually a waste of resources in many ways. i.e.
Those that use Usenet on a PDA will limit the lines downloaded to say 30 per
post. Ahh... now you see just one reason why one might want to top post.
Not much fun scrolling down thru quotes on a PDA to find a reply. Or how
about not even getting to the new topic unless the entire quoting is
downloaded.

Bottom posting also leads to over quoting in that there are far too many
people that quote endlessly and mindlessly.

Things change, times change and so do Usenet posting protocols.

What really is difficult to understand is why there are so many netcops that
waste their time with... <pause> ...netcopin'.

So... top posting netcops are the most annoying thing in newsgroups. And
sockpuppets can be annoying but netcops are the most annoying.

Trying to config. PC-Cillin and/or ZA on a home network... can also be
annoying.

Over
 