Network Connections - Problem!

w hole

Regular Member
Joined
Jan 1, 2000
Messages
591
Reaction score
0
Points
0
My Location
uk
Hello All

Got a bit of a problem I think.

When I start up my 'confuser' [Windows XP Pro] and before I make my connection to my ISP [Pipex Broadband 3x], I get a small screen displayed with the heading :

Network Connections.

This says 'You [or a program] have requested information from [here I get the web address of various sites, see list below]. Which connection do you want to use?'

I think this is called up by RASAUTOU.exe which appears to be a Microsoft programme.

Question is how do I find out what is calling this programme to run.

If I cancel the dialog box, or End The Process through TaskManager, another dialogue opens in a few seconds with a different WebPage being requested.

I think this must be a virus of some sort, can anyone throw any light on this or recommend a programme that will clear this up?

Kind Regards

W. H.

Some of the addresses which are 'requested' :

iundl.de
sg.windows
di.asia.com
schlund.net
congentco.com
level3.com
lib.nthu.eddu.tw
212.23.32.29

I have visited some of these and they seem to be quite 'normal' sites!
 

PoloMint

Super Minty Mod
Joined
Dec 31, 1999
Messages
1,588
Reaction score
1
Points
0
My Satellite Setup
1200cc with 100,000,000,000 neurons and 100,000,000,000,000 connections
My Location
Fife, Scotland
rasautou.exe is in fact part of Windows XP and is not a virus, however it deals with autodialing and internet connection selections when a program attempts to access the internet, which is the part of it you are seeing. As a result the name of any virus/spyware that is trying to get online is in effect hidden behind rasautou.exe.

You should do a full virus and spy/adware scan. If you don’t have an antivirus program installed then Trend Micro do a free online scan to get you started.

EDIT the house call link is censored, (not because of the program, it just by chance has seca in the URL and so is censored) so the URL is

http://hous e call.trendmicro.com/ (without the spaces)

After that download adaware (free, use the update feature after you have installed it and before you run it) http://download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button and then spybot search and destroy http://www.safer-networking.org/index.php?page=download

After running all of those your system should be pretty clean.

Have you got a firewall? If not then you should probably get one, that would tell you what program is trying to access the internet and should stop any program getting access without you knowing.

Hope this helps.
 

w hole

Hello PM

Thanks for that - the House Call one is new to me so will give it a try.

I tried a bit of trial and error, and found that I have a programme in the StartUP called 'msconfg.exe' - NOT 'msconfig.exe' , and when I disable this the problem seems to stop.

I think it is/was a virus of some sort because the oly system was slowing right down.

I had already run SpyBot and AdAware, but although they came up with some minor items, they didn't seem to find the real problem.

Hope that 'msconfg.exe' isn't important!

Will load that House Call now and see what it comes up with.

Thanks again

W.H.

PS. Guess you saw my post re Office 2003.
 

rolfw

Believe it when I see it Admin.
Staff member
Joined
May 1, 1999
Messages
38,292
Reaction score
1,615
Points
113
My Satellite Setup
Technomate 5402 HD M2 Ci, DM7000s, Transparent 80cm Dish, Moteck SG2100 DiseqC motor, lots of legacy gear. Meters: Satlook Digital NIT, Promax HD Ranger+ spectrum analyser.
My Location
Berkshire
Also go to Symantec's page and do a search in their virus database, you may find some information by putting in the msconfg.exe file name.
 

w hole

Hello Both

Thanks again for your help.

That HouseCall is quite thorough isn't it.

Seems that I have PE_PARTIE.A amongst other things.

HouseCall is 'cleaning' about 3200 files at the moment, it seems to have infected every .exe file that is on my system [Ugh!].

There are also a few old ones there as well in some folders that have come over from previous installations - one of them is DOS_AGABOT.GEN and I can't remember there was another I think.

I think what happened was, my ISP were having a few problems, and I thought it was my FireWall [ZoneAlarm], so I turned it off for a few minutes to check it out. [Or perhaps SWMBO has been looking at the mature content sites again.]

Anyway will have to investigate that 'msconfg' thing when I have sorted this lot out, may be something to do with this or may be separate.

Will advise when I have more info.

Regards

W.H.
 

PoloMint

House call is quite good at searching, but if you have several viruses rather than many instances of the same one then there may be some that it will not be able to clean.

If so you might need to get specific virus removers for each virus, just by searching in Google for the virus name and 'removal' or by getting a more powerful piece of antivirus software. But wait and see what house call manages before trying anything else, a lot of the time it can clean everything.
 

BGonaSTICK

Retired Moderator
Joined
Dec 22, 2003
Messages
5,145
Reaction score
0
Points
36
Age
50
My Satellite Setup
Dreambox 7000, Skystar2
My Location
Brighton
If you think about it, the malicious code has to start each time you boot windows. Looking in the startup folder is a good place to begin, for EACH user on XP.

If the code has infected other executables, then your task can grow exponentially, but the other two common places that code is run from are in the registry.

If you click START then Run, type in 'regedit' without the quotes, and navigate to :-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run .

This is the hook in the registry used to start many programs on startup.

There is also :-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce which will (guess what) run code once only. Often a spyware setup program will be run from here, infecting or installing other code for use in subsequent boots.

It's definitely a great idea to get to know everything that SHOULD reside in these two places, so that you can easily spot what doesn't belong.

Find the name of the file being executed in each case, (exe, dll etc.) and locate it using windows explorer. Pause the cursor over it and you'll get a feel for whether it's 'genuine' or 'unwanted'.

If you find suspect material, backup your registry (use FILE/EXPORT) and delete the entry. Test the function of your machine for a day or two, then remove the next one etc. backing up as you go. Using this method, you can often remove stuff that is not detected by the popular scanners.

If everything goes pear-shaped, just restore the registry to the last working version. Use safe-mode if you really screw it up.

Hope this helps.
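
The check described in the post above, as an added example that is not part of the original thread: it reads a regedit File/Export of the Run and RunOnce keys and flags startup programs whose file names nearly match a genuine Windows binary, as 'msconfg.exe' does with 'msconfig.exe'. The sample export, the list of genuine names and the 0.85 similarity threshold are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Genuine Windows binary names worth protecting (illustrative list, an assumption).
KNOWN_GOOD = {"msconfig.exe", "rasautou.exe", "explorer.exe",
              "svchost.exe", "ctfmon.exe", "rundll32.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\]$", re.IGNORECASE)
VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
EXE = re.compile(r'([^\\/"]+?\.(?:exe|dll|com|bat|cmd|scr|pif))(?=["\s,]|$)', re.I)

# Constructed sample of a regedit File/Export; every entry here is made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Firewall"="\"C:\\Program Files\\Example Firewall\\fwclient.exe\""
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msconfg"="C:\\WINDOWS\\system32\\msconfg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"setup"="C:\\WINDOWS\\Temp\\expl0rer.exe /s"
'''

def parse_run_entries(reg_text):
    """Return (key, value name, command) for each value under Run or RunOnce."""
    entries, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            key = line[1:-1] if RUN_KEY.search(line) else None
            continue
        m = VALUE.match(line)
        if key and m:
            # .reg exports escape backslashes and quotes; undo that.
            entries.append((key, m["name"], re.sub(r"\\(.)", r"\1", m["data"])))
    return entries

def lookalike_of(exe, threshold=0.85):
    """Return the genuine name that exe nearly matches, or None."""
    if exe in KNOWN_GOOD:
        return None
    score = lambda good: SequenceMatcher(None, exe, good).ratio()
    best = max(KNOWN_GOOD, key=score)
    return best if score(best) >= threshold else None

def audit(reg_text):
    """Return (key, value name, exe, imitated name) for near-miss autoruns."""
    findings = []
    for key, name, cmd in parse_run_entries(reg_text):
        m = EXE.search(cmd)
        target = lookalike_of(m.group(1).lower()) if m else None
        if target:
            findings.append((key.rsplit("\\", 1)[-1], name, m.group(1).lower(), target))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s: value %r runs %s, which resembles %s" % finding)
```

This compares file names only, so an entry that uses a genuine name from an unexpected folder still needs the manual look in Windows Explorer that the post describes.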
 

w hole

Hello All

Remember Derek & Clive?

Well this is the worst job I ever had!

Have now been up all night running HouseCall, and I think I am about to get to the end of the 'cleaning process'.

Some advice if you can help.

A lot of the time seems to have been spent cleaning System Volume Folders.

Would I be right in thinking that these contain the data for System Restore Points?

If so then as under the circumstance [every .exe file on the system infected], I don't suppose they would be much use anyway, and I could have deleted them before I ran the cleaning process thus saving me a few hours of time.

Is this right?

Regards

W.H.
 

w hole

Hello Again

Just another quick thought - might prevent someone else doing the same.

I was trying to boot to my second XP configuration at the weekend, and it would go past the Windows Is Opening screen, so I thought I would do a quick re-install from my primary XP configuration.

Problem was that before I knew it I was re-installing my primary, and I did it without Auto Update, so effectively I reduced my system to a bare SP1 with none of the subsequent updates which I had downloaded over the years.

I have updated completely this morning, and guess that this should have been the first thing I did otherwise I might have got re-infected whilst I was cleaning out the earlier problem.

A new question here though, does Windows Update store the downloaded stuff somewhere so that I can update my second installation without having to go online?

Regards

W.H.

PS. HouseCall has just finished, and has told me all files are now clear!!
 

PoloMint

Good news that your system is all clean now!

The system volume info files are indeed windows restore points and disabling system restore would have removed all of them - saving you some time.

Windows Updates are stored in folders called WUTemp (normally in root of C:) but they are only stored there temporarily, when the updates are installed they should be automatically deleted.

Even if you copied the files before they were deleted, I am not sure how, or even if, they would manually install on another XP installation (without going through windows update page).

Big updates like SP1 can be completely downloaded from the MS website and installed from a file, that way you can install it several times on several machines without having to re download it, but I am not sure if the small updates can also be done that way. But as you have already got them installed on one XP system and it would mean downloading them again it doesn’t really help you much anyway.
 

w hole

Thanks All

For 'holding my hand' through this one.

BTW re. Derek & Clive.

If you would like a link - then let me know in S. H.

Got them a couple of weeks ago.

Regards to all

W.H.

PS. Is 2old about at all nowadays?
 

rolfw

2old dropped in a couple or three months back, but think that his web time is very limited nowadays, certainly miss his input.
 

w hole

Hello All

Just noticed that I have a whole load of files with extension .RB0

They seem to be the original infected versions of all my .exe files.

I assume that now I have 'cleaned' them all, I can delete all these .RB0 files, can anyone confirm?

Regards

W.H.
 

PoloMint

Should be safe enough to delete them W.H.

Just to be safe it might be a good idea to move them all to a folder somewhere, reboot and make sure everything seems to work before deleting them.
 