Thread ID: 50811 2004-11-02 07:45:00 Dialup starts automatically jferg (3232) Press F1
Post ID Timestamp Content User
287170 2004-11-03 05:49:00 when the wife gets home after 7, I will call her to find out exact file name jferg (3232)
287171 2004-11-03 05:58:00 download hijackthis and run it.. save log and post the log on this web again
maybe you have missed something the many eyes here can find and diagnose for you
it definitely sounds like you have a dialer/trojan on your machine and it's running either through regedit at start or msconfig
RoIdY (6252)
287172 2004-11-03 06:59:00 Will do that when I get home tomorrow.
Just got WifeE to check file name in task manager that is the culprit.

It is "Rasautou.exe"

Last night I deleted it but it's back
jferg (3232)
287173 2004-11-03 07:21:00 Nope I think this file is safe. As I have the same file here.

It must be something else or a program you may have installed that uses the modem and dials out. It's rasauto.exe you have to worry about.
Spacemannz (808)
287174 2004-11-03 07:25:00 OK, so I have to find out what is using RASAUTOU.exe to dial out

Easy I'll use a sledgehammer!!

No not really I'll try spybot tomorrow
jferg (3232)
287175 2004-11-03 07:57:00 I don't think you have gone thru the available FAQs & recommendations yet, otherwise your problems would be gone by now 45South (4769)
287176 2004-11-03 20:48:00 Here is the Log from hijack this

Logfile of HijackThis v1.98.2
Scan saved at 9:38:24 AM, on 11/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\TaskBar\CTLTray.exe
C:\Program Files\Creative\TaskBar\CTLTask.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.microsoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = tvnz.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.microsoft.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\TaskBar\CTLTask.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - www.creative.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - v5.windowsupdate.microsoft.com
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - www.creative.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{15A62A64-9567-4761-B553-CF8591F290E0}: NameServer = 203.96.152.4 203.96.152.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{15A62A64-9567-4761-B553-CF8591F290E0}: NameServer = 203.96.152.4 203.96.152.12
jferg (3232)
287177 2004-11-03 21:10:00 Are you on a network at all jferg?? Or is this pc you're on it. Just 1 PC??

That hijackthis log looks OK.

I would check all the programs that you've installed. Look in their prefs / options, and see if any are configured to update / dial out or something at a preset time or something.

Whatever it may be, might be configured to dial about the same time you boot your system??
Spacemannz (808)
287178 2004-11-04 00:43:00 If you leave it to dial out and connect where does it go to? I had something like this once and I always Ctl+Alt+Del to shut it down straight away but then I left it to do its thing and then found out what it was. (Cool Web Search) Having identified it I could do something about it. HTH :D mark c (247)
287179 2004-11-04 01:02:00 No malware that I can see either, but brought to light 3 applications that could be looking for updates..

1/ Windows auto update
2/ Nero
3/ Sound Blaster

Try turning off their "auto-update/autocheck for new versions" features.
Pheonix (280)
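
An added example, not part of any post in this thread: a small Python parser for the `CODE - detail` entry lines of the HijackThis log posted above, pulling out the O4 registry Run entries and O16 downloaded controls that the replies reviewed. The function names and the check for Run commands that lack a full path are assumptions made for illustration; the sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted in this thread (lines copied from the post).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = tvnz.co.nz
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\TaskBar\CTLTray.exe"
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - www.creative.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - v5.windowsupdate.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{15A62A64-9567-4761-B553-CF8591F290E0}: NameServer = 203.96.152.4 203.96.152.12
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                     # e.g. "O4 - ..."
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")     # hive, key, name, command
DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.*)\) - (.*)$")    # clsid, name, source
ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')                           # C:\... or "C:\...

def parse_log(text):
    """Group entry lines by their section code (R0, O4, O16, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def autoruns(sections):
    """(hive, key, name, command) for each O4 registry Run entry."""
    return [m.groups() for m in map(RUN.match, sections.get("O4", [])) if m]

def unqualified_autoruns(sections):
    """Names of Run entries whose command does not begin with a full path."""
    return [name for _, _, name, cmd in autoruns(sections) if not ABS_PATH.match(cmd)]

def downloaded_controls(sections):
    """(clsid, name, source) for each O16 downloaded ActiveX control."""
    return [m.groups() for m in map(DPF.match, sections.get("O16", [])) if m]

if __name__ == "__main__":
    secs = parse_log(SAMPLE_LOG)
    for hive, key, name, cmd in autoruns(secs):
        print(f"{hive}\\{key}: {name} -> {cmd}")
    print("No full path:", unqualified_autoruns(secs))
    print("Controls:", [(n, src) for _, n, src in downloaded_controls(secs)])
```
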