AT&T Global Network Dial Up Software issue

Discussion in 'Software' started by Kodo, Mar 31, 2004.

  1. Kodo

    Kodo SNATCHSQUATCH

    Ok, I can't figure this one out. It's been an ongoing fight to try to track down what the cause of this is.

    Background:
      • WinXP PRO Sp1a : Latest Updates
      • User Level: PowerUser
      • Software: AT&T Global Network Dial Up software
      • Issue: Dial Up software pops up at random times while user is working in other applications.
      • Modem off or on; doesn't matter
    Action Taken:
    • Turned off Automatic Updates for the OS
    • Set "never dial" in IE
    • No Incoming calls detected or allowed
    • checked config for AT&T software to make sure it doesn't auto update or autodial
    Gotta reboot.. brb with more info..
     
  2. Adrynalyne

    Adrynalyne Guest

    Spyware?
    AV trying to update?
     
  3. Kodo

    Kodo SNATCHSQUATCH

    Ran Ad-aware and it only found tracking cookies..
    Ran AV.. nothing detected (Using AntiVir)
    Ran AVAST on it too, nothing
    Ran The-Cleaner on it, nothing

    No autoupdates on AV.
     
  4. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    When you stop the dial-up window have you checked task manager for any rogue processes?
    Maybe Event Viewer see if any service or something is trying to start

    Double-checked MSCONFIG for a rogue backdoor or something hidden in there, often disguised as actual windows tasks

    Just my 02 :)
     
  5. Kodo

    Kodo SNATCHSQUATCH

    Nothing in the event manager.

    Will check for rogue processes WHILE it's up. Checked in the past and didn't see anything but it wasn't at the time of the event.

    MSCONFIG looks clean too.
     
  6. Adrynalyne

    Adrynalyne Guest

    Go to msconfig.

    Select selective startup.

    Uncheck:

    startup items
    process win.ini
    process system.ini

    Go to services tab.

    Hide all MS services.

    Disable the 3rd party stuff.

    Apply, close

    Reboot.

    Does it still prompt randomly?
     
  7. Kodo

    Kodo SNATCHSQUATCH

    Will test tomorrow.. let you know. User leaves at 4pm and I can't get on her PC until then.

    I did notice this one service (3rd party) .. called "iap" with no description. Couldn't find any info on it. Any clues?
     
  8. Adrynalyne

    Adrynalyne Guest

    No. I would go through HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, locate the service, then find out what exe it is using.
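
Added example (not part of the original thread): the registry lookup suggested in the post above, written in PowerShell. `Get-ServiceBinary` is a hypothetical helper name, `iap` is the service name quoted in the thread, and the function also reads `Parameters\ServiceDll` because services hosted in svchost.exe keep their real module there.

```powershell
# Added example; Get-ServiceBinary is a hypothetical helper name.
function Get-ServiceBinary {
    param([Parameter(Mandatory)][string]$ServiceName)

    $key = Join-Path 'HKLM:\SYSTEM\CurrentControlSet\Services' $ServiceName
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "No service key named '$ServiceName'"
        return
    }
    $svc = Get-ItemProperty -LiteralPath $key

    # ImagePath can be quoted, carry arguments, or use \??\ or \SystemRoot\ prefixes.
    $raw = [Environment]::ExpandEnvironmentVariables([string]$svc.ImagePath)
    $raw = $raw -replace '^\\\?\?\\', ''
    $raw = $raw -replace '^\\?SystemRoot\\', "$env:SystemRoot\"
    if     ($raw -match '^\s*"([^"]+)"')                  { $exe = $Matches[1] }
    elseif ($raw -match '^\s*(.+?\.(exe|sys|dll))(\s|$)') { $exe = $Matches[1] }
    else                                                  { $exe = $raw.Trim() }
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        $exe = Join-Path $env:SystemRoot $exe   # driver paths are relative to %SystemRoot%
    }

    # Services hosted in svchost.exe keep their real module in Parameters\ServiceDll.
    $dll = $null
    $paramKey = Join-Path $key 'Parameters'
    if (Test-Path -LiteralPath $paramKey) {
        $dll = (Get-ItemProperty -LiteralPath $paramKey).ServiceDll
    }

    foreach ($path in @(@($exe, $dll) | Where-Object { $_ })) {
        $exists = Test-Path -LiteralPath $path
        $sig  = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path }
        $info = if ($exists) { (Get-Item -LiteralPath $path -Force).VersionInfo }
        [pscustomobject]@{
            Service   = $ServiceName
            Start     = $svc.Start          # 2 = automatic, 3 = manual, 4 = disabled
            Path      = $path
            Exists    = $exists
            Company   = $info.CompanyName
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

Get-ServiceBinary -ServiceName 'iap' | Format-List
```

A path that does not exist, or a binary with no company name and no valid signature, is the result that warrants a closer look.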
     
  9. Kodo

    Kodo SNATCHSQUATCH

    Roger that...
     
  10. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

  11. Kodo

    Kodo SNATCHSQUATCH

    yes it's a DELL : Service disabled.
     
  12. Kodo

    Kodo SNATCHSQUATCH

    ok, it's gotta be something in her profile because it doesn't do it while I'm logged in as admin...
     
  13. Kodo

    Kodo SNATCHSQUATCH

    RASAUTOU service is executing the dialer. So something is trying to call out because the modem is off.
     
  14. Adrynalyne

    Adrynalyne Guest


    Lodo...it has a ring to it.


    New nickname for Kodo! :D
     
  15. Kodo

    Kodo SNATCHSQUATCH

    I'll run the stinger on this machine, but I'm pretty sure that rasautou is a valid os exe.

    There is definitely something trying to come in. My Rc window on the network icon in the systray is lit solid (incoming packets non-stop in the monitor). I installed ZA but all it said was that it was trying to receive DHCP from local 0.0.0.0 so, I'm cornfused...
     
  16. Adrynalyne

    Adrynalyne Guest

    Hmm, proxy client installed maybe?

    Not necessarily a legit one, mind you.

    (malware)
     
  17. Kodo

    Kodo SNATCHSQUATCH

    Thanks for that Star. I disabled everything via the registry.. we'll find out what happens tomorrow because I'm not waiting around for it ..I'm goin home! :)

    Thanks everyone!!
     
  18. Adrynalyne

    Adrynalyne Guest

    Good luck, Lodo, er Kodo. Let us know how it turns out :D
     
  19. Kodo

    Kodo SNATCHSQUATCH

    it's legit.. ran stinger and came up clean.. so I'm definitely satisfied that it's not a virus.
     
  20. Kodo

    Kodo SNATCHSQUATCH

    I didn't let it run long enough couldn't leave it on her system with spending the time to really configure it. I'd definitely be getting a call in the morning about it.. and I don't want that.
     
  21. Kodo

    Kodo SNATCHSQUATCH

    no 135 activity was detected.. MSN messenger is disabled and no instances of it loaded. Will check ras log tomorrow.
     
  22. radiot

    radiot Private First Class

    From the peanut gallery

    The depth of knowledge expressed in these forums is impressive, and the neighborliness is rare.
    D
     
  23. Kodo

    Kodo SNATCHSQUATCH

    it worked!!

    No more autoras.. yeah.. she's happy, I'm happy, everyone's happy.

    Thanks guys!
     
