program dialing internet

[scooby]

Windows 98SE system constantly has program trying to dial the internet. When not plugged in you get the message saying: No connection to the internet is currently available..yada yada yada.

I removed a trojan from this system, have removed all spyware and removed entries from the registry under current user and local machine\software\microsft\windows\currentversion\run, runone and runservices.

Where else could this program be hiding??

THanks

[GaryRouth]

Somewhere in the message should be an indication of which program is requesting the absent connection.

Did you remove the trojan manually? Or did you have AdAware, Search & Destroy, the Cleaner, or some other tool remove it automatically? You could try another removal tool if you suspect another trojan.

But it might be something more benign, like Windows Automatic Updates, RealPlayer, MediaPlayer, Norton or McAffee looking to update files, etc. etc.

The dialer should have a clue in its message. If you see part of the message you can't identify, post it for us here & maybe one of us will recognise its source.
. . . Gary

[bosco]

Do you have a firewall like Sygate or ZoneAlarm? This should tell you What/Which program/file is trying to access the internet.

[scooby]

All i'm getting is:

No Connection to the internet is currently available. To View Internet Content that has been saved on your computer, click Work Offline.

Click Try Again to attempt to connect

[GaryRouth]

Try pressing Ctrl-Alt-Del (just once) as quickly as you can when this is happening. The offending program might show up in the Task List.

I'd also try another run of SpyBot's "Search & Destroy" with it's latest files.

bosco mentioned firewalls. If you do have one, it will list the activity in its logs.

The original trojan might not be all that gone.
They crawl back like cockroaches if given the opportunity.

Best of luck
. . . Gary

[scooby]

thanks gary

it's looking like RNAAPP...which is win98 MS dial-up networking file. It loads at startup and is listed in the tasks. Trying to see where the key is to disable at startup but not listing under run, run-, runservices, etc.

[GaryRouth]

Been looking around some tonight, and it seems that rnaapp doesn't startup by itself: it is called by another program. I'm thinking this behavior may be a leftover from the trojan. Legit RNAAPP is just doing it's job (can't do dialup networking in Win98 without it). The question is: who is asking it to start.


I copy-&-pasted some links that show different sides of rnaapp issues [one of which even turns out to be a virus mascarading as rnaapp or rnapp, I've seen both files mentioned]. There are quite a few things to look for.

Try an online double-check antivirus scan. http://housecall.trendmicro.com House Call is kept up-to-date and sometimes might find something others have missed. It takes a good long while on dialup but not much time at all on broadband.

And try an extra antispyware tool as a doublecheck. AdAware/Search&Destroy/TheCleaner, etc...

----> on a different course: also try browsing through the different tabs in System Configuration. [either Start/Run msconfig , or Start/Programs/Accessories/System Tools/System Information...and from the "Tools" menu, select System Configuration Tool.] The Startup tab should list just about anything starting early on, whether called from a load= line in one of your .ini files, or from an obscure Registry setting. When viewing the System Configuration screens, expand it's window to maximum = you'll notice one of the columns is marked "called from". Any program listed in startup that either would use the modem for dialing or for receiving (as in incoming fax), or for VPN connections, can start rnaapp.

Good luck, hope it works out soon
. . . Gary

Here are the links:
http://www.modemhelp.net/newsletter/...atrnaapp.shtml
http://www.computing.net/security/ww...orum/6497.html
http://forums.zonelabs.com/zonelabs/...essage.id=5431
http://lists.virus.org/dshield-0112/msg00123.html

[Quintz]

I'm having the same problem with an XP computer (This is on a Dell 2ghz (?) celeron computer of my sister's). It did have the MS Blast virus on it, but I went through the steps here and symantec and with all indications it was removed. I'm just purchased a copy of PC-Cillin (saw on a different forum here that talked this was better then Norton's) and will be installing that to see if it can pick something out. I've also run ad-aware and it was clean. I've hit the ctrl-alt-del to check processes and all, but with so much running, I could not see/tell anything out of the ordinary. And the error will not identify the problem causing program.

[scooby]

Thanks Gary, i had seen some of the links before and am verifying in not something else loading it at startup. One thing i don't see in msconfig is the "Called from" option you mentioned.

[GaryRouth]

Sorry about that, scooby: I just checked, and the "called from" column is in System Information, but not in the System Configuration tool. Start System Information as usual, and on that tree-view pane (like Windows Explorer) on the left-hand side, click on the plus (+) sign next to "Software Environment", and then click on "Startup Programs". The "Called From" column is usually the 2nd column. By default, the order is "Name, Called From, Command". It should list programs from startup no matter where they are called from: even from win.ini and such by the load= commands.

Since you've had to remove a few things, see if a visit to Windows Update will ask to re-install any Security Patches - just to make sure nothing else sneaks in while you're troubleshooting this one.

Should be interesting when we find the answer, I imagine lots of folks might be in the same boat.
. . . Gary

[...re: Zone Alarm - strangley enough, one of those links mention that in one version of Zone Alarm, it can load rnaapp at startup. . . .so many things could. If you have RealPlayer on your system, and the StartCenter is loading at startup, it might be checking for updates (which is an option you can set in its Preferences). I find StartCenter unneccessary for the most part anyway, so if you can try not running it at startup and see if anything changes. This is rather a longshot, though, since I imagine it would only attempt to dial once, not continuously.] [you can check the automatic features of QuickTime, Instant Messaging, etc, too...]

[scooby]

Ahh.......yeah i was looking in the system information and don't see any reference to RNAAPP. The only thing that stands out is Rundll32_7. I'm currently updating his computer with latest security patches he did not have. Panda Activescan found four more infected files but the infection was a w97m virus.

[GaryRouth]

Hi again

Found a little more that might still point to resident worms: here's an excerpt from a list at a spywareinfo.com forum:
- Rundll32_7 = rundll32.exe (path) MSIEFR40.DLL,DllRunServer > BrowserAid "Featured Results" hijacker variant

The latest definitions for HiJackThis, and Search&Destroy should remove it for you.

If it doesn't you can see some of the do-it-yourself removals are (especially in the replies by "steam") at this forum link:
http://www.techsupportforums.com/sho...8899#post48899
and http://forums.spywareinfo.com/index.php?showtopic=9996

See if one of those does the trick
. . . Gary