Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer Creating Its Own Internet Connection?


  • Please log in to reply
3 replies to this topic

#1 Misterdog

Misterdog

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:29 PM

Posted 30 August 2007 - 10:11 AM

I have an IBM Thinkpad T40, running Windows XP Pro, Version 5.1 with Service Pack 1. I use dial-up Internet access. A few days ago my connection was dropped (happens frequently; service isn't great around here) and when I tried to redial I got the message that the modem was already being used by another application. Puzzled, I went to "Internet Connections" to see what was wrong. My two normal dial-up connections were there, both currently showing disconnected, but there was a third, labeled "Service" that said it was trying to connect. I checked its properties and it had no phone number listed, but was set to re-try every second. I tried to delete it and as soon as I deleted it another, identical, connection showed up in its place. I tried to delete it and it wouldn't delete. I reset its interval to 30 seconds, thinking that would at least give me time to get my real connection running. The computer promptly created another "Service" and was again attempting to connect at 1 second intervals. I reset its interval to 30 seconds and the computer promptly created still another "Service". At this point I had three Internet Connections labeled "Service", none of which I had created, tying up my modem so I couldn't use it properly. Fortunately none of these bogus connections had a phone number associated with it, so no calls were actually made.

My antivirus is Norton Internet Security 2006. I checked Norton's website and learned about the Backdoor.Wualess.C trojan. I wonder if this is what I have. My virus definitions are now up to date, but Automatic Update was apparently turned off for a day or two, which might have let something slip in. I have run several full-system scans and the only thing that shows up is an old IBM vulnerability called eGatherer.dll that I had forgotten to patch. I've since patched it. Meanwhile, my computer continues to do its bizarre thing of trying to create its own "connection" and tying up my modem. The only way I can connect for real is to wait with my finger poised on the connect button until the bogus connection takes its 1-second break and then quick beat it to the punch.

Any suggestions? Is this a virus or just some malfunction in Windows that would be solved by uninstalling and re-installing something? It doesn't seem like a modem problem, because according to my system information I actually have two modems installed on my computer and this "System" connection switches back and forth between them, apparently at random, trying to make its connection.

Should I install Microsoft Service Pack 3 or wait until I resolve this issue?

Thanks.

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:29 AM

Posted 30 August 2007 - 02:31 PM

Welcome to BC Misterdog

Was a name provided for this service or an associated file with path/location?

Have you tried doing your anti-virus scan in "SAFE MODE"?

Download Sysclean Package & save it to your desktop.
  • Create a new folder on drive "C:\" and rename it Sysclean - (C:\Sysclean).
  • Place the sysclean.com inside that folder.
  • Then download the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number)
  • Extract (unzip) the lptxxx.zip pattern file into the Sysclean folder where you put sysclean.com. (Click here for information on how to extract a file if your not sure how to do this. DO NOT scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Note: Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them before going to the next step.

Scan with Sysclean as follows:
  • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
  • Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.
  • Click the Advanced >> button.
  • The scan options appear. Select the "Scan all local fixed drives".
  • Click the "Scan button" on the Trend Micro System Cleaner console.
  • It will take some time to complete. Be patient and let it clean whatever it finds.
  • Another MS-DOS window appears containing the log file generated in the System Cleaner folder.
  • To view the log, click the "View button" on the Trend Micro System Cleaner console. The Trend Micro Sysclean Package - Log window appears.
    • The Files Detected section shows the viruses that were detected by System Cleaner.
    • The Files Clean section shows the viruses that were cleaned.
    • The Clean Fail section shows the viruses that were not cleaned.
  • Exit when done, reboot normally and re-enable your anti-virus program.
Instructions with screenshots are here if you need them.

When using Sysclean its best to use the Administrator's account or an account with Administrative rights otherwise you will not have the rights to scan some locations. The scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system. This tool generates a log file (sysclean.log) in the same folder where the scan is completed.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Misterdog

Misterdog
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:29 PM

Posted 31 August 2007 - 10:57 AM

Thanks for your suggestions, quietman7. I hope to try them later today. Meanwhile, I'm using a different computer on the Internet. In answer to your question, no, there was no other name provided for this service or an associated file with path/location, at least nothing I could find. It just created an Internet connection that it named "Service".

In digging deeper into my computer last night, though, I discovered two files in the Windows folder, Service32.exe and Sysnet32.exe that were created within a minute of each other on the same day I started having problems. A little web searching led me to information about a couple of worms. Trend Micro's description of WORM_RBOT.BIX sounded like a likely candidate for what I have. Anyway, I'll try to clean it up later today.

Again, thanks for your help.

Edited by Misterdog, 31 August 2007 - 10:59 AM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,271 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:29 AM

Posted 31 August 2007 - 03:16 PM

Trend Micro should detect/remove both. Technical details and recommended solution here. As you can see, its an older infection and the current virus pattern file for sysclean should not have a problem. Post back if it does and we can provide other instructions.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users