Rasautou.exe emergency?

I have found Rasautou.exe in my processes using 98% of my CPU and accessing my explore.exe, yet my firewall hasn't stopped it and my Avast antivirus hasn't warned me about anything, but I know that in some cases it can be malware. Can someone help please?

Here are some logs from Comodo from around the time this happened:

Date/Time: 2007-10-25 20:10:33
Severity: Medium
Reporter: Application Monitor
Description: Application Access Denied (iexplore.exe:212.139.132.24: :dns(53))
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 212.139.132.24::dns(53)

Date/Time: 2007-10-25 20:10:33
Severity: Medium
Reporter: Application Monitor
Description: Application Access Denied (iexplore.exe:0.0.0.0: :1619)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP In
Destination: 0.0.0.0::1619

Date/Time: 2007-10-25 20:10:32
Severity: Medium
Reporter: Application Monitor
Description: Application Access Denied (iexplore.exe:127.0.0.1: :1618)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 127.0.0.1::1618

Date/Time: 2007-10-25 20:10:31
Severity: Medium
Reporter: Application Monitor
Description: Application Access Denied (iexplore.exe:127.0.0.1: :1618)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP In
Destination: 127.0.0.1::1618

Date/Time: 2007-10-25 20:10:30
Severity: Medium
Reporter: Application Monitor
Description: Application Access Denied (svchost.exe:255.255.255.255: :bootp(67))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 255.255.255.255::bootp(67)

Date/Time: 2007-10-25 20:10:30
Severity: Medium
Reporter: Application Monitor
Description: Application Access Denied (svchost.exe:79.74.124.116: :dhcp(68))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 79.74.124.116::dhcp(68)

Your log shows what looks like an attempt to establish a VPN connection to a customer machine that is connected to Tiscali UK. Specifically a DSL subscriber of as9105.com. If you’re not a Tiscali UK customer, and you don’t know anybody who is, or you know you don’t have a VPN, then you’ve got some malware that is trying to call home.

Otherwise, I’d suspect a VPN setup that has an incorrect retry-to-connect-on-failure setting.

If you have a properly configured VPN (meaning, it isn’t malware), then if you go to the Control Panel, select Network Connections, you’ll get a list of adapters and VPNs and such. If there is an entry for “Virtual Private Network”, then that is probably your problem. Either change the parameters to something reasonable, or at worst, delete the connection.

Otherwise, you’ve got a malware infection that needs to be cleaned up. Running a HiJackThis scan would be the next step, and then getting some help in doing the cleanup in one of the several web forums that specialize in HiJackThis log analysis.

I checked my network settings and there is only my Tiscali connection present, but for some reason I had a process called Rasautou.exe running at 98% CPU. I terminated it after finding it could be malware. Do you know what type of malware it is please?

If the process running was %SYSTEMROOT%\rasautou.exe, which on my machine is c:\windows\system32\rasautou.exe, then the program is part of Windows, and is working at the direction of something else.

If you search your computer for rasautou.exe, and find it in some other location (aside from one of the Windows update directories), then there is a definite problem. That could be from any one of a number of forms of malware. A real quick, and very inconclusive, Google search turns up a reference to a “backdoor.win32” variant. Only a HiJackThis analyst could tell you any specifics and be right about it. I don’t have those qualifications.
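A small triage script, added here as an example and not part of the thread, that parses Comodo Application Monitor entries in the run-together form posted above and flags a Windows binary such as rasautou.exe when it runs from somewhere other than its expected directory. The expected-directory table assumes a default install with %SYSTEMROOT% = C:\WINDOWS, and the sample entries are constructed (two modelled on the post, one invented fake rasautou.exe in a temp folder).

```python
import re
from pathlib import PureWindowsPath

# The flattened log has fixed field labels, so split on those labels.
LABEL_RE = re.compile(
    r"(Date/Time|Severity|Reporter|Description|Application|Parent|Protocol|Destination)\s*:\s*"
)

# Assumption: where a genuine copy of each binary lives on a default XP-era install.
EXPECTED_DIR = {
    "rasautou.exe": r"C:\WINDOWS\system32",
    "svchost.exe": r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
}


def parse_entry(line):
    """Turn one flattened Comodo entry into a dict of field -> value."""
    parts = LABEL_RE.split(line)          # ['', label, value, label, value, ...]
    it = iter(parts[1:])
    return {label: value.strip() for label, value in zip(it, it)}


def masquerading_binary(entry):
    """Reason string if a known system binary (app or parent) runs from the wrong folder."""
    for key in ("Application", "Parent"):
        path = PureWindowsPath(entry.get(key, ""))
        expected = EXPECTED_DIR.get(path.name.lower())
        if expected and str(path.parent).lower() != expected.lower():
            return f"{key} {path.name} runs from {path.parent}, expected {expected}"
    return None


def triage(lines):
    """Parse every entry and collect (time, protocol, destination, reason) for suspects."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        reason = masquerading_binary(e)
        if reason:
            findings.append((e.get("Date/Time"), e.get("Protocol"), e.get("Destination"), reason))
    return findings


# Constructed sample input: the third entry is the invented bad case.
SAMPLE = [
    "Date/Time :2007-10-25 20:10:30Severity :MediumReporter :Application Monitor"
    "Description: Application Access Denied (svchost.exe:255.255.255.255: :bootp(67))"
    r"Application: C:\WINDOWS\system32\svchost.exeParent: C:\WINDOWS\system32\services.exe"
    "Protocol: UDP OutDestination: 255.255.255.255::bootp(67)",
    "Date/Time :2007-10-25 20:10:33Severity :MediumReporter :Application Monitor"
    "Description: Application Access Denied (iexplore.exe:212.139.132.24: :dns(53))"
    r"Application: C:\Program Files\Internet Explorer\iexplore.exeParent: C:\WINDOWS\explorer.exe"
    "Protocol: UDP OutDestination: 212.139.132.24::dns(53)",
    "Date/Time :2007-10-25 20:11:02Severity :MediumReporter :Application Monitor"
    "Description: Application Access Denied (rasautou.exe:192.0.2.10: :1723)"
    r"Application: C:\WINDOWS\Temp\rasautou.exeParent: C:\WINDOWS\explorer.exe"
    "Protocol: TCP OutDestination: 192.0.2.10::1723",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```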

Should explorer.exe be using CPU time when I am not doing anything? Is it normal?

Will Comodo firewall block malware trying to send outgoing data (i.e. will it alert me to it happening and let me block it)?

On the machine that I’m using, explorer.exe bounces around between 0 and 2% of CPU. I suspect that is because Task Manager is displaying things, and that is making explorer.exe do some work. If you’re seeing anything substantially beyond that, then I’d say there is a problem.

From my experience, CFP will block traffic that it doesn’t recognize, either by packet type or by application trying to send the packet. Malware is known to try to fake both, with varying degrees of success. More often than not, the malware fails one or the other, in my experience.