View Full Version : Help - rogue RNAAPP


WorkIt
March 8th, 2002, 06:53 PM
arrrgghhh! If anybody could aid me in determining *where* my trouble is coming from, I'd certainly appreciate it! I currently use Norton Internet Security (among others, hehe). I keep getting a recurring warning, which I am of course blocking:

Date: 3/7/02 Time: 15:46:29
This one time, the user has chosen to "block" communications. Details:
Outbound UDP packet
Local address,service is (151.201.152.161,nbname)
Remote address,service is (151.201.152.39,1026)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

Date: 3/7/02 Time: 23:00:49
Outbound UDP packet
Local address,service is (matt-s-i1,nbname)
Remote address,service is (12.79.128.70,1157)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

Date: 3/8/02 Time: 12:53:34
Outbound UDP packet
Local address,service is (matt-s-i1,nbname)
Remote address,service is (63.215.227.152,1029)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

Date: 3/8/02 Time: 13:03:21
Outbound UDP packet
Local address,service is (matt-s-i1,nbname)
Remote address,service is (213.22.73.52,1029)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

Date: 3/8/02 Time: 13:23:48
Outbound UDP packet
Local address,service is (matt-s-i1,nbname)
Remote address,service is (64.130.215.189,1036)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

As you can see, it is not non-stop, just enough to annoy me. What makes it REALLY annoying is that I can't figure it out! I have run virus scans. I have downloaded and run every instance of trojan detection software available (including a deep scan with TDS-3).
I am not an expert, but I am not a novice...I have looked to see what processes are running, this is the usual list:
Files, which are currently running:
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\EXSHOW95.EXE
C:\WINDOWS\SYSTEM\EXSHOW.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\VERIZONDSL\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\TROJANHUNTER 2.5\TH_GUARD.EXE
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBCSD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\EMULATOR\PCSWS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\EMULATOR\PCSCM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\TROJANHUNTER 2.5\TROJANHUNTER.EXE
C:\DOWNLOADS\TFAK5\TFAK.EXE

I have looked everywhere for any kind of modification to these files, in the .ini files, in the registry...nothing unusual in the load or run statements.

My concern is that it's an OUTBOUND occurrence. On each event, I have traced the remote address. On two of the events that were traced, the network was BIZSVRCS for Verizon, who happens to be my internet provider.

I have tried using a really neat tool that comes with TrojanHunter that extracts memory strings for processes. Unfortunately, I cannot read them too well (I'm an ancient mainframe programmer!)...but I did see some unusual things. For example, would RNAAPP really have an "Impersonate" subroutine? But my knowledge is scarce, and I'm at wits' end...

any clues?

*sigh*...i really should go back to school...
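Added triage example (not from the original post, and not from any of the tools it mentions): the script below parses the Norton "blocked packet" text quoted above into structured events, resolves the service name nbname to its IANA port (UDP 137, NetBIOS Name Service), and flags the one pattern every quoted entry shares: UDP leaving local port 137 for a remote port above 1024. The port mapping and the 1024 threshold for client-chosen ports are assumptions stated in the code; the embedded sample is two of the five alerts from the post, copied verbatim.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Service names the Norton log prints instead of port numbers. Assumption: only
# the NetBIOS names are mapped here (IANA-assigned ports).
SERVICE_PORTS = {"nbname": 137, "nbdatagram": 138, "nbsession": 139}
NBNS_PORT = 137
EPHEMERAL_MIN = 1024  # assumption: ports >= 1024 are treated as client-chosen

# Two of the five alerts quoted in the post above (raw string keeps the backslashes).
SAMPLE_LOG = r"""
Date: 3/7/02 Time: 15:46:29
This one time, the user has chosen to "block" communications. Details:
Outbound UDP packet
Local address,service is (151.201.152.161,nbname)
Remote address,service is (151.201.152.39,1026)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

Date: 3/7/02 Time: 23:00:49
Outbound UDP packet
Local address,service is (matt-s-i1,nbname)
Remote address,service is (12.79.128.70,1157)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"
"""


@dataclass
class BlockedPacket:
    date: str
    time: str
    direction: str
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    process: str


_DATE_RE = re.compile(r"^Date: (\S+) Time: (\S+)$")
_PKT_RE = re.compile(r"^(Outbound|Inbound) (UDP|TCP) packet$")
_ADDR_RE = re.compile(r"^(Local|Remote) address,service is \(([^,]+),([^)]+)\)$")
_PROC_RE = re.compile(r'^Process name is "([^"]+)"$')


def service_to_port(svc: str) -> int:
    """Numeric service -> int; otherwise look the name up (case-insensitive)."""
    svc = svc.strip()
    return int(svc) if svc.isdigit() else SERVICE_PORTS[svc.lower()]


def parse_alerts(text: str) -> List[BlockedPacket]:
    """One record per alert. The 'Process name' line closes a record, so the
    optional 'This one time...' commentary line is simply skipped."""
    events, cur = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := _DATE_RE.match(line):
            cur = {"date": m.group(1), "time": m.group(2)}
        elif m := _PKT_RE.match(line):
            cur["direction"], cur["proto"] = m.groups()
        elif m := _ADDR_RE.match(line):
            side, addr, svc = m.groups()
            cur[f"{side.lower()}_addr"] = addr.strip()
            cur[f"{side.lower()}_port"] = service_to_port(svc)
        elif m := _PROC_RE.match(line):
            cur["process"] = m.group(1)
            events.append(BlockedPacket(**cur))
            cur = {}
    return events


def looks_like_nbns_reply(ev: BlockedPacket) -> bool:
    """UDP leaving local 137 for a remote port the remote side chose (>= 1024).
    A name query this host originated would be addressed to remote port 137,
    so this shape is the answer half of a query that arrived from outside."""
    return (ev.direction == "Outbound" and ev.proto == "UDP"
            and ev.local_port == NBNS_PORT and ev.remote_port >= EPHEMERAL_MIN)


def same_subnet(a: str, b: str, prefix: int = 24) -> Optional[bool]:
    """True/False for two IP literals; None when either side is a hostname."""
    try:
        return ip_address(a) in ip_network(f"{b}/{prefix}", strict=False)
    except ValueError:
        return None


def summarize(events: List[BlockedPacket]) -> Dict[str, object]:
    """Per-process counts, distinct remote hosts, and how many entries fit the
    NBNS-reply shape; also lists remotes sharing the local host's /24."""
    return {
        "per_process": dict(Counter(ev.process for ev in events)),
        "distinct_remotes": sorted({ev.remote_addr for ev in events}),
        "nbns_reply_shaped": sum(looks_like_nbns_reply(ev) for ev in events),
        "remote_in_local_24": [ev.remote_addr for ev in events
                               if same_subnet(ev.local_addr, ev.remote_addr)],
    }
```

Run `summarize(parse_alerts(SAMPLE_LOG))` on the full alert text to get the per-process and per-remote view. The check worth doing with this output is to pair each flagged entry with the firewall's inbound log for the same second: an inbound UDP/137 query from the same remote address and port turns a "mystery outbound connection" into an answered name query, and the inbound side, not the process, is then what needs explaining.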

UNICRON
March 8th, 2002, 07:53 PM
I found some resources on this exe:

http://www.modemhelp.net/newsletter/dun/combatrnaapp.shtml

http://the-it-mercenary.com/forums/Help/posts/50.html

There is also a trojan named rmaapp.exe. Note the 'M' instead of 'N'. Info found here:

http://antitrojan.silverhelix.com/page39.html

You seem to be using DSL, as noted by this:

C:\PROGRAM FILES\VERIZONDSL\WINPOET\WINPPPOVERETHERNET.EXE

which means rnaapp.exe isn't even necessary (so I've read anyhow; better verify that).

WorkIt
March 8th, 2002, 08:28 PM
Hi, and thanks...I did look to see if it was perhaps the 'renamed' RNAAPP (RMAAPP), but I'm fine there :-)
I know that since I don't use dialup, there is no reason for RNAAPP to load. But I was thinking that I have bigger concerns...like what is trying to get outbound? I read the article suggested, but I doubt if it's a memory issue. The outgoing attempts are just all over the place (so far today, RNAAPP has tried to connect to IP addresses in Riga (Russia), Islamabad and Mexico City).
There must be *something* directing RNAAPP to these IP addresses...but that's the frustrating part...even if I were to stop RNAAPP from loading, I am still leaving something that is not good on my PC, but what?

Symantec says to run an antivirus (I did this).
I also ran *numerous* trojan detection programs, as well as Ad-Aware...
Since it is outgoing, I have to assume that it is something that is residing on my PC...
Am I correct?
Nuts.