#1
arrrgghhh! if anybody could aid me in determining *where* my trouble is coming from, I'd certainly appreciate it! I currently use Norton Internet Security (among others, hehe). I keep getting a recurring warning, which I am of course blocking:

Date: 3/7/02 Time: 15:46:29
This one time, the user has chosen to "block" communications.
Details: Outbound UDP packet
Local address,service is (151.201.152.161,nbname)
Remote address,service is (151.201.152.39,1026)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

Date: 3/7/02 Time: 23:00:49
Outbound UDP packet
Local address,service is (matt-s-i1,nbname)
Remote address,service is (12.79.128.70,1157)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

Date: 3/8/02 Time: 12:53:34
Outbound UDP packet
Local address,service is (matt-s-i1,nbname)
Remote address,service is (63.215.227.152,1029)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

Date: 3/8/02 Time: 13:03:21
Outbound UDP packet
Local address,service is (matt-s-i1,nbname)
Remote address,service is (213.22.73.52,1029)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

Date: 3/8/02 Time: 13:23:48
Outbound UDP packet
Local address,service is (matt-s-i1,nbname)
Remote address,service is (64.130.215.189,1036)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

as you can see, it is not non-stop, just enough to annoy me. what makes it REALLY annoying is that i can't figure it out! I have run virus scans. I have downloaded and run every instance of trojan detection software available (including a deep scan with TDS-3).

I am not an expert, but I am not a novice...I have looked to see what processes are running, this is the usual list:

Files, which are currently running:
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\EXSHOW95.EXE
C:\WINDOWS\SYSTEM\EXSHOW.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\VERIZONDSL\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\TROJANHUNTER 2.5\TH_GUARD.EXE
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBCSD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\EMULATOR\PCSWS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\EMULATOR\PCSCM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\TROJANHUNTER 2.5\TROJANHUNTER.EXE
C:\DOWNLOADS\TFAK5\TFAK.EXE

I have looked everywhere for any kind of modification to these files, in the .ini files, in the registry...nothing unusual in the load or run statements. My concern is that it's an OUTBOUND occurrence. On each event, i have traced the remote address. On two of the events that were traced, the network was BIZSVRCS for verizon, who happens to be my internet provider.

I have tried using a really neat tool that comes with Trojan hunter that extracts memory strings for processes. Unfortunately, I cannot read them too well (I'm an ancient mainframe programmer!)...but I did see some unusual things. For example, would RNAAPP really have an "Impersonate" subroutine? But my knowledge is scarce, and I'm at wit's end.. any clues? *sigh*...i really should go back to school...
#2
I found some resources on this exe:
http://www.modemhelp.net/newsletter/dun/combatrnaapp.shtml
http://the-it-mercenary.com/forums/Help/posts/50.html

There is also a trojan named rmaapp.exe. Note the 'M' instead of 'N'. Info found here:
http://antitrojan.silverhelix.com/page39.html

you seem to be using DSL as noted by this:
C:\PROGRAM FILES\VERIZONDSL\WINPOET\WINPPPOVERETHERNET.EXE
which means rnaapp.exe isn't even necessary (so I've read anyhow. better verify that)
__________________
Not everything that can be counted counts, and not everything that counts can be counted.
#3
hi, and thanks...i did look to see if it was perhaps the 'renamed' RNAAPP (RMAAPP), but i'm fine there :-)
i know that since i don't use dialup, there is no reason for RNAAPP to load. but i was thinking that i have bigger concerns...like what is trying to get outbound? i read the article suggested, but i doubt if it's a memory issue. the outgoing attempts are just all over the place (so far today, RNAAPP has tried to connect to IP addresses in Riga (Russia), Islamabad and Mexico City). there must be *something* directing RNAAPP to these IP addresses...but that's the frustrating part...even if i were to stop RNAAPP from loading, i am still leaving something that is not good on my pc, but what?

Symantec says to run an antivirus (I did this). I also ran *numerous* trojan detection programs, as well as Ad-Aware... since it is outgoing, i have to assume that it is something that is residing on my PC... am i correct? nuts.
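
Added example, not part of any post in this thread: a small Python parser for firewall log entries in the format quoted in the first post, grouping them by process and remote host so recurring alerts can be compared side by side. The function names and the `reply_shaped` heuristic are assumptions of this example; `nbname` is the NetBIOS name service (UDP port 137).

```python
import re
from collections import defaultdict

# Three entries copied from the log in the first post; the line breaks are
# arbitrary, since the pattern below only needs whitespace between fields.
SAMPLE_LOG = r'''
Date: 3/7/02 Time: 15:46:29 This one time, the user has chosen to "block" communications. Details:
Outbound UDP packet Local address,service is (151.201.152.161,nbname)
Remote address,service is (151.201.152.39,1026) Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"
Date: 3/7/02 Time: 23:00:49 Outbound UDP packet Local address,service is (matt-s-i1,nbname)
Remote address,service is (12.79.128.70,1157) Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"
Date: 3/8/02 Time: 12:53:34 Outbound UDP packet Local address,service is (matt-s-i1,nbname)
Remote address,service is (63.215.227.152,1029) Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"
'''

ENTRY = re.compile(
    r'Date: (?P<date>\S+) Time: (?P<time>\S+)\s+'
    r'(?:This one time, the user has chosen to "(?P<action>\w+)"[^:]*:\s+)?'
    r'(?P<direction>\w+) (?P<proto>\w+) packet\s+'
    r'Local address,service is \((?P<lhost>[^,]+),(?P<lsvc>[^)]+)\)\s+'
    r'Remote address,service is \((?P<rhost>[^,]+),(?P<rsvc>[^)]+)\)\s+'
    r'Process name is "(?P<process>[^"]+)"')

def parse(text):
    """Return one dict per firewall log entry found in text."""
    return [m.groupdict() for m in ENTRY.finditer(text)]

def reply_shaped(e):
    """Heuristic (an assumption of this example): local side is a named or
    well-known service and the remote side is a numeric port >= 1024, the
    shape of a service answering a query rather than a client connecting out."""
    local_is_service = not e['lsvc'].isdigit() or int(e['lsvc']) < 1024
    remote_is_ephemeral = e['rsvc'].isdigit() and int(e['rsvc']) >= 1024
    return local_is_service and remote_is_ephemeral

def summarize(entries):
    """Group entries by process: count, distinct remote hosts, reply-shaped count."""
    out = defaultdict(lambda: {'count': 0, 'remotes': set(), 'reply_shaped': 0})
    for e in entries:
        s = out[e['process'].upper()]
        s['count'] += 1
        s['remotes'].add(e['rhost'])
        s['reply_shaped'] += reply_shaped(e)
    return dict(out)

if __name__ == '__main__':
    for proc, s in summarize(parse(SAMPLE_LOG)).items():
        print(proc, s['count'], sorted(s['remotes']), s['reply_shaped'])
```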