crazycomputers

asked on
strun.exe... spyware? virus? trojan?

I'm not paranoid or anything, but I have noticed a decrease in my computer's performance from time to time.  After starting the Windows XP Task Manager to look at what was using all my CPU, the program "strun.exe" was the culprit.  It was owned by me (not SYSTEM), but I cannot find any direct or indirect reference to it either in the registry, or by searching my hard disk.

I downloaded Sysinternals' Process Explorer NT to see where the file resides.  It said "C:\windows\system32\strun.exe".  By now you can probably guess that the file was not there.  I have Windows configured to show ALL files (even "protected operating system files") but it still did not show.  I tried using attrib from a command prompt to see if it was there, but attrib didn't display it either.

Even more startling, Process Explorer showed that strun.exe was using "wsock32.dll" - clearly a tip-off.

Has anyone else had experience with this file, and is it dangerous or not?
ASKER CERTIFIED SOLUTION
sirbounty

This solution is only available to members.

crazycomputers (ASKER)
Note that I killed strun, so it won't show up in this log as a running process:


Logfile of HijackThis v1.97.5
Scan saved at 7:37:21 PM, on 2/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Harakan Software\VNC\WinVNC.exe
C:\WINDOWS\Explorer2.exe
C:\Program Files\Softick\PPP\Bin\PPPGate.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\POWERPNT.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Opera7\opera.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\chris\Local Settings\Temp\HijackThis.exe

F0 - system.ini: Shell=Explorer2.exe
F2 - REG:system.ini: Shell=Explorer2.exe
O2 - BHO: Firepad FireConverter - {6427806D-3820-11D5-9939-00B0D0522EB5} - C:\Program Files\Palm\FireConverterBrowserHelperObject.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SoftickPPP] "C:\Program Files\Softick\PPP\Bin\PPPGate.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\Harakan Software\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38022.9664583333
O17 - HKLM\System\CCS\Services\Tcpip\..\{5172391B-6EE3-465C-ADF4-056C8614F891}: NameServer = 209.244.0.3 209.244.0.4

Do you know why these are here?

F0 - system.ini: Shell=Explorer2.exe
F2 - REG:system.ini: Shell=Explorer2.exe

Yes, I modified Explorer so it would be the "Stop" button instead of the "Start" button.  (Kind of a joke... albeit a bad one.)
Also, I have run Ad-aware, and it didn't find anything.  AVG Free likewise does not display any alerts.

Hmm.  I don't find anything on it either that leads me to believe it's malicious.  Just peculiar that it was there...and then it wasn't?

Still, try this site to recover some wasted resources from running services that you don't need.  Perhaps it will at least boost your performance...
http://www.blackviper.com/WinXP/servicecfg.htm
Yes, I've gone through myself setting services to "manual" based on their description.  (For example, I don't need the "Server" service as I'm not a part of any Windows network.)

In my experience, you cannot delete an EXE while it's running... so there are three possibilities:

1) It is there, but Windows is keeping me from seeing it.
2) The process changed its pathname.  (Not sure if a process can...)
3) I'm wrong, and the program deleted itself and kept running.

My next check will be rebooting (so strun.exe starts again) and looking at netstat to see exactly what it is doing with wsock32.dll.

"Server" service is not necessarily just for a Windows network.
If the system is sharing out anything (drives, printers, etc.) - this service will need to be enabled...

Well our house does not have any sort of in-home network (except when my brother is home for spring break) so I don't need it most of the time.

I took some snapshots of netstat's output before and after killing it, and here is the result:

# without strun.exe (after killing it)
C:\Documents and Settings\chris>netstat -n -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5180         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1645           *:*
  UDP    0.0.0.0:1646           *:*
  UDP    0.0.0.0:1701           *:*
  UDP    0.0.0.0:1812           *:*
  UDP    0.0.0.0:1813           *:*
  UDP    0.0.0.0:3014           *:*
  UDP    0.0.0.0:3032           *:*
  UDP    10.0.0.1:137           *:*
  UDP    10.0.0.1:138           *:*
  UDP    127.0.0.1:3005         *:*
  UDP    127.0.0.1:3006         *:*

# with strun.exe (before killing it)
C:\Documents and Settings\chris>netstat -n -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
>TCP    0.0.0.0:2247           0.0.0.0:0              LISTENING<
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5180         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1645           *:*
  UDP    0.0.0.0:1646           *:*
  UDP    0.0.0.0:1701           *:*
  UDP    0.0.0.0:1812           *:*
  UDP    0.0.0.0:1813           *:*
  UDP    0.0.0.0:3014           *:*
  UDP    0.0.0.0:3032           *:*
  UDP    10.0.0.1:137           *:*
  UDP    10.0.0.1:138           *:*
  UDP    127.0.0.1:3005         *:*
  UDP    127.0.0.1:3006         *:*

So... what normally runs on port 2247 (if anything) and would you classify this as a trojan/virus or a legitimate server?
Also, I have the Windows XP Internet Connection Firewall enabled, so I'm not worried about anyone using the service (whether a good or bad service) but I would like to know why it's listening, and why it doesn't show up where Process Explorer says it was started from.
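The before/after comparison above can be done mechanically. This is an added example (not code from the thread): a small Python parser for Windows `netstat -n -a` output that diffs two snapshots and reports the sockets that vanished once the suspect process was killed. The embedded snapshots are constructed, abridged copies of the two posted above.

```python
import re
from typing import NamedTuple

class Socket(NamedTuple):
    proto: str   # "TCP" or "UDP"
    local: str   # local address:port, e.g. "0.0.0.0:2247"
    state: str   # "LISTENING" etc. for TCP rows; "" for UDP rows

# One data row of Windows `netstat -n -a` output, e.g.
#   "  TCP    0.0.0.0:2247           0.0.0.0:0              LISTENING"
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text: str) -> set[Socket]:
    """Return the set of sockets in one snapshot; prompt and header lines are skipped."""
    sockets: set[Socket] = set()
    for line in text.splitlines():
        m = _ROW.match(line.strip("<>"))  # tolerate >...< highlight marks around a row
        if m:
            proto, local, _foreign, state = m.groups()
            sockets.add(Socket(proto, local, state or ""))
    return sockets

def sockets_lost_after_kill(with_suspect: str, without_suspect: str) -> set[Socket]:
    """Sockets open while the suspect ran that were gone once it was killed,
    i.e. the ones the suspect (or something it started) was holding."""
    return parse_netstat(with_suspect) - parse_netstat(without_suspect)

def port_of(sock: Socket) -> int:
    return int(sock.local.rsplit(":", 1)[1])

# Constructed, abridged versions of the two snapshots posted in the thread.
WITH_STRUN = """\
C:\\Documents and Settings\\chris>netstat -n -a
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
>TCP    0.0.0.0:2247           0.0.0.0:0              LISTENING<
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""
WITHOUT_STRUN = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for s in sorted(sockets_lost_after_kill(WITH_STRUN, WITHOUT_STRUN)):
        print(f"{s.proto} {s.local} ({s.state}) disappeared: port {port_of(s)} belonged to the killed process")
```

A socket that disappears from the diff only tells you the killed process held it; confirming which executable owns a listener on a live system still needs a tool that maps sockets to PIDs (such as Process Explorer's TCP/IP view or `netstat -o` on later Windows versions).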

I decided to uninstall and reinstall AVG since I had to do a bit of fudging to get it to work, and (lo and behold) it identified the program (during startup) as "Trojan horse BackDoor.Optix.BI".  I am now doing a complete system scan to eradicate the beast.

Thanks for sticking with me, sirbounty.  Grade A for your helpfulness.

I would run a firewall other than the Windows XP firewall.  Zone Alarm is a great, free firewall.  http://zonelabs.com

crazycomputers - thanks for the grade.
My apologies for not being with you there at the end (my cable modem died - and as you might imagine I felt helpless! :)
Glad you got it working.

Ouch, yeah.  I'm still on dial-up and every so often my ISP will go down... not fun.  =(

Well glad to see you're back online.  =)