strun.exe... spyware? virus? trojan?
asked by crazycomputers
I'm not paranoid or anything, but I have noticed a decrease in my computer's performance from time to time. After starting the Windows XP Task Manager to look at what was using all my CPU, the program "strun.exe" was the culprit. It was owned by me (not SYSTEM), but I cannot find any direct or indirect reference to it either in the registry, or by searching my hard disk.
I downloaded Sysinternals' Process Explorer NT to see where the file resides. It said "C:\windows\system32\strun.exe". By now you can probably guess that the file was not there. I have Windows configured to show ALL files (even "protected operating system files") but it still did not show. I tried using attrib from a command prompt to see if it was there, but attrib didn't display it either.
Even more startling, Process Explorer showed that strun.exe was using "wsock32.dll" - clearly a tip-off.
Has anyone else had experience with this file, and is it dangerous or not?
Do you know why these are here?
F0 - system.ini: Shell=Explorer2.exe
F2 - REG:system.ini: Shell=Explorer2.exe
ASKER
Yes, I modified explorer so it would be the "Stop" button instead of the "Start" button. (Kind of a joke... albeit a bad one.)
ASKER
Also, I have run Ad-aware, and it didn't find anything. AVG Free likewise does not display any alerts.
Hmm. I don't find anything on it either that leads me to believe it's malicious. Just peculiar that it was there... and then it wasn't?
Still, try this site to recover some wasted resources from running services that you don't need. Perhaps it will at least boost your performance...
http://www.blackviper.com/WinXP/servicecfg.htm
ASKER
Yes, I've gone through myself setting services to "manual" based on their description. (For example, I don't need the "Server" service as I'm not a part of any Windows network.)
In my experience, you cannot delete an EXE while it's running... so there are three possibilities:
1) It is there, but Windows is keeping me from seeing it.
2) The process changed its pathname. (Not sure if a process can...)
3) I'm wrong, and the program deleted itself and kept running.
My next check will be rebooting (so strun.exe starts again) and looking at netstat to see exactly what it is doing with wsock32.dll.
"Server" service is not necessarily just for a Windows network.
If the system is sharing out anything (drives, printers, etc.) - this service will need to be enabled...
ASKER
Well our house does not have any sort of in-home network (except when my brother is home for spring break) so I don't need it most of the time.
I took some snapshots of netstat's output before and after killing it, and here is the result:
# without strun.exe (after killing it)
C:\Documents and Settings\chris>netstat -n -a
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1723 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5800 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5900 0.0.0.0:0 LISTENING
TCP 10.0.0.1:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5180 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1645 *:*
UDP 0.0.0.0:1646 *:*
UDP 0.0.0.0:1701 *:*
UDP 0.0.0.0:1812 *:*
UDP 0.0.0.0:1813 *:*
UDP 0.0.0.0:3014 *:*
UDP 0.0.0.0:3032 *:*
UDP 10.0.0.1:137 *:*
UDP 10.0.0.1:138 *:*
UDP 127.0.0.1:3005 *:*
UDP 127.0.0.1:3006 *:*
# with strun.exe (before killing it)
C:\Documents and Settings\chris>netstat -n -a
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1723 0.0.0.0:0 LISTENING
>TCP 0.0.0.0:2247 0.0.0.0:0 LISTENING<
TCP 0.0.0.0:5800 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5900 0.0.0.0:0 LISTENING
TCP 10.0.0.1:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5180 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1645 *:*
UDP 0.0.0.0:1646 *:*
UDP 0.0.0.0:1701 *:*
UDP 0.0.0.0:1812 *:*
UDP 0.0.0.0:1813 *:*
UDP 0.0.0.0:3014 *:*
UDP 0.0.0.0:3032 *:*
UDP 10.0.0.1:137 *:*
UDP 10.0.0.1:138 *:*
UDP 127.0.0.1:3005 *:*
UDP 127.0.0.1:3006 *:*
So... what normally runs on port 2247 (if anything) and would you classify this as a trojan/virus or a legitimate server?
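The before/after comparison above, as an added example that is not part of the original thread: a small Python script that parses two `netstat -n -a` snapshots (constructed, abbreviated copies of the captures in the post), reports the sockets that exist only while the suspect process is running, and separates out the TCP listeners bound to 0.0.0.0, which are the ones that would be reachable from the network if the firewall did not block them.

```python
import re

# Constructed snapshots, abbreviated from the two captures in the post
# (Windows XP `netstat -n -a` layout); not a live capture.
WITHOUT_STRUN = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5180         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    10.0.0.1:137           *:*
"""
WITH_STRUN = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2247           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5180         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    10.0.0.1:137           *:*
"""

# One socket line: proto, local ip:port, foreign address, optional state (UDP has none).
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return the set of (proto, local_ip, local_port, state) tuples in a snapshot."""
    sockets = set()
    for line in text.splitlines():
        m = LINE.match(line)          # header and title lines do not match
        if m:
            proto, ip, port, _foreign, state = m.groups()
            sockets.add((proto, ip, int(port), state or ""))
    return sockets

def diff_snapshots(with_proc, without_proc):
    """Sockets that exist only while the suspect process is running."""
    return sorted(parse_netstat(with_proc) - parse_netstat(without_proc))

def exposed_listeners(sockets):
    """Of those, the TCP listeners bound to every interface (reachable from the network)."""
    return [s for s in sockets if s[0] == "TCP" and s[1] == "0.0.0.0" and s[3] == "LISTENING"]

if __name__ == "__main__":
    for proto, ip, port, state in diff_snapshots(WITH_STRUN, WITHOUT_STRUN):
        print(f"{proto} {ip}:{port} {state}  <- present only with strun.exe running")
```

On the thread's own captures the only difference is the TCP listener on port 2247, which is exactly what the asker spotted by eye; the same diff works on full `netstat -n -a -o` output if you want the owning PID column ignored.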
ASKER
Also, I have the Windows XP Internet Connection Firewall enabled, so I'm not worried about anyone using the service (whether a good or bad service) but I would like to know why it's listening, and why it doesn't show up where Process Explorer says it was started from.
ASKER
I decided to uninstall and reinstall AVG since I had to do a bit of fudging to get it to work, and (lo and behold) it identified the program (during startup) as "Trojan horse BackDoor.Optix.BI". I am now doing a complete system scan to eradicate the beast.
Thanks for sticking with me, sirbounty. Grade A for your helpfulness.
I would run a firewall other than the Windows XP firewall. Zone Alarm is a great, free firewall. http://zonelabs.com
crazycomputers - thanx for the grade.
My apologies for not being with you there at the end (my cable modem died - and as you might imagine I felt helpless! :)
Glad you got it working.
ASKER
Ouch, yeah. I'm still on dial-up and every so often my ISP will go down... not fun. =(
Well glad to see you're back online. =)
ASKER
Logfile of HijackThis v1.97.5
Scan saved at 7:37:21 PM, on 2/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\csrss.
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\System32\PGPsdk
C:\WINDOWS\System32\svchos
C:\Program Files\Harakan Software\VNC\WinVNC.exe
C:\WINDOWS\Explorer2.exe
C:\Program Files\Softick\PPP\Bin\PPPG
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\POWERPNT.EXE
C:\WINDOWS\msagent\AgentSv
C:\Program Files\Opera7\opera.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\WINZIP\winzip3
C:\Documents and Settings\chris\Local Settings\Temp\HijackThis.e
F0 - system.ini: Shell=Explorer2.exe
F2 - REG:system.ini: Shell=Explorer2.exe
O2 - BHO: Firepad FireConverter - {6427806D-3820-11D5-9939-0
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCh
O4 - HKLM\..\Run: [SoftickPPP] "C:\Program Files\Softick\PPP\Bin\PPPG
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\Harakan Software\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.ex
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-0
O16 - DPF: {9F1C11AA-197B-4942-BA54-4
O17 - HKLM\System\CCS\Services\T