Tek-Tips Forums

Suspicious file


pr0nflakes (Technical User, GB) - Jun 23, 2004
Recently I have noticed a suspicious file in my system32 directory. Its name is pra.exe (101,176 bytes) and it has no version information available when I right-click on it. It also keeps trying to access the internet, but ZoneAlarm stops it. Another thing I noticed is the fact that I can't actually see the file in Windows Explorer, nor does it exist according to DOS. I've had both ZoneAlarm Antivirus and Norton AntiVirus scan the file, and it came up clean, and Spybot found no problems with it either. Has anyone any idea what this could be?
 
Consider running 'Hijack This'. Processes such as 'Browser Helper Objects' (BHOs) are often based upon source files that contain multiple (hidden) source file payloads (almost like 'zip' files). It is almost like running an EXE or DLL file directly from a ZIP folder.


You might also try Process Explorer v8.4

Perhaps it may help you find out what handles (including files) the controlling processes have opened, which DLLs they have loaded, and more. Do a search on Handle.exe if necessary.
 
I tried that Process Explorer (after removing the software policy that I set up that stopped pra.exe from running) and it didn't tell me much :/

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805

pra.exe(516)

\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}

\BaseNamedObjects\WininetConnectionMutex
HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
were a few lines that I thought might be of interest.
Under HijackThis it's listed under (soundman), but why would my sound card tray icon make such an attempt to hide itself?

Anyway, I'll post the whole log just in case.
Logfile of HijackThis v1.97.7
Scan saved at 17:28:10, on 23/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\svchost.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
K:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
K:\WINDOWS\System32\pra.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LeechGet 2004\LeechGet.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MicroStar\Bluetooth Software\BTTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
C:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Bemused\BemusedServer.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\fanspeed\fanspeedNT.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\Zip files\Downloads\PTFB.exe
K:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
K:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MicroStar\Bluetooth Software\BTStackServer.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
C:\Program Files\PowerQuest\PartitionMagic 8.0\PMagic.exe
C:\Program Files\PowerQuest\PartitionMagic 8.0\PMagicnt.exe
K:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\GMM Computer Technologies\Window Shades\WSTrayIcon.exe
C:\Program Files\Outlook Express\msimn.exe
K:\Documents and Settings\SuicideSolution\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B5B57F4F-EFA5-11D4-A971-444553540000} - C:\PROGRA~1\GMMCOM~1\WINDOW~1\WINDOW~1.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] pra.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NOMAD Detector] C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [SOUNDMAN] pra.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LeechGet] "C:\Program Files\LeechGet 2004\LeechGet.exe" -intray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SOUNDMAN] pra.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: BemusedServer Application.lnk = C:\Program Files\Bemused\BemusedServer.exe
O4 - Startup: Shortcut (2) to PTFB.exe.lnk = C:\Zip files\Downloads\PTFB.exe
O4 - Startup: Shortcut to SOUNDMAN.EXE.lnk = C:\WINDOWS\SOUNDMAN.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &All using Mass Downloader - C:\Program Files\Mass DownloaderAdd_All.htm
O8 - Extra context menu item: Download using &Mass Downloader - C:\Program Files\Mass DownloaderAdd_Url.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Mass Downloader (HKLM)
O9 - Extra 'Tools' menuitem: &Mass Downloader (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C60EC9E-403B-47A7-B557-DBEC3BB90E69}: NameServer = 217.10.137.165,217.10.137.141
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C60EC9E-403B-47A7-B557-DBEC3BB90E69}: NameServer = 217.10.137.165,217.10.137.141

btw the nameservers are legitimate (my ISP can't manage things as complex as having working DNS :/ )

*edit: my sound card manager is called soundman.exe and my sound works just fine without pra.exe running
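
An added example (my code, not from the thread or from HijackThis): a small Python triage script that reads O4 autorun lines in the HijackThis format shown above and flags what the poster spotted by eye. It assumes the line layout in that log; the input is a constructed handful of O4 lines copied from it. Three signals are checked: a command that is a bare filename with no path (resolved through the search path rather than an explicit location), a value name that does not match the executable it launches (SoundMan launching pra.exe rather than soundman.exe), and one executable registered under several autorun keys at once (HKLM Run, HKLM RunServices and HKCU Run here). The name check is a heuristic that will also flag some legitimate entries; the bare-path and multi-location checks are the stronger signals.

```python
import re
from collections import defaultdict

# Constructed sample input: O4 lines copied from the HijackThis log in this
# thread, plus a Startup shortcut line, which is not a registry O4 entry and
# is ignored by the parser.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] pra.exe
O4 - HKLM\..\RunServices: [SOUNDMAN] pra.exe
O4 - HKCU\..\Run: [SOUNDMAN] pra.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to SOUNDMAN.EXE.lnk = C:\WINDOWS\SOUNDMAN.EXE
"""

# HijackThis O4 registry line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')


def executable_of(cmd):
    """Return the program part of a Run-key command line: a quoted path, or
    the first token ending in a program extension, so unquoted paths that
    contain spaces still come out whole."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.(?:exe|dll|com|bat|scr|pif))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def basename(path):
    return re.split(r'[\\/]', path)[-1]


def stem(name):
    return re.sub(r'\.[^.]*$', '', name).lower()


def parse_o4(log_text):
    """Parse O4 registry autorun lines into dicts; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m['cmd'])
        entries.append({
            'location': f"{m['hive']}\\..\\{m['key']}",
            'name': m['name'],
            'command': m['cmd'],
            'exe': exe,
            'basename': basename(exe),
        })
    return entries


def triage(entries):
    """Score each autorun entry on three signals and return the flagged ones,
    most suspicious first."""
    by_exe = defaultdict(list)
    for e in entries:
        by_exe[e['basename'].lower()].append(e['location'])

    findings = []
    for e in entries:
        reasons = []
        if not re.search(r'[\\/]', e['exe']):
            reasons.append('bare filename: resolved through the search path, '
                           'not an explicit location')
        name_stem, exe_stem = e['name'].lower(), stem(e['basename'])
        if exe_stem != name_stem and exe_stem not in name_stem:
            reasons.append(f"value name {e['name']!r} does not match "
                           f"executable {e['basename']!r}")
        locations = by_exe[e['basename'].lower()]
        if len(locations) > 1:
            reasons.append(f"registered in {len(locations)} autorun locations: "
                           + ', '.join(locations))
        if reasons:
            findings.append({**e, 'reasons': reasons})
    findings.sort(key=lambda f: -len(f['reasons']))
    return findings


if __name__ == '__main__':
    for f in triage(parse_o4(SAMPLE_LOG)):
        print(f"{f['location']} [{f['name']}] -> {f['exe']}")
        for r in f['reasons']:
            print('   -', r)
```

Run against the sample, the three pra.exe entries come out on top with all three reasons, while ccApp and TeaTimer are not reported. On a full log the same script can be pointed at the saved HijackThis text file; anything it flags still needs the file itself examined, since these are persistence heuristics, not a verdict on the binary.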
 
HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32?

RASAPI - Do you have a remote access service (RAS) running? Maybe something related to your ISP?
 
I'm not sure if I have RAS enabled or not, but I connect via a router over Ethernet so I doubt it's related, but I do have Bluetooth wireless running so it could be related to that.
I've disabled it from starting and set a software restriction policy for it so it can't run; it's just I can't delete it (even from the Recovery Console, it just refuses to acknowledge the file's existence :/ )
 
I am not sure if this is helpful.

But I was curious about your pra.exe file, and so I googled it and came up with this website. Based on Google's translation, I think the site offers some free painting lessons and the installer programs have names similar to your file (e.g. pra3.exe, pra4.exe, pra5.exe, etc.).

Perhaps you can start your investigation from there.
 
After uninstalling ZoneAlarm (seems to be unstable these days) and installing Kerio Personal Firewall, I managed to pull the following log regarding the connection attempt:
[11/7/2004 20:29:30]

Direction: outgoing
Local Point: 0.0.0.0, port 1047
Adapter: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
Remote Point: 193.136.99.11 [193.136.99.11], port 9562
Protocol: TCP

Application path: K:\WINDOWS\SYSTEM32\PRA.EXE
Description: pra
File version:
Created: 2004/6/1, 22:27:47
Modified: 2004/6/1, 22:27:46
Accessed: 2004/7/11, 19:29:27

RuleId = 67108885

After examining the log, I tried to open 193.136.99.11 in my browser and I get a strange page that seems to be some kind of webmail login.
Port 1047 is apparently registered to Sun's NEO Object Request Broker, and port 9562 is unassigned, and a quick search of Google doesn't bring up anything for port 9562 :(

So I'm thinking... this is looking more and more dodgy by the minute, so I ran a whois on the IP and it comes up as this:

inetnum: 193.136.96.0 - 193.136.103.255
netname: UTL-1
descr: Universidade Tecnica de Lisboa
country: PT
admin-c: PS9149-RIPE
tech-c: CM1681-RIPE
tech-c: FA889-RIPE
tech-c: JP8810-RIPE
tech-c: RMB26-RIPE
status: ASSIGNED PA
remarks: created 19940822
mnt-by: AS1930-MNT
mnt-lower: AS1930-MNT
changed: ipadm@fccn.pt 20000531
changed: ipadm@fccn.pt 20000601
changed: ipadm@fccn.pt 20000630
changed: ipadm@fccn.pt 20010301
changed: ipadm@fccn.pt 20030513
source: RIPE

What I'm wondering now is: should I contact the admin for that IP block and report it?

*edit: it seems to be trying to access every local port in sequential order to try to connect to the net. It's now on 1780 and counting....

Oh, and I couldn't find anything blatantly obvious with the hex editor.

I'm really stuck as to what it is now.
I'll apologise now for the lack of any spelling/grammar in the report, I've had a few too many
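
An added example, not from the thread: a Python parser for the Kerio Personal Firewall record format shown above that groups outbound attempts by application and remote endpoint and reports how often and how regularly each endpoint is contacted. The input is a constructed log of six records in that format; the first is the one posted, and the later retries, plus one browser connection to 192.0.2.10, are made up for illustration. One caveat the parse makes visible: the climbing local port numbers (1047, then 1780 and counting) are not the program working through the machine's ports. Windows XP hands out ephemeral source ports upward from 1025 to each new outbound socket, so every retry simply takes the next free one. The signal worth reporting is the fixed remote endpoint and the retry cadence, which is what the summary isolates.

```python
import re
from datetime import datetime
from statistics import median


def kerio_record(ts, local_port, remote_host, remote_port, app):
    """Render one record in the Kerio Personal Firewall log format shown in
    the thread (used only to build the constructed sample below)."""
    return (f"[{ts}]\n"
            f"Direction: outgoing\n"
            f"Local Point: 0.0.0.0, port {local_port}\n"
            f"Remote Point: {remote_host} [{remote_host}], port {remote_port}\n"
            f"Protocol: TCP\n"
            f"Application path: {app}\n"
            f"File version:\n"
            f"RuleId = 67108885\n")


PRA = r'K:\WINDOWS\SYSTEM32\PRA.EXE'
IE = r'C:\Program Files\Internet Explorer\iexplore.exe'

# Constructed sample: the first record is the one posted; the later pra.exe
# retries and the single browser connection are made up for illustration.
SAMPLE_LOG = '\n'.join([
    kerio_record('11/7/2004 20:29:30', 1047, '193.136.99.11', 9562, PRA),
    kerio_record('11/7/2004 20:30:30', 1048, '193.136.99.11', 9562, PRA),
    kerio_record('11/7/2004 20:30:45', 1049, '192.0.2.10', 80, IE),
    kerio_record('11/7/2004 20:31:30', 1050, '193.136.99.11', 9562, PRA),
    kerio_record('11/7/2004 20:32:30', 1051, '193.136.99.11', 9562, PRA),
    kerio_record('11/7/2004 20:33:30', 1052, '193.136.99.11', 9562, PRA),
])

HEADER_RE = re.compile(r'^\[(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})\]$')
# "0.0.0.0, port 1047" or "193.136.99.11 [193.136.99.11], port 9562"
ENDPOINT_RE = re.compile(r'^(?P<host>\S+)(?: \[[^\]]*\])?, port (?P<port>\d+)$')


def parse_log(text):
    """Split the log into records keyed by the bracketed timestamp line.
    Timestamps are day/month/year, as in the poster's log."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {'time': datetime.strptime(m.group(1), '%d/%m/%Y %H:%M:%S')}
            records.append(current)
            continue
        if current is None or ': ' not in line:
            continue  # e.g. "File version:" with no value, or "RuleId = ..."
        key, value = line.split(': ', 1)
        if key in ('Local Point', 'Remote Point'):
            e = ENDPOINT_RE.match(value)
            if e:
                side = 'local' if key == 'Local Point' else 'remote'
                current[side + '_host'] = e.group('host')
                current[side + '_port'] = int(e.group('port'))
        elif key == 'Application path':
            current['app'] = value
        else:
            current[key.lower()] = value
    return records


def summarize(records, min_attempts=3):
    """Group outbound attempts by (application, remote host, remote port) and
    report count, cadence, and whether the local ports merely climb, which is
    ephemeral port allocation rather than anything the program chose."""
    groups = {}
    for r in records:
        if r.get('direction') != 'outgoing' or 'remote_host' not in r:
            continue
        key = (r.get('app', '?').lower(), r['remote_host'], r['remote_port'])
        groups.setdefault(key, []).append(r)

    summaries = []
    for (app, host, port), rs in groups.items():
        rs.sort(key=lambda r: r['time'])
        times = [r['time'] for r in rs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        local_ports = [r['local_port'] for r in rs]
        summaries.append({
            'app': app,
            'remote': f'{host}:{port}',
            'attempts': len(rs),
            'first': times[0],
            'last': times[-1],
            'median_gap_s': median(gaps) if gaps else None,
            'local_ports_ascending': all(a < b for a, b in zip(local_ports, local_ports[1:])),
            'suspicious': len(rs) >= min_attempts,
        })
    summaries.sort(key=lambda s: -s['attempts'])
    return summaries


if __name__ == '__main__':
    for s in summarize(parse_log(SAMPLE_LOG)):
        flag = 'SUSPICIOUS' if s['suspicious'] else 'ok'
        print(f"{flag:10} {s['app']} -> {s['remote']}: {s['attempts']} attempts, "
              f"median gap {s['median_gap_s']} s, local ports ascending: "
              f"{s['local_ports_ascending']}")
```

On the sample this reports pra.exe contacting 193.136.99.11:9562 five times at a steady 60-second gap, and the browser's single connection as unremarkable. The `min_attempts` threshold is a starting point, not a rule; for a real log the useful outputs are the endpoint, the attempt count and the median gap, which are exactly the details an abuse contact for the address block can act on.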
 