A Virus?
chadruc
June 4th, 2003, 04:43 AM
Hi,
I've recently installed ZoneAlarm and noticed that an application called xmdm.exe tries to access the internet. Since I didn't have a clue what it is I blocked it. From the logs it seems to try to access port 53, and 8426 on different ip-numbers. When I search for the file (Windows 2000 pro) it can't find it and ZoneAlarm classifies it as a file with invalid date and size 0kb. I've used an updated NOD32 scanner and it found nothing.
Does anyone know what this is and what I should do about it?
Chadruc
Pieter_Arntz
June 4th, 2003, 05:04 AM
Hi chadruc,
http://www.annoyances.org/exec/forum/win95/t1047051838
especially : "I had this problem and it turned out my machine was infected with the Trj/Dcboj virus, which apparently is low risk, so low risk in fact, McAfee missed it! I found it by using the free online scanner at http://www.pandasoftware.co.uk which removed the problem. "
I hope that's the one,
Pieter
chadruc
June 4th, 2003, 05:09 AM
Thanks!
I'll try that scanner and let you know if it finds anything.
Wished one scanner would be enough though ;)
Pieter_Arntz
June 4th, 2003, 05:17 AM
Quote (chadruc):
> Thanks!
> I'll try that scanner and let you know if it finds anything.
> Wished one scanner would be enough though ;)
I would advise a good, dedicated Trojan scanner to accompany NOD32.
Keep us posted,
Pieter
chadruc
June 4th, 2003, 12:58 PM
I used that scanner and it found nothing.
When I check the log in ZoneAlarm I see that it does about 20 attempts every 2 minutes.
Anyone got a suggestion what I should try?
Technodrome
June 4th, 2003, 01:29 PM
Send xmdm.exe file to support@nod32.com .
While you are waiting, you could try Kaspersky virus remote check.
http://www.avp.ru/remoteviruschk.html
Technodrome
chadruc
June 4th, 2003, 01:32 PM
The problem is that I can't find the file. When I search for it it's gone.
Paul Wilders
June 4th, 2003, 02:12 PM
Quote (chadruc):
> The problem is that I can't find the file. When I search for it it's gone.
Install a trial version from a good antitrojan, TDS3 (http://tds.diamondcs.com.au) for example, manually update the database ("radius") and perform a full scan. Please keep us posted.
regards.
paul
chadruc
June 4th, 2003, 05:00 PM
Ok.
I've installed TDS, manually downloaded the database file and chose full system scan under system testing. It said that it found a strange file with mutal extension and I chose to delete that file. I've been scanning my computer for quite some time now and according to the logs in ZoneAlarm the xmdm.exe that used to try to access the net about every two minutes hasn't tried for almost 3 hours.
It doesn't feel good that I haven't gotten a confirmed removal of a specific problem so I'm running a manual scan in the TDS where I added every possible scan with the highest sensitivity that I could find.
Hopefully I'll find something.
Regards,
Chadruc
LowWaterMark
June 5th, 2003, 02:00 AM
Hi chadruc,
One other thing... As far as Zone Alarm goes, are you saying the program looks something like the image below (i.e. a program named xmdm.exe that doesn't have any valid file spec info in the "Entry Detail" window)?
When you get a bad program entry in the ZA Program list, you should delete it from the list (in ZA Program list, highlight the line with xmdm.exe on it, right-click and select "remove"). It could have been a corrupt entry. The next time it tries to get access to the Internet, if it does, you may get more complete (valid) information next time.
Best Wishes,
LowWaterMark
P.S. Oh, this image is just a mock-up. No, I don't have a program with the name xmdm.exe on my system. Sorry.
chadruc
June 5th, 2003, 04:27 AM
Hello,
I scanned my computer with TDS, removed a suspicious file and checked the logs before I went to sleep last night and I saw no attempts from the xmdm.exe to access the net.
This morning when I restarted the computer the xmdm.exe made about 20 attempts. Sigh.
LowWaterMark: Yep that's how it looks except that there are red X's because it's blocked. I'll try to remove the program and see what happens.
Any more ideas of what I can do?
Thanks for the support
Chadruc
Pieter_Arntz
June 5th, 2003, 04:42 AM
Hi chadruc,
This is a long shot, but who knows?
Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log as a .txt file, and copy and paste its contents into your next post.
Most of what it lists will be harmless, so do not fix anything yet.
Regards,
Pieter
chadruc
June 5th, 2003, 01:27 PM
Ok here's the log
Logfile of HijackThis v1.94.0
Scan saved at 19:22:04, on 2003-06-05
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Nod32CC] "C:\WINNT\System32\nod32cc.exe" -DONTSHOW
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37771.2238310185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Pieter_Arntz
June 5th, 2003, 04:28 PM
Hi chadruc,
Thanks for making me read a clean log. :)
Regards,
Pieter
chadruc
June 5th, 2003, 05:33 PM
Hello again,
Sorry Pieter if the log wasn't interesting ;)
I was somewhat surprised when I got back from work today. The ZA-log was scary, Xmdm.exe tried to access the net. Then 5 blocked incoming attempts. Then Xmdm.exe again, and 5 new ones. Over and over and over again. A netstat -na scrolled for ages with ports in the state of LISTENING. I didn't know what else to do so I pulled the network cable. Then I uninstalled everything I'm not regularly using, deleted loads of files, virusscanned, and wormscanned, got a new ip and restarted. Now I've got 7 blocked incoming the last 3 hours. I don't know if the xmdm.exe 'problem' is gone, but I hope it is.
I read some article today on grc.com about a so called zombie that communicated with a zombie-central to coordinate dos-attacks. They had random names and used random ports. The article was a bit old but the behaviour of the xmdm.exe seemed to fit that profile. Are zombies still used today?
Thanks for all help in trying to solve this
Chadruc
chadruc
June 6th, 2003, 01:31 AM
Hello again,
Bad news, xmdm.exe showed up again this morning. :(
What can I do?
chadruc
June 6th, 2003, 01:34 AM
First netstat -na shows port 1026 - 1383 listening
Next one shows 1026-1492
chadruc
June 6th, 2003, 01:37 AM
ZA log is spammed with xmdm outgoing attempts to different ip-numbers on ports 53, 70 and 8426. Pulling the cable now, will check the forum from work.
Pieter_Arntz
June 6th, 2003, 02:26 AM
Hi chadruc,
When you notice this program is active again, in HijackThis click Misc > Config > Generate Startuplist.
That will create a txt file with all the startups and all running processes. Maybe that will give us a clue.
Regards,
Pieter
CrazyM
June 6th, 2003, 02:44 AM
Hi chadruc
You might also want to try a process viewer/port mapper to see if that helps determine what is going on.
Port Explorer (http://www.diamondcs.com.au/portexplorer/)
Vision (http://www.foundstone.com/knowledge/proddesc/vision.html)
Active Ports (http://www.protect-me.com/freeware.html)
Regards,
CrazyM
chadruc
June 6th, 2003, 05:58 AM
Ok, Pieter and CrazyM I'll try that when I get back from work.
I printed the ZA-log from this morning but it doesn't help me much.
When I've started my computer this happens:
07:21:36) The Spooler Subsystem is blocked.
07:21:46) Incoming TCP (flags: S) 2081
07:22:22) Incoming ICMP (type8/subtype:0)
07:22:36) Xmdm 53 which I choose to block
07:22:52) Xmdm DNS, ipnumber 1, 2, 3, 4, 5, 6 on port 8426
07:22:52) Xmdm DNS, ip1, 7, 2, 3, 4, 5, 6 8426 (one new ipnumber)
07:22:52) Xmdm DNS, ip1, 7, 2, 3, 4, 5, 6 8426
07:22:52) Xmdm DNS, ip1, 7, 2, 3 8426
07:22:52) Xmdm to ipnr X.X.X.7 where the X:es are the same as my ipnumber. No portnumber.
07:22:52) Xmdm DNS
07:23:34) Incoming UDP 2936
07:24:14) Incoming TCP (flags:S) 2337
07:24:44) Incoming UDP 2936
07:24:52) Xmdm ip1, 2, 3, 4, 5, 6 8426
07:24:52) Xmdm DNS, ip1, 7, 2, 3, 4, 5, 6 8426
07:24:52) Xmdm DNS, ip1, 7, 2, 3, 4, 5, 6 8426
07:24:52) Xmdm DNS, ip1, 7, 2, 3 8426
07:24:52) Xmdm my ipnumber no portnumber
07:24:52) Xmdm DNS
07:25:12) Incoming UDP 2936
07:25:24) Incoming UDP 2936
07:25:30) Incoming UDP 2936
07:25:58) Incoming UDP 2936
07:26:10) Incoming UDP 2936
07:26:16) Incoming UDP 2936
07:26:52) Xmdm continues
Does this tell you anything about what it's doing?
Chadruc
mmk
June 6th, 2003, 08:08 AM
Hi!
1.) Forget about ZA. It's a waste of time.
2.) Download and install Spybot Search & Destroy: you can use it to get system startup and process list information.
http://security.kolla.de
3.) Choose >Tools >Process list / >System startup and "Export". Please post the results here.
chadruc
June 6th, 2003, 11:58 AM
Hello everyone,
I've installed Search & Destroy 1.2 and it doesn't find bots.
Both Vision and Active Ports show that C:\WINNT\System32\xmdm.exe is responsible for opening all those ports.
The log looks something like this:
xmdm.exe***768***0.0.0.0***113*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
svchost.exe***408***0.0.0.0***135*********LISTEN***TCP***C:\WINNT\system32\svchost.exe
System***8***0.0.0.0***445*********LISTEN***UDP***
System***8***0.0.0.0***445*********LISTEN***TCP***
lsass.exe***228***X.X.X.X***500*********LISTEN***UDP***C:\WINNT\system32\lsass.exe
MSTask.exe***620***0.0.0.0***1026*********LISTEN***TCP***C:\WINNT\system32\MSTask.exe
xmdm.exe***768***X.X.X.X***1027*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
xmdm.exe***768***0.0.0.0***1028*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
xmdm.exe***768***0.0.0.0***1029*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
.
.
xmdm.exe***768***0.0.0.0***1223*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
System***8***0.0.0.0***1224*********LISTEN***TCP***
xmdm.exe***768***0.0.0.0***1228*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
.
.
xmdm.exe***768***0.0.0.0***1435*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
IEXPLORE.EXE***828***127.0.0.1***1436*********LISTEN***UDP***C:\Program\Internet Explorer\IEXPLORE.EXE
xmdm.exe***768***0.0.0.0***1451*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
.
.
xmdm.exe***768***0.0.0.0***1554*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
IEXPLORE.EXE***956***127.0.0.1***1566*********LISTEN***UDP***C:\Program\Internet Explorer\IEXPLORE.EXE
xmdm.exe***768***0.0.0.0***1568*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
.
.
xmdm.exe***768***0.0.0.0***1671*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
IEXPLORE.EXE***956***0.0.0.0***1683*********LISTEN***TCP***C:\Program\Internet Explorer\IEXPLORE.EXE
xmdm.exe***768***0.0.0.0***1688*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
.
.
.
DWRCS.EXE***472***0.0.0.0***6129*********LISTEN***TCP***C:\WINNT\SYSTEM32\DWRCS.EXE
A good thing with both Vision and Active Ports is that I can right-click and kill the process. Once I've done that it doesn't seem to be starting up again, until I restart my computer.
Weird that it says that xmdm.exe is located in c:\winnt\system32 but I can't find the file there.
Anyone got an idea what I can do next to permanently remove this problem?
Thanks for helping me
Chadruc
chadruc
June 6th, 2003, 12:14 PM
Oh almost forgot the logs from Spybot. This is what it looks like when I've restarted the computer
Spybot-S&D Startup list report, 2003-06-06 18:03:56
Located: HK_CU:Run, internat.exe
file: internat.exe
Located: HK_LM:Run, Synchronization Manager
file: mobsync.exe /logon
Located: HK_LM:Run, zBrowser Launcher
file: C:\Program\Logitech\iTouch\iTouch.exe
MD5: FD8F1B9E5760660CDD4E6E6A0A8BE902
Located: HK_LM:Run, Logitech Utility
file: Logi_MwX.Exe
Located: HK_LM:Run, NvCplDaemon
file: RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
Located: HK_LM:Run, nwiz
file: nwiz.exe /install
Located: HK_LM:Run, Nod32CC
file: "C:\WINNT\System32\nod32cc.exe" -DONTSHOW
Located: HK_LM:Run, TDS3
file: C:\Program\AntiWorm\TDS3\TDS-3.exe
MD5: B93DD546C76AB4DEDAC080ED01C30F72
Located: Startup (common), ZoneAlarm.lnk
file: C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe
MD5: 4872FEEA595DBB7D4F84C4F2880489D0
-------------------
Spybot-S&D process list report, 2003-06-06 18:03:37
PID: 0 ( 0) [System]
PID: 8 ( 0) System
PID: 144 ( 8) \SystemRoot\System32\smss.exe
PID: 168 ( 144) CSRSS.EXE
PID: 188 ( 144) \??\C:\WINNT\system32\winlogon.exe
PID: 216 ( 188) C:\WINNT\system32\services.exe
PID: 228 ( 188) C:\WINNT\system32\lsass.exe
PID: 292 ( 928) C:\WINNT\Explorer.EXE
PID: 400 ( 216) C:\WINNT\system32\svchost.exe
PID: 432 ( 216) C:\WINNT\system32\spoolsv.exe
PID: 464 ( 216) C:\WINNT\SYSTEM32\DWRCS.EXE
PID: 476 ( 216) C:\WINNT\System32\svchost.exe
PID: 512 ( 216) C:\WINNT\System32\nod32cc.exe
PID: 532 ( 216) C:\WINNT\System32\nod32m2.exe
PID: 548 ( 216) C:\WINNT\System32\nvsvc32.exe
PID: 568 ( 216) C:\WINNT\system32\regsvc.exe
PID: 584 ( 216) C:\WINNT\system32\MSTask.exe
PID: 632 ( 216) C:\WINNT\system32\ZoneLabs\vsmon.exe
PID: 704 ( 216) C:\WINNT\System32\WBEM\WinMgmt.exe
PID: 736 ( 216) C:\WINNT\System32\mspmspsv.exe
PID: 748 ( 216) C:\WINNT\system32\svchost.exe
PID: 900 (1052) C:\Program\Logitech\MouseWare\system\em_exec.exe
PID: 980 ( 292) C:\Program\Logitech\iTouch\iTouch.exe
PID: 1108 ( 292) C:\WINNT\System32\internat.exe
PID: 1124 ( 292) C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe
PID: 1180 ( 292) C:\Program\Spybot - Search & Destroy\SpybotSD.exe
----------
Active Ports shows this:
System***8***0.0.0.0***445*********LISTEN***UDP***
System***8***0.0.0.0***1031*********LISTEN***TCP***
System***8***0.0.0.0***445*********LISTEN***TCP***
lsass.exe***228***213.114.220.23***500*********LISTEN***UDP***C:\WINNT\system32\lsass.exe
svchost.exe***400***0.0.0.0***135*********LISTEN***TCP***C:\WINNT\system32\svchost.exe
DWRCS.EXE***464***0.0.0.0***6129*********LISTEN***TCP***C:\WINNT\SYSTEM32\DWRCS.EXE
MSTask.exe***584***0.0.0.0***1026*********LISTEN***TCP***C:\WINNT\system32\MSTask.exe
xmdm.exe***760***213.114.220.23***1027*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
IEXPLORE.EXE***1176***127.0.0.1***1033*********LISTEN***UDP***C:\Program\Internet Explorer\IEXPLORE.EXE
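The Active Ports / Vision exports pasted in this post and in the earlier one (11:58 AM) are the decisive evidence in the thread: they tie the mass of LISTENING ports to a single image path that a file-system search cannot locate. The script below is an added triage helper, not code from the thread or from any of the tools named in it. It parses that `***`-separated export, groups listeners by process, and flags a process that either holds an unusual number of listening ports or reports an image path that is absent from the list of files actually found on disk. The column layout (the two blank columns taken as remote address and port) is my assumption based on the pasted rows; the sample rows, the host placeholder X.X.X.X and the set of files "found on disk" are constructed for the demo.

```python
"""Triage helper for a '***'-separated listening-port export (Active Ports / Vision style).

Added example, not from the forum thread or the tools it names. The column layout below is an
assumption derived from the rows pasted in the thread:
  process *** pid *** local addr *** local port *** remote addr *** remote port *** state *** proto *** image path
The two empty columns are assumed to be remote address/port, which are blank for LISTEN rows.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    process: str
    pid: int
    local_addr: str
    local_port: int
    proto: str
    image_path: str  # empty for kernel-owned sockets ("System")


# Constructed sample modelled on the thread's output; X.X.X.X stands in for the host's own address.
SAMPLE_EXPORT = r"""
svchost.exe***408***0.0.0.0***135*********LISTEN***TCP***C:\WINNT\system32\svchost.exe
System***8***0.0.0.0***445*********LISTEN***UDP***
System***8***0.0.0.0***445*********LISTEN***TCP***
MSTask.exe***620***0.0.0.0***1026*********LISTEN***TCP***C:\WINNT\system32\MSTask.exe
xmdm.exe***768***0.0.0.0***113*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
xmdm.exe***768***X.X.X.X***1027*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
xmdm.exe***768***0.0.0.0***1028*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
xmdm.exe***768***0.0.0.0***1029*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
xmdm.exe***768***0.0.0.0***1030*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
xmdm.exe***768***0.0.0.0***1031*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
xmdm.exe***768***0.0.0.0***1032*********LISTEN***TCP***C:\WINNT\system32\xmdm.exe
.
.
IEXPLORE.EXE***828***127.0.0.1***1436*********LISTEN***UDP***C:\Program\Internet Explorer\IEXPLORE.EXE
DWRCS.EXE***472***0.0.0.0***6129*********LISTEN***TCP***C:\WINNT\SYSTEM32\DWRCS.EXE
"""

# Constructed result of a file-system search (what Explorer or dir actually finds), lower-cased.
# Note that the xmdm.exe path reported by the port mapper is deliberately not in it.
FILES_FOUND_ON_DISK = {
    r"c:\winnt\system32\svchost.exe",
    r"c:\winnt\system32\mstask.exe",
    r"c:\program\internet explorer\iexplore.exe",
    r"c:\winnt\system32\dwrcs.exe",
}


def parse_active_ports(text):
    """Parse export rows; skips blank lines, the '.' elision rows and anything not in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        fields = line.strip().split("***")
        if len(fields) != 9 or fields[6] != "LISTEN":
            continue
        try:
            pid, port = int(fields[1]), int(fields[3])
        except ValueError:
            continue  # malformed row, e.g. a header line
        listeners.append(Listener(fields[0], pid, fields[2], port, fields[7], fields[8]))
    return listeners


def summarize_by_process(listeners):
    """Group listening ports, protocols and reported image paths per (process name, pid)."""
    summary = defaultdict(lambda: {"ports": set(), "paths": set(), "protos": set()})
    for lst in listeners:
        entry = summary[(lst.process, lst.pid)]
        entry["ports"].add(lst.local_port)
        entry["protos"].add(lst.proto)
        if lst.image_path:
            entry["paths"].add(lst.image_path)
    return dict(summary)


def flag_suspicious(summary, files_on_disk, max_ports=5):
    """Return {(process, pid): [reasons]} for processes worth a closer look.

    Two signals taken from the thread: one process holding far more listening ports than a
    normal service does, and an image path the port mapper reports but a file search cannot
    locate (a hidden or otherwise stealthed file)."""
    findings = {}
    for key, info in summary.items():
        reasons = []
        ports = sorted(info["ports"])
        if len(ports) > max_ports:
            reasons.append(f"{len(ports)} listening ports ({ports[0]}-{ports[-1]})")
        for path in sorted(info["paths"]):
            if path.lower() not in files_on_disk:
                reasons.append(f"reported image path not found on disk: {path}")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    summary = summarize_by_process(parse_active_ports(SAMPLE_EXPORT))
    for (proc, pid), reasons in flag_suspicious(summary, FILES_FOUND_ON_DISK).items():
        print(f"{proc} (pid {pid}):")
        for reason in reasons:
            print(f"  - {reason}")
```

On the constructed sample the only flagged entry is xmdm.exe (pid 768), for both reasons. In real use you would feed the tool's saved export as `text` and build `files_on_disk` from a directory listing taken with hidden and system files visible, which is exactly the cross-check the thread ends up doing by hand.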
chadruc
June 6th, 2003, 12:16 PM
Didn't want that to be a cool smiley. It's supposed to look like this
PID: 188 ( 144) \??\C:\WINNT\system32\winlogon.exe
chadruc
June 6th, 2003, 12:19 PM
Doh! Sorry about this.
PID: 144 ( 8) \SystemRoot\System32\smss.exe
The preview adds a smiley even though I've checked the checkbox that I'll be adding code. Hrm, if it comes out as a smiley again it's supposed to be the number eight followed by )
LowWaterMark
June 6th, 2003, 04:09 PM
Hi chadruc,
Can you check the file properties on C:\WINNT\system32\xmdm.exe? (Right click on it and choose "Properties" and tell us what information if any is on the Version tab.)
Earlier you said you couldn't find the file. Perhaps you just need to set Windows Explorer to show hidden system files. In Windows Explorer > Tools (menu) > Folder Options... > View (tab) > click "Show hidden files and folders" > OK Then go after this file.
Once you get a hold of this file you have many options such as emailing it off for analysis.
chadruc
June 7th, 2003, 03:44 AM
I've got the settings to show me both hidden and system files.
Can't find it though.
chadruc
June 10th, 2003, 02:35 AM
Hello again,
Since the xmdm.exe keeps getting launched every time I restart the computer I removed every entry from the startup list from SpyBot.
The bad news is that xmdm.exe gets started anyway.
Something that seems strange to me is that even though I removed 'mobsync.exe /logon' it reappears every time I restart the computer.
Worm-, Virus- and Spyscanners find nothing so I guess I'll reinstall Windows today. >:(
Thanks for trying to help me out.
Chadruc
mrtwolman
June 10th, 2003, 03:04 AM
Start regedit and search for "xmdm.exe"... then put the results here in the forum, someone will hopefully be able to help you with your problem.
chadruc
June 10th, 2003, 03:13 AM
xmdm.exe is not found in the registry
dsl
June 10th, 2003, 05:32 AM
Original content removed
There is no reason to make members of other boards ridiculous.
Gavin - DiamondCS
June 10th, 2003, 05:50 AM
Send this file to us for analysis,
submit@diamondcs.com.au
chadruc
June 10th, 2003, 06:26 AM
dsl: Ok, I'll try that forum as well.
Gavin: The problem is that I can't find the file. I.e. when I search/look in the directory where ZA/Vision/Active Ports says that it is located I can't find it. I've got the explorer settings to show hidden/system files.
For you new readers let me summarize the previous posts:
After installing Zone Alarm I noticed an application called xmdm.exe that tried to access the net. It tried to contact a couple of different ip-numbers mainly on port 8426 and my DNS every other minute. When it was not trying to contact these addresses I received incoming pings/udp and tcp packets on various ports. Using netstat I also noticed that my computer was listening to a wide range of ports, and the number of ports I was listening to increased as long as xmdm.exe was running. Typically 1000-2000 before I managed to shut it off.
Updated Virus-, Worm-, Botscanners found nothing. However I used Vision & Active Ports to confirm that c:\winnt\system32\xmdm.exe was responsible for listening to the ports. I could use those tools to terminate the process. However if I searched for xmdm.exe (before termination and with the setting to see hidden/system files) I couldn't find it. I haven't been able to find any reference to it at all, not in the registry or anywhere else.
If I terminated the process with Vision/Active Ports it didn't restart. However when I restarted my computer it started again. Using Spybot Search & Destroy I could see what was launched during startup. I cancelled everything that was supposed to start (Logitech utilities etc) but it still got launched when I restarted my computer.
If you got any ideas what I could try please let me know.
Chadruc
Bowserman
June 10th, 2003, 07:25 AM
Have you searched for 0KB in size files on your computer?
Regards, Jade.
chadruc
June 10th, 2003, 08:17 AM
Nope, I haven't tried that. I'll do that and post what I find.
Bowserman
June 10th, 2003, 08:37 AM
Ok. Just did a search on google for xmdm.exe and it is mentioned here:
http://www.tek-tips.com/gviewthread.cfm/lev2/67/lev3/70/pid/621/qid/566821
Before xmdm.exe started showing up on startup on this guy's PC, he was infected with and removed these:
lovegat virus
Bat/mumu.worm
win32/hfind.ipscanner.trojan
That is as much as I can find on this ???.
Maybe someone can help with this info?
Regards, Jade.
chadruc
June 10th, 2003, 11:22 AM
I got this reply in another forum:
> "xmdm.exe" (aka "Hacktool.DoS" [NAV] aka "Jolt" or "XDooR 1.5" - not sure here - [author]) looks like an IRC bot, made to scan, enter and attack.
>
> C:\WINNT\system32\xmdm.exe
>
> Hacktool.DoS (4 times on the same machine). Backdoor.IRC.Cloner (once on another computer).
Will try to find something that can remove those things. Suggestions?
anders
June 10th, 2003, 04:01 PM
Quote (chadruc):
> Will try to find something that can remove those things. Suggestions?
PM me your e-mail address, or e-mail me at anders @ eurosecure.com and mention this thread.
Regards,
Anders
chadruc
June 11th, 2003, 03:55 AM
Hello everyone,
After checking the forums that I've been using to try to solve this issue last night, I made a final attempt to try to solve this problem.
I got one reference to Hacktool.Dos and after searching the Web I found lots of references from Symantec so I installed their Virusscanner, updated, and found nothing.
Someone suggested to search for 0kb files, I did that and found nothing. I had one reference from someone who got a problem with xmdm.exe in another way:
'XMDM.exe - entry point not found
The procedure entry point process32Next could not be loaded and the dynamic link library KERNEL32.DLL could not be located'
So I figured that Windows itself was corrupted and decided to format my harddrive.
Even though this issue was interesting and I learned a lot from trying to solve it, I felt like I wasn't getting any closer to solving it. The forums started to become silent and I hadn't been able to use my computer for a week.
If you're reading this and have the same problem I've hopefully helped you get some information about what it is doing and how to at least temporarily shut it down.
Regards,
Chadruc
know-it-all
July 17th, 2004, 02:23 AM
In order to find the file, you must first boot into safe mode. The file is being masked (stealth mode). After booting into safe mode you will find it in your system directory and in your start up folder.
Gavin - DiamondCS
July 20th, 2004, 02:36 AM
Yep, Safe Mode will do the trick in all but rare cases of stealthing
Before deleting please zip a copy ready to send to both myself and NOD32 (samples@nod32.com) or directly to Anders as per his post previously
Thanks !
rerun2
July 20th, 2004, 12:50 PM
Is there a legitimate windows exe with a similar name?
Copyright ©2002 - 2012, Wilders Security Forums