#26

Doh! Sorry about this.

PID: 144 ( 8) \SystemRoot\System32\smss.exe

The preview adds a smiley even though I've checked the checkbox that I'll be adding code. Hrm, if it comes out a smiley again it's supposed to be the number eight followed by )

#27

Hi chadruc,

Can you check the file properties on C:\WINNT\system32\xmdm.exe? (Right click on it and choose "Properties" and tell us what information, if any, is on the Version tab.) Earlier you said you couldn't find the file. Perhaps you just need to set Windows Explorer to show hidden system files: in Windows Explorer > Tools (menu) > Folder Options... > View (tab) > click "Show hidden files and folders" > OK. Then go after this file. Once you get a hold of this file you have many options, such as emailing it off for analysis.

#28

I've got the settings to show me both hidden and system files.
Can't find it though.

#29

Hello again,

Since xmdm.exe keeps getting launched every time I restart the computer, I removed every entry from the startup list in SpyBot. The bad news is that xmdm.exe gets started anyway. Something that seems strange to me is that even though I removed 'mobsync.exe /logon' it reappears every time I restart the computer. Worm, virus and spy scanners find nothing, so I guess I'll reinstall Windows today.

Thanks for trying to help me out.
Chadruc

#30

Start regedit and search for "xmdm.exe"... then put the results here in the forum; someone will hopefully be able to help you with your problem.

#31

xmdm.exe is not found in the registry.

#32

Original content removed
There is no reason to make members of other boards ridiculous.

#33

Send this file to us for analysis:
submit@diamondcs.com.au

#34

dsl: Ok, I'll try that forum as well.

Gavin: The problem is that I can't find the file. I.e. when I search/look in the directory where ZA/Vision/Active Ports says that it is located, I can't find it. I've got the Explorer settings to show hidden/system files.

For you new readers, let me summarize the previous posts: After installing Zone Alarm I noticed an application called xmdm.exe that tried to access the net. It tried to contact a couple of different IP numbers, mainly on port 8426, and my DNS every other minute. When it was not trying to contact these addresses I received incoming pings/UDP and TCP packets on various ports. Using netstat I also noticed that my computer was listening on a wide range of ports, and the number of ports I was listening on increased as long as xmdm.exe was running. Typically 1000-2000 before I managed to shut it off. Updated virus, worm and bot scanners found nothing. However, I used Vision & Active Ports to confirm that c:\winnt\system32\xmdm.exe was responsible for listening on the ports. I could use those tools to terminate the process. However, if I searched for xmdm.exe (before termination and with the setting to see hidden/system files) I couldn't find it. I haven't been able to find any reference to it at all, not in the registry or anywhere else. If I terminated the process with Vision/Active Ports it didn't restart. However, when I restarted my computer it started again. Using Search & Destroy SpyBot I could see what was launched during startup. I cancelled everything that was supposed to start (Logitech utilities etc.) but it still got launched when I restarted my computer.

If you've got any ideas what I could try, please let me know.
Chadruc

#35

Have you searched for 0KB in size files on your computer?

Regards, Jade.
__________________
Ghost Security Products DiamondCS Products -------- Trojan/Malware Submission

#36

Nope, I haven't tried that. I'll do that and post what I find.

#37

Ok. Just did a search on Google for xmdm.exe and it is mentioned here:
http://www.tek-tips.com/gviewthread.cfm/lev2/67/lev3/70/pid/621/qid/566821

Before xmdm.exe started showing up on startup on this guy's PC, he was infected with and removed these:
lovegat virus
Bat/mumu.worm
win32/hfind.ipscanner.trojan

That is as much as I can find on this. Maybe someone can help with this info?

Regards, Jade.
__________________
Ghost Security Products DiamondCS Products -------- Trojan/Malware Submission

#38

I got this reply in another forum:

> "xmdm.exe" (aka "Hacktool.DoS" [NAV] aka "Jolt" or "XDooR 1.5" - not sure
> here - [author]) looks like an IRC bot, made to scan, enter and attack.
>
> C:\WINNT\system32\xmdm.exe
>
> Hacktool.DoS (4 times on the same machine). Backdoor.IRC.Cloner (once on
> another computer).

Will try to find something that can remove those things. Suggestions?

#39

Quote:
PM me your e-mail address, or e-mail me at anders @ eurosecure.com and mention this thread.

Regards, Anders
__________________
Best regards, Anders nod32 antivirus

#40

Hello everyone,

After checking the forums that I've been using to try to solve this issue last night, I made a final attempt to try to solve this problem. I got one reference to Hacktool.DoS and after searching the Web I found lots of references from Symantec, so I installed their virus scanner, updated, and found nothing. Someone suggested searching for 0KB files; I did that and found nothing. I had one reference from someone who got a problem with xmdm.exe in another way:

'XMDM.exe - entry point not found The procedure entry point process32Next could not be loaded and the dynamic link library KERNEL32.DLL could not be located'

So I figured that Windows itself was corrupted and decided to format my hard drive. Even though this issue was interesting and I learned a lot from trying to solve it, I felt like I wasn't getting any closer to solving it. The forums started to become silent and I hadn't been able to use my computer for a week. If you're reading this and have the same problem, I've hopefully helped you get some information on what it is doing and how to at least temporarily shut it down.

Regards, Chadruc

#41

In order to find the file, you must first boot into Safe Mode. The file is being masked (stealth mode). After booting into Safe Mode you will find it in your system directory and in your startup folder.

#42

Yep, Safe Mode will do the trick in all but rare cases of stealthing.
Before deleting, please zip a copy ready to send to both myself and NOD32 (samples@nod32.com) or directly to Anders as per his post previously. Thanks!

#43

Is there a legitimate Windows exe with a similar name?