A Virus?

Discussion in 'NOD32 version 1 Forum' started by chadruc, Jun 4, 2003.

Thread Status:
Not open for further replies.
  1. chadruc
    Offline

    chadruc Registered Member

    Doh! Sorry about this.

    PID: 144 ( :cool: \SystemRoot\System32\smss.exe


    The preview adds a smiley even though I've Checked the checkbox that I'll be adding code. Hrm if it comes out a smiley again it's suppose to be the number eight followed by )
  2. LowWaterMark
    Offline

    LowWaterMark Administrator

    Hi chadruc,

    Can you check the file properties on C:\WINNT\system32\xmdm.exe? (Right click on it and choose "Properties" and tell us what information if any is on the Version tab.)

    Earlier you said you couldn't find the file. Perhaps you just need to set Windows Explorer to show hidden system files. In Windows Explorer > Tools (menu) > Folder Options... > View (tab) > click "Show hidden files and folders" > OK Then go after this file.

    Once you get a hold of this file you have many options such as emailing it off for analysis.
  3. chadruc
    Offline

    chadruc Registered Member

    I've got the settings to show me both hidden and systemfiles.

    Cant find it though.
  4. chadruc
    Offline

    chadruc Registered Member

    Hello again,

    Since the xmdm.exe keeps getting launched everytime I restart the computer I removed every entry from the startup list from SpyBot.

    The bad news is that xmdm.exe gets started anyway.

    Something that seems strange to me is that even though I removed 'mobsync.exe /logon' it reapears everytime I restart the computer.

    Worm-, Virus- and Spyscanners find nothing so I guess I'll reinstall Windows today. :mad:

    Thanks for trying to help me out.
    Chadruc
  5. mrtwolman
    Offline

    mrtwolman Eset Staff Account

    start regedit and search for "xmdm.exe".... then put the results here in the forum, someone will hopefully be able to help you with your problem
  6. chadruc
    Offline

    chadruc Registered Member

    xmdm.exe is not found in the registry
  7. dsl
    Online

    dsl Guest

    Original content removed

    There is no reason to make members of other boards ridiculous.
  8. Gavin - DiamondCS
    Offline

    Gavin - DiamondCS Former DCS Moderator

    Send this file to us for analysis,

    submit@diamondcs.com.au
  9. chadruc
    Offline

    chadruc Registered Member

    dsl: Ok, I'll try that forum as well.

    Gavin: The problem is that I can't find the file. I.E when I search/look in the directory where ZA/Vision/Active Ports says that it is located I can't find it. I've got the explorer settings to show hidden/system files.

    For you new readers let me summarize the previous posts:

    After installing Zone Alarm I noticed an application called xmdm.exe that tried to access the net. It tried to contact a couple of different ip-numbers mainly on port 8426 and my DNS every other minute. When it was not trying to contact these adresses I recieved incoming pings/udp and tcp packets on various ports. Using netstat I also noticed that my computer was listening to a wide range of ports, and the number of ports I was listening to increased as long as xmdm.exe was running. Typically 1000-2000 before I managed to shut it off.

    Updated Virus-, Worm-, Botscanners found nothing. However I used Vision & Active Ports to confirm that c:\winnt\system32\xmdm.exe was responsible for listening to the ports. I could use those tools to terminate the process. However if I searched for xmdm.exe (before termination and with the setting to see hidden/system files) I couldn't find it. I haven't been able to find any reference to it at all, not in the regestry or anywhere else.

    If I terminated the process with Vision/Active Ports it didn't restart. However when I restarted my computer it started again. Using Search & destroy SpyBot I could see what was launched during startup. I cancelled everything that was suppose to start (Logitech utilities etc) but it still got launched when I restarted my computer.

    If you got any ideas what I could try please let me know.

    Chadruc
  10. Bowserman
    Offline

    Bowserman Infrequent Poster

    Have you searched for 0KB in size files on your computer?

    Regards, Jade.
  11. chadruc
    Offline

    chadruc Registered Member

    Nope, I haven't tried that. I'll do that and post what I find.
  12. Bowserman
    Offline

    Bowserman Infrequent Poster

    Ok. Just did a search on google for xmdm.exe and it is mentioned here:
    http://www.tek-tips.com/gviewthread.cfm/lev2/67/lev3/70/pid/621/qid/566821

    Before xmdm.exe started showing up on startup on this guys PC, he was infected with and removed these:

    lovegat virus
    Bat/mumu.worm
    win32/hfind.ipscanner.trojan

    That is as much as I can find on this o_O.

    Maybe someone can help with this info?

    Regards, Jade.
  13. chadruc
    Offline

    chadruc Registered Member

    I got this reply in another forum:

    > "xmdm.exe" (aka "Hacktool.DoS" [NAV] aka "Jolt" or "XDooR 1.5" - not sure > here - [author]) looks like an IRC bot, made to scan, enter and attack.
    >
    > C:\WINNT\system32\xmdm.exe
    >
    > Hacktool.DoS (4 times on the same machine). Backdoor.IRC.Cloner (once on > another computer).

    Will try to find something that can remove those things. Suggestions?
  14. anders
    Offline

    anders Eset Staff Account

    PM me your e-mail address, or e-mail me at anders @ eurosecure.com and mention this thread.

    Regards,
    Anders
  15. chadruc
    Offline

    chadruc Registered Member

    Hello everyone,

    After checking the forums that I've been using to try to solve this issue last night, I made a final attempt to try to solve this problem.

    I got one reference to Hacktool.Dos and after searching the Web I found lots of references from Symantec so I installed thier Virusscanner, updated, and found nothing.

    Someone suggested to search for 0kb files, I did that and found nothing. I had one reference from someone who got a problem with xmdm.exe in another way:

    'XMDM.exe - entry point not found

    The procedure entry point process32Next could not be loaded and the dynamic link library KERNEL32.DLL could not be located'

    So I figured that Windows itself was corrupted and decided to format my harddrive.

    Even though this issue was interesting and I learned a lot from trying to solve it, I felt like I wasn't getting any closer to solving it. The forums started to become silent and I hadn't been able to use my computer for a week.

    If you're reading this and have the same problem I've hopefully helped you get some information of what it is doing and how to at least temporarely shut it down.

    Regards,
    Chadruc
  16. know-it-all
    Online

    know-it-all Guest

    In order to find the file, you must first boot into safe mode. The file is being masked (stealth mode). After booting into safe mode you will find it in your system directory and in your start up folder.
  17. Gavin - DiamondCS
    Offline

    Gavin - DiamondCS Former DCS Moderator

    Yep, Safe Mode will do the trick in all but rare cases of stealthing
    Before deleting please zip a copy ready to send to both myself and NOD32 (samples@nod32.com) or directly to Anders as per his post previously
    Thanks !
  18. rerun2
    Offline

    rerun2 Registered Member

    Is there a legitimate windows exe with a similar name?
Thread Status:
Not open for further replies.