A Virus?

Discussion in 'NOD32 version 1 Forum' started by chadruc, Jun 4, 2003.

Thread Status:
Not open for further replies.
  1. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    Hi,

    I've recently installed ZoneAlarm and noticed that an application called xmdm.exe tries to access the Internet. Since I didn't have a clue what it is, I blocked it. From the logs it seems to try to access ports 53 and 8426 on different IP numbers. When I search for the file (Windows 2000 Pro) it can't be found, and ZoneAlarm classifies it as a file with an invalid date and size 0 KB. I've used an updated NOD32 scanner and it found nothing.

    Does anyone know what this is and what I should do about it?

    Chadruc
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi chadruc,

    http://www.annoyances.org/exec/forum/win95/t1047051838

    especially: "I had this problem and it turned out my machine was infected with the Trj/Dcboj virus, which apparently is low risk, so low risk in fact, McAfee missed it! I found it by using the free online scanner at http://www.pandasoftware.co.uk which removed the problem."

    I hope that's the one,

    Pieter
     
  3. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    Thanks!

    I'll try that scanner and let you know if it finds anything.

    Wish one scanner would be enough, though ;)
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    I would advise a good, dedicated Trojan scanner to accompany NOD32.
    Keep us posted,

    Pieter
     
  5. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    I used that scanner and it found nothing.

    When I check the log in ZoneAlarm I see that it does about 20 attempts every 2 minutes.

    Anyone got a suggestion what I should try?
     
  6. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Send the xmdm.exe file to support@nod32.com.

    While you are waiting, you could try Kaspersky virus remote check.

    http://www.avp.ru/remoteviruschk.html



    Technodrome
     
  7. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    The problem is that I can't find the file. When I search for it, it's gone.
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Install a trial version of a good anti-trojan, TDS3 for example, manually update the database ("radius") and perform a full scan. Please keep us posted.

    regards.

    paul
     
  9. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    Ok.

    I've installed TDS, manually downloaded the database file and chose full system scan under system testing. It said that it found a strange file with a mutal extension and I chose to delete that file. I've been scanning my computer for quite some time now, and according to the logs in ZoneAlarm the xmdm.exe that used to try to access the net about every two minutes hasn't tried for almost 3 hours.

    It doesn't feel good that I haven't gotten a confirmed removal of a specific problem, so I'm running a manual scan in TDS where I added every possible scan with the highest sensitivity that I could find.

    Hopefully I'll find something.

    Regards,
    Chadruc
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi chadruc,

    One other thing... As far as Zone Alarm goes, are you saying the program looks something like the image below (i.e. a program named xmdm.exe that doesn't have any valid file spec info in the "Entry Detail" window)?

    When you get a bad program entry in the ZA Program list, you should delete it from the list (in the ZA Program list, highlight the line with xmdm.exe on it, right-click and select "remove"). It could have been a corrupt entry. The next time it tries to get access to the Internet, if it does, you may get more complete (valid) information.

    Best Wishes,
    LowWaterMark

    P.S. Oh, this image is just a mock-up. No, I don't have a program with the name xmdm.exe on my system. Sorry.
     
  11. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    Hello,

    I scanned my computer with TDS, removed a suspicious file and checked the logs before I went to sleep last night, and I saw no attempts from the xmdm.exe to access the net.

    This morning when I restarted the computer the xmdm.exe made about 20 attempts. Sigh.

    LowWaterMark: Yep, that's how it looks, except that there are red X's because it's blocked. I'll try to remove the program and see what happens.

    Any more ideas of what I can do?

    Thanks for the support
    Chadruc
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi chadruc,

    This is a long shot, but who knows?
    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  13. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    OK, here's the log:

    Logfile of HijackThis v1.94.0
    Scan saved at 19:22:04, on 2003-06-05
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Nod32CC] "C:\WINNT\System32\nod32cc.exe" -DONTSHOW
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37771.2238310185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi chadruc,

    Thanks for making me read a clean log. :)

    Regards,

    Pieter
     
  15. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    Hello again,

    Sorry, Pieter, if the log wasn't interesting ;)

    I was somewhat surprised when I got back from work today. The ZA log was scary: Xmdm.exe tried to access the net. Then 5 blocked incoming attempts. Then Xmdm.exe again, and 5 new ones. Over and over and over again. A netstat -na scrolled for ages with ports in the state of LISTENING. I didn't know what else to do, so I pulled the network cable. Then I uninstalled everything I'm not regularly using, deleted loads of files, virus-scanned and worm-scanned, got a new IP and restarted. Now I've got 7 blocked incoming in the last 3 hours. I don't know if the xmdm.exe 'problem' is gone, but I hope it is.

    I read some article today on grc.com about a so-called zombie that communicated with a zombie-central to coordinate DoS attacks. They had random names and used random ports. The article was a bit old, but the behaviour of the xmdm.exe seemed to fit that profile. Are zombies still used today?

    Thanks for all the help in trying to solve this.
    Chadruc
     
  16. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    Hello again,

    Bad news, xmdm.exe showed up again this morning. :(

    What can I do?
     
  17. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    The first netstat -na shows ports 1026-1383 listening.
    The next one shows 1026-1492.
     
  18. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    The ZA log is spammed with xmdm outgoing attempts to different IP numbers on ports 53, 70 and 8426. Pulling the cable now, will check the forum from work.
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi chadruc,

    When you notice this program is active again, in HijackThis click Misc > Config > Generate Startuplist.
    That will create a txt file with all the startups and all running processes. Maybe that will give us a clue.

    Regards,

    Pieter
     
  20. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi chadruc

    You might also want to try a process viewer/port mapper to see if that helps determine what is going on.

    Port Explorer
    Vision
    Active Ports

    Regards,

    CrazyM
     
  21. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    OK, Pieter and CrazyM, I'll try that when I get back from work.

    I printed the ZA log from this morning, but it doesn't help me much.

    When I've started my computer, this happens:

    07:21:36) The Spooler Subsystem is blocked.
    07:21:46) Incoming TCP (flags: S) 2081
    07:22:22) Incoming ICMP (type8/subtype:0)
    07:22:36) Xmdm 53 which I chose to block
    07:22:52) Xmdm DNS, ipnumber 1, 2, 3, 4, 5, 6 on port 8426
    07:22:52) Xmdm DNS, ip1, 7, 2, 3, 4, 5, 6 8426 (one new ipnumber)
    07:22:52) Xmdm DNS, ip1, 7, 2, 3, 4, 5, 6 8426
    07:22:52) Xmdm DNS, ip1, 7, 2, 3 8426
    07:22:52) Xmdm to IP number X.X.X.7 where the X's are the same as my IP number. No port number.
    07:22:52) Xmdm DNS

    07:23:34) Incoming UDP 2936
    07:24:14) Incoming TCP (flags:S) 2337
    07:24:44) Incoming UDP 2936

    07:24:52) Xmdm ip1, 2, 3, 4, 5, 6 8426
    07:24:52) Xmdm DNS, ip1, 7, 2, 3, 4, 5, 6 8426
    07:24:52) Xmdm DNS, ip1, 7, 2, 3, 4, 5, 6 8426
    07:24:52) Xmdm DNS, ip1, 7, 2, 3 8426
    07:24:52) Xmdm my ipnumber no portnumber
    07:24:52) Xmdm DNS

    07:25:12) Incoming UDP 2936
    07:25:24) Incoming UDP 2936
    07:25:30) Incoming UDP 2936
    07:25:58) Incoming UDP 2936
    07:26:10) Incoming UDP 2936
    07:26:16) Incoming UDP 2936

    07:26:52) Xmdm continues

    Does this tell you anything about what it's doing?

    Chadruc
     
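The ZA log above shows the same program reaching out at a fixed ~2-minute cadence, which is the classic "beaconing" signature a defender looks for. The following is an added example (not code from the thread or from ZoneAlarm) that parses a simplified `HH:MM:SS) <program> <dst_ip> <dst_port>` line format, groups the attempts into bursts and tests whether the bursts recur at a near-constant period; the sample lines and the TEST-NET addresses are constructed.

```python
"""Spot fixed-interval outbound attempts ("beaconing") in a ZoneAlarm-style log.
Added example; the simplified line format and the sample entries below are constructed.
"""
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed sample modelled on the ZA entries quoted in the thread (TEST-NET addresses).
SAMPLE_LOG = """\
07:21:46) Incoming TCP (flags: S) 2081
07:22:36) Xmdm 198.51.100.1 53
07:22:52) Xmdm 198.51.100.2 8426
07:22:52) Xmdm 198.51.100.3 8426
07:23:34) Incoming UDP 2936
07:24:52) Xmdm 198.51.100.2 8426
07:24:52) Xmdm 198.51.100.3 8426
07:25:12) Incoming UDP 2936
07:26:52) Xmdm 198.51.100.2 8426
07:26:52) Xmdm 198.51.100.4 8426
"""

# Outbound entries look like: HH:MM:SS) <program> <dst_ip> <dst_port>
OUTBOUND_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)$")

def outbound_events(log_text, program):
    """Return (time, dst_ip, dst_port) for every outbound line of `program`."""
    events = []
    for line in log_text.splitlines():
        m = OUTBOUND_RE.match(line.strip())
        if m and m.group(2).lower() == program.lower():
            when = datetime.strptime(m.group(1), "%H:%M:%S")
            events.append((when, m.group(3), int(m.group(4))))
    return events

def burst_intervals(events, gap=timedelta(seconds=30)):
    """Merge events closer than `gap` into one burst; return seconds between burst starts."""
    times = sorted(t for t, _, _ in events)
    bursts = []
    for t in times:
        if bursts and t - bursts[-1][-1] <= gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    starts = [b[0] for b in bursts]
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]

def looks_like_beacon(intervals, min_bursts=3, jitter=0.10):
    """True when at least `min_bursts` bursts recur at a near-constant period."""
    if len(intervals) < min_bursts - 1:
        return False
    period = median(intervals)
    return period > 0 and all(abs(i - period) <= jitter * period for i in intervals)
```

Run against the sample, `burst_intervals` yields roughly two-minute gaps and `looks_like_beacon` returns True; irregular intervals such as those produced by a user browsing do not pass the jitter test.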
  22. mmk

    mmk Guest

    Hi!

    1.) Forget about ZA. It's a waste of time.
    2.) Download and install Spybot Search & Destroy: you can use it to get system startup and process list information.
    http://security.kolla.de
    3.) Choose >Tools >Process list / >System startup and "Export". Please post the results here.
     
  23. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    Hello everyone,

    I've installed Search & Destroy 1.2 and it doesn't find any bots.

    Both Vision and Active Ports show that C:\WINNT\System32\xmdm.exe is responsible for opening all those ports.

    The log looks something like this:

    xmdm.exe   768   0.0.0.0   113         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
    svchost.exe   408   0.0.0.0   135         LISTEN   TCP   C:\WINNT\system32\svchost.exe
    System   8   0.0.0.0   445         LISTEN   UDP   
    System   8   0.0.0.0   445         LISTEN   TCP   
    lsass.exe   228   X.X.X.X   500         LISTEN   UDP   C:\WINNT\system32\lsass.exe
    MSTask.exe   620   0.0.0.0   1026         LISTEN   TCP   C:\WINNT\system32\MSTask.exe
    xmdm.exe   768   X.X.X.X   1027         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
    xmdm.exe   768   0.0.0.0   1028         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
    xmdm.exe   768   0.0.0.0   1029         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
    .
    .
    xmdm.exe   768   0.0.0.0   1223         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
    System   8   0.0.0.0   1224         LISTEN   TCP   
    xmdm.exe   768   0.0.0.0   1228         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
    .
    .
    xmdm.exe   768   0.0.0.0   1435         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
    IEXPLORE.EXE   828   127.0.0.1   1436         LISTEN   UDP   C:\Program\Internet Explorer\IEXPLORE.EXE
    xmdm.exe   768   0.0.0.0   1451         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
    .
    .
    xmdm.exe   768   0.0.0.0   1554         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
    IEXPLORE.EXE   956   127.0.0.1   1566         LISTEN   UDP   C:\Program\Internet Explorer\IEXPLORE.EXE
    xmdm.exe   768   0.0.0.0   1568         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
    .
    .
    xmdm.exe   768   0.0.0.0   1671         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
    IEXPLORE.EXE   956   0.0.0.0   1683         LISTEN   TCP   C:\Program\Internet Explorer\IEXPLORE.EXE
    xmdm.exe   768   0.0.0.0   1688         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
    .
    .
    .


    DWRCS.EXE   472   0.0.0.0   6129         LISTEN   TCP   C:\WINNT\SYSTEM32\DWRCS.EXE


    A good thing with both Vision and Active Ports is that I can right-click and kill the process. Once I've done that it doesn't seem to be starting up again, until I restart my computer.

    Weird that it says that xmdm.exe is located in c:\winnt\system32 but I can't find the file there.

    Anyone got an idea what I can do next to permanently remove this problem?

    Thanks for helping me
    Chadruc
     
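The Active Ports output above is the decisive evidence in this thread: one user-mode binary (PID 768) holds a growing block of listeners in the dynamic port range, something no legitimate desktop program on the list does. As an added example (not code from the thread or from the Active Ports tool), the parser and heuristic below take that column layout, group LISTEN rows by process and flag any process with an unusual listener fan-out; the sample rows are constructed from the layout quoted, with the elided xmdm.exe run generated.

```python
"""Group Active Ports-style output by process and flag listening-port fan-out.

Added example: parser and heuristic are mine; the sample below is constructed
from the column layout quoted in the thread (the real capture was elided with
"." lines), with a generated run of xmdm.exe listeners standing in for it.
"""
import re
from collections import defaultdict

SAMPLE = r"""xmdm.exe   768   0.0.0.0   113         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
svchost.exe   408   0.0.0.0   135         LISTEN   TCP   C:\WINNT\system32\svchost.exe
System   8   0.0.0.0   445         LISTEN   TCP   
MSTask.exe   620   0.0.0.0   1026         LISTEN   TCP   C:\WINNT\system32\MSTask.exe
IEXPLORE.EXE   828   127.0.0.1   1436         LISTEN   UDP   C:\Program\Internet Explorer\IEXPLORE.EXE
""" + "".join(
    rf"xmdm.exe   768   0.0.0.0   {port}         LISTEN   TCP   C:\WINNT\system32\xmdm.exe" + "\n"
    for port in range(1027, 1047))

def parse_active_ports(text):
    """Split each row on runs of 2+ spaces; rows without an image path get path ''."""
    rows = []
    for line in text.splitlines():
        f = re.split(r"\s{2,}", line.strip())
        if len(f) < 6 or not f[1].isdigit() or not f[3].isdigit():
            continue
        rows.append({"process": f[0], "pid": int(f[1]), "local_ip": f[2],
                     "port": int(f[3]), "state": f[4], "proto": f[5],
                     "path": f[6] if len(f) > 6 else ""})
    return rows

def listening_ports_by_process(rows):
    """Map (process, pid) -> sorted list of ports it has in LISTEN state."""
    ports = defaultdict(set)
    for r in rows:
        if r["state"] == "LISTEN":
            ports[(r["process"], r["pid"])].add(r["port"])
    return {k: sorted(v) for k, v in ports.items()}

def flag_port_fanout(by_proc, threshold=10):
    """Processes holding >= threshold listeners in the dynamic range (>= 1024).

    Returns (process, pid, count, lowest, highest), most listeners first; a single
    binary sitting on hundreds of such ports is the pattern seen in the thread.
    """
    flagged = []
    for (proc, pid), ports in by_proc.items():
        dyn = [p for p in ports if p >= 1024]
        if len(dyn) >= threshold:
            flagged.append((proc, pid, len(dyn), dyn[0], dyn[-1]))
    return sorted(flagged, key=lambda row: -row[2])
```

A flagged entry whose `path` points at a file that cannot be found on disk, as with xmdm.exe here, is a second independent indicator worth recording alongside the port count.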
  24. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    Oh, almost forgot the logs from Spybot. This is what it looks like when I've restarted the computer:

    Spybot-S&D Startup list report, 2003-06-06 18:03:56

    Located: HK_CU:Run, internat.exe
    file: internat.exe

    Located: HK_LM:Run, Synchronization Manager
    file: mobsync.exe /logon

    Located: HK_LM:Run, zBrowser Launcher
    file: C:\Program\Logitech\iTouch\iTouch.exe
    MD5: FD8F1B9E5760660CDD4E6E6A0A8BE902

    Located: HK_LM:Run, Logitech Utility
    file: Logi_MwX.Exe

    Located: HK_LM:Run, NvCplDaemon
    file: RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

    Located: HK_LM:Run, nwiz
    file: nwiz.exe /install

    Located: HK_LM:Run, Nod32CC
    file: "C:\WINNT\System32\nod32cc.exe" -DONTSHOW

    Located: HK_LM:Run, TDS3
    file: C:\Program\AntiWorm\TDS3\TDS-3.exe
    MD5: B93DD546C76AB4DEDAC080ED01C30F72

    Located: Startup (common), ZoneAlarm.lnk
    file: C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe
    MD5: 4872FEEA595DBB7D4F84C4F2880489D0


    -------------------

    Spybot-S&D process list report, 2003-06-06 18:03:37

    PID: 0 ( 0) [System]
    PID: 8 ( 0) System
    PID: 144 ( 8) \SystemRoot\System32\smss.exe
    PID: 168 ( 144) CSRSS.EXE
    PID: 188 ( 144) \??\C:\WINNT\system32\winlogon.exe
    PID: 216 ( 188) C:\WINNT\system32\services.exe
    PID: 228 ( 188) C:\WINNT\system32\lsass.exe
    PID: 292 ( 928) C:\WINNT\Explorer.EXE
    PID: 400 ( 216) C:\WINNT\system32\svchost.exe
    PID: 432 ( 216) C:\WINNT\system32\spoolsv.exe
    PID: 464 ( 216) C:\WINNT\SYSTEM32\DWRCS.EXE
    PID: 476 ( 216) C:\WINNT\System32\svchost.exe
    PID: 512 ( 216) C:\WINNT\System32\nod32cc.exe
    PID: 532 ( 216) C:\WINNT\System32\nod32m2.exe
    PID: 548 ( 216) C:\WINNT\System32\nvsvc32.exe
    PID: 568 ( 216) C:\WINNT\system32\regsvc.exe
    PID: 584 ( 216) C:\WINNT\system32\MSTask.exe
    PID: 632 ( 216) C:\WINNT\system32\ZoneLabs\vsmon.exe
    PID: 704 ( 216) C:\WINNT\System32\WBEM\WinMgmt.exe
    PID: 736 ( 216) C:\WINNT\System32\mspmspsv.exe
    PID: 748 ( 216) C:\WINNT\system32\svchost.exe
    PID: 900 (1052) C:\Program\Logitech\MouseWare\system\em_exec.exe
    PID: 980 ( 292) C:\Program\Logitech\iTouch\iTouch.exe
    PID: 1108 ( 292) C:\WINNT\System32\internat.exe
    PID: 1124 ( 292) C:\Program\Zone Labs\ZoneAlarm\zonealarm.exe
    PID: 1180 ( 292) C:\Program\Spybot - Search & Destroy\SpybotSD.exe


    ----------
    Active Ports shows this:

    System   8   0.0.0.0   445         LISTEN   UDP   
    System   8   0.0.0.0   1031         LISTEN   TCP   
    System   8   0.0.0.0   445         LISTEN   TCP   
    lsass.exe   228   213.114.220.23   500         LISTEN   UDP   C:\WINNT\system32\lsass.exe
    svchost.exe   400   0.0.0.0   135         LISTEN   TCP   C:\WINNT\system32\svchost.exe
    DWRCS.EXE   464   0.0.0.0   6129         LISTEN   TCP   C:\WINNT\SYSTEM32\DWRCS.EXE
    MSTask.exe   584   0.0.0.0   1026         LISTEN   TCP   C:\WINNT\system32\MSTask.exe
    xmdm.exe   760   213.114.220.23   1027         LISTEN   TCP   C:\WINNT\system32\xmdm.exe
    IEXPLORE.EXE   1176   127.0.0.1   1033         LISTEN   UDP   C:\Program\Internet Explorer\IEXPLORE.EXE
     
  25. chadruc

    chadruc Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    23
    Didn't want that to be a cool smiley. It's supposed to look like this:

    PID: 188 ( 144) \??\C:\WINNT\system32\winlogon.exe
     