
99.9% sure I have several worms trojans antivirus was disabled HELP!

Discussion in 'Virus & Other Malware Removal' started by michell911, Feb 8, 2003.

Thread Status:
Not open for further replies.
  1. michell911

    michell911 Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    6
    I'm sure I have it; I need solid proof. XCOMMSVR.exe is running.
    FFCFFCE5, 7E6F5D19: C:\WINDOWS\SYSTEM\KERNEL32.DLL, ver 4.90.3000
    FFFFBA79, FFCFFCE5: C:\WINDOWS\SYSTEM\MSGSRV32.EXE, ver 4.90.3000
    FFFFB261, FFFFBA79: C:\WINDOWS\SYSTEM\SPOOL32.EXE, ver 4.90.3000
    FFFE5AF9, FFFFB261: C:\WINDOWS\SYSTEM\MPREXE.EXE, ver 4.90.3000
    FFFE70C9, FFFE5AF9: C:\WINDOWS\SYSTEM\MSTASK.EXE, ver 4.71.2721.1
    FFFED0E5, FFFE5AF9: C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE, ver 6.0.1.374
    FFFECA1D, FFFE5AF9: C:\WINDOWS\SYSTEM\XCOMMSVR.EXE, ver 1, 6, 9, 7
    FFFEEC11, FFFE5AF9: C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE, ver 3.5.169.002
    FFFDC439, FFFFBA79: C:\WINDOWS\SYSTEM\mmtask.tsk, ver 4.90.3000
    FFFDC899, FFFFBA79: C:\WINDOWS\GWMDMMSG.EXE, ver 3.3.12.1 07/21/2001 10:49:54
    FFFD8B59, FFFE6345: C:\WINDOWS\SYSTEM\DEVLDR16.EXE, ver 1, 0, 0, 17
    FFFC4455, FFFFBA79: C:\WINDOWS\EXPLORER.EXE, ver 5.50.4134.100
    FFFC85ED, FFFE73D5: C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE, ver 4.90.0.2533
    FFFDAB19, FFFC4455: C:\WINDOWS\SYSTEM\SYSTRAY.EXE, ver 4.90.3000
    FFFB66D5, FFFC4455: C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE, ver 6, 0, 0, 409
    FFFEC6D9, FFFC4455: C:\PROGRAM FILES\ANALOGX\NETSTAT LIVE\NSL.EXE, ver 0.0.0.0
    FFFBFF31, FFFDAB19: C:\WINDOWS\SYSTEM\WMIEXE.EXE, ver 4.90.2452.1
    FFFBFAF5, FFFC4455: C:\WINDOWS\SUPERVISOR.EXE, ver 1.0.0.0
    FFFA472D, FFFC4455: C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE, ver 3.5.169.002
    FFFA3245, FFFC4455: C:\PROGRAM FILES\SOFTWIN\BDHOME\LMGUI.EXE, ver 1, 0, 0, 20
    FFF910E5, FFFC4455: C:\PROGRAM FILES\PDG 2\DOORS.EXE, ver 2.16.0.0
    FFFAE65D, FFF823ED: C:\AMERICA ONLINE 6.0\WAOL.EXE, ver 6.00.000
    FFFAE59D, FFFAE65D: C:\WINDOWS\SYSTEM\RNAAPP.EXE, ver 4.90.3000
    FFF7C179, FFFAE59D: C:\WINDOWS\SYSTEM\TAPISRV.EXE, ver 4.90.3000
    System snapshot taken on 2/8/2003 5:33:10 AM.

    *----> Summary/Overview <----*

    --------------------
    Adobe Type Manager has altered Windows system files.

    Module Name: ATMSYS.DRV
    Description: Adobe Type Manager
    Version: R v4.00-32S058G06NN
    Product: Adobe Type Manager
    Manufacturer: Adobe Systems Incorporated

    --------------------
    <unknown> has altered Windows system files.

    Module Name: <unknown>

    --------------------
    If the Taskbar is behaving strangely, try exiting Multimedia
    background task support module.

    Module Name: mmtask.tsk
    Description: Multimedia background task support module
    Version: 4.90.3000
    Product: Microsoft Windows
    Manufacturer: Microsoft Corporation

    User's Remarks:


    *----> System Information <----*

    Microsoft Windows ME 4.90.3000
    Clean install using OEM Preinstall Kit
    /T:C:\WININST0.400 /SrcDir=C:\WINDOWS\OPTIONS\CABS /IS /IW /IQ /ID /IV /IZ /II /NZ /II /C
    IE 5 5.00.2919.6307
    Uptime: 0:00:50:14
    Normal mode
    On "S0028853711" as "default"
    Gateway
    GenuineIntel Intel(R) Pentium(R) 4 CPU 1.80GHz
    256MB RAM
    47% system resources free
    Windows-managed swap file on drive C (67294MB free)
    Temporary files on drive C (67294MB free)

    *----> Task list <----*

    Program
    Type
    Path
    ------------

    1. Kernel32.dll
    4.90.3000
    Microsoft Corporation

    2. MSGSRV32.EXE
    4.90.3000
    Microsoft Corporation

    3. Spool32.exe
    4.90.3000
    Microsoft Corporation

    4. Mprexe.exe
    4.90.3000
    Microsoft Corporation

    5. Mstask.exe
    4.71.2721.1
    Microsoft Corporation

    6. Avgserv9.exe
    6.0.1.374
    GRISOFT, s.r.o

    7. Xcommsvr.exe
    1, 6, 9, 7
    Softwin

    8. Vsmon.exe
    3.5.169.002
    Zone Labs Inc.

    9. MMTASK.TSK
    4.90.3000
    Microsoft Corporation

    10. Gwmdmmsg.exe
    3.3.12.1 07/21/2001 10:49:54
    GTW

    11. Devldr16.exe
    1, 0, 0, 17
    Creative Technology Ltd.

    12. Explorer.exe
    5.50.4134.100
    Microsoft Corporation

    13. Stmgr.exe
    4.90.0.2533
    Microsoft Corporation

    14. Systray.exe
    4.90.3000
    Microsoft Corporation

    15. Avgcc32.exe
    6, 0, 0, 409
    GRISOFT s.r.o.

    16. Nsl.exe



    17. Wmiexe.exe
    4.90.2452.1
    Microsoft Corporation

    18. Supervisor.exe
    1.0.0.0


    19. Zapro.exe
    3.5.169.002
    Zone Labs Inc.

    20. Lmgui.exe
    1, 0, 0, 20
    4

    21. Waol.exe
    6.00.000
    America Online, Inc.

    22. Rnaapp.exe
    4.90.3000
    Microsoft Corporation

    23. Tapisrv.exe
    4.90.3000
    Microsoft Corporation

    24. Drwatson.exe
    4.03
    Microsoft Corporation

    *----> Startup Items <----*

    Name
    Loaded from
    Command
    -------------------

    1. Murphy Shield
    Startup Group
    "C:\Program Files\SOFTWIN\BDHome\lmgui.exe"

    2. ZoneAlarm Pro
    Common Startup Group
    "C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe"

    3. supervisor.exe
    Registry (Per-User Run)
    C:\WINDOWS\supervisor.exe

    4. SystemTray
    Registry (Machine Run)
    SysTray.Exe

    5. OEMRUNONCE
    Registry (Machine Run)
    c:\windows\options\cabs\oemrun.exe

    6. ScanRegistry
    Registry (Machine Run)
    C:\WINDOWS\scanregw.exe /autorun

    7. HPDJ Taskbar Utility
    Registry (Machine Run)
    C:\WINDOWS\SYSTEM\hpztsb03.exe

    8. AVG_CC
    Registry (Machine Run)
    C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

    9. NetStat Live
    Registry (Machine Run)
    C:\PROGRAM FILES\ANALOGX\NETSTAT LIVE\NSL.EXE

    10. devldr16.exe
    Registry (Machine Run)
    C:\WINDOWS\SYSTEM\devldr16.exe

    11. *StateMgr
    Registry (Machine Service)
    C:\WINDOWS\System\Restore\StateMgr.exe

    12. VidSvr
    Registry (Machine Service)


    13. SchedulingAgent
    Registry (Machine Service)
    mstask.exe

    14. Avgserv9.exe
    Registry (Machine Service)
    C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

    15. BitDefender Communicator
    Registry (Machine Service)
    C:\WINDOWS\SYSTEM\XCOMMSVR.EXE

    16. BitDefender Live! Init
    Registry (Machine Service)
    C:\PROGRAM FILES\SOFTWIN\BDHOME\AVXINIT.EXE

    17. TrueVector
    Registry (Machine Service)
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

    *----> System Patches <----*

    System module
    Modified by
    Path
    -------------------

    1. GDI
    ATMSYS.DRV
    R v4.00-32S058G06NN

    2. GDI
    <unknown>


    *----> System Hooks <----*

    Hook type
    Hooked by
    Application
    DLL path
    Application path
    ------------------------

    1. Shell
    MMSYSTEM.DLL
    mmtask.tsk
    C:\WINDOWS\SYSTEM\MMSYSTEM.DLL
    C:\WINDOWS\SYSTEM\mmtask.tsk

    *----> Kernel Drivers <----*

    Driver
    Loaded from
    Type
    Likely path
    -------------------
    NEED MORE INFO, please walk me through what you need...
    THANK YOU!!!!!
     
  2. TOGG

    TOGG

    Joined:
    Apr 2, 2002
    Messages:
    5,899
    michell911,

    There is a program called Trojan Remover which is free for 30 days from: www.simplysup.com

    By default it scans the usual places that trojans are launched from and can also be configured to search whole drives if necessary. Take a look at the website and see what you think.

    Also, search here on 'trojans' or 'worms' and see what else comes up. I know there are some online trojan scanners that you could use, assuming the problems you are sure you have don't interfere with any online scans.

    There are some really experienced people here and they may have much better ideas if you wait for their responses.

    PS. Just checked the link. TR website is referring to definitions dated 24/1 whereas I know the latest update was 6/2 so, if you try it, use the update feature before scanning. Also, be sure you thoroughly understand what you are doing. This program will amend files.
     
  3. michell911

    michell911 Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    6
    :) Thanks Togg,
    I will try that until I get more info
    Have a great day
    Michel
     
  4. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    14. Avgserv9.exe
    Registry (Machine Service)
    C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

    15. BitDefender Communicator
    Registry (Machine Service)
    C:\WINDOWS\SYSTEM\XCOMMSVR.EXE

    16. BitDefender Live! Init
    Registry (Machine Service)
    C:\PROGRAM FILES\SOFTWIN\BDHOME\AVXINIT.EXE

    You have two antivirus programs running: AVG and BitDefender. Xcommsvr.exe is BitDefender. You should choose one or the other but not run both at the same time.

    This is also a part of BitDefender:

    1. Murphy Shield
    Startup Group
    "C:\Program Files\SOFTWIN\BDHome\lmgui.exe"
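    The reply above identifies startup entries by reading the flattened "Startup Items" section of the Dr. Watson report (name, where it loads from, command). The following is an added example, not code from the thread or from any of the products named in it: it parses that layout and attaches review flags to entries a defender would want to verify first, such as a service with no command recorded (VidSvr above), a bare filename that Windows resolves through the search path (SysTray.Exe), a per-user Run key, or an executable sitting directly in the Windows root and named only after its file (supervisor.exe). The sample text is a constructed subset of the report posted in this thread; the flag names and rules are this example's own.

    ```python
    import re
    from dataclasses import dataclass
    from typing import Dict, List

    # Constructed sample: a subset of the "Startup Items" section of the
    # Dr. Watson report posted earlier in this thread, same flattened layout.
    SAMPLE_STARTUP = r"""*----> Startup Items <----*

    Name
    Loaded from
    Command
    -------------------

    1. Murphy Shield
    Startup Group
    "C:\Program Files\SOFTWIN\BDHome\lmgui.exe"

    3. supervisor.exe
    Registry (Per-User Run)
    C:\WINDOWS\supervisor.exe

    4. SystemTray
    Registry (Machine Run)
    SysTray.Exe

    6. ScanRegistry
    Registry (Machine Run)
    C:\WINDOWS\scanregw.exe /autorun

    12. VidSvr
    Registry (Machine Service)


    15. BitDefender Communicator
    Registry (Machine Service)
    C:\WINDOWS\SYSTEM\XCOMMSVR.EXE
    """

    ENTRY_RE = re.compile(r"^(\d+)\.\s+(.*)$")   # "3. supervisor.exe"
    RULE_RE = re.compile(r"^-{5,}\s*$", re.M)    # dashed line that ends the header


    @dataclass
    class StartupItem:
        number: int
        name: str
        loaded_from: str
        command: str   # empty when the report printed no command line


    def parse_startup_items(text: str) -> List[StartupItem]:
        """Turn the flattened three-line records into StartupItem objects."""
        rule = RULE_RE.search(text)
        body = text[rule.end():] if rule else text
        items = []
        for block in re.split(r"\n\s*\n", body):
            lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
            if not lines:
                continue
            m = ENTRY_RE.match(lines[0])
            if not m:
                continue
            items.append(StartupItem(
                number=int(m.group(1)),
                name=m.group(2),
                loaded_from=lines[1] if len(lines) > 1 else "",
                command=lines[2] if len(lines) > 2 else "",
            ))
        return items


    def executable_of(command: str) -> str:
        """First token of the command: a quoted path or the text up to the first space."""
        m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
        return (m.group(1) or m.group(2)) if m else ""


    def flag_item(item: StartupItem) -> List[str]:
        """Review prompts (not verdicts) for one startup entry; hypothetical rule set."""
        flags = []
        exe = executable_of(item.command)
        if not exe:
            return ["no command recorded"]
        if "\\" not in exe:
            # No directory: Windows locates the file via the search path,
            # so the entry does not tell you which copy actually runs.
            flags.append("bare filename (resolved via search path)")
        else:
            directory, _, basename = exe.rpartition("\\")
            if directory.lower() == r"c:\windows":
                flags.append("executable in Windows root")
            if basename.lower() == item.name.lower():
                flags.append("entry named after its file, no product name")
        if "per-user" in item.loaded_from.lower():
            flags.append("per-user Run key")
        return flags


    def triage(text: str) -> Dict[str, List[str]]:
        """Map entry name -> flags, keeping only entries that raised at least one."""
        return {i.name: f for i in parse_startup_items(text) if (f := flag_item(i))}


    if __name__ == "__main__":
        for name, flags in triage(SAMPLE_STARTUP).items():
            print(f"{name}: {', '.join(flags)}")
    ```

    Note that the legitimate ScanRegistry entry also trips the Windows-root rule: the flags only rank which entries to look up first, and the verdict still comes from checking the file's properties, signature and vendor as the later replies suggest.
    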
     
  6. michell911

    michell911 Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    6
    Hi
    Yes, that is correct, they are off of Disk E. I have a disk now with all antivirus, trojan utilities and some other programs I use. I just use the disk, and actually I have had them scan at the same time with no problems. But I am in the process of taking programs off the hard drive and adding them to my utility disk E.
    Thank You! Do Appreciate.
    Michel
     
  7. michell911

    michell911 Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    6
    I downloaded Trojan Remover and it locked up on reboot; I had to Ctrl-Alt-Del out. I ran it on the second reboot and it found nothing.
    Anyone know what C:/windows/supervisor.exe is? Part of an anti-virus, firewall, or trojan program, or is it the crack, Supervisor 2.0???
    All help appreciated Chele
     
  8. cnm

    cnm

    Joined:
    Oct 21, 2002
    Messages:
    246
    Is there any useful info when you right-click on supervisor.exe and select Properties?
     
  9. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
    Having the two antivirus programs may be what caused the one to be disabled. Can you get back into it and re-enable it? I also don't recommend two of them. I don't see any signs of a problem but hang in there, maybe someone with more knowledge will find something.

    Go to both supervisor folders and see if there are any text files or logs that you can learn more from.
     
  10. michell911

    michell911 Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    6
    > Go to both supervisor folders and see if there are any text files or logs that you can learn more from.


    I downloaded those two antiviruses after Norton was disabled. The definitions would not update, and even after a manual download the date on the viruses did not update. I deleted it off my system and downloaded those two. I made a utility disk on E, which is where they are going to be located, NOT the C drive.
    The Supervisor folders open and show NOTHING..
    In the boxes from Dr Watson, description and manufacturer are blank, Ver 1.0, part of anti trojan shield. But trojans and viruses can be polymorphic or take on valid program names, and I don't know enough to distinguish.
    Chele
     
  11. jm100dm

    jm100dm

    Joined:
    May 26, 1999
    Messages:
    994
    Has your subscription run out? To check open Norton click help then about. It should have the info there.

    What is CRack? Maybe you will find something in that file. Another thing that may help would be to check the date created on the supervisor program. If it was recently created and you didn't do it, it could be the culprit.

    "IN boxes from Dr watson desciption and Manufactor are blak Ver1.0 Part of anti trojan shield But trojans"
    Not sure I follow, has the Trojan been recognized and removed?
     
  12. michell911

    michell911 Thread Starter

    Joined:
    Feb 8, 2003
    Messages:
    6
    > Has your subscription run out? To check open Norton click help then about. It should have the info there.
    >
    > What is CRack. Maybe you will find something in that file. Another thing that may help would be to check the date created on the supervisor program. If it was recently created and you didn't do it it could be the culprit.
    >
    > "IN boxes from Dr watson desciption and Manufactor are blak Ver1.0 Part of anti trojan shield But trojans"
    > Not sure I follow, has the Trojan been recognized and removed?

    The subscription didn't run out as far as I knew! It just wouldn't update. One scan found NT Crash in a program but it doesn't clean it. But that's OK, it's a disposable program, I'll just delete the whole program. Otherwise the system does odd things, settings change etc. I leave things one way, turn around and they are another way. Nothing in particular, lots of little things, now lock-ups etc. And another scan found hybris clone of trojan etc. but doesn't clean. For example I downloaded a trojan cleaner on Togg's advice and I had to Ctrl-Alt-Del out of the reboot, things like that. I was rebooting for the trojan program to work and it locked up... I ran it on the 2nd reboot and it found nothing... But can't a trojan disable scanners, especially if it didn't reboot correctly the first shot?
    I have ports in TIME_WAIT. Port 1025 comes up like 10 times on NETSTAT most of the time, foreign address 0.0.0.0 or 127.0.0.1.
    Active Connections

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1032 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:4077 0.0.0.0:0 LISTENING
    TCP 172.138.28.120:1030 205.188.78.78:13784 ESTABLISHED
    TCP 172.138.28.120:1032 205.188.48.94:5190 ESTABLISHED
    TCP 172.138.28.120:139 0.0.0.0:0 LISTENING
    UDP 127.0.0.1:1038 *:*
    UDP 172.138.28.120:137 *:*
    UDP 172.138.28.120:138 *:*
    And why is DOS under command line A:\COMMAND.COM?
    Is that normal? Should it be off C:/COMMAND.COM?
    Things like that make me think I got something...

    A crack is a hacker's tool! Supervisor 2.0 is one of them!
    But I'm not sure if my Supervisor.exe is one and the same. But under description and manufacturer for that program it is BLANK.. oddly enough it just says part of trojan shield, but I'm skeptical to say the least. For an experiment I went into the registry editor and changed the name, and it reinstalls itself to initialize on startup. BitDefender asks me if this is OK, I tell it no, then it says it was unable to set data for Supervisor.
    Another oddity: my ZoneAlarm loads on startup and NOW so DOES AOL, and it's not in the Startup menu or in Startup, yet it tries to beat ZoneAlarm every time. I never set it to initialize on startup and I can't stop it. I usually Ctrl-Alt-Del to close it and usually get a Kernel32.dll error. All these things make me think something's up. On my AnalogX NetStat there's CONSTANT incoming and outgoing data. Every time I'm online at a site there's always OUTGOING! I'm NOT SENDING ANYTHING.. I'm just surfing. The data amounts of incoming/outgoing match, so it seems everything I see is being sent somewhere!! There shouldn't be ANY outgoing.. but there is.. all this makes me think so...
    thanks
    Chele
     

    Attached Files:
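    The post above pastes a `netstat -an` listing and asks whether the LISTENING and ESTABLISHED lines are a sign of compromise. The following is an added example, not code from the thread: it parses that exact listing (embedded below as constructed sample input, copied from the post) and sorts the sockets the way a defender would triage them, separating sockets bound to the dial-up address from loopback-only ones, annotating established connections with the well-known service on the remote port, and labelling high listening ports as the ephemeral or local RPC binds they usually are. The `KNOWN_PORTS` table and the bucket names are this example's own assumptions; the IPs and ports come from the post.

    ```python
    from dataclasses import dataclass
    from typing import Dict, List, Optional

    # Constructed sample: the netstat -an listing posted above, copied verbatim.
    SAMPLE_NETSTAT = """Active Connections

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1032 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:4077 0.0.0.0:0 LISTENING
    TCP 172.138.28.120:1030 205.188.78.78:13784 ESTABLISHED
    TCP 172.138.28.120:1032 205.188.48.94:5190 ESTABLISHED
    TCP 172.138.28.120:139 0.0.0.0:0 LISTENING
    UDP 127.0.0.1:1038 *:*
    UDP 172.138.28.120:137 *:*
    UDP 172.138.28.120:138 *:*
    """

    # Port annotations (assumed, well-known assignments used for this example).
    KNOWN_PORTS: Dict[int, str] = {
        137: "NetBIOS name service",
        138: "NetBIOS datagram service",
        139: "NetBIOS session service (Windows file/printer sharing)",
        5190: "AOL Instant Messenger",
    }


    @dataclass
    class Socket:
        proto: str
        local_host: str
        local_port: int
        remote_host: str
        remote_port: Optional[int]   # None where netstat prints '*'
        state: str                   # '' for UDP, which has no connection state


    def split_endpoint(endpoint: str):
        host, _, port = endpoint.rpartition(":")
        return host, (None if port == "*" else int(port))


    def parse_netstat(text: str) -> List[Socket]:
        """Parse the classic Windows netstat -an layout; banner/header lines are skipped."""
        sockets = []
        for line in text.splitlines():
            fields = line.split()
            if not fields or fields[0] not in ("TCP", "UDP"):
                continue
            lh, lp = split_endpoint(fields[1])
            rh, rp = split_endpoint(fields[2])
            state = fields[3] if len(fields) > 3 else ""
            sockets.append(Socket(fields[0], lh, lp, rh, rp, state))
        return sockets


    def is_loopback(host: str) -> bool:
        return host.startswith("127.")


    def service_name(port: Optional[int]) -> str:
        if port is None:
            return "any"
        if port in KNOWN_PORTS:
            return KNOWN_PORTS[port]
        if port >= 1024:
            return "high port (typically ephemeral or a local RPC bind)"
        return "unrecognised low port"


    def triage(sockets: List[Socket]) -> Dict[str, List[Socket]]:
        """Bucket sockets by what a defender checks first."""
        out: Dict[str, List[Socket]] = {
            "exposed_listeners": [],   # bound to a real interface or 0.0.0.0
            "loopback_only": [],       # reachable only from this machine
            "established": [],         # live connections to remote hosts
            "other": [],               # TIME_WAIT, CLOSE_WAIT, ...
        }
        for s in sockets:
            if s.proto == "TCP" and s.state == "ESTABLISHED":
                out["established"].append(s)
            elif is_loopback(s.local_host):
                out["loopback_only"].append(s)
            elif s.proto == "UDP" or s.state == "LISTENING":
                out["exposed_listeners"].append(s)
            else:
                out["other"].append(s)
        return out


    def report(text: str) -> List[str]:
        t = triage(parse_netstat(text))
        lines = []
        for s in t["exposed_listeners"]:
            lines.append(f"REVIEW {s.proto} {s.local_host}:{s.local_port} reachable from the network: {service_name(s.local_port)}")
        for s in t["established"]:
            lines.append(f"CONN   {s.remote_host}:{s.remote_port} ({service_name(s.remote_port)})")
        for s in t["loopback_only"]:
            lines.append(f"LOCAL  {s.proto} {s.local_host}:{s.local_port} only reachable from this machine")
        return lines


    if __name__ == "__main__":
        print("\n".join(report(SAMPLE_NETSTAT)))
    ```

    Read the output the way the later reply does: the established connection to port 5190 is the AOL client, the high listening ports are not evidence of anything by themselves, and the one line worth acting on is TCP 139 bound to the dial-up address, which exposes Windows file sharing to the Internet and should be unbound from that adapter. This netstat format does not say which process owns a socket, so the high ports still have to be matched against the task list by hand.
    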

  13. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Michelle, other than supervisor.exe and doors.exe, I'm really not seeing anything in those startups to raise concern about. With AOL, you probably don't even need a firewall as it tends to act as one in itself. Most if not all the TCP entries there look like normal AOL stuff.

    I'm not sure what you are referring to about the DOS command for command.com.

    But it might help if you gave us a post of your startups using the StartupList application rather than DrWatson. Just unzip and run it then copy/paste the results to a reply.

    http://www.lurkhere.com/~nicefiles/

    Supervisor.exe appears to be one of those two-edged swords, a legitimate program that can be used for other purposes. I don't know what's calling it. A look at the above startuplist might help.

    You could try renaming it and see if you get an error call on startup. You will need to end-task it first if it is in the Running Tasks when you do a ctrl-alt-del.

    Also, is this a known legit screensaver?

    C:\PROGRAM FILES\PDG 2\DOORS.EXE

    If you don't know what it is, I would kill it and delete the program file.
     
  14. size05

    size05

    Joined:
    Dec 28, 2004
    Messages:
    37
    I have the same HOOK when running Dr. Watson which is

    1. Shell
    MMSYSTEM.DLL
    mmtask.tsk
    C:\WINDOWS\SYSTEM\MMSYSTEM.DLL
    C:\WINDOWS\SYSTEM\mmtask.tsk

    What is a HOOK and is this something that may cause pc problems -- I read somewhere deleting mmtask.tsk is a good idea, but not enough info out there to be sure, and what about the mmsystem.dll and what a HOOK means. HELP me gain some more lovely KNOWLEDGE -- not that I'll ever understand everything there is to know about PC issues. One could go CRAZY!

    Thanks.
     


Short URL to this thread: https://techguy.org/117659
