99.9% sure I have several worms trojans antivirus was disabled HELP!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

michell911

Thread Starter
Joined
Feb 8, 2003
Messages
6
I'm sure I have it, need solid proof. XCOMMSVR.exe is running
FFCFFCE5, 7E6F5D19: C:\WINDOWS\SYSTEM\KERNEL32.DLL, ver 4.90.3000
FFFFBA79, FFCFFCE5: C:\WINDOWS\SYSTEM\MSGSRV32.EXE, ver 4.90.3000
FFFFB261, FFFFBA79: C:\WINDOWS\SYSTEM\SPOOL32.EXE, ver 4.90.3000
FFFE5AF9, FFFFB261: C:\WINDOWS\SYSTEM\MPREXE.EXE, ver 4.90.3000
FFFE70C9, FFFE5AF9: C:\WINDOWS\SYSTEM\MSTASK.EXE, ver 4.71.2721.1
FFFED0E5, FFFE5AF9: C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE, ver 6.0.1.374
FFFECA1D, FFFE5AF9: C:\WINDOWS\SYSTEM\XCOMMSVR.EXE, ver 1, 6, 9, 7
FFFEEC11, FFFE5AF9: C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE, ver 3.5.169.002
FFFDC439, FFFFBA79: C:\WINDOWS\SYSTEM\mmtask.tsk, ver 4.90.3000
FFFDC899, FFFFBA79: C:\WINDOWS\GWMDMMSG.EXE, ver 3.3.12.1 07/21/2001 10:49:54
FFFD8B59, FFFE6345: C:\WINDOWS\SYSTEM\DEVLDR16.EXE, ver 1, 0, 0, 17
FFFC4455, FFFFBA79: C:\WINDOWS\EXPLORER.EXE, ver 5.50.4134.100
FFFC85ED, FFFE73D5: C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE, ver 4.90.0.2533
FFFDAB19, FFFC4455: C:\WINDOWS\SYSTEM\SYSTRAY.EXE, ver 4.90.3000
FFFB66D5, FFFC4455: C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE, ver 6, 0, 0, 409
FFFEC6D9, FFFC4455: C:\PROGRAM FILES\ANALOGX\NETSTAT LIVE\NSL.EXE, ver 0.0.0.0
FFFBFF31, FFFDAB19: C:\WINDOWS\SYSTEM\WMIEXE.EXE, ver 4.90.2452.1
FFFBFAF5, FFFC4455: C:\WINDOWS\SUPERVISOR.EXE, ver 1.0.0.0
FFFA472D, FFFC4455: C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE, ver 3.5.169.002
FFFA3245, FFFC4455: C:\PROGRAM FILES\SOFTWIN\BDHOME\LMGUI.EXE, ver 1, 0, 0, 20
FFF910E5, FFFC4455: C:\PROGRAM FILES\PDG 2\DOORS.EXE, ver 2.16.0.0
FFFAE65D, FFF823ED: C:\AMERICA ONLINE 6.0\WAOL.EXE, ver 6.00.000
FFFAE59D, FFFAE65D: C:\WINDOWS\SYSTEM\RNAAPP.EXE, ver 4.90.3000
FFF7C179, FFFAE59D: C:\WINDOWS\SYSTEM\TAPISRV.EXE, ver 4.90.3000
System snapshot taken on 2/8/2003 5:33:10 AM.

*----> Summary/Overview <----*

--------------------
Adobe Type Manager has altered Windows system files.

Module Name: ATMSYS.DRV
Description: Adobe Type Manager
Version: R v4.00-32S058G06NN
Product: Adobe Type Manager
Manufacturer: Adobe Systems Incorporated

--------------------
<unknown> has altered Windows system files.

Module Name: <unknown>

--------------------
If the Taskbar is behaving strangely, try exiting Multimedia
background task support module.

Module Name: mmtask.tsk
Description: Multimedia background task support module
Version: 4.90.3000
Product: Microsoft Windows
Manufacturer: Microsoft Corporation

User's Remarks:


*----> System Information <----*

Microsoft Windows ME 4.90.3000
Clean install using OEM Preinstall Kit
/T:C:\WININST0.400 /SrcDir=C:\WINDOWS\OPTIONS\CABS /IS /IW /IQ /ID /IV /IZ /II /NZ /II /C
IE 5 5.00.2919.6307
Uptime: 0:00:50:14
Normal mode
On "S0028853711" as "default"
Gateway
GenuineIntel Intel(R) Pentium(R) 4 CPU 1.80GHz
256MB RAM
47% system resources free
Windows-managed swap file on drive C (67294MB free)
Temporary files on drive C (67294MB free)

*----> Task list <----*

Program | Version | Manufacturer
------------
1. Kernel32.dll | 4.90.3000 | Microsoft Corporation
2. MSGSRV32.EXE | 4.90.3000 | Microsoft Corporation
3. Spool32.exe | 4.90.3000 | Microsoft Corporation
4. Mprexe.exe | 4.90.3000 | Microsoft Corporation
5. Mstask.exe | 4.71.2721.1 | Microsoft Corporation
6. Avgserv9.exe | 6.0.1.374 | GRISOFT, s.r.o
7. Xcommsvr.exe | 1, 6, 9, 7 | Softwin
8. Vsmon.exe | 3.5.169.002 | Zone Labs Inc.
9. MMTASK.TSK | 4.90.3000 | Microsoft Corporation
10. Gwmdmmsg.exe | 3.3.12.1 07/21/2001 10:49:54 | GTW
11. Devldr16.exe | 1, 0, 0, 17 | Creative Technology Ltd.
12. Explorer.exe | 5.50.4134.100 | Microsoft Corporation
13. Stmgr.exe | 4.90.0.2533 | Microsoft Corporation
14. Systray.exe | 4.90.3000 | Microsoft Corporation
15. Avgcc32.exe | 6, 0, 0, 409 | GRISOFT s.r.o.
16. Nsl.exe | (blank) | (blank)
17. Wmiexe.exe | 4.90.2452.1 | Microsoft Corporation
18. Supervisor.exe | 1.0.0.0 | (blank)
19. Zapro.exe | 3.5.169.002 | Zone Labs Inc.
20. Lmgui.exe | 1, 0, 0, 20 | 4
21. Waol.exe | 6.00.000 | America Online, Inc.
22. Rnaapp.exe | 4.90.3000 | Microsoft Corporation
23. Tapisrv.exe | 4.90.3000 | Microsoft Corporation
24. Drwatson.exe | 4.03 | Microsoft Corporation

*----> Startup Items <----*

Name
Loaded from
Command
-------------------

1. Murphy Shield
Startup Group
"C:\Program Files\SOFTWIN\BDHome\lmgui.exe"

2. ZoneAlarm Pro
Common Startup Group
"C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe"

3. supervisor.exe
Registry (Per-User Run)
C:\WINDOWS\supervisor.exe

4. SystemTray
Registry (Machine Run)
SysTray.Exe

5. OEMRUNONCE
Registry (Machine Run)
c:\windows\options\cabs\oemrun.exe

6. ScanRegistry
Registry (Machine Run)
C:\WINDOWS\scanregw.exe /autorun

7. HPDJ Taskbar Utility
Registry (Machine Run)
C:\WINDOWS\SYSTEM\hpztsb03.exe

8. AVG_CC
Registry (Machine Run)
C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

9. NetStat Live
Registry (Machine Run)
C:\PROGRAM FILES\ANALOGX\NETSTAT LIVE\NSL.EXE

10. devldr16.exe
Registry (Machine Run)
C:\WINDOWS\SYSTEM\devldr16.exe

11. *StateMgr
Registry (Machine Service)
C:\WINDOWS\System\Restore\StateMgr.exe

12. VidSvr
Registry (Machine Service)


13. SchedulingAgent
Registry (Machine Service)
mstask.exe

14. Avgserv9.exe
Registry (Machine Service)
C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

15. BitDefender Communicator
Registry (Machine Service)
C:\WINDOWS\SYSTEM\XCOMMSVR.EXE

16. BitDefender Live! Init
Registry (Machine Service)
C:\PROGRAM FILES\SOFTWIN\BDHOME\AVXINIT.EXE

17. TrueVector
Registry (Machine Service)
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

*----> System Patches <----*

System module
Modified by
Path
-------------------

1. GDI
ATMSYS.DRV
R v4.00-32S058G06NN

2. GDI
<unknown>


*----> System Hooks <----*

Hook type
Hooked by
Application
DLL path
Application path
------------------------

1. Shell
MMSYSTEM.DLL
mmtask.tsk
C:\WINDOWS\SYSTEM\MMSYSTEM.DLL
C:\WINDOWS\SYSTEM\mmtask.tsk

*----> Kernel Drivers <----*

Driver
Loaded from
Type
Likely path
-------------------
NEED MORE INFO, please walk me through what you need...
THANK YOU!!!!!
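The process snapshot at the top of this post is more useful than it looks. Each line reads `<process id>, <parent id>: <path>, ver <version>`, so the second value says which process started which. Following those links in the posted data: the service entries that are still running (MSTASK, AVGSERV9, XCOMMSVR, VSMON) all hang off MPREXE.EXE, the Startup-group and Run-key programs (SYSTRAY, AVGCC32, NSL, SUPERVISOR, ZAPRO, LMGUI, DOORS) all hang off EXPLORER.EXE, and a few programs (DEVLDR16, STMGR, WAOL) point at a parent that is no longer in the snapshot, meaning whatever launched them has since exited. The following is an added example, not code from the poster, the forum or Dr. Watson, that rebuilds that tree from the snapshot above and also lists executables running directly out of C:\WINDOWS rather than from SYSTEM or Program Files; that heuristic and its one-entry allowlist are this example's own and only produce leads to check, not verdicts about any file.

```python
"""Rebuild the process tree from a Windows 9x Dr. Watson process snapshot.

Added example, not code from the thread or from Dr. Watson. Each snapshot
line reads ``<process id>, <parent id>: <path>, ver <version>``. The
"runs directly out of C:\\WINDOWS" heuristic and its allowlist are this
example's own and only produce leads to check.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Process snapshot from the Dr. Watson report posted above (verbatim).
SNAPSHOT = r"""
FFCFFCE5, 7E6F5D19: C:\WINDOWS\SYSTEM\KERNEL32.DLL, ver 4.90.3000
FFFFBA79, FFCFFCE5: C:\WINDOWS\SYSTEM\MSGSRV32.EXE, ver 4.90.3000
FFFFB261, FFFFBA79: C:\WINDOWS\SYSTEM\SPOOL32.EXE, ver 4.90.3000
FFFE5AF9, FFFFB261: C:\WINDOWS\SYSTEM\MPREXE.EXE, ver 4.90.3000
FFFE70C9, FFFE5AF9: C:\WINDOWS\SYSTEM\MSTASK.EXE, ver 4.71.2721.1
FFFED0E5, FFFE5AF9: C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE, ver 6.0.1.374
FFFECA1D, FFFE5AF9: C:\WINDOWS\SYSTEM\XCOMMSVR.EXE, ver 1, 6, 9, 7
FFFEEC11, FFFE5AF9: C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE, ver 3.5.169.002
FFFDC439, FFFFBA79: C:\WINDOWS\SYSTEM\mmtask.tsk, ver 4.90.3000
FFFDC899, FFFFBA79: C:\WINDOWS\GWMDMMSG.EXE, ver 3.3.12.1 07/21/2001 10:49:54
FFFD8B59, FFFE6345: C:\WINDOWS\SYSTEM\DEVLDR16.EXE, ver 1, 0, 0, 17
FFFC4455, FFFFBA79: C:\WINDOWS\EXPLORER.EXE, ver 5.50.4134.100
FFFC85ED, FFFE73D5: C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE, ver 4.90.0.2533
FFFDAB19, FFFC4455: C:\WINDOWS\SYSTEM\SYSTRAY.EXE, ver 4.90.3000
FFFB66D5, FFFC4455: C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE, ver 6, 0, 0, 409
FFFEC6D9, FFFC4455: C:\PROGRAM FILES\ANALOGX\NETSTAT LIVE\NSL.EXE, ver 0.0.0.0
FFFBFF31, FFFDAB19: C:\WINDOWS\SYSTEM\WMIEXE.EXE, ver 4.90.2452.1
FFFBFAF5, FFFC4455: C:\WINDOWS\SUPERVISOR.EXE, ver 1.0.0.0
FFFA472D, FFFC4455: C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE, ver 3.5.169.002
FFFA3245, FFFC4455: C:\PROGRAM FILES\SOFTWIN\BDHOME\LMGUI.EXE, ver 1, 0, 0, 20
FFF910E5, FFFC4455: C:\PROGRAM FILES\PDG 2\DOORS.EXE, ver 2.16.0.0
FFFAE65D, FFF823ED: C:\AMERICA ONLINE 6.0\WAOL.EXE, ver 6.00.000
FFFAE59D, FFFAE65D: C:\WINDOWS\SYSTEM\RNAAPP.EXE, ver 4.90.3000
FFF7C179, FFFAE59D: C:\WINDOWS\SYSTEM\TAPISRV.EXE, ver 4.90.3000
System snapshot taken on 2/8/2003 5:33:10 AM.
"""

# "<pid>, <ppid>: <path>, ver <version>"; the path is matched non-greedily
# because versions like "1, 6, 9, 7" also contain commas.
_LINE = re.compile(r"^([0-9A-F]{8}),\s*([0-9A-F]{8}):\s*(.+?),\s*ver\s+(.+)$")


@dataclass
class Proc:
    pid: str
    ppid: str
    path: str
    version: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].upper()


def parse_snapshot(text: str) -> list:
    """One Proc per 'pid, ppid: path, ver x' line; any other line is ignored."""
    rows = (_LINE.match(line.strip()) for line in text.splitlines())
    return [Proc(*m.groups()) for m in rows if m]


def build_tree(procs):
    """Group processes under their parent. A process whose parent is not in the
    snapshot becomes a root: its launcher has exited or is not a Win32 process."""
    pids = {p.pid for p in procs}
    children, roots = defaultdict(list), []
    for p in procs:
        (children[p.ppid] if p.ppid in pids else roots).append(p)
    return roots, children


def children_of(procs, name: str) -> list:
    """Names of the processes started by every process called `name`."""
    _, children = build_tree(procs)
    return [c.name for p in procs if p.name == name.upper() for c in children[p.pid]]


def render_tree(procs) -> str:
    roots, children = build_tree(procs)
    lines = []

    def walk(p, depth):
        lines.append("  " * depth + f"{p.name} ({p.pid}, parent {p.ppid})")
        for c in children[p.pid]:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


WINDOWS_ROOT = "C:\\WINDOWS\\"
EXPECTED_IN_ROOT = {"EXPLORER.EXE"}  # the Win9x shell itself lives here


def windows_root_executables(procs) -> list:
    """Heuristic (this example's own): programs sitting directly in C:\\WINDOWS
    rather than under SYSTEM or Program Files deserve a second look."""
    out = []
    for p in procs:
        upper = p.path.upper()
        if not upper.startswith(WINDOWS_ROOT):
            continue
        rest = upper[len(WINDOWS_ROOT):]
        if "\\" not in rest and p.name not in EXPECTED_IN_ROOT:
            out.append(p.name)
    return out


if __name__ == "__main__":
    procs = parse_snapshot(SNAPSHOT)
    print(render_tree(procs))
    print("Started by EXPLORER.EXE:", ", ".join(children_of(procs, "EXPLORER.EXE")))
    print("Running from the Windows root:", ", ".join(windows_root_executables(procs)))
```

Run as-is it prints the indented tree followed by the two lists. Cross-checking the tree against the "Startup Items" section of the same report is the point: a program under EXPLORER.EXE should have a matching Run-key or Startup-group entry (SUPERVISOR.EXE does, the per-user Run entry), and a program under MPREXE.EXE should appear as a Machine Service; one with no launcher in the snapshot and no startup entry is the one to ask about.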
 
Joined
Apr 2, 2002
Messages
5,945
michell911,

There is a program called Trojan Remover which is free for 30 days from: www.simplysup.com

By default it scans the usual places that trojans are launched from and can also be configured to search whole drives if necessary. Take a look at the website and see what you think.

Also, search here on 'trojans' or 'worms' and see what else comes up. I know there are some online trojan scanners that you could use, assuming the problems you are sure you have don't interfere with any online scans.

There are some really experienced people here and they may have much better ideas if you wait for their responses.

PS. Just checked the link. TR website is referring to definitions dated 24/1 whereas I know the latest update was 6/2 so, if you try it, use the update feature before scanning. Also, be sure you thoroughly understand what you are doing. This program will amend files.
 
Joined
Dec 9, 2000
Messages
45,855
14. Avgserv9.exe
Registry (Machine Service)
C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

15. BitDefender Communicator
Registry (Machine Service)
C:\WINDOWS\SYSTEM\XCOMMSVR.EXE

16. BitDefender Live! Init
Registry (Machine Service)
C:\PROGRAM FILES\SOFTWIN\BDHOME\AVXINIT.EXE

You have two antivirus programs running, AVG and BitDefender. Xcommsvr.exe is BitDefender. You should choose one or the other, but not run both at the same time.

This is also a part of BitDefender:

1. Murphy Shield
Startup Group
"C:\Program Files\SOFTWIN\BDHome\lmgui.exe"
 

michell911

Thread Starter
Joined
Feb 8, 2003
Messages
6
Hi
Yes, that is correct, they are off of Disk E. I have a disk now with all anti-virus, trojan utilities and some other programs I use. I just use the disk, and actually I have had them scan at the same time with no problems. But I am in the process of taking programs off the hard drive, adding to my utility disk E.
Thank You! Do Appreciate.
Michel
 

michell911

Thread Starter
Joined
Feb 8, 2003
Messages
6
I downloaded Trojan Remover and it locked up on reboot, had to Ctrl-Alt-Del out. I ran it on the second reboot, found nothing.
Anyone know what C:\windows\supervisor.exe is? Part of an anti-virus, firewall, or trojan program, or is it the crack -- Supervisor 2.0???
All help appreciated, Chele
 

cnm

Joined
Oct 21, 2002
Messages
246
Is there any useful info when you right-click on supervisor.exe and select Properties?
 
Joined
May 26, 1999
Messages
994
Having the two antivirus programs may be what caused the one to be disabled. Can you get back into it and re-enable it? I also don't recommend two of them. I don't see any signs of a problem, but hang in there, maybe someone with more knowledge will find something.

Go to both supervisor folders and see if there are any text files or logs that you can learn more from.
 

michell911

Thread Starter
Joined
Feb 8, 2003
Messages
6
> Go to both supervisor folders and see if there are any text files or logs that you can learn more from.


I downloaded those two anti-viruses after Norton was disabled...... the definitions would not update, and even after a manual download the date on the viruses did not update. I deleted it off my system and downloaded those two. I made a utility disk on E, which is where they are going to be located, NOT the C drive.
The Supervisor folders open and show NOTHING ..
In the boxes from Dr. Watson, description and manufacturer are blank, Ver 1.0. Part of anti-trojan shield. But trojans and viruses can be polymorphic or take on valid program names, and I don't know enough to distinguish.
Chele
 
Joined
May 26, 1999
Messages
994
Has your subscription run out? To check, open Norton, click Help then About. It should have the info there.

What is CRack? Maybe you will find something in that file. Another thing that may help would be to check the date created on the supervisor program. If it was recently created and you didn't do it, it could be the culprit.

"IN boxes from Dr watson desciption and Manufactor are blak Ver1.0 Part of anti trojan shield But trojans"
Not sure I follow, has the Trojan been recognized and removed?
 

michell911

Thread Starter
Joined
Feb 8, 2003
Messages
6
> Has your subscription run out? To check, open Norton, click Help then About. It should have the info there.
>
> What is CRack? Maybe you will find something in that file. Another thing that may help would be to check the date created on the supervisor program. If it was recently created and you didn't do it, it could be the culprit.
>
> "IN boxes from Dr watson desciption and Manufactor are blak Ver1.0 Part of anti trojan shield But trojans"
> Not sure I follow, has the Trojan been recognized and removed?

The subscription didn't run out as far as I knew! It just wouldn't update. One scan found NT Crash in a program but it doesn't clean it. But that's OK, it's a disposable program, I'll just delete the whole program. Otherwise the system does odd things, settings change etc. I leave things one way, turn around and they are another way. Nothing in particular, lots of little things, now lock-ups etc. And another scan found a Hybris clone of a trojan etc. but doesn't clean. For example I downloaded a trojan cleaner on Toggs' advice and I had to CTRL-ALT-DEL out of the reboot, things like that. I was rebooting for the trojan program to work and it locked up... I ran it on the 2nd reboot and it found nothing... But can't a trojan disable scanners, especially if it didn't reboot correctly the first shot?
I have ports in TIME_WAIT. Port 1025 comes up like 10 times on NETSTAT most of the time, foreign address 0.0.0.0 or 127.0.0.1.
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1032 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4077 0.0.0.0:0 LISTENING
TCP 172.138.28.120:1030 205.188.78.78:13784 ESTABLISHED
TCP 172.138.28.120:1032 205.188.48.94:5190 ESTABLISHED
TCP 172.138.28.120:139 0.0.0.0:0 LISTENING
UDP 127.0.0.1:1038 *:*
UDP 172.138.28.120:137 *:*
UDP 172.138.28.120:138 *:*
And why is DOS under command line A:\COMMAND.COM?
Is THAT NORMAL? Should it be off C:\COMMAND.COM?
Things like that make me think I got something...

A crack is a hacker's tool! Supervisor 2.0 is one of them!
But I'm not sure if my Supervisor.exe is one and the same. Under description and manufacturer for that program it is BLANK.. oddly enough it just says part of Trojan Shield, but I'm skeptical to say the least. For an experiment I went into the registry editor and changed the name, and it reinstalls itself to initialize on startup. BitDefender asks me if this is OK, I tell it no, then it says it was unable to set data for Supervisor.
Another oddity: my ZoneAlarm loads on startup and NOW so DOES AOL, and it's not IN the Start-up Menu or in Startup, yet it tries to beat ZoneAlarm every time. I never SET it to initialize on startup and I CAN'T stop it. I usually CTRL-ALT-DEL to close it and usually get an error in Kernel32.dll. All these things make me think something's up. On MY AnalogX NetStat THERE'S CONSTANT incoming and outgoing data. Every time I'm online at a site there's always OUTGOING! I'm NOT SENDING ANYTHING.. I'm just surfing. The data amounts of incoming/outgoing match, so it seems everything I see is being sent somewhere!! There shouldn't be ANY outgoing.. but there is .. all this makes me think so...
thanks
Chele
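The netstat listing in the post above is the kind of output worth reading systematically rather than line by line. Two distinctions do most of the work: a socket bound to 127.0.0.1 can only be reached from the machine itself, while one bound to 0.0.0.0 or to the dial-up address is reachable from the network; and sockets that can accept traffic (TCP LISTENING, any bound UDP) are a separate question from ESTABLISHED ones, which show who the machine is talking to right now. Two caveats a practitioner would add: on Windows the dynamic ports a client uses for its own outbound connections start at 1025, so the same port showing up repeatedly in TIME_WAIT is normal connection teardown rather than evidence of anything; and netstat on Windows ME cannot say which program owns a socket (the -o switch arrived with Windows XP), so the listing gives leads to match against the task list, not names. The following is an added example, not code from the poster or the forum, that parses the posted listing and splits it along those lines; the NetBIOS port set and the "exposed versus loopback" grouping are this example's own triage heuristics, not a verdict on the machine.

```python
"""Triage a ``netstat -an`` dump: what is listening, on which interface, and
what is connected where.

Added example, not code from the thread. The NetBIOS port table and the
"exposed vs loopback" split are this example's own triage heuristics.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# netstat output from the post above (verbatim).
NETSTAT_DUMP = """\
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1032 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4077 0.0.0.0:0 LISTENING
TCP 172.138.28.120:1030 205.188.78.78:13784 ESTABLISHED
TCP 172.138.28.120:1032 205.188.48.94:5190 ESTABLISHED
TCP 172.138.28.120:139 0.0.0.0:0 LISTENING
UDP 127.0.0.1:1038 *:*
UDP 172.138.28.120:137 *:*
UDP 172.138.28.120:138 *:*
"""

# NetBIOS name, datagram and session services (file and printer sharing):
# reachable from the network when bound to a non-loopback address.
NETBIOS_PORTS = {137, 138, 139}

# "<proto> <ip>:<port> <ip>:<port|*> [<state>]"; UDP rows have no state.
_ROW = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)$")


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]  # None for "*" (unconnected UDP)
    state: str                  # TCP state; empty for UDP


def parse_netstat(text: str) -> list:
    """Parse the data rows of `netstat -an`; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        sockets.append(Socket(proto, lip, int(lport), rip,
                              int(rport) if rport.isdigit() else None, state))
    return sockets


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.")


def accepts_inbound(s: Socket) -> bool:
    """A TCP socket in LISTENING, or any bound UDP socket, can receive traffic."""
    return s.proto == "UDP" or s.state == "LISTENING"


def exposed_listeners(sockets) -> list:
    """Sockets other hosts can reach: bound to 0.0.0.0 or to a real interface."""
    return [s for s in sockets if accepts_inbound(s) and not is_loopback(s.local_ip)]


def loopback_listeners(sockets) -> list:
    """Sockets only this machine can reach."""
    return [s for s in sockets if accepts_inbound(s) and is_loopback(s.local_ip)]


def established(sockets) -> list:
    return [s for s in sockets if s.state == "ESTABLISHED"]


def triage(text: str) -> dict:
    sockets = parse_netstat(text)
    exposed = exposed_listeners(sockets)
    live = established(sockets)
    return {
        "sockets": len(sockets),
        "exposed_ports": sorted((s.proto, s.local_port) for s in exposed),
        "loopback_ports": sorted((s.proto, s.local_port) for s in loopback_listeners(sockets)),
        "netbios_exposed": sorted({s.local_port for s in exposed if s.local_port in NETBIOS_PORTS}),
        # remote hosts with live TCP sessions, and how many sessions each
        "peers": dict(Counter(s.remote_ip for s in live)),
        "peer_ports": sorted(s.remote_port for s in live),
    }


if __name__ == "__main__":
    for key, value in triage(NETSTAT_DUMP).items():
        print(f"{key}: {value}")
```

On the posted listing this separates the one loopback-only socket (UDP 1038) from seven network-reachable ones, and calls out that the NetBIOS trio (UDP 137/138, TCP 139) is bound to the dial-up address, which is a file-sharing exposure question independent of whether any trojan is present. The two ESTABLISHED sessions go to 205.188.x.x hosts, one on port 5190, the port AOL's client software uses; that is consistent with the reply below that these look like normal AOL traffic, and it is also why a client that is "just surfing" always shows outgoing bytes: every request and every acknowledgement is outbound data.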
 


Joined
Dec 9, 2000
Messages
45,855
Michelle, other than supervisor.exe and doors.exe, I'm really not seeing anything in those startups to raise concern about. With AOL, you probably don't even need a firewall as it tends to act as one in itself. Most if not all the TCP entries there look like normal AOL stuff.

I'm not sure what you are referring to about the DOS command for command.com.

But it might help if you gave us a post of your startups using the StartupList application rather than DrWatson. Just unzip and run it then copy/paste the results to a reply.

http://www.lurkhere.com/~nicefiles/

Supervisor.exe appears to be one of those two-edged swords, a legitimate program that can be used for other purposes. I don't know what's calling it. A look at the above startuplist might help.

You could try renaming it and see if you get an error call on startup. You will need to end-task it first if it is in the Running Tasks when you do a ctrl-alt-del.

Also, is this a known legit screensaver?

C:\PROGRAM FILES\PDG 2\DOORS.EXE

If you don't know what it is, I would kill it and delete the program file.
 
Joined
Dec 28, 2004
Messages
37
I have the same HOOK when running Dr. Watson, which is:

1. Shell
MMSYSTEM.DLL
mmtask.tsk
C:\WINDOWS\SYSTEM\MMSYSTEM.DLL
C:\WINDOWS\SYSTEM\mmtask.tsk

What is a HOOK, and is this something that may cause PC problems? I read somewhere that deleting mmtask.tsk is a good idea, but there's not enough info out there to be sure, and what about the mmsystem.dll, and what does a HOOK mean? HELP me gain some more lovely KNOWLEDGE -- not that I'll ever understand everything there is to know about PC issues. One could go CRAZY!

Thanks.
 