Solved

What is VSStatm32.exe?

Posted on 2004-11-03
Last Modified: 2010-10-05
I found an application running on 10 sequential TCP ports (it changes after every ipconfig /renew). Checking its process ID points to an image name VSStatm32.exe; however, this file does not exist on my system. I would guess it must be some sort of virus running from another file with another name. I have checked Norton's SARC with no luck. Can anyone give me some direction on such an application/virus?
Question by:TRobertson
12 Comments
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12486981
Hi,

   How about the spyware cleaner such as Ad-aware SE, Spybot-Search and Destroy?
Download it and get the definition table up-to-date and scan your PC.

Wesly
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12487036
0
 
LVL 3

Author Comment

by:TRobertson
ID: 12487166
I've tried Spybot S&D and ran another full drive scan with latest definitions from Symantec with hits.

Next I will reboot and run HijackThis to see if that can give me a bit more information.
0

 
LVL 3

Author Comment

by:TRobertson
ID: 12487339
More info found:
04 - HKCU\..\Run: [Mcafee Antivirus Monitoring System32] VSStatm32.exe

I know that I have never had Mcafee installed so where does this come from?

Also I can not find this file on my system.

I am removing these Run keys from the registry however I still would like some info on where this came from.
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12487429
It's the virus/spyware with the same filename as Mcafee Antivirus Monitoring System32 (VSStatm32.exe).

You might want to log in to SAFE mode and search for VSStatm32.exe and delete it.

Wesly
0
 
LVL 3

Author Comment

by:TRobertson
ID: 12487533
Ran safe-mode and search still no find.  
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12487585
So it's removed by the spyware cleaner.

Wesly
0
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 12487817
This looks like a variant of the Win Comm trojan  (the legit Mcafee file is vsstat.exe)
You may have a few other nasties in there as well as this acts as a backdoor allowing them in
be wary of any other memory residents ending in "32.exe"
likely to be trojan/worm

Recommend you run HiJackThis! and post the log file of running processes.

Online virus check would be worthwhile also
0
 
LVL 2

Expert Comment

by:MaxterJF
ID: 12491640
Yeah! It is a backdoor itself. It is the Win Comm trojan.

I just got one at my job which had the same exact thing.

You should find in the HKLM\Software\Microsoft\Windows\Current Version\   -> Run and RunOnce  The entries VSStat32.exe, and Symantec.exe or Symantec.com and WinCom.exe.
You should find them too in HKCU\Software\Microsoft\Windows\Current Version\ -> Run and RunOnce  the same entries.

Tell me if you see them all! If you do, you have the latest version of WinCom trojan/malware.  
0
 
LVL 3

Author Comment

by:TRobertson
ID: 12493422
"So it's removed by the spyware cleaner."
No, after I ran Spybot and rebooted a couple of times it would still run like before, grabbing 10 random ports. It would still run due to the Run key in the registry. I deleted the key but cannot find the file to delete to permanently remove it from my system.

Ran HiJackThis and everything else looked legit.  However I can not find any file named VSStat32.exe or vsstat.exe.  Also can anyone direct me to a virus definition page on the Win Comm trojan?  

"Online virus check"
What does this mean?  I use Symantec Corp. Ed. already, is there something else I should do?

I have used Spybot and HiJackThis, should I still run Ad Aware?
0
 
LVL 38

Accepted Solution

by:
wesly_chen earned 1000 total points
ID: 12495484
Hi,

   Boot into Safe mode and search for the following files:
----
NetConfs.exe
VSStatm32.exe
crsss64.exe
command32.exe
symantec32.exe
VSStatm32.exe
crsss64.exe
WinComm.exe
----
rename them such as
NetConfs.exe  ==> _NetConfs_.exe

And reboot. If everything runs fine, then delete them. And scan your PC again.

>"Online virus check"
The process is running and you cannot kill it with Task Manager (it will run by itself after a couple of seconds).
It will also check the registry and add itself in even if you remove it from the registry.

So you need to rename/delete them in SAFE mode.

Wesly
0
 
LVL 3

Author Comment

by:TRobertson
ID: 12496010
Found VSStatm32 in c:\windows\system32.
Sorry it was a hidden system file, forgot that XP makes it difficult to search system folders and display system files.
0
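The two findings in this thread (a Run key pointing at a bare file name, and a target that was a hidden system file in system32) combine into one check, shown here as an added PowerShell example that is not part of the original posts. The search directories and the simple command-line parsing are assumptions; it only reads the registry and file attributes.

```powershell
# Added example: list Run/RunOnce autostart entries and locate their targets,
# including files marked Hidden/System that a default file search skips.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: bare names such as VSStatm32.exe live in the usual system paths.
$searchDirs = @((Join-Path $env:SystemRoot 'System32'), $env:SystemRoot)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)

        # Take the quoted path if present, otherwise the first token.
        # (Unquoted paths containing spaces are not handled by this sketch.)
        if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($command.Trim() -split '\s+')[0] }
        if (-not $exe) { continue }

        if ([IO.Path]::IsPathRooted($exe)) { $candidates = @($exe) }
        else { $candidates = $searchDirs | ForEach-Object { Join-Path $_ $exe } }

        # -Force makes Get-Item return Hidden and System files as well.
        $file = $candidates |
            ForEach-Object { Get-Item -LiteralPath $_ -Force -ErrorAction SilentlyContinue } |
            Select-Object -First 1

        $resolved = '<not found>'; $attrs = $null; $hidden = $false
        if ($file) {
            $resolved = $file.FullName
            $attrs    = $file.Attributes
            $hidden   = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
        }

        [pscustomobject]@{
            Key = $key; ValueName = $name; Command = $command
            ResolvedTo = $resolved; Attributes = $attrs; Hidden = $hidden
        }
    }
}
```

An entry whose value name claims one vendor while the resolved file is hidden, or cannot be resolved at all, is the pattern described in this question and is worth a closer look.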
