What is VSStatm32.exe?

I found an application running on 10 sequential TCP ports (it changes after every ipconfig /renew). Checking its process ID points to an image name of VSStatm32.exe; however, this file does not exist on my system. I would guess it must be some sort of virus running from another file with another name. I have checked Norton's SARC with no luck; can anyone give me some direction on such an application/virus?
TRobertsonAsked:

wesly_chenCommented:
Hi,

   How about the spyware cleaner such as Ad-aware SE, Spybot-Search and Destroy?
Download it and get the definition table up-to-date and scan your PC.

Wesly
0
TRobertsonAuthor Commented:
I've tried Spybot S&D and ran another full drive scan with latest definitions from Symantec with hits.

Next I will reboot and run HijackThis to see if that can give me a bit more information.
0
TRobertsonAuthor Commented:
More info found:
04 - HKCU\..\Run: [Mcafee Antivirus Monitoring System32] VSStatm32.exe

I know that I have never had Mcafee installed so where does this come from?

Also I can not find this file on my system.

I am removing these Run keys from the registry however I still would like some info on where this came from.
0
wesly_chenCommented:
It's the virus/spyware with the same filename as Mcafee Antivirus Monitoring System32 (VSStatm32.exe).

You might want to log in to SAFE mode and search for VSStatm32.exe and delete it.

Wesly
0
TRobertsonAuthor Commented:
Ran safe-mode and search still no find.  
0
wesly_chenCommented:
So it's removed by the spyware cleaner.

Wesly
0
☠ MASQ ☠Commented:
This looks like a variant of the Win Comm trojan  (the legit Mcafee file is vsstat.exe)
You may have a few other nasties in there as well as this acts as a backdoor allowing them in
be wary of any other memory residents ending in "32.exe"
likely to be trojan/worm

Recommend you run HiJackThis! and post the log file of running processes.

Online virus check would be worthwhile also
0
MaxterJFCommented:
Yeah! It is a backdoor itself. It is the Win Comm trojan.

I just got one at job which had the same exact thing.

You should find in the HKLM\Software\Microsoft\Windows\Current Version\   -> Run and RunOnce  The entries VSStat32.exe, and Symantec.exe or Symantec.com and WinCom.exe.
You should find them too in HKCU\Software\Microsoft\Windows\Current Version\ -> Run and RunOnce  the same entries.

Tell me if you see them all! If you do, you have the latest version of WinCom trojan/malware.  
0
TRobertsonAuthor Commented:
"So it's removed by the spyware cleaner."
No, after I ran Spybot and rebooted a couple of times it would still run like before, grabbing 10 random ports. It would still run due to the Run key in the registry. I deleted the key but cannot find the file to delete to permanently remove it from my system.

Ran HiJackThis and everything else looked legit.  However I can not find any file named VSStat32.exe or vsstat.exe.  Also can anyone direct me to a virus definition page on the Win Comm trojan?  

"Online virus check"
What does this mean?  I use Symantec Corp. Ed. already, is there something else I should do?

I have used Spybot and HiJackThis, should I still run Ad Aware?
0
wesly_chenCommented:
Hi,

   Boot into Safe mode and search for the following files:
----
NetConfs.exe
VSStatm32.exe
crsss64.exe
command32.exe
symantec32.exe
VSStatm32.exe
crsss64.exe
WinComm.exe
----
rename them such as
NetConfs.exe  ==> _NetConfs_.exe

And reboot. If everything runs fine, then delete them. And scan your PC again.

>"Online virus check"
The process is running and you cannot kill it with Task Manager (it will run by itself again after a couple of seconds).
It will also check the registry and add itself back in even if you remove it from the registry.

So you need to rename/delete them in SAFE mode.

Wesly
0
TRobertsonAuthor Commented:
Found VSStatm32 in c:\windows\system32.
Sorry it was a hidden system file, forgot that XP makes it difficult to search system folders and display system files.
0
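
The sticking point in this thread was a Run entry whose target file could not be found because it carried the Hidden and System attributes. The following PowerShell is an added example, not part of the original thread: it lists the Run and RunOnce values under HKCU and HKLM and looks up each target with `-Force`, so hidden system files are included. The `Get-ImagePath` helper and the search-directory order are assumptions made for this illustration.

```powershell
# Added example: map Run/RunOnce autostart entries to files on disk,
# including files marked Hidden and System that a default search skips.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed lookup order for a bare image name: system directories, then PATH.
$searchDirs = @("$env:SystemRoot\System32", $env:SystemRoot) +
              ($env:Path -split ';' | Where-Object { $_ }) | Select-Object -Unique

# Hypothetical helper: pull the program path out of a Run command line.
function Get-ImagePath([string]$command) {
    # Shortest prefix ending in an executable extension, with or without quotes.
    if ($command -match '^\s*"?(.+?\.(exe|com|bat|cmd|scr|pif))\b') { return $Matches[1] }
    return ($command.Trim() -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [Environment]::ExpandEnvironmentVariables([string]$regKey.GetValue($name))
        $image = Get-ImagePath $command
        if (-not $image) { continue }

        # An entry with no directory part (as in the HijackThis line above)
        # is resolved through the search path, so check every candidate directory.
        if ([IO.Path]::IsPathRooted($image)) { $candidates = @($image) }
        else { $candidates = $searchDirs | ForEach-Object { [IO.Path]::Combine($_, $image) } }

        # -Force makes Get-Item return Hidden and System files as well.
        $found = @($candidates | ForEach-Object {
            Get-Item -LiteralPath $_ -Force -ErrorAction SilentlyContinue
        })
        $file = '<not found>'; $attrs = $null
        if ($found.Count -gt 0) { $file = $found[0].FullName; $attrs = $found[0].Attributes }

        [pscustomobject]@{
            Key = $key; Entry = $name; Command = $command
            File = $file; Attributes = $attrs
        }
    }
}
```

An entry whose `Attributes` column shows `Hidden, System`, or whose label names a product that was never installed, is the kind of result the posters above were looking for.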