Hi. I use Avast Home Edition and a file that reappears repeatedly after startup is C:\Windows\System32\mwinnmdt.exe. This file is detected by Avast and I delete it, but it reappears. Can you offer some advice on how I might track down where this file is being rewritten from? Thank you for any information.
By the way, I am running Windows XP Professional edition.
It would appear that there are other elements to this, which are restoring, downloading or installing it again.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
AVG Anti-Spyware (formerly Ewido): resident scanner during the trial, on-demand after the trial ends.
Or SUPERAntiSpyware: on-demand only in the free version.
Or Spyware Terminator: resident scanner.
A Google search for mwinnmdt.exe returns several hits; this is just one: http://fileinfo.prevx.com/adware/qq00821025…MWINNMDT.EXE.html
That is a backdoor trojan with a hidden infector. There are a few ways to treat this. If you are prepared, I can help.
Download ComboFix from Here or Here to your Desktop.
Double-click combofix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: do not mouse-click ComboFix's window while it is running. That may cause it to stall.
If a virus is replicant (keeps coming back again and again), you could follow the general cleaning procedure:
1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3.
2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.
3. Schedule a boot-time scan with avast. Start avast! > Right-click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. The other option is scanning in Safe Mode (repeatedly press F8 while booting).
4. It will be good if you download, install, update and run AVG Anti-Spyware. Some users recommend SUPERAntiSpyware, Spyware Terminator and/or a-squared (take care about false positives). If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. If you're still detecting any strange behaviour, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.
6. Also, if you're still detecting strange behaviours or you want to be sure you're clean, maybe making a HijackThis log to post here and, especially, scanning with RunScanner and submitting its log to on-line analysis would help to identify the problem and the solution.
7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.
8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
I took the path of least resistance. I downloaded and ran SUPERAntiSpyware. It seemed to take care of eliminating my problem file (I rebooted to see if the problem file reappeared and it did not). However, this whole exercise raised a question in my mind that I'm sure you guys could give me a good answer to. What antivirus software should I use on my computer, and what practices (i.e. scans) should I conduct and how often, so that I can minimize the risk of having a virus or some other problem reappear? Currently I am running the Avast! On-Access Scanner and Avast Home Edition anti-virus software. I truly would appreciate your advice. Thank you.
One other thing, Tech mentioned that quarantining a file was preferable to deleting it. Why is that? My inclination is to want to eliminate it immediately.
You should only ever have 'one' resident on-access antivirus installed; that doesn't stop you having an anti-spyware to act as a back-up scanner. Nor does it stop you having an on-demand anti-virus like BitDefender 'free', which is on-demand (only runs when you initiate a scan).
The simple answer: once deleted, there is nothing else you can do. Before you delete anything you should be absolutely certain of any detection. In the quarantine it can do no harm and you can investigate: Internet search on the file name and malware name, scan with a multi-engine scanner like VirusTotal or Jotti, etc.
It may also allow you to send a sample to avast to improve detections, so deletion is a poor first option. If for any reason it isn't a good detection, based on the above investigations, you can restore the file.
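The two practical questions in this thread, where a reappearing file is being launched from (the HijackThis/RunScanner step above) and how to check a suspect file against a multi-engine scanner before deciding about it (the VirusTotal/Jotti suggestion), can both be worked through with a short read-only script. The following is an added example written for this page, not code posted in the thread or from avast. It assumes a current Windows with PowerShell 4 or later (the XP machine in the thread would need PowerShell installed, and Get-FileHash does not exist there), and it takes the path C:\Windows\System32\mwinnmdt.exe from the first post as its default. The list of autostart locations is the usual set a HijackThis-style tool reports; it is not exhaustive. The script changes nothing: it hashes the file and reads the registry and task list.

```powershell
# Added example: locate autostart entries that reference a suspect file and hash it
# for a multi-engine lookup. Read-only; it deletes and modifies nothing.
param(
    [string]$SuspectName = 'mwinnmdt.exe',                          # file name from the thread
    [string]$SuspectPath = 'C:\Windows\System32\mwinnmdt.exe'       # path from the thread (assumed default)
)

# 1. Hash the file if it is currently on disk. The SHA-256 can be searched on a
#    multi-engine scanner without uploading the sample itself.
if (Test-Path -LiteralPath $SuspectPath) {
    $hash = Get-FileHash -LiteralPath $SuspectPath -Algorithm SHA256
    Write-Output ("SHA256 {0}  {1}" -f $hash.Hash, $SuspectPath)
} else {
    Write-Output "File not present right now: $SuspectPath (check the quarantine/Chest for a copy)"
}

$hits = New-Object System.Collections.Generic.List[object]
$pattern = [regex]::Escape($SuspectName)

# 2. Registry keys whose values are executed at boot or logon. A value naming the
#    file here is what makes it come back after every restart.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # Shell, Userinit
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'     # AppInit_DLLs, Load
)
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath provider metadata
        if ("$($p.Value)" -match $pattern) {
            $hits.Add([pscustomobject]@{ Location = $key; Name = $p.Name; Value = $p.Value })
        }
    }
}

# 3. Services and drivers whose ImagePath points at the file.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and ($img -match $pattern)) {
        $hits.Add([pscustomobject]@{ Location = $_.PSPath; Name = 'ImagePath'; Value = $img })
    }
}

# 4. Scheduled tasks (cmdlet available on Windows 8 / Server 2012 and later).
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ("$($a.Execute) $($a.Arguments)" -match $pattern) {
                $hits.Add([pscustomobject]@{
                    Location = "Task $($task.TaskPath)$($task.TaskName)"; Name = 'Action'; Value = $a.Execute })
            }
        }
    }
}

# 5. Report. No hits means nothing in these locations relaunches the file directly;
#    another running component is probably re-dropping it, which is what the
#    Safe Mode and boot-time scans in the thread are for.
if ($hits.Count -eq 0) {
    Write-Output "No autostart entry references $SuspectName in the locations checked."
} else {
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt. Each line of output is a place to clean up (or submit in a HijackThis-style log) after the file itself has been quarantined rather than deleted, so the hash and the sample stay available for a second opinion.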
You should use only one resident anti-virus software to eliminate conflicts when more than one av service “fights” over a virus infection. This often results in the virus not being controlled. Of course, we here on the forum use and recommend avast!
For other malware (trojans, adware, keyloggers, etc), many here recommend different software of which most are very good. You mentioned Superantispyware and many here like it very well. Some other programs that are recommended by users here are …
Spybot-Search&Destroy
Spyware Terminator
Lavasoft's Ad-Aware
AVG Antispyware
I think David & Tech both mentioned most of these in their posts above.
It is better to quarantine in case of a false positive (a file that is not really infected, etc.) and so that truly infected or suspect files can be sent to avast for evaluation. Some of these files may also be system files needed for best operation of your computer. If such system files are deleted, you may not know which one it is later and this could cause you further problems. In quarantine, these infections can do no harm as it is a protected area where the infections cannot get out.
I hope this helps you understand better.
EDIT:
Oops … David posted while I was writing. I hope both his reply and mine help you better understand.
First, no harm… The Chest is safe and viruses can't get out from there.
My security tools and suggestions are posted here: http://forum.avast.com/index.php?topic=28395.msg231962#msg231962