Status needed for a suspect process

Hello,

Does anyone know a process named mgdntgd32.exe, of which I am suspicious?
It seems to me that it disturbs my Win XP SP2 system like a filtering firewall: IE cannot find any page.
When I kill the process, it's OK.

I searched Google for this process, but no result matches this keyword… so it is not a regular Win XP process,
but Avast, SpyBot and Ad-Aware didn't find any virus or spyware…!

Thanks a lot
Fabrice
France

Hi Flebon,

You could try a-Squared and Ewido. If they don’t find anything, you could post a HijackThis! log.

http://www.bleepingcomputer.com/forums/tutorial42.html

You could also try a scan with some of the online scanners: Panda and Trend Micro Housecall are often recommended.

If nothing comes up on Google, it's usually a randomly-named malware file.

Submitting the file to an online multi-engine scanner might help identify it (but not remove it). That's if you can find the malware file itself, of course.

http://www.virustotal.com/flash/index_en.html

http://virusscan.jotti.org/

Hi FreewheelinFrank,

Thank you for your help.
I already made an attempt to find the file on my local disks, but it failed.
I tried to use the Panda online scanner, but it failed too (Avast was watching out… and detected a VBS install!).

But I'll try all your tips/advice until I find who is hiding behind this process!

Bye
Fabrice

Beware, don't use Panda's on-line scanner, as it doesn't encrypt its virus signature files and can cause subsequent false positive detections by avast in the Panda-created folder activescan.

I suggest another alternative or a link to several alternatives.
On-line Virus Scanners and other useful Links Security-Ops.eu.tt

Hello,

Let me tell you about my progress on my malicious process mgdntgd32.exe.
After running a-Squared and Ewido scans, a dozen entries were detected…
I also deactivated some IE plug-ins which were weird (no vendor name, suspicious names… such as iiiii.dll, cbxuu.dll, wuweb.dll).

After some deletions and a reboot, as if by magic, the process called mgdntgd32.exe disappeared; but I noticed another one with the same size, etfanoo32.exe.

And the initial problem still remains.
So I plan to use the solution recommended by FreewheelinFrank, which is to use HijackThis!, but if the malware changes its name, it means that it stores its replication code in many places >:( …

Before that I will try some software from the http://www.security-ops.eu.tt/ site (thanks to DavidR).

The battle is hard, but I am beginning to like it… and will win!

Thanks
Fabrice

Hi again,

Some news about it.
As I tried to search for etfanoo32.exe with regedit, the regedit window was killed after a few seconds every time I launched it, until I killed etfanoo32.exe in my turn.

I can now open regedit and see etfanoo32.exe in multiple places, such as:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Bye,
Fabrice

HijackThis would have highlighted these Run entries very quickly, and you could have applied the fix via HijackThis.

HijackThis is a very useful analysis tool (not a solution like a pro-active tool); it doesn't remove anything, you have to select what to fix (and for many things this means deleting the registry entry). There are a number of on-line analysis sites that will help with these decisions, and you can also use Google for more information on a process or file name, etc.

For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.
OR HiJackThis Log file - On-line Analysis 2

However, what would have been useful is the location of the file. If it is in any of the system folders, it needs permission to do this and to create registry entries. Give yourself a fighting chance and don't give malware administrator privileges by default.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that your user account has. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator.
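The Run-key entries Fabrice found and the HijackThis O4 (Run key) check DavidR describes can be triaged offline from a regedit export. The following is an added example, not code from this thread, from HijackThis or from any vendor: it parses a constructed .reg export (the registry text below is made up for illustration, with two legitimate entries mixed in with names like the ones in the thread) and flags autostart entries whose executable name mimics a Windows "*32.exe" system file, is a bare file name with no directory, or consists of an unpronounceable letter run typical of randomly generated names. The allowlist of genuine "*32.exe" binaries is a small constructed sample, not a complete list.

```python
"""Triage Run-key autostart entries from a regedit (.reg) export.

Added example, not code from the thread, HijackThis or any vendor: it
reproduces the kind of check HijackThis does for O4 (Run key) entries.
"""
import re
from collections import namedtuple
from pathlib import PureWindowsPath

Entry = namedtuple("Entry", "key name command")

# Constructed sample export (not a real capture): a Run key in the state
# Fabrice describes, with legitimate entries mixed in.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"Windows Updater"="C:\\WINDOWS\\system32\\etfanoo32.exe"
"Microsoft Driver Setup"="mgdntgd32.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Genuine XP binaries ending in "32.exe" (constructed, deliberately
# incomplete allowlist; extend it from a known-clean machine).
KNOWN_SYSTEM_BINARIES = {"rundll32.exe", "regsvr32.exe", "odbcad32.exe", "winhlp32.exe"}
VOWELS = set("aeiouy")


def reg_unescape(text):
    """Undo the escaping regedit applies to REG_SZ values."""
    return text.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Yield (key, value name, command) for every string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield Entry(key, reg_unescape(m.group(1)), reg_unescape(m.group(2)))


def executable_of(command):
    """Extract the program from a Run-key command line.

    Quoted paths are taken verbatim; unquoted ones are cut at the first
    '.exe', which copes with unquoted paths that contain spaces.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return PureWindowsPath(command[1:end] if end > 0 else command[1:])
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    if m:
        return PureWindowsPath(m.group(1))
    return PureWindowsPath(command.split()[0] if command else "")


def longest_consonant_run(word):
    """Length of the longest run of consonants; random names tend to score high."""
    run = best = 0
    for ch in word.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def suspicion_reasons(entry):
    """Return the list of reasons an autostart entry deserves a closer look."""
    exe = executable_of(entry.command)
    base = exe.name.lower()
    if base in KNOWN_SYSTEM_BINARIES:
        return []  # trusted host binary; what it loads (its arguments) needs a separate check
    reasons = []
    if base.endswith("32.exe"):
        reasons.append("name mimics a '*32.exe' system binary but is not a known one")
    if len(exe.parts) == 1:
        reasons.append("bare file name with no directory, resolved through the search path")
    if longest_consonant_run(exe.stem.rstrip("0123456789")) >= 4:
        reasons.append("unpronounceable letter run, typical of randomly generated names")
    return reasons


def triage(reg_text):
    """Map executable basename -> reasons, for every flagged Run-key entry."""
    flagged = {}
    for entry in parse_reg(reg_text):
        if "\\currentversion\\run" not in entry.key.lower():
            continue  # only the Run / RunOnce / RunServices keys
        reasons = suspicion_reasons(entry)
        if reasons:
            flagged[executable_of(entry.command).name.lower()] = reasons
    return flagged


if __name__ == "__main__":
    for exe, reasons in triage(SAMPLE_REG).items():
        print(exe)
        for reason in reasons:
            print("   -", reason)
```

On the sample, mgdntgd32.exe trips all three rules and etfanoo32.exe only the "*32.exe" one, while avast, the sound driver, Spybot and the rundll32 entry pass. These are weak signals for a first pass, not a verdict: a pronounceable random name like etfanoo slips past the consonant-run rule, and a legitimate tool with a terse name can be flagged. DavidR's point still applies, the file's location and who signed it decide, and anything launched through a trusted host such as rundll32.exe must be judged by the DLL it loads, which this script deliberately does not attempt.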

The Panda scanner is one of a limited number that will remove malware. Simply disable avast! while you're scanning (the scanner is not infecting your computer with malware) and re-enable avast! when you finish. Uninstall the Panda ActiveScan scanner when you have finished if you are worried about false positives.

Trend Micro Housecall is worth trying, but I prefer to download Sysclean. Again this will produce false positives if you don’t disable avast! when you run it, but it’s well worth running if you have multiple infections. Links to both plus other online and downloadable scanners here:

http://www.geocities.com/dontsurfinthenude/antivir2.htm

Hello,

After a lot of tries, F-Secure Online Scanner http://support.f-secure.com/enu/home/ols.shtml gave a name for my malware: it is Rbot, alias Backdoor.Rbot.gen.

f-bot.exe made the disinfection.
F-Secure also found BAT.Ftp, alias Trojan-Downloader.BAT.Ftp, which I will deal with simply by deleting it, as F-Secure said.

Now I reboot the PC and "cross my fingers", as we say.
Anyway, if it isn't good, I will be able to pursue all the given advice…

This post is closed,
Thanks for all
Fabrice