Win32:Agent-EMT keeps popping up

I recently picked up the Win32:Agent-EMT trojan horse, possibly in China with some Nintendo DS Supercard software.

The AVAST warning relates to a file MDM.EXE in the Windows folder. I move it to the chest, or rename it, or delete it, and every time it reappears some 30-60 seconds later. It just won’t die!!

Also, now when I right-click on my C Drive, instead of the first two options being “Open” and “Explore”, I get a string of weird (Chinese?) characters.

Help!!

Hi jonfitton,

Have you tried a boot time scan with avast!? (Right click the scanner screen, select ‘schedule a boot time scan’ and reboot).

If that fails, check for rootkits (programs which hide other infections) using a rootkit scanner. I’d recommend F-Secure’s BlackLight, AVG and Panda’s scanners:

http://www.antirootkit.com/software/index.htm

Then scan with AVG Anti-Spyware and/or a-Squared Free, Ad-Aware and Spybot Search & Destroy:

http://www.ewido.net/en/

http://www.emsisoft.com/en/software/free/

http://www.download.com/3000-2144-10045910.html

http://www.safer-networking.org/en/download/index.html

Thanks Frank. The boot time scan seems to have cured the trojan.

However, I still have the weird characters instead of Open & Explore when I right-click the C drive.

Any ideas?

This program allows you to examine right-click options (shell extensions):

http://www.nirsoft.net/utils/shexview.html

The help page may give you some clues about where to look in the registry:

http://windowsxp.mvps.org/slowrightclick.htm

The help page links to this page which looks like it could be useful:

http://windowsxp.mvps.org/context_folders.htm

*You can completely balls up your computer editing the registry so always make a registry back-up, and don’t try it unless you have a reasonable idea what you’re doing.

I’ve got exactly the same problem, and a full boot time scan didn’t help. I also used the rootkit hunter software as prescribed along with Spybot, but no success. Though my shell extension menu hasn’t turned to Chinese, I just somehow can’t show hidden files any more!!!

Hi Shoaib,

Have you tried the anti-Trojan, anti-spyware programs listed in my previous post?

Hi,
Well, I’ve done exactly everything you mentioned above. First of all it didn’t appear anywhere in the boot scan and then later when I logged into Windows it all started once again. It seems it is resident in shell extension files, as I can no longer change the option to show hidden files!!!

The problem is likely to be in this key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = “0”

In Regedit right click the value and select ‘modify’. I expect “1” is not hidden and “2” is hidden, with “0” being disabled.

I found this link that has some .reg files and VBS tools for resolving problems like this, http://www.kellys-korner-xp.com/xp_tweaks.htm, Item 155. Enable/Disable Show Hidden Files/Folders also seems to fit the bill.

Thankx for the tips, but the problem remains. I can modify the registry and see it working, but as soon as I open My Computer avast pops up with MDM.EXE infected with the trojan, and the values in the registry revert back! I just can’t get rid of this trojan. I’m going to start in safe mode with command prompt only, let’s see if I can get it like that!!!

What is the location of the mdm.exe file that is reported as infected ?
Take care, as there is a legitimate Windows file called mdm.exe, although I don’t have it on my system.

http://www.liutilities.com/products/wintaskspro/processlibrary/mdm/
http://www.neuber.com/taskmanager/process/mdm.exe.html

It’s always C:\windows\mdm.exe :-[

Can you just confirm you’ve tried AVG Anti-Spyware?

If you have, try a few online scans: F-Secure, Panda, Trend Micro Housecall.

(Disable avast! while scanning).

You can find links here:

http://www.geocities.com/dontsurfinthenude/antivir2.htm

That would tend to confirm malware, as the usual location is c:\windows\system32.

Something is recreating/downloading this file. It is fine that avast detects it, but it isn’t detecting the file that is creating it. Now the anti-spyware programs Frank mentioned, http://www.ewido.net/en/ and
http://www.emsisoft.com/en/software/free/, should have better success at finding what may be a trojan downloader. These should be run from safe mode to be most effective: keep pecking away at the F8 key when your system is booting and you should get options to boot into safe mode.

Now a good firewall should stop unauthorised outbound connections. What is your firewall?

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3
Post the contents of the HJT log file here or check out these sites. On-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.

Going to try all your suggestions. I’m running Zone Alarm (free version) on the desktop and I have a gateway firewall (ipcop) on my network. I know where the virus came from, e.g. a friend of mine brought his USB with some data. As he inserted it into my PC avast picked it up and started blaring. I immediately removed the USB but the damage was done; now this thing is hiding somewhere deep, and I fear that I’ll have to salvage my data and format the hard disk to get rid of it :-[

Here is the log file of HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 10:13:16 AM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.100:800
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.100;
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe”
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [SoundMAX] “C:\Program Files\Analog Devices\SoundMAX\Smax4.exe” /tray
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe”
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra ‘Tools’ menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163222300109
O17 - HKLM\System\CCS\Services\Tcpip..{80D9B2CE-89F6-4955-AF15-1C730A4CAC1F}: NameServer = 192.168.0.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: FrontLine Drivers Auto Removal (v2) (sfrem02) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem02.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

HijackThis.de is highlighting this line as ‘incorrect’. Try fixing it with HijackThis! and see if it helps.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore

I can’t see anything malicious. Have you tried the online scans? Which rootkit scanner did you use? Maybe try one or two more because sometimes one will pick up something the others miss.

Windows Defender can occasionally prevent HijackThis from reporting all it should. Can you disable Defender and post a new log?

EDIT: When you first posted you indicated your problem is exactly the same as jonfitton’s. He reported a recurring Win32:Agent-EMT infection in MDM.EXE.

Is yours exactly that, or is it similar in the shell extension problems but different in other ways?
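A small triage helper for HijackThis-style logs, added here as an illustration and not something posted in the thread or shipped with HijackThis. It applies the checks the replies above rely on: an executable sitting directly in the Windows folder rather than system32, "(file missing)" entries, and services with no publisher. The log lines it runs over are constructed for the example.

```python
import re

# Constructed HijackThis-style lines (not copied from the posted log).
# The [mdm] entry is invented to mirror the symptom discussed in the thread:
# an executable living directly in C:\WINDOWS instead of system32.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [mdm] C:\WINDOWS\mdm.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
""".strip()

# First Windows path on the line (drive letter or %windir%), quoted or not,
# up to an executable-style extension.
PATH_RE = re.compile(r'(?:[A-Za-z]:|%\w+%)\\[^"\r\n]*?\.(?:exe|dll|cab)', re.IGNORECASE)

# Folders where a loose executable deserves a second look.
ODD_PARENTS = {"c:\\windows", "%windir%"}


def suspicious_entries(log_text):
    """Return (line, reason) pairs that a human should review."""
    findings = []
    for line in log_text.splitlines():
        match = PATH_RE.search(line)
        if not match:
            continue  # no file path on this line (e.g. R0/R1 URL entries)
        path = match.group(0)
        parent = path.rsplit("\\", 1)[0].lower()
        if parent in ODD_PARENTS:
            findings.append((line, "executable directly under the Windows folder, not system32"))
        elif "(file missing)" in line:
            findings.append((line, "referenced file is missing"))
        elif "Unknown owner" in line:
            findings.append((line, "service has no publisher; verify it before trusting it"))
    return findings


if __name__ == "__main__":
    for entry, why in suspicious_entries(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

The location check is only a heuristic: a legitimate mdm.exe lives under system32, as the thread notes, so a hit here means "look closer", not "malware".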

I’ll download and use more rootkit hunters, I’ll also disable Windows Defender, and create a new log file. And yes, the mdm.exe is repeatedly being detected by avast saying it has traces of Win32:Agent-EMT[Trj]. So my problem is exactly as jonfitton’s. Last night I looked in my processes and saw mdm in there; I killed the process and rebooted my machine, and logged in, and just a few minutes later avast started blaring. Also if I open My Computer or if I use Windows Explorer. I’ll come back with more logs.
Thankx

Hi shoaib,

Read down this cleansing routine here:
http://www.atribune.org/forums/index.php?showtopic=1046&st=20

Check the hosts file in the way it is suggested there. I would also have a go with Process Explorer, to see what starts to run at start-up, see here: http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx

polonus