I recently picked up the Win32:Agent-EMT trojan horse, possibly in China with some Nintendo DS Supercard software.
The AVAST warning relates to a file MDM.EXE in the Windows folder. I move it to the chest, or rename it, or delete it, and every time it reappears some 30-60 seconds later. It just won’t die!!
Also, now when I right-click on my C Drive, instead of the first two options being “Open” and “Explore”, I get a string of weird (Chinese?) characters.
Have you tried a boot time scan with avast!? (Right click the scanner screen, select ‘schedule a boot time scan’ and reboot).
If that fails, check for rootkits (programs which hide other infections) using a rootkit scanner. I’d recommend F-Secure’s BlackLight, AVG and Panda’s scanners:
*You can completely balls up your computer editing the registry so always make a registry back-up, and don’t try it unless you have a reasonable idea what you’re doing.
I’ve got exactly the same problem, and a full boot time scan didn’t help. I also used the rootkit hunter software as prescribed along with Spybot, but no success. Though my shell extension menu hasn’t turned to Chinese, I just somehow can’t show hidden files any more!!!
Hi,
Well, I’ve done exactly everything you mentioned above. First of all it didn’t appear anywhere in the boot scan, and then later when I logged into Windows it all started once again. It seems it is resident in shell extension files, as I can no longer change the option to show hidden files!!!
I found this link that has some .reg files and VBS tools for resolving problems like this: http://www.kellys-korner-xp.com/xp_tweaks.htm, Item 155, “Enable/Disable Show Hidden Files/Folders”, also seems to fit the bill.
Thanks for the tips, but the problem remains. I can modify the registry and see it working, but as soon as I open My Computer avast pops up with MDM.EXE infected with the trojan, and the values in the registry revert back! I just can’t get rid of this trojan. I’m going to start in safe mode with command prompt only; let’s see if I can get it like that!!!
What is the location of the mdm.exe file that is reported as infected?
Take care, as there is a legitimate Windows file called mdm.exe, although I don’t have it on my system.
That would tend to confirm malware, as the usual location is c:\windows\system32.
Something is recreating/downloading this file. It is fine that avast detects it, but it isn’t detecting the file that is creating it. Now those anti-spyware programs Frank mentioned, http://www.ewido.net/en/ and http://www.emsisoft.com/en/software/free/, should have better success at finding what may be a trojan downloader. These should be run from safe mode to be most effective: keep pecking away at the F8 key when your system is booting and you should get options to boot into safe mode.
Now, a good firewall should stop unauthorised outbound connections. What is your firewall?
Going to try all your suggestions. I’m running Zone Alarm (free version) on the desktop and I have a gateway firewall (ipcop) on my network. I know where the virus came from, e.g. a friend of mine brought his USB with some data. As he inserted it into my PC avast picked it up and started blaring. I immediately removed the USB, but the damage was done; now this thing is hiding somewhere deep, and I fear that I’ll have to salvage my data and format the hard disk to get rid of it :-[
Logfile of HijackThis v1.99.1
Scan saved at 10:13:16 AM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
I can’t see anything malicious. Have you tried the online scans? Which rootkit scanner did you use? Maybe try one or two more because sometimes one will pick up something the others miss.
Windows Defender can occasionally prevent HijackThis from reporting all it should. Can you disable Defender and post a new log?
EDIT: When you first posted you indicated your problem is exactly the same as jonfitton’s. He reported a recurring Win32:Agent-EMT infection in MDM.EXE.
Is yours exactly that, or is it similar in the shell extension problems but different in other ways?
I’ll download and use more rootkit hunters. I’ll also disable Windows Defender and create a new log file. And yes, the mdm.exe is repeatedly being detected by avast, saying it has traces of Win32:Agent-EMT[Trj]. So my problem is exactly as jonfitton’s. Last night I looked in my processes and saw mdm in there; I killed the process and rebooted my machine, and logged in, and just a few minutes later avast started blaring. Also if I open My Computer and/or if I use Windows Explorer. I’ll come back with more logs.
Thanks