BullGuard
Close
00: 00: 00: 00
Days Hours Minutes Seconds
Close
 HomeLog InRegisterCommunity CalendarSearch the ForumView The Member ListHelp
Trojan Horse in c:\windows\mdm.exe
   
BullGuard Antivirus Forum > Virus Removal > Removal Help > Trojan Horse in c:\windows\mdm.exe  
Forum Quick Jump
 
New Topic Post reply to : Trojan Horse in c:\windows\mdm.exe Printable version of : Trojan Horse in c:\windows\mdm.exe
[ << Previous Thread | Next Thread >> ]

faraz
New Member


Date Joined Feb 2007
Total Posts : 2
 
   Posted 2/21/2007 7:48 AM (GMT +3)    Quote: Trojan Horse in c:\windows\mdm.exeAlert an admin about: Trojan Horse in c:\windows\mdm.exe
Hello Sir,
 I am experiencing a drastic problem of recurrent trojan horse in C:\windows\mdm.exe I am running NAV in my computer. I have taken all cleaning steps as advised in different blogs and NAV web site, but to no use. After loading windows in Safe MOde i have deleted MDM.exe from all registry entries, services and startup. but it keeps coming back.
 Please help me resolve this problem.
 thanks faraz
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12969
 
   Posted 2/21/2007 8:42 AM (GMT +3)    Quote: Trojan Horse in c:\windows\mdm.exeAlert an admin about: Trojan Horse in c:\windows\mdm.exe
Hi faraz smile
 
 
Please post a logfile -
 
 
 
1. Get this version of Hijackthis from http://danborg.org/spy/hjt/alternativ.exe
 
2
Save it in a permanent folder of your choice, such as C:\HJT\. To create this specific folder on your hard drive: Double click the 'My Computer' icon on your desktop, then under the category hard disk drives: double click Local Disk:, then select file->New -> Folder and name it HJT
3 Run hijackthis.  (alternativ exe).

Choose the "Do a system scan and save a log file" option to perform your scan.
HijackThis will analyze your system, and automatically open a notepad textfile containing the HijackThis log when the scan is finished.
Open the text files containing the logs with a text editor and click Edit -> Select All, followed by Edit -> Copy.
From within the browser window and with the message body text box selected, click Edit -> Paste.
Post  hijackthis log here
 


Do NOT post your problem in someone elses thread.
Start a new topic so that it may receive proper attention. 
 

Back to Top
 

faraz
New Member


Date Joined Feb 2007
Total Posts : 2
 
   Posted 2/22/2007 11:03 AM (GMT +3)    Quote: Trojan Horse in c:\windows\mdm.exeAlert an admin about: Trojan Horse in c:\windows\mdm.exe
hello touch,
 here is the log you asked for. Please hurry as the virus has deeply effected my computers. it resides in C;\windows\mdm.exe thats what NAV tells me.
 thanks
faraz


Logfile of HijackThis v1.99.1
Scan saved at 12:45:32 PM, on 2/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Softros Systems\Softros Messenger\Messenger.exe
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\HJT\alternativ.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=GHO
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Launch Softros Messenger.lnk = C:\Program Files\Softros Systems\Softros Messenger\Messenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = samw.mil
O17 - HKLM\Software\..\Telephony: DomainName = samw.mil
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C7B54BB-3E2A-4641-94B0-FC9FA8A2D889}: NameServer = 10.10.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = samw.mil
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C7B54BB-3E2A-4641-94B0-FC9FA8A2D889}: NameServer = 10.10.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2C7B54BB-3E2A-4641-94B0-FC9FA8A2D889}: NameServer = 10.10.1.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12969
 
   Posted 2/22/2007 11:15 AM (GMT +3)    Quote: Trojan Horse in c:\windows\mdm.exeAlert an admin about: Trojan Horse in c:\windows\mdm.exe
Please download free  Trial of Superantispyware
 
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it.
close the program
 
 
Please download ATF Cleaner:
 http://www.atribune.org/ccount/click.php?id=1 by Atribune.
This program is for XP and Windows 2000 only
 
 
Download and install DrWebCureit:
 
to your desktop.
 
 
 
 
 
Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.
 
 
 
Reboot into Safe  Mode   by tapping F8 after the BIOS has loaded.
The Windows Advanced Options Menu appears.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
 
 
 
 
 
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
 
 
Doubleclick the "drweb-cureit.exe" and click "ok" in the prompt window that will open , asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it find, and when it says "done"
Click on the green screwdriver-
Actions Tab- Adware-Dialers-Riskware-Hacktools, use dropdown menu and select -Delete
Click on the drive(s) you want to scan . A red dot will mark the selected drive(s) . Then hit the green  arrow in lower right corner It will now scan your  drive(s), say yes to all
 
After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
 
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
 
 
 
 
Start Superantispyware/rightclick on the black/yellow bug in tray.
 
Hit - Scan Your Computer - button
 
Click on the drive(s) you want to scan. Put a check in - Perform Complete Scan, then next
 
it will scan now. When scan have finished, put a checkmark with  all items it found. Next, after cleaning, let it Reboot
 
 
 
Start Superantispyware again –
Click Preferences and then click the statistics/logs tab.
Click the dated log and press view log and a text file will appear.
 
 
 
Post this log along with fresh hijackthis log, Dr.Web and tell how things are running  ?
 
 
 
 
 
 
 
 
 
 
 


Do NOT post your problem in someone elses thread.
Start a new topic so that it may receive proper attention. 
 

Back to Top
 

JOHNMARKMAC05
New Member


Date Joined Dec 2007
Total Posts : 1
 
   Posted 12/30/2007 1:33 PM (GMT +3)    Quote: Trojan Horse in c:\windows\mdm.exeAlert an admin about: Trojan Horse in c:\windows\mdm.exe
how about this one...

Logfile of HijackThis v1.99.1
Scan saved at 5:07:01 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\HyperTechnologies\Deep Freeze\DfServEx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe
C:\Program Files\HyperTechnologies\Deep Freeze\_$Df\FrzState.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SVCHOST.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\MDM.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Anti-Spyware Blocker.lnk = C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: DFServEx - Hyper Technologies Inc. - C:\Program Files\HyperTechnologies\Deep Freeze\DfServEx.exe
Back to Top
 
New Topic Post reply to : Trojan Horse in c:\windows\mdm.exe Printable version of : Trojan Horse in c:\windows\mdm.exe
 
Forum Information
Currently it is Wednesday, April 23, 2014 12:12 PM (GMT +3)
There are a total of 60,371 posts in 13,279 threads.
In the last 3 days there were 7 new threads and 4 reply posts. View Active Threads
Who's Online
This forum has 35781 registered members. Please welcome our newest member, gatthelli.
1 Guest(s), 0 Registered Member(s) are currently online.  Details
5 Latest Threads
Stilhaus Kitchens Review (0)4/23/2014 4:21:51 AM (gatthelli)
Stilhaus Kitchens Review (0)4/23/2014 4:08:49 AM (gatthelli)
Kitchen Designers Derbyshire (0)4/23/2014 2:58:02 AM (Mbaksopie)
Cheap Kitchen Units UK (0)4/23/2014 2:53:18 AM (Mbahspmbp)
Computer unresponsive. (Registry Issues / Crs.exe failed) PLEASE HELP! (0)4/23/2014 2:25:17 AM (Pkmans)