MODIFY?

Discussion in 'ProcessGuard' started by madhaxer, Sep 27, 2005.

Thread Status:
Not open for further replies.
  1. madhaxer

    madhaxer Guest

    What is this program doing?? I am guessing my Process Guard is still protecting me; that seems obvious. Have I been infected?? I don't know, since the program kept trying to modify programs. Also my internet was very slow at the time.
    Mon 26 - 23:46:05 [MODIFY] c:\windows\system32\yfgdcg.exe [1042] was blocked from modifying explorer.exe
    Mon 26 - 23:46:06 [MODIFY] c:\windows\system32\yfgdcg.exe [1042] was blocked from modifying msimn.exe

    Could any damage have been done already? The yfgdcg.exe is killed and so far everything seems okay, internet connection fast again. I don't want to format the PC for no reason... ty
     
  2. Pilli

    Pilli Registered Member

    Joined: Feb 13, 2002 | Posts: 6,217 | Location: Hampshire UK
    I can find no ref. to that file name in Google. I would suggest that you get it checked out at Jotti's place found here: http://virusscan.jotti.org/

    Use the buttons at the top of the page: click the browse button, navigate to your system32 folder, select the file, then submit.

    Please let us know your results.

    Thanks. Pilli :)
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined: May 2, 2004 | Posts: 2,839 | Location: North West, United Kingdom
    Most likely it was trying to hijack those programs to send data out - possibly just to contact home base but also possibly to send out captured personal data (e.g. passwords). Pilli's advice is sound and should be followed with a full system scan (with an updated scanner) and a review of your security to identify how your system became infected.

    If any scan results identify a keylogger and you use any online financial sites (e.g. banks or share brokers) then you should assume the worst and contact them to let them know your account may be compromised - at the very least you should change your passwords for any sites that require them.
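    As an added illustration (not code from the thread or from ProcessGuard's authors), the following Python script parses ProcessGuard "[MODIFY] ... was blocked from modifying ..." log lines of the form quoted in the first post and applies two defensive heuristics to them: a source executable that is blocked from modifying several different processes in a short span, and an executable living in system32 that is not on a known-good baseline. The sample log, the regex, and the `KNOWN_SYSTEM32` allowlist are all constructed assumptions for the example (two of the sample lines are the ones from the post, the rest are made up), and the heuristics are triage aids, not a verdict; a scanner check as Pilli suggests is still the next step.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: the two lines quoted in the thread plus a made-up benign
# entry (a third-party scanner poking explorer.exe) and one malformed line.
SAMPLE_LOG = "\n".join([
    r"Mon 26 - 23:46:05 [MODIFY] c:\windows\system32\yfgdcg.exe [1042] was blocked from modifying explorer.exe",
    r"Mon 26 - 23:46:06 [MODIFY] c:\windows\system32\yfgdcg.exe [1042] was blocked from modifying msimn.exe",
    r"Mon 26 - 23:47:10 [MODIFY] c:\program files\example scanner\scanner.exe [1208] was blocked from modifying explorer.exe",
    "this line is not in the expected format and is skipped",
])

# Constructed baseline of executables expected under system32; populate from your
# own clean-machine inventory rather than trusting this list as-is.
KNOWN_SYSTEM32 = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\winlogon.exe",
}

# Assumed line layout, inferred from the two lines in the post:
#   <day> <num> - <hh:mm:ss> [ACTION] <source path> [<pid>] was blocked from modifying <target>
LINE_RE = re.compile(
    r"^(?P<when>\w{3} \d{1,2} - \d{2}:\d{2}:\d{2}) "
    r"\[(?P<action>[A-Z]+)\] "
    r"(?P<source>.+?) \[(?P<pid>\d+)\] "
    r"was blocked from modifying (?P<target>\S+)$"
)


@dataclass
class BlockedEvent:
    when: str
    action: str
    source: str   # lower-cased full path of the blocked process
    pid: int
    target: str   # lower-cased image name it tried to modify


def parse_line(line):
    """Return a BlockedEvent for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return BlockedEvent(m["when"], m["action"], m["source"].lower(),
                        int(m["pid"]), m["target"].lower())


def parse_log(text):
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def suspicious_sources(events, known_system32):
    """Group events by (source path, pid) and return the ones worth a closer look."""
    targets_by_source = defaultdict(set)
    for ev in events:
        targets_by_source[(ev.source, ev.pid)].add(ev.target)

    findings = []
    for (source, pid), targets in targets_by_source.items():
        reasons = []
        # Heuristic 1: one process trying to modify several unrelated programs
        # (explorer.exe and the mail client here) is typical of code injection.
        if len(targets) > 1:
            reasons.append("targets multiple processes: " + ", ".join(sorted(targets)))
        # Heuristic 2: an executable in system32 that is not in the baseline.
        if "\\system32\\" in source and source not in known_system32:
            reasons.append("unrecognised executable in system32")
        if reasons:
            findings.append({"source": source, "pid": pid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_sources(parse_log(SAMPLE_LOG), KNOWN_SYSTEM32):
        print(f"{f['source']} (pid {f['pid']}):")
        for r in f["reasons"]:
            print("  -", r)
```

Run against the constructed log, the script reports only yfgdcg.exe, for both reasons; the scanner entry is left alone because it touched a single process from a non-system32 path. Either heuristic alone produces false positives (legitimate shell extensions and security tools do modify explorer.exe), so the output is a list of files to submit for scanning, not a list of confirmed malware.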
     
  4. madhaxer

    madhaxer Guest

    Thanks!!! This is a GREAT forum :D

    Online scan says it is a backdoor Rbot, so I deleted it. Google search finds a variant of Rbot: webcam spy, password stealing, DDoS launching :( Gone to run free antivirus scans and change passwords. No, I don't use any online banking :D
     
  5. madhaxer

    madhaxer Guest

    We had Admin with no password; I think that's how it got in. Changed now to a big password with swearing in it lol. ty both again, will see how it goes.
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined: May 2, 2004 | Posts: 2,839 | Location: North West, United Kingdom
    That shouldn't be the case with Windows XP - an account with no password should only be accessible by someone on the computer, not via remote login. A more likely cause (if you use Admin all the time) would be a compromise via Internet Explorer (if you use it - switching to Opera/Firefox, using a web filter to screen out ActiveX and other potentially harmful webpage content and using a non-Admin user for web browsing would all help prevent this) or running a download which included the trojan (all too common on file sharing networks - but the file should have been picked up by the scanner).

    It may well be worth giving your system a check with the trial versions of Ewido or TrojanHunter since it is quite possible that you have other nasties on your system (note that you will need to clear the "Block Driver..." setting in PG to be able to install these and they will need modify/terminate privileges set when installed).
     