MDM.exe threat?

Can anyone enlighten me as to whether a process on my machine called "MDM.exe ", as shown in the Task Manager, is evidence of a threat or not? The web literature I've found states that the normal process with that name is Microsoft's Machine Debug Manager and that the way to turn it off is as follows:

1. Open Internet Explorer.
2. On the Tools menu, click Internet Options.
3. Click the Advanced tab.
4. Click to select the Disable script debugging check box, and then click OK.

I have done this and found that "Disable script debugging" was already checked on my machine. So why is MDM.exe still running and taking up significant CPU time? I have searched all the web literature I can find that reports malware that uses MDM.exe, and have checked all corresponding values in my machine's registry, but have found nothing that matches their registry entries.

So, I have two questions: First, if MDM.exe is running in spite of the "Disable script debugging" check-box being checked, doesn't that mean something out of the ordinary is in control of it? And, if so, can anyone shed light on what that is and how to fix it?

Thanks in advance for any help.

 

Hi Christer,

I don't find anything resembling it (e.g. Microsoft Debug Manager, Debug Manager, Script Debug, etc.) in Services.

 

No service resembling "Machine Debug Manager" exists. When sorted by Name, my services list goes from "Logical Disk Manager Administrative Services" directly to "Messenger ".

 

Do a search for the file mdm.exe and rename it to mdm.old. Reboot for effect. If no problems, leave things as is but leave yourself a note as to what you did in case you want to debug script someday.

In the off chance that the renaming causes an error screen, get the full info from it so we can determine what's calling the executable.

You probably got this from the Windows Updater site. Some of their offerings are not for normal folks. That file doesn't exist on my system so I doubt that you will miss it either.

 

surferdude2,

I've done a search of the entire file system for the file "mdm.exe "; none was found.

 

Do be sure you are searching hidden files, system files, and all other known file types.

Open Windows Explorer or My Computer > Tools > Folder Options > View >

Check the box labeled "Show hidden files and folders "

Uncheck the boxes labeled "Hide file extensions for known file types" and "Hide protected operation system files "

OK out of there.

Do the search again. If it still isn't found, there is an increasing chance that you are infected by a Trojan. There is one that has known to use this same file name. I'm not saying you have it, just mentioning that in passing.

If you are seeing the process running in Task manager, it must be on your drive at that time. Agreed? Do the search under those conditions and you should find it.

I have little faith in the MS version of search tool and always advise anyone to get AgentRansack instead. You'll like it, trust me.

BTW, have you reviewed your Startups? If you see anything strange in that area, we need to check it out. If we fall short in this thread, post up a HiJackThis log in the Security forum for those people to review.

 

surferdude2,

Yes, I did fumble my initial search for it. "Search system folders" was turned off. Subsequent search found it in \Windows\System32. I renamed it, killed the process, and it has stayed gone for the rest of the day. I haven't rebooted yet, but I'd be surprised if it gets resurrected, assuming it isn't a Trojan.

So, thanks for the work-around. But I'm now mightily curious about what's really going on and why processes that shouldn't be running are. I'm an old Unix hack and have learned Microsoft's OS's out of grudging necessity, and this kind of stuff drives me crazy. Do you know enough to fill me in on what's going on with this kind of system behavior?

BTW, I did review my startups and there's nothing peculiar there.

 

I'd be hard pressed to come up with any explanation for that process behaving in that fashion.

MS makes it sound so easy to disable it that I wondered what the problem was with you. According to them, just tag the boxes in IE Tools > Internet Options > Advanced > "Disable Script Debugging )Internet Explorer)" and "Disable Script Debugging (other) "

Please note there are two boxes to tag up. Hope you did both (actually hope you didn't and it would explain all the mystery).

MS also says:

So you would expect that command to show up in some startup line in the Registry or in the Start Up folder. Do you even have Office 2000 or do you remember having downloaded this beast from the Update site? Is it listed in your Add/Remove programs in Control Panel?

They also say:

Simple, what? Apparently not or we wouldn't be here.

You should take a look at the Reg key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

just to make sure that gremlin isn't being called from there.

You may just have to save this quest for some rainy day diversion. I'm all out of ideas and since I don't have the problem or Office 2000 or even the file, I can't replicate and troubleshoot it.

If you don't have a start up manager, get one and perhaps it can show where this is being called from. I have StartCop but they have quit giving it away. I think StartUpControl works just as well so give it a shot if you want.

All the best.

 

Yes, both disable-scripts boxes are checked.

My version of Office is 2003. Maybe that's a factor.

Yes, I checked HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run originally and there's nothing relevant there.

Thanks for the tip on StartUpControl. I'll check it out.

Thanks again for your help.

 

If you get it spanked down, post back so others can be helped.