Windows\System32\mtmnr0.exe ->virus?

Discussion in 'malware problems & news' started by DragonQuest, Jan 10, 2004.

Thread Status:
Not open for further replies.
  1. DragonQuest

    DragonQuest Guest

    I found this little bugger in my PC and NOD32 and Norton aren't detecting it as a virus. I don't know where it comes from, but it put itself in the system folder and runs every time I start Windows unless I disable it with msconfig.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi DragonQuest,

    Could you follow the instructions posted here:
    http://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
     
  3. DraonQuest

    DraonQuest Guest

    My Computer Specs:
    ...Let me know if you need any more details

    So I followed Pieter_Arntz's directions today and installed, updated, and scanned with Spybot. However, this software kept freezing when it got to AdGoblin. So I went and got Ad-Aware, updated, etc. and fixed like 7 problems, but I still have that weird mtmnr0.exe thing in my computer.

    I also forgot to mention this but there is a blank startup item that msconfig sees. I'm not sure if hijackthis detected it since I can't identify it.

    I am temporarily posting a picture of this here:
    http://my.sanbrunocable.com/fubash/msconfig.gif
    And before I forget here is the hijack log file:
    Thank you for any help in this matter.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi DragonQuest,

    I have recently seen a few logs with the IXPLORE.exe in it and I'd love to have a copy of that file, together with a copy of mtmnr0.exe.

    Could you please send that to the address in my profile?

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

    O4 - HKLM\..\RunServices: [scvhost loader] IXPLORE.EXE
    O4 - HKLM\..\RunServices: [Microsoft System Init] mtmnr0.exe

    Then reboot.

    The empty line is very likely harmless. It can be removed, but you will have to edit it in the registry (at least, I don't know of another way).

    Let me know if you want that and I will tell you where and what to look for.

    Regards,

    Pieter
     
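As an added example (not from the thread or from HijackThis itself), a small Python triage helper that applies the checks Pieter used on the entries above: R3/O3 items with nothing behind them, and O4 autostart entries that are bare filenames, live under RunServices, or carry names imitating Windows components. The sample lines are constructed from the entries quoted in this post plus one benign full-path entry for contrast; the heuristics are illustrative, not a complete rule set.

```python
import re

# Constructed sample, modelled on the HijackThis lines quoted in the post above;
# the last line is an added benign entry with a full, quoted path for contrast.
SAMPLE_LOG = """\
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\\..\\Run: [UpdReg] C:\\WINDOWS\\Updreg.exe
O4 - HKLM\\..\\RunServices: [scvhost loader] IXPLORE.EXE
O4 - HKLM\\..\\RunServices: [Microsoft System Init] mtmnr0.exe
O4 - HKLM\\..\\Run: [ExampleUpdater] "C:\\Program Files\\Example\\upd.exe" /quiet
"""

# O4 = autostart entry: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Words in a value name that imitate Windows components (heuristic; includes
# the two names used in this thread).
LOOKALIKES = ("microsoft", "windows", "system", "svchost", "scvhost")

def executable_of(cmd):
    """Program token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def triage_line(line):
    """Reasons this HijackThis line deserves attention; [] means nothing found."""
    reasons = []
    if line.startswith("R3 ") and line.endswith(" is missing"):
        reasons.append("R3: default URLSearchHook missing; fixing restores the default")
    if line.startswith("O3 ") and line.endswith("(no file)"):
        reasons.append("O3: toolbar CLSID with no backing file (orphaned entry)")
    m = O4_RE.match(line)
    if m:
        if "\\" not in executable_of(m["cmd"]):
            reasons.append("O4: bare filename, found via the search path, not a known location")
        if m["key"] == "RunServices":
            reasons.append("O4: RunServices key (Win9x/ME only; legitimate XP software does not use it)")
        if any(w in m["name"].lower() for w in LOOKALIKES):
            reasons.append("O4: value name imitates a Windows component")
    return reasons

def triage(log_text):
    """Flagged lines mapped to their reasons; clean lines are left out."""
    found = {ln: triage_line(ln) for ln in log_text.splitlines()}
    return {ln: why for ln, why in found.items() if why}
```

Running `triage(SAMPLE_LOG)` flags the R3, O3 and both RunServices lines and leaves the two full-path Run entries alone.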
  5. DragonQuest

    DragonQuest Guest

    A weird thing happened today. I was searching for IXPLORE.EXE in the Windows\System32 folder...After and only after clicking on the 27KB unknown exe file did Norton pop up (what a late rescue) saying it detected a "Backdoor.SDBot.Gen" virus (Norton gave no detailed info about this virus). I was disappointed in Norton because I knew this file was running prior to Norton detecting it and my Norton is always updated since I have it automatically update everyday.

    Well, to sum things up, I lost the IXPLORE.EXE file since it was deleted immediately upon clicking it. I am able to recover the mtmnr0.exe file though, so I'll send that one asap.

    My guess is that this or some other file is making the IXPLORE.EXE undetectable by other virus scanners. I hope this thing is it. ;)
     
  6. DragonQuest

    DragonQuest Guest

    Oh btw, can I take you up on that offer to help remove that annoying blank entry that msconfig sees? It would definitely soothe the paranoia stress I'm getting from it. Thanks. :D
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Before making manual changes to the registry, always make a backup!!

    Click Start > Run > type regedit > OK

    Then navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run
    Look for a key that shows (Default) with Data showing just 2 double quotes. Delete the (Default) item, and it will be replaced with Data showing (value not set).

    After a reboot the empty line should be gone. If you can't find it there don't panic. There are other Run keys where it could be, but this is the most likely one.

    Regards,

    Pieter
     
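To find the blank entry without clicking through regedit by hand, you can export the autostart keys (File > Export in regedit writes a .reg file) and look for a (Default) value written as @="", which is the "just 2 double quotes" Pieter describes. Added example, not from the thread: the .reg text below is constructed, and the parser reads string values only.

```python
# Constructed regedit export (not from the thread) of the autostart keys: an
# empty-string (Default) value is written as @="" and is what msconfig lists
# as a blank startup item. Parser handles string values only, not hex:/dword:.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"UpdReg"="C:\\WINDOWS\\Updreg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft System Init"="mtmnr0.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
'''

def parse_reg(text):
    """{key path: {value name: string data}} for a regedit 5.00 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith(('"', "@")) and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg doubles backslashes inside string data; undo that here.
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def blank_autostart_entries(text):
    """Run/RunServices/RunOnce keys whose (Default) is the empty string."""
    return [key for key, values in parse_reg(text).items()
            if key.rsplit("\\", 1)[-1].startswith("Run")
            and values.get("(Default)") == ""]
```

`blank_autostart_entries(SAMPLE_REG)` names the HKLM Run key only; the HKCU key, whose (Default) is not set, is left out, which matches the "(value not set)" state Pieter says to aim for.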
  8. controler

    controler Guest

    Hey guys

    one question?

    I see you are running XP?

    if so you should still have a copy of that file, unless you disabled restore before deleting?

    controler
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi controler,

    Risky business and it may not be worth it.
    Simply using System Restore will re-activate it, right?

    Regards,

    Pieter
     
  10. controler

    controler Guest

    Hi Pieter

    "I have recently seen a few logs with the IXPLORE.exe in it and I'd love to have a copy of that file, together with a copy of mtmnr0.exe."

    Oh heavens no, I was not suggesting doing a System Restore at all.
    I was just thinking that if you wanted a copy and he had not turned System Restore off, he should still have a copy in System Restore for you... I don't think any AV/AT can delete the total infection without you first turning off System Restore before cleaning.
    Everything you ever do is kept in files in System Restore. All files downloaded, mail, everything, if I am not mistaken.

    controler
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    That is quite correct controler. They are all in there, somewhere.

    Unfortunately the files in System Restore have beautiful names like a874560.cpy.
    And until some scanner gives you an alert that it has found virus "newbutnotnice" in file C:\_RESTORE\TEMP\A0084170:CPY,
    I for one would have a hard time finding out which file to copy so that it would turn out to be the file I need.

    Doing a System Restore would put the file back under its original name, but that would come with all the registry changes that would make it active again as well. That is why I warned about that.

    I will get my paws on that file eventually. :D
    No need for re-infecting a clean computer.

    Regards,

    Pieter
     
  12. controler

    controler Guest

    I was thinking more of the System Volume Information DIR, I think..
    Yes, the files are renamed, but the EXEs usually retain the EXE extension, if I remember correctly.
    If this person has show hidden system files and folders enabled, they can just do a scan of that DIR and maybe pick it up..
    Not for a newbie though ;)


    con
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi DragonQuest,

    mtmnr0.exe seems to be a packed and modified version of the Windows file: wuaumgr.exe

    KAV online scanner says:
    mtmnr0.exe Infected: Backdoor.SdBot.05.bb

    Delete at will. :)

    Regards,

    Pieter
     
  14. DragonQuest

    DragonQuest Guest

    Thank you so much for the research. Regarding System Restore, I don't use it since I feel viruses might contaminate it. I much prefer the Norton Ghost backups, although they do take up more time. I just hope NOD32 picks up the pace and starts detecting this backdoor stuff, since it seemed to just let this one slip by unnoticed...(please correct me if I'm wrong)
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    If NOD32 decides to detect Backdoors and Trojans that is their decision.
    I'm fully satisfied if they concentrate on viruses and worms, since I have other scanners for the "ratty" kind of malware.
    If it is any consolation, NAV let this one pass as well.

    Regards,

    Pieter
     