Windows\System32\mtmnr0.exe ->virus?

Discussion in 'malware problems & news' started by DragonQuest, Jan 10, 2004.

Thread Status:
Not open for further replies.
  1. DragonQuest

    DragonQuest Guest

    I found this little bugger in my pc and NOD32 and Norton aren't detecting it as a virus. I don't know where it comes from but it put itself in the system folder and runs everytime I start windows unless I disable it with msconfig.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi DragonQuest,

    Could you follow the instructions posted here:
    http://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
     
  3. DraonQuest

    DraonQuest Guest

    My Computer Specs:
    ...Let me know if you need anymore details

    So I followed directions Pieter_Arntz today and installed, updated, and scanned with Spybot. However, this software kept freezing when it got to AdGoblin. So I went and got Ad-Aware, updated, etc. and fixed like 7 problems but I still have that weird mtmnr0.exe thing in my computer.

    I also forgot to mention this but there is a blank startup item that msconfig sees. I'm not sure if hijackthis detected it since I can't identify it.

    I am temporarily posting a picture of this here:
    Code:
    http://my.sanbrunocable.com/fubash/msconfig.gif
    And before I forget here is the hijack log file:
    Thank you for any help in this matter.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi DragonQuest,

    I have recently seen a few logs with the IXPLORE.exe in it and I'd love to have a copy of that file, together with a copy of mtmnr0.exe.

    Could you please send that to the address in my profile?

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

    O4 - HKLM\..\RunServices: [scvhost loader] IXPLORE.EXE
    O4 - HKLM\..\RunServices: [Microsoft System Init] mtmnr0.exe

    Then reboot.

    The empty line is very likely harmless. It can be removed, but you will have to edit it in the registry (at least, I don't know of another way)

    Let me know if you want that and I will tell you where and what to look for.

    Regards,

    Pieter
     
  5. DragonQuest

    DragonQuest Guest

    A weird thing happened today. I was searching for IXPLORE.EXE in the Windows\System32 folder...After and only after clicking on the 27KB unknown exe file did Norton pop up (what a late rescue) saying it detected a "Backdoor.SDBot.Gen" virus (Norton gave no detailed info about this virus). I was disappointed in Norton because I knew this file was running prior to Norton detecting it and my Norton is always updated since I have it automatically update everyday.

    Well, to sum things up, I lost the IXPLORE.EXE file since it was deleted immediately upon clicking it. I am able to recover the mtmnr0.exe file though, so I'll send that one asap.

    My guess is that this or some other file is making the IXPLORE.EXE undetectable by other virus scanners. I hope this thing is it. ;)
     
  6. DragonQuest

    DragonQuest Guest

    Oh btw, can I take you up on that offer to help remove that annoying blank entry that msconfig sees. It would definitely sooth the paranoia stress I'm getting from it. Thanks. :D
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Before making manual changes to the registry, always make a backup!!

    Click Start > Run > type regedit > OK

    Then navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run
    Look for a key that shows (Default) with Data showing just 2 double quotes. Delete the (Default) item, and it will be replaced with Data showing (value not set).

    After a reboot the empty line should be gone. If you can't find it there don't panic. There are other Run keys where it could be, but this is the most likely one.

    Regards,

    Pieter
     
  8. controler

    controler Guest

    Hey guys

    one question?

    I see you are running XP?

    if so you should still have a copy of that file, unless you disabled restore before deleting?

    controler
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi controler,

    Risky bussiness and it may not be worth it.
    Simply use System Restore will re-activate it, right?

    Regards,

    Pieter
     
  10. controler

    controler Guest

    Hi Peiter

    "I have recently seen a few logs with the IXPLORE.exe in it and I'd love to have a copy of that file, together with a copy of mtmnr0.exe."

    Oh heaven no, I was not suggesting doing a System Restore @ all.
    I was just thinking if you wanted a copy and he had not turned System Resotre off, He should still have a copy in System Restore for you... I don't think any AV-At's can delete the total infection without
    you first turning off System Restore before cleaning.
    Everything you ever do is kept in files in System restore. All files downloaded, mail, everything if I am not misstaken.

    controler
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    That is quite correct controler. They are all in there, somewhere.

    Unfortunately the files in System Restore have beautifull names like a874560.cpy
    And until some scanner gives you an alert that it has found virus "newbutnotnice" in file C:\_RESTORE\TEMP\A0084170:CPY
    I for one would have a hard time finding out which file to copy, so that it would turn out to be the file I need.

    Doing a System Restore would put the file back under it's original name, but that would come with all the registry changes that would make it active again as well. That is why I warned about that.

    I will get my paws on that file eventually. :D
    No need for re-infecting a clean computer.

    Regards,

    Pieter
     
  12. controler

    controler Guest

    I was thinking more of System Volume Information DIR i think..
    Yes the files are renamed but the EXE usualy retain the EXE extention
    if i remember correct.
    If this person has show hidden system files and folders enabled, they can just do a scan of that DIR and maybe pick it up..
    Not for a Newbi though ;)


    con
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi DragonQuest,

    mtmnr0.exe seems to be a packed and modified version of the Windows file: wuaumgr.exe

    KAV online scanner says:
    mtmnr0.exe Infected: Backdoor.SdBot.05.bb

    Delete at will. :)

    Regards,

    Pieter
     
  14. DragonQuest

    DragonQuest Guest

    Thank you, so much for the research. Regarding the System Restore, I don't use it since I feel viruses might contaminate it. I much rather prefer the Norton Ghost backups although it does take up more time. I just hope NOD32 picks up the pace and starts detecting this backdoor stuff, since it seemed to just let this one slip by unnoticed...(plz correct me if I'm wrong)
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    If NOD32 decides to detect Backdoors and Trojans that is their decision.
    I'm fully satisfied if they concentrate on viruses and worms, since I have other scanners for the "ratty" kind of malware.
    If it is any consolation, NAV let this one pass as well.

    Regards,

    Pieter
     
Loading...
Thread Status:
Not open for further replies.