Help with unknown malware component

Discussion in 'Malware Help (A Specialist Will Reply)' started by v908, Jul 8, 2005.

  1. v908

    v908 Private E-2

    I have been working to clean a computer that was infected with a variety of malware entities. I can get it essentially cleaned up with the exception of one entry in the registry. It is a DLL loaded in the Winlogon Notify section of the registry. The line out of Hijackthis appears as:

    O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\MNXML2R.DLL

    All the other stuff in Hijackthis appears okay (to me anyway). Every time I remove this entry, it comes back. If I use Hijackthis to remove it, it's there again for the very next scan (I don't even have to exit Hijackthis). I cannot delete the file because "something" has it open. I even tried the "delete a file on reboot" option in HJT and it failed.

    I have run all the anti-spyware products suggested, have MSFT's anti-spyware product running all the time (it does not detect any malware when it scans) and have Norton 2005 running (it does not detect anything when I do a full system scan). Yes, all products were updated with the latest and greatest definitions.

    Now, this component attempts to download malware each time I boot. Today it tried to load Bookedspace, VirtualBouncer, AdDestroyer and AlwaysUpdateNews... Luckily, MSFT anti-spyware catches it and deletes before it gets on the system.

    I've looked all around for references to MNXML2R.DLL but can't find anything substantial (I'm not even sure that's not a random name). Bottom line, I can't get rid of the darn thing! Any suggestions would be greatly appreciated...
     
  2. PhilliePhan

    PhilliePhan Guest

    Sounds like you've got a Look2Me/VX2 variant. Attach a fresh HJT log and let's have a look.

    I'll check back when time permits . . .

    PP :)
     
    Last edited by a moderator: Jul 8, 2005
  3. v908

    v908 Private E-2

    Okay, here you go... (see attached).
     

  4. PhilliePhan

    PhilliePhan Guest

    Hi v908,

    You have a couple baddies that will likely require their own removal procedures.

    -- How many different User Accounts are on this machine?

    -- Please relocate HJT to a safer folder - C:\Program Files\HijackThis


    Let's have a stab at this, shall we . . . . .

    FIRST:
    Please download the following tools and have them handy (Perhaps create an Anti-Spyware Folder for them). Make sure to get them from the links below:

    L2MeFix Tool
    Generic Detection Tool - NT/2000/XP
    VX2.BetterInternet Finder XP/2k - Version Msg126
    Pocket KillBox
    RKFiles Tool



    Please print out or save these instructions locally so that you can Disconnect from the Internet and operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and try to end them, if found.

    wintask.exe
    lhmnhk.exe


    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\lhmnhk.exe reg_run --> Will come back, but we'll deal with it later

    O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\MNXML2R.DLL --> Will come back, but next steps will get it

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\exp.exe
    C:\WINDOWS\system32\wintask.exe

    C:\WINDOWS\system32\MNXML2R.DLL
    C:\WINDOWS\system32\lhmnhk.exe
    You can try to delete the last two if you like . . .

    NEXT:
    Run CCleaner and Spybot S&D (from the READ ME FIRST Sticky Post ) and have Spybot fix what it finds.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.


    NEXT:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE:Please do not run any other options or files in the l2mfix Folder!

    Please attach the l2mfix Find log along with the fresh HijackThis log when you post back and we’ll see where you stand. Let me know if you ran into any difficulty with the above instructions - I will try to check back as time permits.

    Best Luck :)
    PP
     
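    Added example (not from the original thread or any of the tools named above): a small Python checker that applies the reasoning in the reply to the HijackThis lines it quotes. The Winlogon Notify allowlist, the trusted start-page hosts and the sample log are assumptions constructed for the example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "item reason")

# Constructed sample: the HijackThis lines quoted above plus one benign O20 entry.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\lhmnhk.exe reg_run
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\MNXML2R.DLL
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Assumption: a short allowlist of Winlogon Notify DLLs that ship with Windows XP.
# A DLL registered there is loaded into winlogon.exe at logon, which is why the
# file stays locked and its key can be re-created the moment it is removed.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}
TRUSTED_START_HOSTS = {"www.google.com", "www.msn.com"}  # assumption for the example

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
R0_RE = re.compile(r"^R0 - (?P<key>.+),(?P<value>[^=]+) = (?P<data>.+)$")

def basename(path):
    return path.rsplit("\\", 1)[-1].strip().lower()  # lower-cased file name

def analyze_hjt(log_text):
    """Return a Finding for every R0/O4/O20 entry that fails a simple sanity rule."""
    findings = []
    for line in log_text.splitlines():
        if m := O20_RE.match(line):
            dll = basename(m["dll"])
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding(line, f"Winlogon Notify DLL {dll} not in allowlist"))
        elif m := O4_RE.match(line):
            # Compare the Run value name with the executable it launches; a value
            # called "KavSvc" that actually runs lhmnhk.exe is a common disguise.
            exe = basename(m["cmd"].split()[0])
            stem = exe.rsplit(".", 1)[0]
            label = re.sub(r"[^a-z0-9]", "", m["value"].lower())
            if stem not in label and label not in stem:
                findings.append(Finding(line, f"Run value '{m['value']}' does not match {exe}"))
        elif m := R0_RE.match(line):
            host = m["data"].split("//", 1)[-1].split("/", 1)[0].lower()
            if host not in TRUSTED_START_HOSTS:
                findings.append(Finding(line, f"Start Page points at untrusted host {host}"))
    return findings
```

    Run against the sample it flags the hijacked start page, the KavSvc/lhmnhk.exe mismatch and the unknown Winlogon Notify DLL, while leaving the crypt32.dll entry alone.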
  5. v908

    v908 Private E-2

    Okay, I followed all your instructions exactly as requested. Attached is the last Hijackthis log and the L2mfix report.

    A couple of minor notes... the Wintask process and entry in Hijackthis were not there. Also, lhmnhk.exe seemed to have changed names to lunmur, so I substituted lunmur for lhmnhk wherever applicable (since lhmnhk.exe didn't exist anywhere anymore). Exp.exe and Wintask.exe were not in the System32 folder when I looked. I was able to delete lunmur.exe, but not MNXML2R.dll (no surprise).

    When I ran spybot, it found SmartpopOops, Huntbar, Look2me.topconverting, Pacimedia, and Virtual Bouncer. All were successfully cleaned (at least according to Spybot).

    Oh, and Internet Explorer no longer works (never loads pages). I had to get here by using Windows Explorer and typing the majorgeeks address into the address bar. Odd that this would work, but not IE. Finally, I cannot access My Computer at all...

    Anyway, the requested log file and l2mfix report are attached. Please advise next steps...
     

  6. PhilliePhan

    PhilliePhan Guest

    That is odd . . . And you did nothing else besides what you described . . .?

    -- How many different User Accounts are on this machine?

    Let's continue on and deal with IE after the next set of steps.
    HJT log looks better - You may have gotten that (kavsvc) baddie. Let's see if it stays gone. Don't forget to relocate HJT to a safer folder. . . .

    Here is the next set of steps:


    FIRST:
    Please make sure ALL Browser Windows are Closed!

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually cough out another log in Notepad.

    Again, don't run any other files in the L2MFix folder.


    NEXT:
    Reboot to Normal Windows and check your Recycle Bin to make sure that it is working properly.
    If all is NOT well with Recycle Bin, please run Pocket KillBox and Copy & Paste the Following into the box: C:\RECYCLER\Desktop.ini and Click the Red X to delete it using Standard File Kill.


    After checking on your Recycle Bin:
    Open VX2.BetterInternet Finder XP/2k and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button

    Guardian.reg

    Restore Policy --> This will likely be the only one enabled

    Allow Machine to Reboot.


    NEXT:
    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that Log along with a Fresh HijackThis Log and the new L2MeFix Log (be sure it is the "Fix Log") and we'll see what remains to be done for your machine. I think this ought to get it . . .

    PP :)
     
  7. v908

    v908 Private E-2

    Okay, I can only attach two at a time, so here are the L2MeFix log file and GenericDetectionTool log file. Next post will have HijackThis.

    I had to do all of this in Safe Mode as I cannot use Windows Explorer in "normal" mode. I'll reboot after this and see if it's working...
     

  8. v908

    v908 Private E-2

    Here's the HijackThis log...
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  10. PhilliePhan

    PhilliePhan Guest

    Well . . . . That's not good!

    Hey, v908 - Is this the same machine as in the thread with Chas? Or same machine, different account?

    At any rate, the logs you attached look OK and free of malware. Are you still having the other problems you mentioned earlier?

    PP :)
     
  11. v908

    v908 Private E-2

    PP, same guy (v908) -- two different computers (I wouldn't want to mung things up by working two different streams on the same computer -- don't worry).

    To your point, this computer seems to be clear of bad stuff now, but "My Computer" is still acting strange (though IE now appears to work normally). Whenever I attempt to open My Computer through the desktop, or browse to 'My Computer' (for example, to browse available disk drives), the right pane simply gives me the searching flashlight graphic and it either hangs, or takes 5+ minutes to display the drives and such (though drilling down through any drive is snappy as ever). Any idea on what might be causing problems with 'My Computer?'

    Oh, and I can't install Norton 2005 (it just errors out saying it can't install -- no error code or meaningful text), so there is definitely something hinky going on...
     
  12. PhilliePhan

    PhilliePhan Guest

    There could be a number of causes for this. They are difficult to puzzle out in a forum setting and I am not sure where to start.

    I would suggest that you start a new thread for this problem in the Software Forum - You'll probably get better result there.

    Best Luck to you :)
    PP
     