1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

mlJHASkHy.dll possible trojan or other malware

Discussion in 'Virus & Other Malware Removal' started by gplracerx, Apr 18, 2008.

Thread Status:
Not open for further replies.
  1. gplracerx

    gplracerx Thread Starter

    Joined:
    Nov 28, 2006
    Messages:
    17
    I did something stupid and am now blessed with some sort of infection. I keep getting infected with Virtumonde and sometimes Smitfraud. The problem seems centered on the title dll, which appears in a BHO. I can't remove because it's in memory and I can't find the process to kill it. Spybot Teatimer seems to keep it sort of under control but can never remove it completely. Here's the HJT log file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:41:42 AM, on 4/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
    C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
    C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
    C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
    C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
    C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
    C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\All Users\Application Data\wrylgpwn\klenovod.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
    C:\Program Files\DVICO\FusionHDTV\FusionHdtvTray.exe
    C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
    C:\Program Files\DVICO\FusionHDTV\Remote\FusionRc.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Cyberlink\Shared Files\brs.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DVICO\FusionHDTV\ResManager.exe
    C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
    C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

    Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program

    Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} -

    C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

    Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {EE5A1465-1E73-4784-8F63-45983FDF0DB8} - C:\WINDOWS\system32\mlJASkHy.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program

    Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft

    Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [FusionTrayAgent] C:\Program Files\DVICO\FusionHDTV\FusionHdtvTray.exe
    O4 - HKLM\..\Run: [FusionRemote] C:\Program Files\DVICO\FusionHDTV\Remote\FusionRc.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe"

    RCSystem * -Startup
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module

    Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio

    Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume

    Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE"

    /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe"

    /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader

    8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common

    Files\Nero\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKLM\..\Policies\Explorer\Run: [pmklRRqNSB] C:\Documents and Settings\All Users\Application

    Data\wrylgpwn\klenovod.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    (User 'Default user')
    O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
    O4 - Startup: CCC.lnk = ?
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NCProTray.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel -

    res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

    Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

    C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

    C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

    {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

    C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://asia.msi.com.tw
    O15 - Trusted Zone: http://global.msi.com.tw
    O15 - Trusted Zone: http://www.msi.com.tw
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) -

    http://www.creative.com/su/ocx/15030/CTSUEng.cab
    O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) -

    http://www.mushkin.com/_detect/InSPECS3_0.cab
    O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) -

    http://www.cyberlink.com/winxp/CheckDVD.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

    http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?11892383

    53918
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

    http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?118923

    8789762
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) -

    http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) -

    http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

    http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package)

    - http://www.creative.com/su/ocx/15034/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1C28408A-24ED-4660-810A-37CE67D0F95A}: NameServer =

    192.168.0.1,0.0.0.0
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1C28408A-24ED-4660-810A-37CE67D0F95A}: NameServer =

    192.168.0.1,0.0.0.0
    O17 - HKLM\System\CS4\Services\Tcpip\..\{1C28408A-24ED-4660-810A-37CE67D0F95A}: NameServer =

    192.168.0.1,0.0.0.0
    O20 - Winlogon Notify: mlJASkHy - C:\WINDOWS\SYSTEM32\mlJASkHy.dll
    O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC

    PowerChute Personal Edition\mainserv.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile

    Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program

    Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program

    Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program

    Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ

    Online Security\Common\FSMA32.EXE
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero

    BackItUp\NBService.exe (file missing)
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero

    BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common

    Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. -

    C:\WINDOWS\system32\IoctlSvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program

    Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program

    Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program

    Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program

    Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network

    Monitor\WLService.exe

    --
    End of file - 13252 bytes

    Any help would be greatly appreciated
     
  2. gplracerx

    gplracerx Thread Starter

    Joined:
    Nov 28, 2006
    Messages:
    17
    I used recovery console to delete the suspect dll. Then I was able to delete the BHO with Spybot. I still had an entry in Winlogon notify referring to the it, though. I couldn't remove it with Spybot, but after removing all entries in the registry that referred to it, the problem seems to have gone away. Spybot reports clean, Panda Activscan 2.0 says I'm clean. We'll see.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/704891

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice