Need help removing mljklif.dll[malware]! [RESOLVED]

Greetings all,

Yesterday, I got infected with a trojan that adds mljklif.dll to \system32, adds itself to WinLogon notifiers.
mljklif.dll tries to log keystrokes (which my anti-keylogger blocks) and contact the Internet through explorer.exe with winlogon.exe as parent.
I can’t remove it, it’ll just add itself again. It’s embedded in the winlogon.exe process, so I can’t exit winlogon.exe and then delete mljklif.dll, because if you exit winlogon.exe your system will crash.

I’ve uploaded it on VirusTotal and 18/32 AV-products detected it. I tried with Avira Antivir, it said it would delete after reboot, but it didn’t. I’ve sent it to Avast!, so it’ll probably be added to their future virus database.

Tried GPo [ at ] Utilities, which is supposed to rename/move/delete files before Windows boots, but it doesn’t work.

My last hope would be a DOS program that’ll remove it before Windows is booted, which means I’ll need something you can put on a floppy.
Or should I try all the antivirus programs that detect it and see if one of them succeeds in deleting it?

Any help is appreciated.

mljklif.dll

File size: 43542 bytes
MD5: fb390d111925a63b517d666a8db4e5dd
SHA1: cba941f614dcf4d3543914a8d506489c8065d287

Here are some names used for it:
TR/Vundo.Gen
Adware Generic2.OUK
Trojan.Vundo.DMV
AdWare.Virtumonde.jp (Not a Virus)
Trojan.Vundo-525
Win32/Vundo!generic

Ragwing

Hey Ragwing, I moved your post here to the Malware Removal Assistance board…

Do you have System Restore enabled?

Are you running BOC?

LM

Sorry, I didn’t find this forum as it’s located in the Comodo Anti-Viruspyware (CAVS) section, and this problem isn’t about CAVS, but thanks anyway.

No, I’ve disabled it and emptied System Volume Information.

No, I run Avast!, TeaTimer, CPF, CMG, SnoopFree and PSM Anti-keylogger.

Here’s HijackThis logfile:

I’ve marked the malware file in red.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:28:50, on 2007-09-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\Program\PSMKorea\ANTIKE~1\PSMAntiS.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program\Alwil Software\Avast4\aswUpdSv.exe
D:\Program\Alwil Software\Avast4\ashServ.exe
D:\Program\Comodo\Firewall\cmdagent.exe
D:\Program\COMODO\Memory Guardian\cmgs32.exe
D:\Program\Nero\Nero 7\InCD\InCDsrv.exe
D:\Program\Delade filer\LightScribe\LSSrvc.exe
D:\Program\CyberLink\Shared Files\RichVideo.exe
D:\WINDOWS\System32\SnoopFreeSvc.exe
D:\Program\Alwil Software\Avast4\ashMaiSv.exe
D:\Program\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\Explorer.EXE
D:\Program\Comodo\Firewall\CPF.exe
D:\Program\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\SnoopFreeUI.exe
D:\Program\CyberLink\PowerDVD\PDVDServ.exe
D:\Program\Nero\Nero 7\InCD\InCD.exe
D:\Program\COMODO\Memory Guardian\cmg.exe
D:\Program\PSMKorea\AntiKeyLogger\PSMAntiSpy.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program\Spybot - Search & Destroy\TeaTimer.exe
D:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe
D:\Program\Delade filer\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe
D:\Program\uTorrent\uTorrent.exe
D:\PROGRAM\MOZILL~1\FIREFOX.EXE
D:\Program\CCleaner\CCleaner.exe
D:\Documents and Settings\Rasmus\Skrivbord\HiJackThis_v2.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Program\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {C1ADC5ED-FB26-4770-AFE5-BD3A7EB5C148} - D:\WINDOWS\system32\mljklif.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Program\FlashGet\getflash.dll
O4 - HKLM..\Run: [COMODO Firewall Pro] “D:\Program\Comodo\Firewall\CPF.exe” /background
O4 - HKLM..\Run: [avast!] D:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM..\Run: [RemoteControl] D:\Program\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM..\Run: [InCD] D:\Program\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM..\Run: [Comodo Memory Guardian] “D:\Program\COMODO\Memory Guardian\cmg.exe”
O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM..\Run: [PSMAntiKeyLogger] D:\Program\PSMKorea\AntiKeyLogger\PSMAntiSpy.exe
O4 - HKCU..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] D:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “D:\Program\Delade filer\Ahead\Lib\NMBgMonitor.exe”
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User ‘LOKAL TJÄNST’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O8 - Extra context menu item: &Download All with FlashGet - D:\Program\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Program\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program\FlashGet\FlashGet.exe
O9 - Extra ‘Tools’ menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188414000625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188485410703
O20 - Winlogon Notify: mljklif - D:\WINDOWS\SYSTEM32\mljklif.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program\Comodo\Firewall\cmdagent.exe
O23 - Service: Comodo Memory Guardian injector 32bit - Unknown owner - D:\Program\COMODO\Memory Guardian\cmgs32.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program\Delade filer\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - D:\Program\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program\Delade filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: PSMAntiSpy - PSMKorea - http://www.psmkorea.co.kr - D:\Program\PSMKorea\ANTIKE~1\PSMAntiS.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - D:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - D:\Program\Windows Live\installer\WLSetupSvc.exe

Ragwing
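The log above shows the two persistence points this sample uses: an O2 BHO entry with no name and an O20 Winlogon Notify entry, both pointing at the same DLL in system32. A Winlogon Notify package is loaded into winlogon.exe at logon, which is why the file is locked while Windows is running. The following Python script is an added example (not code from the thread or from HijackThis) that triages lines in HijackThis format and flags exactly those signals: a nameless BHO, a Winlogon Notify package outside a stock Windows XP allowlist, and the stronger case of one DLL registered in both places. The sample lines are constructed from the format of the posted log, and the allowlist of XP Winlogon Notify packages is an assumption you should extend for your own build.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in HijackThis format, modelled on the log in the thread.
SAMPLE_LOG = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\\Program\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {C1ADC5ED-FB26-4770-AFE5-BD3A7EB5C148} - D:\\WINDOWS\\system32\\mljklif.dll
O20 - Winlogon Notify: crypt32chain - D:\\WINDOWS\\system32\\crypt32.dll
O20 - Winlogon Notify: mljklif - D:\\WINDOWS\\SYSTEM32\\mljklif.dll
O23 - Service: avast! Antivirus - ALWIL Software - D:\\Program\\Alwil Software\\Avast4\\ashServ.exe
"""

# Assumption: Winlogon Notify packages present on a stock Windows XP SP2 install.
# Anything not listed here deserves a closer look (extend for your own build).
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# HijackThis O2 (Browser Helper Object) and O20 (Winlogon Notify) line formats.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def basename(path):
    """Lower-cased file name of a Windows path, so O2/O20 entries can be matched."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (severity, reason, path) findings for the O2/O20 entries of a HijackThis log."""
    findings = []
    seen = defaultdict(set)  # DLL basename -> set of entry types it was registered under
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            seen[basename(m["path"])].add("O2")
            if m["name"].strip().lower() == "(no name)":
                findings.append(("medium", "BHO registered with no name", m["path"]))
            continue
        m = O20_RE.match(line)
        if m:
            seen[basename(m["path"])].add("O20")
            if m["key"].lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(("medium", "Winlogon Notify package not in XP allowlist", m["path"]))
    # One DLL loaded both into the browser (BHO) and into winlogon.exe (Notify package)
    # is the pattern seen in the thread: the file is locked by winlogon and re-registered.
    for name, kinds in seen.items():
        if {"O2", "O20"} <= kinds:
            findings.append(("high", "same DLL registered as BHO and as Winlogon Notify package", name))
    return findings


if __name__ == "__main__":
    for severity, reason, path in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {path}")
```

Run against the sample, the script reports the nameless BHO, the unknown Notify package and the high-severity overlap for mljklif.dll, while SDHelper.dll and crypt32chain produce nothing. The practical consequence of the O20 entry is the one described in the thread: because the DLL is mapped into winlogon.exe, it cannot be deleted from a running session, and removal has to happen either before Winlogon loads it or by a tool that renames the file at restart.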

I suggest you get BOC. http://www.comodo.com/boclean/boclean.html

It’s free. It has definitions that I think will allow it to spank the bottom of this trojan with force. It doesn’t scan the same way other stuff does; it is a memory-monitor. The malware has to access memory in order to run (whether it’s already on the machine or not). When it does so, BOC starts the spanking process (which includes removal, if you want it to).

It should prompt to get updates during install; please allow it to do so. Then reboot and let the fun begin. Given that the trojan involves winlogon, it’s possible that BOC removing the malware may crash your machine; this should not cause any problem other than another reboot.

LM

PS: Disable TeaTimer completely before installing BOC. Tea Timer has some coding issues that are problematic, and can interfere with BOC doing its job. You don’t want TT running on reboot.

Will download it now.

I’ve also downloaded Trojan Remover 6.6.2, it detected the trojan, so going to see if it’s able to deal with the problem, else I’ll try BOClean.
If Trojan Remover fixes the problem, I’ll install BOClean for future use.
Going to reboot computer now.

Ragwing

EDIT: It seems like Trojan Remover fixed the problem. Thanks for all your help Little Mac.

***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
2007-09-14 19:04:28: Trojan Remover has been restarted
Trojan Remover forced a System Restart by terminating WINLOGON.EXE.
The Cleanup Utility was used to remove locked registry keys.
D:\WINDOWS\system32\mljklif.dll has been renamed to D:\WINDOWS\system32\mljklif.dll.ren
2007-09-14 19:04:28: Trojan Remover closed

All that remained was a blank BHO that I removed manually.