Mljgh.exe


  • This topic is locked
13 replies to this topic

#1 Beltway

  • Members
  • 42 posts

Posted 25 January 2008 - 01:05 AM

I am going through the tutorial on virus removal, trying to download adaware etc, but I am having a hard time getting going because of this thing. When I start my pc I can browse with firefox but if I click on a video file it can make the system freeze. Also it will only open new browsers for the first few minutes after the pc turns on...then nothing. Nor will new files open up after the first few minutes, any word file, for instance, will not open. I cannot pull up my processes with control alt delete. This thing seems to have completely deleted the sygate security thing I had on the pc.

I have run Ad-Aware 3 times so far. The first time it found 80 things, the second time it found the mljgh.exe virus in two places, which I quarantined then deleted. Third time it found nothing. But my computer still won't function properly.

So I will just keep going through the tutorial but I was wondering if there was any way to kill this thing off right now while I am going through the tutorial, so I don't have to keep restarting my pc every five seconds due to the virus stalling out everything I am doing online, and not allowing me to open programs.

Every time I restart - which I have to do manually because the computer will not shut down since the virus hit, windows cannot access the path to C:\WINDOWS\System32\mljgh.exe then cannot load or run the same...make sure it exists....

Right now it is running OK and everything is opening.....maybe that is the solution, just make a post in here and everything goes away. :thumbsup:


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,470 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 January 2008 - 09:22 AM

You should not follow specific instructions provided to someone else especially if they were given in the HijackThis forum. Those instructions were given under the guidance of a trained staff expert to help fix that particular member's problems, NOT YOURS. Before taking any action, the helper must investigate the nature of the malware issues and then formulate a fix for the victim. Although your problem may be similar, the solution could be different based on the kind of hardware, software, system requirements, etc. and the presence of other malware.

Further, you should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Please follow the instructions for using VundoFix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Beltway

  • Topic Starter
  • Members
  • 42 posts

Posted 31 January 2008 - 12:40 AM

I already ran combofix before I made this thread and it didn't seem to do anything either way.
I ran VundoFix and here is the log:

VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 10:33:47 PM 1/25/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...


******************************



What does that log mean? Did it remove the old Java files? Seems like a strange way to end a log. Anyways, it didn't do anything. My computer freezes when I open media files over the net. It will only allow me access to the net for the first few minutes, but after that I have to use Firefox and open windows in a new tab from the current window. I can no longer click on the browser icon on my desktop and make it work after the first few minutes. No files will open either after the first few minutes. No Thunderbird email, no Word files, no control alt delete to look at processes, nothing will open from the control panel etc. And I have to manually turn off the pc to shut it down. However, if I click OK when it tells me about Mljgh.exe at start up, and let it go through the rest of the start up process, then, sometimes, it will shut down normally, unless I have already clicked on a media file it doesn't like, in which case it will not.

I am currently running the SuperAntiSpyware program in safe mode for the second time. It uncovered over 80 infections, the vast majority of which were Virtumonde related; however, it crashed right as it was done and attempting to quarantine the infections!!!!! So I am running the whole thing again; it takes over 45 minutes on my machine. I will post the first and second logs. Hopefully it gets to finish this time. It is already pulling up all the same things it did the first time.

#4 Beltway

  • Topic Starter
  • Members
  • 42 posts

Posted 31 January 2008 - 02:02 AM

Well now both logs are gone. It asked me if I wanted to reboot and I said yes but maybe I should have clicked finish before I said yes. There is nothing in the quarantine section and no "last scan date" when I have already scanned twice. However my computer seems to be working fine right now. It still tells me it can't find mljgh.exe on start up and another infected file as well that was in the system files but was removed by the scan. Gotta go to sleep but I will work on this more tomorrow after I get home from work.

#5 Beltway

  • Topic Starter
  • Members
  • 42 posts

Posted 31 January 2008 - 02:13 AM

I am doing a third scan in safe mode and I will post the log if there is one, tomorrow.

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,470 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 31 January 2008 - 09:43 AM

Sorry but network problems at work are keeping me from posting a timely reply.

What does that log mean? Did it remove the old java files?

It means your Java is out of date and several old versions are still on your machine.

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. That's probably how you came to be infected in the first place. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

It still tells me it can't find mljgh.exe on start up and another infected file as well that was in the system files...

The "Cannot find...", "Could not run..." or "Error loading..." message is usually related to a program (or malware) that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (Click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

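The orphaned-startup-entry situation described in the post above, as an added example that is not part of the thread and is not the Autoruns tool itself: a PowerShell script that walks the common Run/RunOnce keys and the Startup folders, works out which file each entry would actually launch, and reports the entries whose target no longer exists on disk (the cause of a "Windows cannot find C:\WINDOWS\System32\mljgh.exe" message at logon). It assumes a Windows host with PowerShell 5.1 or later and read access to HKLM and HKCU. The key list, the command-line parsing rules and the output layout are my own choices; Autoruns covers many more autostart locations (services, drivers, Winlogon Notify packages, scheduled tasks) than this script does.

```powershell
# Added example (not from the thread, not part of Autoruns). Lists autostart entries
# whose target file is missing: the cause of "Windows cannot find <file>" at logon.
# Assumes Windows, PowerShell 5.1+, read access to HKLM and HKCU.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the file that a Run-value command line really loads.
# Handles  "C:\Program Files\x\app.exe" /arg  |  C:\x\app.exe /arg  |  rundll32.exe C:\x\bad.dll,Entry
# An unquoted path containing spaces is reported as its first token, which is also
# the first thing CreateProcess tries when Windows resolves such an entry.
function Get-TargetPath {
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd -match '^"([^"]+)"\s*(.*)$')  { $exe, $tail = $Matches[1], $Matches[2] }
    elseif ($cmd -match '^(\S+)\s*(.*)$')  { $exe, $tail = $Matches[1], $Matches[2] }
    else { return $null }
    # rundll32 is a legitimate host; the DLL named after it is the real target
    if ($exe -match '(^|\\)rundll32(\.exe)?$' -and $tail) {
        $exe = if ($tail -match '^"([^"]+)"') { $Matches[1] } else { ($tail -split '[,\s]')[0] }
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# Does the target exist? A bare file name is resolved through the PATH search order,
# which is how Windows itself does (or fails to) find it at logon.
function Test-Target {
    param([string]$Target)
    if (-not $Target) { return $false }
    if ($Target -match '[\\/]') { return (Test-Path -LiteralPath $Target -PathType Leaf) }
    return [bool](Get-Command $Target -CommandType Application -ErrorAction SilentlyContinue)
}

$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)        # REG_EXPAND_SZ values come back expanded
        if (-not $cmd) { continue }
        $target = Get-TargetPath $cmd
        [pscustomobject]@{ Location=$key; Name=$name; Command=$cmd; Target=$target; Exists=(Test-Target $target) }
    }
})

# Startup-folder shortcuts: resolve each .lnk to its target before checking
$shell = New-Object -ComObject WScript.Shell
$entries += @(foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $t = $shell.CreateShortcut($_.FullName).TargetPath
        [pscustomobject]@{ Location=$dir; Name=$_.Name; Command=$_.FullName; Target=$t; Exists=(Test-Target $t) }
    }
})

# Winlogon Shell/Userinit are a favourite hijack point; print them for a manual sanity check
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Winlogon Shell    = $($wl.Shell)"
"Winlogon Userinit = $($wl.Userinit)"

"`nOrphaned autostart entries (target missing):"
$entries | Where-Object { -not $_.Exists } | Format-Table Location, Name, Target -AutoSize

# Delete only the entry that matches the file named in the logon error, e.g.
# Remove-ItemProperty -Path $entry.Location -Name $entry.Name -WhatIf
```

The script only reports; the commented Remove-ItemProperty line shows the deletion with -WhatIf so nothing is changed until the entry has been matched against the file name in the error message. Run it from an elevated prompt so the HKLM keys and the all-users Startup folder are readable.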

#7 Beltway

  • Topic Starter
  • Members
  • 42 posts

Posted 04 February 2008 - 12:09 AM

OK I have the latest Java as per your directions and deleted the old one and I don't have mljgh.exe at start up or the other one, removed them both with autoruns but everything is the same, email and browsers stop working, sometimes within minutes of start up.

There are some truly evil processes running on my pc so I guess the next step is to go through the tutorial and figure out how to remove them.

wuauclt.exe
sgmain.exe
khalmnpr.exe
hpotdd01.exe
hpohmr08.exe
AGRSMMSG.exe
wdfmgr.exe
aawservice.exe

#8 Beltway

  • Topic Starter
  • Members
  • 42 posts

Posted 04 February 2008 - 12:19 AM

My Windows Task Manager froze as I was typing those out, so I couldn't scroll down and had to restart.

Here are some more; I know some of these are probably evil.

sms.exe
csrss.exe
mdm.exe
lsass.exe
msiexec.exe

svchost.exe is on there twice as system as well as one as local service and network service

there are more

Thanks for your help on this. Unfortunately whatever is screwing my pc up (besides my own laziness in allowing vulnerabilities) is still just as bad, but at least it's a start.

I was hoping I could at least get past this problem of restarting my pc 567,654 times each day. Oh well, I am getting used to it now.

So I guess I will just make a thread after going through the tutorial and get myself unhijacked.

I already removed one thing called takafi (?) I think it was, which was a peer sharing thing that was hijack related. I removed the registry entry with Autoruns, but beyond that I don't want to mess with things I know nothing about.

#9 Beltway

  • Topic Starter
  • Members
  • 42 posts

Posted 04 February 2008 - 12:24 AM

I can't even get through the first step because cleanmgr won't run on my pc. It gets to about two blue bars and that's it; even after a half hour it just sits there. I tried it a few different times last week. Maybe if I left it on overnight.... That is why I skipped that step and went to Ad-Aware, then I had the idea to make this thread.

#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,470 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 February 2008 - 08:02 AM

Have your tried running your scans in "Safe Mode"?

sgmain.exe is related to SpywareGuard.
khalmnpr.exe is related to your Logitech mouse software.
hpotdd01.exe is related to HP Multimedia products.
hpohmr08.exe is related to drivers for the HP OfficeJet printer.
AGRSMMSG.exe is related to IBM AMR modem driver.
wdfmgr.exe is related to Microsoft Windows Media Player 10 and above.
aawservice.exe is related to Ad-Aware 2007 Service.
msiexec.exe belongs to the Windows Installer Component and is used to install new programs that use Windows Installer package files.
csrss.exe is the user-mode portion of the Win32 subsystem (Win32k.sys is the kernel-mode portion) and the main executable for the Microsoft Client/Server Runtime Server Subsystem. It is responsible for managing most graphical commands in Windows, console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.
lsass.exe is the Local Security Authentication Server which verifies the validity of user logons to your computer and generates the process responsible for authenticating users for the Winlogon service.
mdm.exe is Microsoft's Machine Debug Manager program which is included in Microsoft Visual Studio .NET, Microsoft Office 2007, Microsoft Office 2003, and a Microsoft Office XP post-Service Pack 3 release to provide support for program debugging.
wuauclt.exe is Windows Automatic Updates application which checks the Microsoft Windows Update website for updates to be installed.

sms.exe is added by the Troj/Dloader-KR TROJAN unless this is a spelling error. smss.exe is the session manager subsystem process which is responsible for starting the user session.

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load.

It is not unusual for multiple instances of Svchost.exe running at the same time in Task manager in order to optimise the running of the various services.

svchost.exe SYSTEM
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE

Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PID's must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time. To investigate these processes, see How to determine what services are running under a Svchost.exe process.

Anytime you come across a suspicious file, search the name using Google or the following links:
BC's File Database
BC's Startup Programs Database
File Research Center
ThreatExpert Malware Search
If no search results are found, you are given the option to "Submit a New Sample".

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

You can download and use Process Explorer or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select Properties, you will see more details about the file.

Anytime you come across a suspicious file which you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.
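The svchost grouping and the "check the path, not just the name" advice in the post above, as an added example that is not part of the thread and is not one of the tools it names: a PowerShell script that lists which service group and which services each running svchost.exe instance hosts (reading the same HKLM\...\Svchost key named above and matching it to live service PIDs), then checks every process carrying a critical system name (svchost, csrss, lsass, smss and a few others) for its expected directory and an Authenticode signature, and prints a SHA-256 so the file can be looked up on VirusTotal without uploading it. It finishes with a listing of established TCP connections owned by service-hosting processes, which answers the later question in this thread about svchost.exe contacting the internet. The name list, expected directories and output format are my own choices. It assumes Windows with PowerShell 5.1 or later, run from an elevated prompt so that SYSTEM-owned processes report their path; the connection listing additionally needs Get-NetTCPConnection (Windows 8 or later).

```powershell
# Added example, not part of the thread or of any tool it names.
# Assumes Windows, PowerShell 5.1+, elevated prompt (else csrss/lsass/smss paths read as unavailable).

# Where each critical system binary is expected to live; anything else with that name is suspect.
$expectedDir = @{
    svchost = "$env:SystemRoot\System32"; csrss    = "$env:SystemRoot\System32"
    lsass   = "$env:SystemRoot\System32"; smss     = "$env:SystemRoot\System32"
    winlogon= "$env:SystemRoot\System32"; services = "$env:SystemRoot\System32"
    wininit = "$env:SystemRoot\System32"; explorer = "$env:SystemRoot"
}

# --- 1. Service group and services hosted by each svchost.exe instance -----------------------
# The Svchost registry key defines the groups (value name = group, REG_MULTI_SZ data = service
# names); Win32_Service supplies the live PID of every running service.
$groupOf = @{}
$svchostKey = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
foreach ($prop in $svchostKey.PSObject.Properties) {
    if ($prop.Value -is [string[]]) {                       # skip PSPath and other metadata strings
        foreach ($svc in $prop.Value) { $groupOf[$svc.ToLower()] = $prop.Name }
    }
}
$servicesByPid = @{}
foreach ($svc in Get-CimInstance Win32_Service | Where-Object ProcessId -ne 0) {
    $servicesByPid[[int]$svc.ProcessId] += @($svc.Name)
}
"svchost.exe instances:"
foreach ($p in Get-Process -Name svchost | Sort-Object Id) {
    $svcs = $servicesByPid[$p.Id]
    if (-not $svcs) {
        # An svchost.exe that hosts no registered service deserves the path/signature check below
        "{0,6}  (no registered services)" -f $p.Id; continue
    }
    $groups = ($svcs | ForEach-Object { $groupOf[$_.ToLower()] } | Sort-Object -Unique) -join ','
    "{0,6}  [{1}]  {2}" -f $p.Id, $groups, ($svcs -join ', ')
}

# --- 2. Critical names: expected directory + Authenticode signature + hash for VirusTotal -----
# Malware reuses names like svchost.exe or lsass.exe from another directory, so a name match
# in Task Manager proves nothing; the path and the signature do.
$findings = @(foreach ($p in Get-Process | Where-Object { $expectedDir.ContainsKey($_.ProcessName.ToLower()) }) {
    $path = try { $p.Path } catch { $null }
    if (-not $path) {
        [pscustomobject]@{ PID=$p.Id; Name=$p.ProcessName; Path='(unavailable, run elevated)'; Status='UNKNOWN'; SHA256=$null }
        continue
    }
    $wantDir = $expectedDir[$p.ProcessName.ToLower()]
    $dirOk   = [IO.Path]::GetDirectoryName($path).TrimEnd('\') -ieq $wantDir
    $sig     = Get-AuthenticodeSignature -FilePath $path       # catalog-signed OS files report Valid
    $status  = if (-not $dirOk) { 'WRONG PATH' }
               elseif ($sig.Status -ne 'Valid') { "BAD SIGNATURE ($($sig.Status))" }
               else { 'ok' }
    [pscustomobject]@{
        PID=$p.Id; Name=$p.ProcessName; Path=$path; Status=$status
        SHA256=(Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash   # look up, rather than upload, the file
    }
})
"`nCritical-name processes:"
$findings | Sort-Object Status | Format-Table PID, Name, Status, Path -AutoSize
$findings | Where-Object Status -ne 'ok' | Format-List PID, Path, SHA256

# --- 3. Which service-hosting process owns which established connection (Windows 8+) ----------
"`nEstablished connections owned by service-hosting processes:"
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $servicesByPid.ContainsKey([int]$_.OwningProcess) } |
    Select-Object OwningProcess, RemoteAddress, RemotePort,
        @{n='Services'; e={ $servicesByPid[[int]$_.OwningProcess] -join ', ' }} |
    Format-Table -AutoSize
```

A genuine svchost.exe runs from %SystemRoot%\System32, reports Valid for its signature and hosts a named group such as netsvcs; an instance with WRONG PATH, a non-Valid signature or no services at all is the one to hash and look up. Section 3 attributes each connection to the services in the owning process, which is the information a "svchost.exe wants to access the internet" firewall prompt leaves out.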

#11 Beltway

  • Topic Starter
  • Members
  • 42 posts

Posted 04 February 2008 - 11:25 PM

It was a typo its really smss.exe

I will work my way through the tutorial now.......

#12 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,470 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 February 2008 - 08:15 AM

Ok. Like I said if you can't find any info on a suspicious file submit it to one of the online virus scans and post back with the results.

#13 Beltway

  • Topic Starter
  • Members
  • 42 posts

Posted 18 March 2008 - 09:30 PM

I am paranoid that svchost.exe is evil because it is constantly contacting the internet, and I am always saying no and it doesn't seem to effect anything (or when I say yes). But I have heard of bad things running under the guise of the real svchost.exe. I am currently waiting a week for my hijack this log to be addressed (but I am not complaining by any means, I am glad to get the help). I did a search for the file with explorer and it does not come up. Why would that be?

#14 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 March 2008 - 09:33 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic.