TechSpot

Fixed mljjh.dll

By michaelper22
Aug 26, 2007
  1. I downloaded a certain program, and about a day later, I noticed that my hard disk light was constantly blinking.

    My initial reaction was to look through Task Manager and see if anything had an unusually high CPU usage; that didn't get me anything.

    I then opened up Process Explorer, and looked at the one instance of RunDLL. To get more info about what it was actually doing, I went to Process Explorer's "View -> Lower Pane View", and selected "DLLs". That shined light on a strange looking DLL named mljjh.dll.

    I tried to kill the RunDLL.exe process (right-click and select "Kill Process"), but it would keep on coming back. Since I normally run as a non-administrator user, I knew that mljjh.dll couldn't get further than my user's directory, and also couldn't write anywhere outside HKCU in the registry.

    So I logged off my user, and logged back on as an admin. I then deleted the mljjh.dll file from my \Local Settings\Temp directory, and later deleted the one Registry key pointing to the rogue DLL.

    The advice to remember here is that malware will often hide behind a RunDLL process. Also, running as a least-privileged-user account really does help.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ah, another Vundo infection. It might be a good idea to post a HJT log as per these instructions, just to see if there's any other malware on your system.

    Regards Howard :)
     
  3. michaelper22

    michaelper22 TS Rookie Topic Starter Posts: 21

    I never used HJT before, but since you asked, the log file is attached.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Nothing too serious there, but there are one or two things that should be removed.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    ALCMTR.EXE
    cloaker.exe
    intel_tweak3.cmd

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - HKLM\..\Run: [thirdintel] c:\hp\bin\cloaker.exe c:\hp\bin\intel_tweak\intel_tweak3.cmd

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    c:\hp\bin\cloaker.exe
    c:\hp\bin\intel_tweak\intel_tweak3.cmd
    C:\WINDOWS\ALCMTR.EXE

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of michaelper22 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. michaelper22

    michaelper22 TS Rookie Topic Starter Posts: 21

    Done. The second file you asked me to delete didn't exist.

    Could you enlighten me as to what function the files other than cloaker.exe do? (I researched cloaker on my own.)
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE entry is still showing up in your HJT log.

    The files I asked you to delete aren't particularly nasty, but they do phone home a lot with god knows what information and are therefore best got rid of.

    Other than the above, your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)
     
  7. michaelper22

    michaelper22 TS Rookie Topic Starter Posts: 21

    "If it ain't broke, don't fix it" - My computer seems to run semi-normally, so I'll let it stay.

    Thanks for your help.
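
Added example (not part of the original thread, and not HijackThis's own code): a small Python triage of HijackThis O4 autostart lines that flags entries launched through rundll32 or pointing into a user-writable directory, the pattern described in the first post. The HKCU sample line, its value name, user name and entry point are constructed assumptions; the thread does not show the actual registry entry for mljjh.dll.

```python
import re

# HijackThis autostart line, in the form quoted in this thread:
#   O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32 followed by the DLL path (quoted or not), up to the ",EntryPoint" part
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', re.I)
# Directories a non-administrator account can typically write to
# (assumption: Windows XP-style profile paths, as in the thread)
USER_WRITABLE = re.compile(r"\\(temp|application data)\\", re.I)


def triage(log_text):
    """Return (name, hive, reasons) for every O4 entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue  # not an O4 autostart line
        cmd, reasons = m["cmd"], []
        r = RUNDLL.search(cmd)
        # For rundll32 entries the interesting file is the DLL, not rundll32 itself
        target = r["dll"].strip() if r else cmd
        if r:
            reasons.append("launched through rundll32: " + target)
        if USER_WRITABLE.search(target):
            reasons.append("payload in a user-writable directory")
        if reasons:
            findings.append((m["name"], m["hive"], reasons))
    return findings


# Constructed sample: the two HKLM lines are quoted in the thread; the HKCU
# line is a made-up illustration of a Run value that loads a DLL from Temp.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [thirdintel] c:\hp\bin\cloaker.exe c:\hp\bin\intel_tweak\intel_tweak3.cmd
O4 - HKCU\..\Run: [example] rundll32.exe "C:\Documents and Settings\user\Local Settings\Temp\mljjh.dll",ExamplePoint
"""

if __name__ == "__main__":
    for name, hive, reasons in triage(SAMPLE_LOG):
        print(f"[{hive}] {name}: " + "; ".join(reasons))
```

A hit is only a prompt to inspect the file and its registry value; legitimate software also registers rundll32 autostart entries.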
     
Topic Status:
Not open for further replies.
