mshjlj.dll virus

Laudare1 · #1 (**permalink**) 23-12-2004, 01:30 AM

Having recently installed and run AVG Antivirus, the program has quarantined a few things, but every time i open an application it tells me there is a Trojan 'back door agent' in the C:\WINDOWS\system32\mshjlj.dll file. I cannot delete it, heal or quarantine it, nor will KillBox kill it. Can anyone help?

A HijackThis log is below:

Logfile of HijackThis v1.99.0
Scan saved at 00:08:46, on 23/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\batberos.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spisrvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\TIM HUBBARD\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D9A78059-D7D4-4A3B-AE24-913240E7AF91} - C:\WINDOWS\system32\behlf.dll (file missing)
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [9fKJzw1O8] C:\documents and settings\tim hubbard\local settings\temp\9fKJzw1O8.exe
O4 - HKLM\..\Run: [Olympic] c:\programmi\sgrunt\IE4321.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [xsEP32j] batberos.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\HaldexLtd\stnd500\34525781.exe -remove
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ICC2000] C:\Program Files\Internet\ICC\icc2000.exe
O4 - HKCU\..\Run: [gBxFRSH6T] spisrvc.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O15 - Trusted Zone: www.yeak.net
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12118/CTSUEng.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/...tdmgainads.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1041290.exe
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_GB.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12118/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC9A9EC-FC8F-43E7-99D6-4A7F62981E8F}: NameServer = 62.241.162.200 158.43.240.3
O18 - Filter: text/html - {AF2E64C3-AB76-473C-9735-F7B858B33A91} - C:\WINDOWS\system32\behlf.dll
O18 - Filter: text/plain - {AF2E64C3-AB76-473C-9735-F7B858B33A91} - C:\WINDOWS\system32\behlf.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\mshjlj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: RadClock - Unknown - C:\WINDOWS\system32\RadClock.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Not only that, but I've also got the dialeradmin hijack on mozilla, and the about:blank hijack on IE, doh!

Sure hope someone can help..

brain_damage · #2 (**permalink**) 23-12-2004, 02:06 AM

Cant help on the Hijack log............but to get rid of the trojan.. disable system restore, boot in safe mode, run avg, then enable system restore and see if the trojan is still there..........hope this helps someway..

owen · #3 (**permalink**) 23-12-2004, 12:44 PM

Hello,
Please download and install APM from here. Also download and install Ad-aware from here.

Once you have installed Ad-aware, run the program and in the bottom right hand corner click Check For Updates. Update Ad-aware following the prompts and then close the program, we will use it later.

Now disconnect from the internet, restart Hijack This and put a checkmark next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
O2 - BHO: (no name) - {D9A78059-D7D4-4A3B-AE24-913240E7AF91} - C:\WINDOWS\system32\behlf.dll (file missing)
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [9fKJzw1O8] C:\documents and settings\tim hubbard\local settings\temp\9fKJzw1O8.exe
O4 - HKLM\..\Run: [Olympic] c:\programmi\sgrunt\IE4321.exe
O4 - HKLM\..\Run: [xsEP32j] batberos.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\HaldexLtd\stnd500\34525781.exe -remove
O4 - HKCU\..\Run: [gBxFRSH6T] spisrvc.exe
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download...ptdmgainads.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1041290.exe
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_GB.cab
O18 - Filter: text/html - {AF2E64C3-AB76-473C-9735-F7B858B33A91} - C:\WINDOWS\system32\behlf.dll
O18 - Filter: text/plain - {AF2E64C3-AB76-473C-9735-F7B858B33A91} - C:\WINDOWS\system32\behlf.dll

Now click Fix Checked

After you have done that, start APM.

In the top Window select explorer.exe
After this, in the bottom Windows find behlf.dll
Right click behlf.dll and choose Unload.
Click OK

Now Start Ad-aware

We need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:

Automatically save log-file
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

Scan Within Archives
Scan Active Processes
Scan Registry
Deep Scan Registry
Scan my IE favorites for banned URL’s
Scan my Hosts file
Under Click here to select drives + folders, choose:
All of your hard drives

Click on the Advanced button on the left and select:

Include additional process information
Include additional file information
Include environment information

Click the Tweak button and select:

Under the Scanning Engine:
- Unload recognized processes & modules during scan
- Include additional Ad-aware settings in logfile
Under the Cleaning Engine:
- Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Boot into Safe Mode.

Go to C:\documents and settings\tim hubbard\local settings\temp and once in the folder click Edit> Select All. Then hit the delete key to get rid of the entire contents of the folder. Leave the folder itself intact though.

Delete the following files and folders. Use the Windows Search tool to search for and delete any files that don't have a specific location below:

C:\Program Files\CxtPls
win32x.exe
c:\programmi\sgrunt
C:\WINDOWS\system32\batberos.exe
c:\program files\HaldexLtd
C:\WINDOWS\system32\spisrvc.exe

Reboot into Normal Mode. Are you running Windows XP Home Edition or Windows XP Professional? What file system is your computer using, FAT32 or NTFS? You can find this out by going to Start> My Computer. Click your Hard Drive and under the details heading next to file system it will tell you. Post a fresh Hijack This log as well.

Laudare1 · #4 (**permalink**) 23-12-2004, 10:10 PM

Thanks Owen! What a quick, detailed answer!

OK, have done as instructed, except:
1. APM didn't find 'behlf.dll'
2. I can't find the last 5 files you said to delete, even with Windows searching for hidden.

Also....I'm still getting the original virus message about mshjlj.dll

The PC runs WindowsXPHome with SP2, file system is NTFS.

The Hijack log follows:

Logfile of HijackThis v1.99.0
Scan saved at 20:59:54, on 23/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\TIM HUBBARD\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ICC2000] C:\Program Files\Internet\ICC\icc2000.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O15 - Trusted Zone: www.yeak.net
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12118/CTSUEng.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12118/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC9A9EC-FC8F-43E7-99D6-4A7F62981E8F}: NameServer = 62.241.162.200 158.43.240.3
O20 - AppInit_DLLs: C:\WINDOWS\System32\mshjlj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: RadClock - Unknown - C:\WINDOWS\system32\RadClock.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I'd be grateful for your further help!

owen · #5 (**permalink**) 24-12-2004, 07:38 PM

Hello again,
Please download the attached file hiving_154.zip and then download CWShredder from here. Save them to a convenient location like your Desktop.

Unzip hiving_154.zip

Then disconnect from the internet. Beforehand I suggest you print this page and the article located here, you will need this information.

Now double click the hiving.bat file that you unzipped from hiving_154.zip

After you have run the file, then Reboot and boot into Safe Mode

Locate the file C:\Windows\System32\mshjlj.dll.dll and take ownership of this file. The article that you printed out from the Microsoft website gives you instructions on how to do this.

Then rename the file from mshjlj.dll to badfile.dll then to badfile.txt. Then delete the file.

Now double click the CWShredder.exe file you downloaded earlier and click Fix and follow the prompts.

Then reboot into normal mode and post a fresh log back here

Laudare1 · #6 (**permalink**) 10-01-2005, 10:40 PM

Thanks, unfortunately the mshjlj.dll file is impossible to locate with the computer in safe mode!
Have run hiving.bat and CWS Shredder, still getting the trojan message.

owen · #7 (**permalink**) 12-01-2005, 11:20 PM

Ensure you are showing hidden files and folders as well. See here.

Laudare1 · #8 (**permalink**) 14-01-2005, 12:14 PM

I have, the file is visible with the PC running normally, but it disappears in safe mode

owen · #9 (**permalink**) 17-01-2005, 08:25 PM

Run the hiving_154.bat file again. Then delete the file. If that doesn't work, remember to take ownership!