Removal of Virus/Trojan DLLs?

Websider

I have identified three suspected Virus/Trojan DLL files on my system:

C:\WINDOWS\system32\mlljg.dll
C:\WINDOWS\system32\tuvwtqq.dll
C:\WINDOWS\system32\wineak32.dll

When I attempt to delete these files using Explorer, I get the message
‘Cannot delete … It is being used by another person or program’

I have also identified these suspicious entries in a HijackThis log:

O2 - BHO: (no name) - {74F09124-5F73-4639-999F-F276C20F6D6D} - C:\WINDOWS\system32\mlljg.dll
O2 - BHO: (no name) - {ED203331-9C33-49D8-8714-D24A366A04EC} - C:\WINDOWS\system32\tuvwtqq.dll
O20 - Winlogon Notify: tuvwtqq - C:\WINDOWS\SYSTEM32\tuvwtqq.dll
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll

One of these suspicious modules appears to also act as a backdoor for
injection of other virus/Trojan processes like:

mgrs.exe
winxxx.exe (where xxx is a two- or three-digit number)
wanmpsvc.exe
drvxxx.exe (where xxx are three characters such as 'heb' or 'max')

Using Warecase eXtended Task Manager (XTM) and DiamondCS Advanced Process
Elimination (APM), I have identified the modules mlljg.dll and tuvwtqq.dll
under process explorer.exe and have identified the modules tuvwtqq.dll and
wineak32.dll under the process winlogon.exe.

I have attempted to unload these processes using XTM and APM without success.

Neither Trend Micro PC-cillin nor System Cleaner, nor a variety of spyware
scanners (Microsoft, Ad-Aware, Ashampoo, Panda, etc.) have been able to
identify and/or remove these virus/Trojans from my system.

Can you PLEASE advise me of how I can eliminate these suspected
Virus/Trojans from my system?
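
The HijackThis entries in the post above can be grouped by DLL to show which process each autostart type loads it into, which matches the module listing the poster saw and explains the "being used" error on delete. This is an added example, not part of the original thread: the function names are hypothetical, the O2-to-explorer.exe and O20-to-winlogon.exe mapping is general Windows XP behaviour rather than something stated in the thread, and the log text is copied as originally posted, with entries run together by line wrapping and one "O2" typed as "02".

```python
import re
from collections import defaultdict

# Log text as originally posted in the thread (wrapped lines, "02" for "O2").
POSTED_LOG = r"""
O2 - BHO: (no name) - {74F09124-5F73-4639-999F-F276C20F6D6D} -
C:\WINDOWS\system32\mlljg.dll
02 - BHO: (no name) - {ED203331-9C33-49D8-8714-D24A366A04EC} -
C:\WINDOWS\system32\tuvwtqq.dll O20 - Winlogon Notify: tuvwtqq -
C:\WINDOWS\SYSTEM32\tuvwtqq.dll O20 - Winlogon Notify: wineak32 -
C:\WINDOWS\SYSTEM32\wineak32.dll
"""

# Assumption: process that loads each autostart type on Windows XP.
# O2 (Browser Helper Object) loads into the Explorer shell and Internet
# Explorer; O20 (Winlogon Notify) loads into winlogon.exe at boot.
HOST = {"O2": "explorer.exe", "O20": "winlogon.exe"}

# A section code at a token boundary; a leading zero is read as the letter O.
ENTRY_START = re.compile(r"(?<!\S)[O0](\d{1,2}) - ")
BHO = re.compile(
    r"BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)")
NOTIFY = re.compile(r"Winlogon Notify: (?P<name>.*?) - (?P<path>.+)")

def parse_entries(text):
    """Undo the line wrapping, then split on section codes (O2, O20, ...)."""
    flat = " ".join(text.split())
    starts = list(ENTRY_START.finditer(flat))
    entries = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(flat)
        section = "O" + m.group(1)
        body = flat[m.end():end].strip()
        pattern = BHO if section == "O2" else NOTIFY if section == "O20" else None
        hit = pattern.fullmatch(body) if pattern else None
        if hit:  # other section types are skipped in this narrowed example
            entries.append({"section": section, **hit.groupdict()})
    return entries

def hosts_by_dll(entries):
    """Map each DLL path (case-insensitive) to the processes that load it."""
    hosts = defaultdict(set)
    for e in entries:
        hosts[e["path"].lower()].add(HOST[e["section"]])
    return {path: sorted(procs) for path, procs in hosts.items()}

if __name__ == "__main__":
    for path, procs in hosts_by_dll(parse_entries(POSTED_LOG)).items():
        print(f"{path}: loaded by {', '.join(procs)}")
```

A DLL that appears under both section types, as tuvwtqq.dll does here, has to be cleared from both registry locations before the file lock goes away.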
 
Richard Urban

Sometimes it is necessary to flatten your system and start completely fresh.
Then practice safe hex.



--

Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)
 
Malke

Post your HijackThis log in one of the specialty forums listed below (in
no particular order). Please do *not* post the log here in the MS
newsgroups as you will not get the expert attention you need.

Choose a forum, read the posting FAQ, register, and you will be given
guided help.

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
Buck Rogers

On Sat, 24 Nov 2007 21:13:00 -0800, Websider
<Websider@discussions.microsoft.com> wrote:

>I have identified three suspected Virus/Trojan DLL files on my system:
>
>C:\WINDOWS\system32\mlljg.dll
>C:\WINDOWS\system32\tuvwtqq.dll
>C:\WINDOWS\system32\wineak32.dll
>
>When I attempt to delete these files using Explorer, I get the message
>‘Cannot delete … It is being used by another person or program’
>
>I have also identified these suspicious entries in a HijackThis log:
>
>O2 - BHO: (no name) - {74F09124-5F73-4639-999F-F276C20F6D6D} - C:\WINDOWS\system32\mlljg.dll
>O2 - BHO: (no name) - {ED203331-9C33-49D8-8714-D24A366A04EC} - C:\WINDOWS\system32\tuvwtqq.dll
>O20 - Winlogon Notify: tuvwtqq - C:\WINDOWS\SYSTEM32\tuvwtqq.dll
>O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
>
>One of these suspicious modules appears to also act as a backdoor for
>injection of other virus/Trojan processes like:
>
>mgrs.exe
>winxxx.exe (where xxx is a two- or three-digit number)
>wanmpsvc.exe
>drvxxx.exe (where xxx are three characters such as 'heb' or 'max')
>
>Using Warecase eXtended Task Manager (XTM) and DiamondCS Advanced Process
>Elimination (APM), I have identified the modules mlljg.dll and tuvwtqq.dll
>under process explorer.exe and have identified the modules tuvwtqq.dll and
>wineak32.dll under the process winlogon.exe.
>
>I have attempted to unload these processes using XTM and APM without success.
>
>Neither Trend Micro PC-cillin nor System Cleaner, nor a variety of spyware
>scanners (Microsoft, Ad-Aware, Ashampoo, Panda, etc.) have been able to
>identify and/or remove these virus/Trojans from my system.
>
>Can you PLEASE advise me of how I can eliminate these suspected
>Virus/Trojans from my system?


Hello,

One way is to remove the hard drive and put it in another computer as a
slave. Boot the computer, navigate to the slave and rename the files
(dll and exe) you've identified above. Return the hard drive to your
computer as master, run HijackThis. Check the boxes and fix the
entries you've identified above. If all seems to be running properly,
then delete the files you renamed.

Regards,

Buck
 
Websider

Malke,

Thanks for putting me onto AumHa.
Those guys were outstanding.
After several iterations with very detailed instructions my computer was
saved!
I highly recommend AumHa to anyone with a serious virus/spyware problem and
have made a voluntary donation to their outstanding free service.

Cheers,

Tony
Australia

 
Malke

Websider wrote:
> Malke,
>
> Thanks for putting me onto AumHa.
> Those guys were outstanding.
> After several iterations with very detailed instructions my computer was
> saved!
> I highly recommend AumHa to anyone with a serious virus/spyware problem and
> have made a voluntary donation to their outstanding free service.


I'm so pleased that worked for you. Thank you very much for taking the
time to post back.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 