
ljhhg.dll trojan? can't delete it


ftechguy

IS-IT--Management
Oct 2, 2002
149
US
A user reported popups that say his laptop is infected, click here to scan, etc. OK, sounds familiar.

A HijackThis log shows only one suspicious file: the above-named DLL is always loaded at startup. I tried to remove it, but a rescan always shows it appearing again. I can't delete the file, whether in safe mode or command-prompt safe mode. Neither Killbox nor MoveOnBoot could get rid of it. Norton, Spybot S&D and Ewido don't detect it at all.

Anybody have anything else I can try, or have any info about this? A Google search gave only two pages, which are not in English but seem to confirm it's malware.
The file shows no info in its Properties view. The creation date puts it around the time the user started having problems.
Any help would be appreciated.
TIA!
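A defender-side check for the symptoms described in that first post (a DLL referenced from an autostart location, no version information in Properties, a creation date near the onset of trouble, and a file that can't be deleted because a process has it loaded). This is an added example for illustration, not code from the thread or from any of the tools it names; it assumes an elevated PowerShell 5.1 or later session on the affected machine, and the $Days window and the set of autostart keys it inspects are assumptions of mine.

```powershell
# Added example, not from the thread: list DLLs referenced from common
# autostart locations and flag those showing the first post's symptoms
# (no version/company info in Properties, created recently). Assumes an
# elevated PowerShell 5.1+ session on the affected machine.
param([int]$Days = 14)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$notifyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32   = Join-Path $env:SystemRoot 'System32'
$candidates = @{}   # dll path -> registry location that references it
# Run/RunOnce values are command lines; pull out every absolute .dll path.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # provider metadata, not a value
        foreach ($m in [regex]::Matches([string]$p.Value, '(?i)[A-Za-z]:\\[^"]+?\.dll')) {
            $candidates[$m.Value] = "$key\$($p.Name)"
        }
    }
}
# Winlogon\Notify subkeys load the DLL named in DllName, often with no path.
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
        if (-not $dll) { continue }
        if (-not [System.IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $system32 $dll }
        $candidates[$dll] = $sub.PSPath
    }
}
$cutoff = (Get-Date).AddDays(-$Days)
foreach ($path in $candidates.Keys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }   # file gone: nothing to inspect
    $f  = Get-Item -LiteralPath $path
    $vi = $f.VersionInfo
    $noVersionInfo = -not ($vi.CompanyName -or $vi.FileDescription -or $vi.FileVersion)
    # Processes that have the DLL mapped explain why a plain delete fails.
    $loadedIn = Get-Process | Where-Object {
        try { $_.Modules.FileName -contains $f.FullName } catch { $false } } |
        Select-Object -ExpandProperty ProcessName -Unique
    [pscustomobject]@{
        Path = $f.FullName; Autostart = $candidates[$path]; Created = $f.CreationTime
        Suspicious = ($noVersionInfo -and $f.CreationTime -gt $cutoff); LoadedIn = ($loadedIn -join ',')
    }
}
```

Rows with Suspicious set to True are candidates for a closer look, and LoadedIn names the processes that would need to be stopped (or the file renamed on reboot) before the file can be removed.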
 
Download HijackThis from the link below. Please do this. Click here:

to download HijackThis. Click scan and save a logfile, then post it here so we can take a look at it for you. Don't click fix on anything in HijackThis, as most of the files are legitimate.

* Download the trial version of Ewido Security Suite here
* Install Ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch Ewido.
* It will prompt you to update; click the OK button and it will go to the main screen.
* On the left side of the main screen click Update.
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.

* Click here to download ATF Cleaner by Atribune and save it to your desktop.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
  o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.

* Click here for info on how to boot to safe mode if you don't already know how.
* Now copy these instructions to Notepad and save them to your desktop. You will need them to refer to in safe mode.
* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Run Ewido:
  * Click on Scanner.
  * Click Complete System Scan and the scan will begin.
  * During the scan it will prompt you to clean files; click OK.
  * When the scan is finished, look at the bottom of the screen and click the Save report button.
  * Save the report to your desktop.

Reboot to normal mode and run a few online scans!

Run an online antivirus check from

choose extended database for the scan!

Post another HijackThis log, plus the Ewido and Kaspersky scan logs.

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Well, the person is just going to wipe everything now. I wanted to try RKR; I think that might've shown what was recreating the file entries that made it start up. Oh well, probably a randomly generated trojan name.
 
The DLL actually looks like Vundo!

Please download to your desktop.
· Double-click VundoFix.exe to run it.
· Click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files; click YES.
· Once you click yes, your desktop will go blank as it starts removing Vundo.
· When completed, it will prompt that it will shut down your computer; click OK.
· Turn your computer back on.

Go here and download the latest version of Java. Once downloaded, go to Add/Remove and uninstall all previous versions of Java from Add/Remove, and then install the latest version you just downloaded!



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Hi pechenegs,
Thanks for that link; I never heard of Vundo before.
I won't be able to give it a try though, unfortunately, since the laptop has already been wiped, but I'll save it for future reference.
Thanks again!
 