Trojan Downloader

Demented622 · Jan 17, 2008

I have been infected with what McAfee calls a "Trojan Downloader". It is
stored in the following file: "C:\WINDOWS\system 32\ljjjgff.dll". McAfee
cannot quarintine the file, and when I try to manually delete it, it says
cannot be deleted, system is running. This trojan is constantly running in
background and has slowed me down to the point where I am ready to chuck it
all and buy a new one. Problem is, I have all my business files on this pute
ie: billing, etc. ANY ideas of how to get rid of this???? PLEASE!!!!

David H. Lipman · Jan 17, 2008

From: "Demented622" <[email protected]>

| I have been infected with what McAfee calls a "Trojan Downloader". It is
| stored in the following file: "C:\WINDOWS\system 32\ljjjgff.dll". McAfee
| cannot quarintine the file, and when I try to manually delete it, it says
| cannot be deleted, system is running. This trojan is constantly running in
| background and has slowed me down to the point where I am ready to chuck it
| all and buy a new one. Problem is, I have all my business files on this pute
| ie: billing, etc. ANY ideas of how to get rid of this???? PLEASE!!!!

You have what is most likely a Vundo Trojan.

Two phase answer...

Perform Part 1 then perform Part 2

If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.
There are numerous vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 6.0 update 3 (jre 6u3)

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.6.0_03

http://java.sun.com/javase/downloads/index.jsp
http://www.java.com/en/download/manual.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102622-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1

Part 1
------------
Download Adware-Virtumundo Removal Tool --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

Part 2
------------
Download Atribune's VUNDOFIX.EXE
http://www.atribune.org/ccount/click.php?id=4

Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.

* * * Please report back your results * * *

GS · Jan 17, 2008

have you try safe mode?
system restore roll back prior to the infection?

if still fails, disable system restore
How to turn off or turn on Windows XP System Restore"
in safe mode
WARNING: Symantec strongly recommends that you back up the registry before
making any changes to it. Incorrect changes to the registry can result in
permanent data loss or corrupted files. Modify the specified keys only. Read
the document, "How to make a backup of the Windows registry," for
instructions.

----------------------------------------------------------------------------
----

1.. Click Start, and then click Run. (The Run dialog box appears.)
2.. Type reedit

Then click OK. (The Registry Editor opens.)

3.. Navigate to each of these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4.. For each one, in the right pane, delete any values that refer to any
files that were detected as Downloader.Trojan.

5.. Exit the Registry Editor.
you should be able to delete the file by now, actually once in safe mode you
should be able to delete the file

my philosohy is if not microsoft, Symantec, CA, Mcafee, or other vendors I
deal with or some major ISV of the above, I don't download

David H. Lipman · Jan 17, 2008

From: "GS" <[email protected]>

| have you try safe mode?
| system restore roll back prior to the infection?
|
| if still fails, disable system restore
| How to turn off or turn on Windows XP System Restore"
| in safe mode
| WARNING: Symantec strongly recommends that you back up the registry before
| making any changes to it. Incorrect changes to the registry can result in
| permanent data loss or corrupted files. Modify the specified keys only. Read
| the document, "How to make a backup of the Windows registry," for
| instructions.
|
| ----------------------------------------------------------------------------
| ----
|
| 1.. Click Start, and then click Run. (The Run dialog box appears.)
| 2.. Type reedit
|
| Then click OK. (The Registry Editor opens.)
|
| 3.. Navigate to each of these keys:
|
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| 4.. For each one, in the right pane, delete any values that refer to any
| files that were detected as Downloader.Trojan.
|
| 5.. Exit the Registry Editor.
| you should be able to delete the file by now, actually once in safe mode you
| should be able to delete the file
|
| my philosohy is if not microsoft, Symantec, CA, Mcafee, or other vendors I
| deal with or some major ISV of the above, I don't download
|

The file; C:\WINDOWS\system 32\ljjjgff.dll
is a DLL, not an EXE, it is NOT loaded via the Registry Run locations.

This DLL file is protected by the OS via a BHO and via the DLL being loaded winlogin/notify

Thanx for trying but...
you missed the mark

Elmo · Jan 17, 2008

David said:
From: "GS" <[email protected]>

| have you try safe mode?
| system restore roll back prior to the infection?
|
| if still fails, disable system restore
| How to turn off or turn on Windows XP System Restore"
| in safe mode
| WARNING: Symantec strongly recommends that you back up the registry before
| making any changes to it. Incorrect changes to the registry can result in
| permanent data loss or corrupted files. Modify the specified keys only. Read
| the document, "How to make a backup of the Windows registry," for
| instructions.
|
| ----------------------------------------------------------------------------
| ----
|
| 1.. Click Start, and then click Run. (The Run dialog box appears.)
| 2.. Type reedit
|
| Then click OK. (The Registry Editor opens.)
|
| 3.. Navigate to each of these keys:
|
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| 4.. For each one, in the right pane, delete any values that refer to any
| files that were detected as Downloader.Trojan.
|
| 5.. Exit the Registry Editor.
| you should be able to delete the file by now, actually once in safe mode you
| should be able to delete the file
|
| my philosohy is if not microsoft, Symantec, CA, Mcafee, or other vendors I
| deal with or some major ISV of the above, I don't download
|

The file; C:\WINDOWS\system 32\ljjjgff.dll
is a DLL, not an EXE, it is NOT loaded via the Registry Run locations.

This DLL file is protected by the OS via a BHO and via the DLL being loaded winlogin/notify

Thanx for trying but...
you missed the mark

Is it anywhere in the registry, perhaps with "Rundll32.exe " before it?
If so, try this from Safe Mode. Afterwards, restart in Safe Mode
again. The file shouldn't be running, and can be deleted:

Click Start, Run, type REGEDIT, click OK. Press the Home key, press F3,
type the name of the file into the search pane. Click "Find Next", and
when located, delete the reference to the file. Press F3 to continue
the search.

If ljjjgff.dll follows "explorer.exe ", (but I don't think it can), edit
out " ljjjgff.dll". If you find any references to it in the registry,
but aren't sure they can be safely removed, post what you find.

You can click File, Export, and save the entry to the Desktop. If you
remove it and there's a problem, double-click the .reg file you exported
to the Desktop and it'll be added to the registry again. You can create
a restore point before editing the registry too.

You could click Start, Run, type MSCONFIG, click OK, click the StartUp
tab, and deselect the item(s). When you restart the computer, you will
be warned that you're running in the Diagnostic mode; click to not alert
you again, and OK out. You won't see the message again. But I think
it's best to just remove the references from the registry.

David H. Lipman · Jan 17, 2008

From: "Elmo" <[email protected]>

|>> have you try safe mode?
|>> system restore roll back prior to the infection?
|>>
|>> if still fails, disable system restore
|>> How to turn off or turn on Windows XP System Restore"
|>> in safe mode
|>> WARNING: Symantec strongly recommends that you back up the registry before
|>> making any changes to it. Incorrect changes to the registry can result in
|>> permanent data loss or corrupted files. Modify the specified keys only. Read
|>> the document, "How to make a backup of the Windows registry," for
|>> instructions.
|>>
|>> ----------------------------------------------------------------------------
|>> ----
|>>
|>> 1.. Click Start, and then click Run. (The Run dialog box appears.)
|>> 2.. Type reedit
|>>
|>> Then click OK. (The Registry Editor opens.)
|>>
|>> 3.. Navigate to each of these keys:
|>>
|>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|>> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|>>
|>> 4.. For each one, in the right pane, delete any values that refer to any
|>> files that were detected as Downloader.Trojan.
|>>
|>> 5.. Exit the Registry Editor.
|>> you should be able to delete the file by now, actually once in safe mode you
|>> should be able to delete the file
|>>
|>> my philosohy is if not microsoft, Symantec, CA, Mcafee, or other vendors I
|>> deal with or some major ISV of the above, I don't download
|>>|
| Is it anywhere in the registry, perhaps with "Rundll32.exe " before it?
| If so, try this from Safe Mode. Afterwards, restart in Safe Mode
| again. The file shouldn't be running, and can be deleted:
|
| Click Start, Run, type REGEDIT, click OK. Press the Home key, press F3,
| type the name of the file into the search pane. Click "Find Next", and
| when located, delete the reference to the file. Press F3 to continue
| the search.
|
| If ljjjgff.dll follows "explorer.exe ", (but I don't think it can), edit
| out " ljjjgff.dll". If you find any references to it in the registry,
| but aren't sure they can be safely removed, post what you find.
|
| You can click File, Export, and save the entry to the Desktop. If you
| remove it and there's a problem, double-click the .reg file you exported
| to the Desktop and it'll be added to the registry again. You can create
| a restore point before editing the registry too.
|
| You could click Start, Run, type MSCONFIG, click OK, click the StartUp
| tab, and deselect the item(s). When you restart the computer, you will
| be warned that you're running in the Diagnostic mode; click to not alert
| you again, and OK out. You won't see the message again. But I think
| it's best to just remove the references from the registry.
|

Like I stated...
This DLL file is protected by the OS via a BHO and via the DLL being loaded in
winlogin/notify.

Even if you try to remove either Registry entry, they will STILL exist unless you kill
certain OS processes first.

Trojan Downloader

Demented622

David H. Lipman

GS

David H. Lipman

Elmo

David H. Lipman