michaelper22
Posts: 20 +0
I downloaded a certain program, and about a day later, I noticed that my hard disk light was constantly blinking.
My initial reaction was to look through Task Manager and see if anything had an unusually high CPU usage; that didn't get me anything.
I then opened up Process Explorer, and looked at the one instance of RunDLL. To get more info about what it was actually doing, I went to Process Explorer's "View -> Lower Pane View", and selected "DLLs". That shined light on a strange looking DLL named mljjh.dll.
I tried to kill the RunDLL.exe process (right-click and select "Kill Process"), but it would keep on coming back. Since I normally run as a non-administrator user, I knew that mljjh.dll couldn't get further than my user's directory, and also couldn't write anywhere outside HKCU in the registry.
So I logged off my user, and logged back on as an admin. I then deleted the mljjh.dll file from my \Local Settings\Temp directory, and later deleted the one Registry key pointing to the rogue DLL.
The advice to remember here is that malware will often hide behind a RunDLL process. Also, running as a least-privileged-user account really does help.
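The manual check the post describes (look at what DLLs a rundll32 host has loaded, then find the HKCU autorun entry pointing at a DLL in the user's temp folder) can be scripted as a read-only audit. The script below is an added example, not the poster's code or any product's tooling; it assumes Windows PowerShell 5.1 or later and uses $env:TEMP, $env:LOCALAPPDATA and $env:APPDATA in place of the XP-era \Local Settings\Temp path from the post. It only reports findings so the reader can decide what to remove.

```powershell
# Added example (not from the original post): report rundll32 processes that have
# loaded a DLL from a user-writable profile directory, and HKCU Run/RunOnce values
# that launch rundll32 against such a path. Assumed environment: Windows PowerShell
# 5.1+, normal user rights (modules of your own processes are readable). Read-only.

# Directories a non-admin user can write to; the post's "\Local Settings\Temp"
# maps to $env:TEMP on current Windows versions.
$suspectRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') }

function Test-UserWritableReference {
    # True when the string (a module path or a command line) refers to a location
    # under one of the user-writable roots. -like is case-insensitive.
    param([string]$Text)
    foreach ($root in $suspectRoots) {
        if ($Text -like "*$root\*") { return $true }
    }
    return $false
}

function Get-SuspiciousRundll32Module {
    # Mirrors Process Explorer's lower-pane DLL view for each rundll32.exe instance.
    $findings = @()
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'"
    foreach ($p in $procs) {
        $modules = @()
        try {
            # Module enumeration can fail across 32/64-bit or for other users' processes.
            $modules = (Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules
        } catch { }
        foreach ($m in $modules) {
            if (Test-UserWritableReference $m.FileName) {
                $findings += [pscustomobject]@{
                    Source      = 'Process'
                    Location    = "PID $($p.ProcessId)"
                    Reference   = $m.FileName
                    CommandLine = $p.CommandLine
                }
            }
        }
    }
    return $findings
}

function Get-SuspiciousRunValue {
    # The per-user autorun keys: the only persistence a non-admin account can
    # write, which is why the post's cleanup was a single HKCU value.
    $findings = @()
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not values
            $expanded = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            if ($expanded -match '(?i)rundll32' -and (Test-UserWritableReference $expanded)) {
                $findings += [pscustomobject]@{
                    Source      = 'Registry'
                    Location    = "$key\$($prop.Name)"
                    Reference   = $expanded
                    CommandLine = $expanded
                }
            }
        }
    }
    return $findings
}

$results = @(Get-SuspiciousRundll32Module) + @(Get-SuspiciousRunValue)
if ($results.Count -eq 0) {
    Write-Output 'No rundll32 hosts or HKCU Run values reference user-writable paths.'
} else {
    $results | Format-Table Source, Location, Reference -AutoSize
}
```

Run it in the affected user's session first (that is where the HKCU hive and the user's temp folder belong); a hit in both lists, a loaded DLL under the temp folder and a Run value that launches it, is the same picture the post reconstructed by hand. Deleting the file and the registry value remains a deliberate step after confirming what the DLL is, which is why the script stops at reporting.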