- Official Forum of the Party Poker Strategy Guide
What the fletch? (computer related question)
by mervhage » Mon Feb 20, 2006 11:48 pm
Recently, I noticed that my computer was running a little slow. I'd click the "internet explorer" icon and it would take a few seconds to load the home page. It seemed a bit strange, so I ran Microsoft Antispyware beta 1 (I now know that beta 2 Microdefender, or whatever has been released, so I need that puppy).
It revealed the presence of a Trojan and I removed it. So of course, it's come back twice (I'm fairly confident that it's the same Trojan). This is part one of what the fletch? Now for part two.
Because I'm a bastard, my desktop is loaded with a bunch of icons and shortcuts and I never clean it up b/c, well, just reread the first part of this sentence. Today, I noticed a "llh.dll" file on the desktop. Even though I'm a bastard, I recognize that these files are usually in the "system" folder. The file was created on Feb 16 (coincidentally the same day I updated the new Party) and modified Feb 20. Ooooookay. I have no explanation for the creation of this file, hence the title, what the fletch?
Does anyone with any sort of understanding of computers think that there might be a connection? I am puzzled.
-

mervhage - Whale Hunter
- Posts: 5859
- Joined: Mon Nov 21, 2005 10:12 am
by mervhage » Mon Feb 20, 2006 11:52 pm
hmmmm, I googled "llh.dll" and I came across this gem from a Poker forum:
"llh.dll in party software
--------------------------------------------------------------------------------
Can anyone tell me what llh.dll is for
in the party software folder? Every time
I run the party software, it makes a new
copy of llh.dll and puts it in my temp
folder with a new tmp name, so now I have
lots of copies of it there. But I'm just
curious about it. How can I find out
what it's for and why they would put it
in my temp folder instead of just using
it directly from the party folder."
The investigation continues...
-

mervhage - Whale Hunter
- Posts: 5859
- Joined: Mon Nov 21, 2005 10:12 am
by bk » Mon Feb 20, 2006 11:52 pm
I think that's related to the new party poker. I have it too. I assume that it has something to do with an error box that pops up every time I close PP that mentions some memory problem. Do you get that when you close PP too? Does anybody know why this is happening or how to correct it?
- bk
- Fish
- Posts: 45
- Joined: Tue Jan 17, 2006 4:56 pm
by scotty1139 » Tue Feb 21, 2006 12:49 am
Can't help you on the trojan, but I will suggest using Mozilla Firefox instead of Internet Explorer. It's not attack-proof, but much more secure than IE, and just as easy, or more so, to use.
Last edited by scotty1139 on Tue Feb 21, 2006 4:25 am, edited 1 time in total.
-

scotty1139 - Moderator
- Posts: 2403
- Joined: Mon Nov 21, 2005 3:12 am
by momowheeler » Tue Feb 21, 2006 11:23 am
-

momowheeler - Shark
- Posts: 354
- Joined: Fri Jan 20, 2006 1:25 pm
llh.dll explained
by jukofyork » Tue Feb 28, 2006 4:48 pm
mervhage wrote:hmmmm, I googled "llh.dll" and I came across this gem from a Poker forum:
"llh.dll in party software
--------------------------------------------------------------------------------
Can anyone tell me what llh.dll is for
in the party software folder? Every time
I run the party software, it makes a new
copy of llh.dll and puts it in my temp
folder with a new tmp name, so now I have
lots of copies of it there. But I'm just
curious about it. How can I find out
what it's for and why they would put it
in my temp folder instead of just using
it directly from the party folder."
The investigation continues...
I answered this question http://answers.yahoo.com/question/?qid=1006022215581&r=w
Here is my answer in case the link does not work:
"llh.dll is used by Party Poker to snoop on other applications you have running.
It basically is the dll which it 'injects' into other running processes to see what they are doing. It then installs hooks for certain Windows API calls inside of the target process and most likely it then sends the collected data back to their servers.
Party Poker also installs both mouse and keyboard hooks to snoop on you, but these are unrelated to this dll.
To block it use either 'AntiHook' or 'Process Guard', as both of these can stop it from doing any snooping (ie: blocks both dll injection and mouse/keyboard hooks).
Hope this helps explain what it is doing - Juk"
I know I never post here, but I do know what I talk about when it comes to this (search 2+2 and you will see I post regularly in their software forum).
Juk
-

jukofyork - Fish
- Posts: 7
- Joined: Tue Feb 28, 2006 4:43 pm
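Added example, not part of the thread or of any poster's code: one way to spot the behaviour described above (copies of a DLL written to the temp folder under `.tmp` names and loaded into other processes) from a per-process module inventory. The inventory, paths, user name, hash placeholders and the trusted-root policy are all constructed assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: (process, pid, loaded module path, sha256 placeholder).
# Paths, user name and hash values are made up for illustration.
TEMP = r"C:\Documents and Settings\user\Local Settings\Temp"
SAMPLE_MODULES = [
    ("PartyPoker.exe", 1204, r"C:\Program Files\PartyPoker\llh.dll", "aa11"),
    ("iexplore.exe", 2310, r"C:\Windows\System32\user32.dll", "bb22"),
    ("iexplore.exe", 2310, TEMP + r"\tmp3F.tmp", "aa11"),
    ("notepad.exe", 3377, TEMP + r"\tmp41.tmp", "aa11"),
    ("notepad.exe", 3377, r"C:\Windows\System32\kernel32.dll", "cc33"),
]
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")  # assumption: local policy


def find_suspect_modules(modules):
    """Flag loaded DLL modules mapped from temp dirs or shared by hash across processes."""
    procs_by_hash = defaultdict(set)
    trusted_by_hash = defaultdict(list)
    for proc, pid, path, digest in modules:
        procs_by_hash[digest].add((proc, pid))
        if path.lower().startswith(TRUSTED_ROOTS):
            trusted_by_hash[digest].append(path)
    findings = []
    for proc, pid, path, digest in modules:
        if path.lower().startswith(TRUSTED_ROOTS):
            continue  # installed copies are the baseline, not findings
        reasons = []
        if any(marker in path.lower() for marker in TEMP_MARKERS):
            reasons.append("loaded-from-temp")
        if PureWindowsPath(path).suffix.lower() != ".dll":
            reasons.append("non-dll-extension")
        if len(procs_by_hash[digest]) > 1:
            reasons.append("same-image-in-%d-processes" % len(procs_by_hash[digest]))
        if reasons:
            # "origin" ties a renamed temp copy back to the installed file by hash
            findings.append({"process": proc, "pid": pid, "module": path,
                             "reasons": reasons, "origin": trusted_by_hash[digest]})
    return findings


if __name__ == "__main__":
    for f in find_suspect_modules(SAMPLE_MODULES):
        print(f["process"], f["pid"], f["module"], f["reasons"], f["origin"])
```

Matching on the file hash rather than the name is what survives the renaming; the `origin` field shows which installed file a temp copy came from.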
Re: llh.dll explained
by mervhage » Tue Feb 28, 2006 4:49 pm
jukofyork wrote:
I answered this question http://answers.yahoo.com/question/?qid=1006022215581&r=w
Here is my answer in case the link does not work:
"llh.dll is used by Party Poker to snoop on other applications you have running.
It basically is the dll which it 'injects' into other running processes to see what they are doing. It then installs hooks for certain Windows API calls inside of the target process and most likely it then sends the collected data back to their servers.
Party Poker also installs both mouse and keyboard hooks to snoop on you, but these are unrelated to this dll.
To block it use either 'AntiHook' or 'Process Guard', as both of these can stop it from doing any snooping (ie: blocks both dll injection and mouse/keyboard hooks).
Hope this helps explain what it is doing - Juk"
I know I never post here, but I do know what I talk about when it comes to this (search 2+2 and you will see I post regularly in their software forum).
Juk
Thank you good sir. Do you think this is related to the trojan that keeps coming back despite having deleted it many times?
Also, if I trash this file, will it just reinstall afterwards or interfere with Party?
-

mervhage - Whale Hunter
- Posts: 5859
- Joined: Mon Nov 21, 2005 10:12 am
Re: llh.dll explained
by jukofyork » Tue Feb 28, 2006 4:59 pm
mervhage wrote: jukofyork wrote:
I answered this question http://answers.yahoo.com/question/?qid=1006022215581&r=w
Here is my answer in case the link does not work:
"llh.dll is used by Party Poker to snoop on other applications you have running.
It basically is the dll which it 'injects' into other running processes to see what they are doing. It then installs hooks for certain Windows API calls inside of the target process and most likely it then sends the collected data back to their servers.
Party Poker also installs both mouse and keyboard hooks to snoop on you, but these are unrelated to this dll.
To block it use either 'AntiHook' or 'Process Guard', as both of these can stop it from doing any snooping (ie: blocks both dll injection and mouse/keyboard hooks).
Hope this helps explain what it is doing - Juk"
I know I never post here, but I do know what I talk about when it comes to this (search 2+2 and you will see I post regularly in their software forum).
Juk
Thank you good sir. Do you think this is related to the trojan that keeps coming back despite having deleted it many times?
Also, if I trash this file, will it just reinstall afterwards or interfere with Party?
I don't think it is related to a Trojan, but the aggressive method of dll injection may trigger some firewalls and virus killers to think it is a Trojan (as they use the same methods and looks very similar to a Trojan when running I guess).
As far as I know there is no way you will be able to stop it from recreating a copy of the file each time you delete it, but there is software around which can block it:
- AntiHook 2.5 is currently free for home use and this will block it, but on my system it causes instability and crashes (plus Party keeps renaming this dll and its mouse/keyboard hook dll to make it harder to block).
- Process Guard can do this also, but you need the full version which is not freeware (which sadly I don't have so cannot say if it is any more stable than AntiHook).
I am just looking into other methods at the moment.
Juk
-

jukofyork - Fish
- Posts: 7
- Joined: Tue Feb 28, 2006 4:43 pm
by momowheeler » Tue Feb 28, 2006 5:02 pm
Wouldn't Party get awfully suspicious if your machine wasn't returning the applicable information that their software is requesting?
IE: Using these blocker programs sounds like a good way to get your funds confiscated
-

momowheeler - Shark
- Posts: 354
- Joined: Fri Jan 20, 2006 1:25 pm
by jukofyork » Tue Feb 28, 2006 5:13 pm
MOMOwheeler wrote: Wouldn't Party get awfully suspicious if your machine wasn't returning the applicable information that their software is requesting?
IE: Using these blocker programs sounds like a good way to get your funds confiscated
I agree, but I think legally they have no right to stop this, as these programs are designed to prevent intrusions for key-loggers, Trojans, etc (I am no lawyer so, plz don't take my word on this! - Party's TOS seem to make you sign away your life... lol).
I think it will most likely make them suspicious too, but I am not convinced that a lot of the instability from their new client is related to these hooks they are installing.
EDIT: Here is the original post that was on 2+2 which talks about Party being quarantined as a suspected Trojan:
http://forumserver.twoplustwo.com/showthreaded.php?Cat=0&Number=4822587&an=0&page=0#Post4822587
I have also tried to cross link the posts with this thread, as this never seems to have been discussed there in much detail.
-

jukofyork - Fish
- Posts: 7
- Joined: Tue Feb 28, 2006 4:43 pm
Re: llh.dll explained
by tightpoker » Thu Mar 02, 2006 4:14 am
jukofyork wrote:I answered this question http://answers.yahoo.com/question/?qid=1006022215581&r=w
Here is my answer in case the link does not work:
"llh.dll is used by Party Poker to snoop on other applications you have running.
It basically is the dll which it 'injects' into other running processes to see what they are doing. It then installs hooks for certain Windows API calls inside of the target process and most likely it then sends the collected data back to their servers.
Party Poker also installs both mouse and keyboard hooks to snoop on you, but these are unrelated to this dll.
To block it use either 'AntiHook' or 'Process Guard', as both of these can stop it from doing any snooping (ie: blocks both dll injection and mouse/keyboard hooks).
Hope this helps explain what it is doing - Juk"
I know I never post here, but I do know what I talk about when it comes to this (search 2+2 and you will see I post regularly in their software forum).
Juk
Thanks for the post Juk and 'Hello!' as well, first time I believe we've met.
I don't want to get too much exactly into details regarding Party and their DLLs, but what you've said is square on the ball in regards to Party hooking into users' computers. They're doing this to detect third party programs (such as finding the processes for Poker Edge, Poker Prophecy or bot development...) and will go to great lengths to even dig through browser cache to see if you have visited these sites.
I believe they even have the ability to do a screen scrape (screenshot) and upload it back to their team.
A process guard utility is so far the best way to stop Party from snooping across in other processes. There may be a way to lower the running privileges of Party's executable and sandbox it somehow, but I believe this is still being looked into.
-

tightpoker - Site Admin
- Posts: 3314
- Joined: Sun Nov 20, 2005 7:27 pm
Re: llh.dll explained
by jp » Thu Mar 02, 2006 10:37 am
mj wrote:I believe they even have the ability to do a screen scrape (screenshot) and upload it back to their team.
Damn, Big Brother really is watching.
-

jp - MACHINE
- Posts: 2552
- Joined: Sun Nov 20, 2005 11:50 pm
Re: llh.dll explained
by momowheeler » Thu Mar 02, 2006 11:07 am
JP wrote:mj wrote:I believe they even have the ability to do a screen scrape (screenshot) and upload it back to their team.
Damn, Big Brother really is watching.
I think this is exactly the case. Though I'm not a registered user, I will admit that I investigated Poker Prophesy. Their tabs are constantly changing description in an effort to trick PP into thinking that you're not surfing their site. Though, I have SERIOUS doubts that this small cover-up does any good..... therefore I stay away from such sites altogether.
-

momowheeler - Shark
- Posts: 354
- Joined: Fri Jan 20, 2006 1:25 pm




