Logo1_.exe: basic introduction and removal techniques for the recently seen virus

Source: Internet
Author: User
In fact, simply installing a current version of Jinshan Duba will basically prevent this problem. If your computer has been hit, you are most likely using Rising; Rising's ability against this kind of virus is really limited, so we recommend downloading Jinshan Duba. I used to get infected often when I used Rising, and since switching to Duba I have not seen it happen again. This is not an advertisement.
Basic introduction to Logo1_.exe:
Virus name: Worm@W32.Looked
Virus aliases: Virus.Win32.Delf.62976, W32/HLLP.Philis.j, W32.Looked, Net-Worm.Win32.Zorin.a
Virus type: Worm (network worm)
Virus discovery date: 2004/12/20
Affected platforms: Windows 95/98/Me, Windows NT/2000/XP/2003
Risk assessment: Degree of spread: Medium. Degree of damage: Medium.


Main symptoms:
1, It consumes a large amount of network bandwidth, making the machine extremely slow.
2, It binds itself to all EXE files; as soon as one application is run, the icon of Logo1.exe under Winnt changes to that application's icon.
3, Program dialog boxes occasionally pop up, applications sometimes report errors as soon as they are started, and sometimes they are forced to quit on startup.
4, In Internet cafes only the Win2K Pro edition appears to be infected; the server edition and XP systems are not infected.
5, It can bypass all restoration software.



Detailed technical information:
After the virus runs, it creates Logo1_.exe in %windir% and also generates a file named Virdll.dll in the Windows root directory:
%windir%\virdll.dll



The worm generates the following key values in the system registry:

Auto = 1



Stealing passwords
The virus attempts to log in to and steal the password of the online game Legend 2 on the infected computer, and sends the game password to the person who planted the Trojan.

Preventing the following antivirus software from running
The virus attempts to terminate processes whose names contain the strings listed further below, most of which are antivirus software processes, including Kaspersky, Jinshan's Duba, Rising and so on. It stops 98% of antivirus software from running. With domestic products such as Jinshan and Rising, once the machine is infected it is the virus that kills the antivirus software rather than the other way round. Some of these products can recognize the virus, but they are terminated shortly after recognizing it.

The virus also changes the %system%\drivers\etc\hosts file by writing text entries into it. This means that when an infected computer browses to many sites (including numerous antivirus sites), the browser is redirected to 66.197.186.149.
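The hosts-file change described above can be checked for directly. The following Python code is an added example, not part of the original article: it parses hosts-file text and flags any non-loopback address that is either the redirect address named on this page or is shared by several hostnames. The sample hostnames and the `fanout` threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Address this page says the modified hosts file sends browsers to.
REDIRECT_IP = "66.197.186.149"

# Constructed sample; the hostnames are placeholders, not taken from the page.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
66.197.186.149  av-vendor-one.example www.av-vendor-one.example  # injected
66.197.186.149  update.av-vendor-two.example
  66.197.186.149\tscan.av-vendor-three.example
10.0.0.5        fileserver.cafe.example
not-an-ip       broken.example
::1             localhost
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank, comment-only or incomplete
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # first field is not an address
        yield line_no, ip, [h.lower() for h in fields[1:]]


def audit_hosts(text, known_bad=(REDIRECT_IP,), fanout=3):
    """Flag non-loopback addresses that are known-bad or serve many names."""
    by_ip = defaultdict(list)
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue                      # ordinary localhost / sinkhole entries
        by_ip[str(ip)].extend((line_no, n) for n in names)
    findings = []
    for ip, entries in sorted(by_ip.items()):
        names = sorted({n for _, n in entries})
        reasons = []
        if ip in known_bad:
            reasons.append("known redirect address")
        if len(names) >= fanout:
            reasons.append("%d hostnames share one address" % len(names))
        if reasons:
            findings.append({"ip": ip, "hostnames": names,
                             "lines": sorted({l for l, _ in entries}),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

To audit a real machine, pass the contents of the hosts file under the system directory's drivers\etc folder to `audit_hosts`.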



The virus infects computers running Windows operating systems and propagates through open network resources. Once installed, the worm infects the .exe files on the infected computer. The worm is an 82k Windows PE executable file. To spread over a local network, it copies itself to the following network resources:
admin$
ipc$



Symptoms:
The worm infects all .exe files. However, it does not infect files whose path contains any of the following strings:
Program Files
Common Files
ComPlus Applicati
Documents and Settings
NetMeeting
Outlook Express
Recycled
System
System Volume Information
System32
Windows
Windows Media Player
Windows NT
WindowsUpdate
Winnt


The worm removes the processes listed below from memory:
Eghost.exe
Iparmor.exe
Kavpfw.exe
Kwatchui.exe
Mailmon.exe
Ravmon.exe
Z
Internet cafes hit by this virus have seen widespread machine freezes and paralysis. Its degree of harm is comparable to the "Love backdoor" variants that rank among the world's top ten. The virus spreads over the network with a propagation cycle of 3 minutes. If a freshly installed system is placed in an infected network environment, it is certain to be hit within 3 minutes of going online. Once it is hit, installing Rising, Skynet, Symantec, McAfee, Gate, Rfw.exe, Ravmon.exe, Kill, Nav or other antivirus software cannot save your system.

Logo1_.exe is the main virus file; it automatically generates the files the virus needs in order to operate, such as Sws32.dll, Sws.dll and Kill.exe. Once these files have been spawned, it quickly infects core system processes such as explore and other .exe executables. The typical symptom is that the icons of games such as Legend and Bubble Hall change color. At this point available system resources are very low, and the virus becomes active again on every reboot.

The virus is especially damaging to Internet cafes where security awareness is weak and restore software was not installed in time, and it spreads over the network quickly and effectively. Old versions of antivirus software cannot detect it, and new versions cannot remove it completely. Once one machine in an Internet cafe is infected, every machine in the cafe that is not yet infected is at risk, because the active virus resides in memory and spreads through explore.exe. Therefore machines with Restoration Wizard or a restore card installed will also be infected: the system is restored after a reboot, but it is infected again as soon as it starts up.

When active, the virus can also generate other malware such as PWSteal.Lemir.Gen and Trojan.PSW.Lineage, among others. These are very powerful backdoor programs. It is similar to the plug virus, but more than 50 times as powerful. On the Win98 platform the damage is relatively small. On the Win2000/XP/2003 platforms it is fatal to an Internet cafe system: the running system freezes badly. After cleaning with the latest antivirus software and rebooting, you will find that all of your games' .exe programs had been infected; apart from the system itself, which can barely run, nothing else will run any more.


Virus cleanup methods:
If the virus has not yet become active, antivirus software can deal with it completely. If it is already active, do not bother running antivirus software; go straight to the disc and restore the system.



First, locate in the registry
Auto = 1
and delete the Downloadwww key.



Second, find

the Winlogo item and delete the C:\winnt\sws32.dll that follows it. Next, under the HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversi key, one of the two subkeys runonce/runonceex also contains
C:\winnt\sws32.dll
Delete all of the above. Note: do not delete the default value (if you delete it, the consequences are at your own risk).
If these values are no longer present, skip this step.

Third, end the processes
Press Ctrl+Alt+Del to open Task Manager, find the Logo1_.exe process and end it; the Green Eagle process management software makes this more convenient. Locate the Expl0rer.exe process (note that the 5th character is the digit 0, not the letter O), select it and click "End Process" to end it (if the Expl0rer.exe process starts running again, repeat this).



Fourth, install antivirus software
Do not reboot after installing (remember this); update the virus definitions right away. After the update, delete all infected files in the C:\winnt directory, then run the antivirus software and start a scan. After the scan, write down the names of the few items the antivirus software could not delete. The names differ from system to system, so they cannot be listed here; note them down yourself. Reboot and scan again. Remember to end suspicious processes first, otherwise the antivirus software cannot clean properly. The most important thing to remember is to set the antivirus software to delete files it cannot disinfect. It generally takes 3-5 repeated scans to clean the machine.



Fifth, check the system after disinfection
A lot of system files will be missing and the system is in a dangerous state. If you have a Ghost backup, restore it now; the system will then be clean and undamaged. If not, run the SFC command to check the system files: Start -> Run, enter cmd to get a command prompt, enter SFC /scannow, insert the system CD when prompted, then wait patiently and look at the results. The disinfection was remarkably effective and the virus was cleaned out, but afterwards a lot of games could not be played. I did not know what I had been so busy for. It's depressing. Then I rebuilt the system again. For anyone who has been infected, what matters for an Internet cafe is prevention after disinfecting and reinstalling the system. Some users dealing with this virus may have had this experience: they finally manage to remove it, or have no choice but to reinstall the system, only to be infected by the same virus again shortly afterwards. That is why an immunization measure is the best approach.



The immunization program is published below for users to download and use. It is recommended to disable the default shares when building the system: turn off ipc$ and admin$, shut down 554, and turn off ICMP routing. Set a password for all members of the Administrators group, preferably a mix of digits and English letters.
For the download, go to the software download section of http://www.e169.net, or download directly from the following URL:
http://www.e169.net/showsoft.asp?id=28



File description: after downloading and unpacking there are 3 files.
Dellogo.bat: place it in the Winnt directory (Windows 98 users place it in the Windows directory).
Delshare.bat: place it in Start menu - Programs - Startup, so that the default shares are deleted after the computer starts, cutting off the bridge by which the virus spreads and reinfects.
Ljl.reg: run this file directly after downloading and confirm the prompt to import the information into the registry; a message then says it was written to the registry successfully. Its purpose is to have the virus's main file Logo1_.exe deleted as soon as the computer restarts. Note that this registry import file is for Win2000; if you use a different operating system, modify it accordingly.



The above only blocks propagation. If you are afraid of being infected during use, you also need to follow the procedure below, so that even if the machine is infected, the main virus program cannot run. The procedure is written for Win2000; other systems can follow it by analogy:



Run gpedit.msc to open Group Policy.
Go to User Configuration - Administrative Templates - System - "Don't run specified Windows applications", select Enabled, then click Show and add Logo1_.exe, the virus's source file.



I saw reports about the Logo1_.exe virus on the Internet and, combined with my own experience of actually removing it, summarized them here for users hit by this virus to refer to. I drew on posts by "net Star" and other users and combined them; this is not my original work. I only hope it helps you clear this abominable virus as soon as possible.



There's one more step.



I tried the method as described and it did not work; it is missing one more step. Search drive C for Rundl132.exe (note: rundl----132.exe, the character after it is the digit one, which was mixed up before) and delete it; the content related to rundl132.exe in the registry must also be deleted.


The above is reproduced from the net; now I will describe my own process.
The virus creates 15 files in the system directory (Windows or Winnt): 0Sy.exe, 1sy.exe, 2sy.exe, 3sy.exe, 4sy.exe, 5sy.exe, Logo_1.exe, Logo1_.exe, Logo1.exe, Rundl132.exe, Sws32.dll, Sws.dll, KILL.exe, VirDll.dll, VDLL.dll. Delete these virus files, then create 15 files with the same names and set them to deny all access, read-only and hidden; this generally defends against the virus. There is also a defense program that launches at startup: it automatically binds this machine's IP and MAC address and the gateway's IP and MAC address without manual operation, and it also gives some protection against ARP. If you need it, add my QQ or see the notice in my forum.
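The file names listed in the post above, and the digit-for-letter process names mentioned on this page (Expl0rer.exe, Rundl132.exe), can be checked mechanically. The following Python code is an added example, not part of the original posts: it flags process image names that are on the list or that imitate a genuine Windows binary, and reports whether listed files found in a directory are empty, unreadable or have content. The list of genuine binaries, the sample process names and the treatment of empty or unreadable files as possible placeholders are assumptions.

```python
import os
import tempfile

# The 15 file names this page lists as created in the Windows/Winnt directory.
DROPPED_FILES = frozenset(n.lower() for n in (
    "0Sy.exe", "1sy.exe", "2sy.exe", "3sy.exe", "4sy.exe", "5sy.exe",
    "Logo_1.exe", "Logo1_.exe", "Logo1.exe", "Rundl132.exe",
    "Sws32.dll", "Sws.dll", "KILL.exe", "VirDll.dll", "VDLL.dll",
))
# Genuine Windows binaries to compare against (assumed, illustrative list).
LEGIT_NAMES = ("explorer.exe", "rundll32.exe", "svchost.exe", "winlogon.exe")
# Digit-for-letter swaps seen on this page: 0 for o, 1 for l.
_SWAPS = str.maketrans({"0": "o", "1": "l"})


def skeleton(name):
    """Lower-case the name and undo digit-for-letter swaps."""
    return name.lower().translate(_SWAPS)


def lookalike_of(name):
    """Return the genuine binary that `name` imitates, or None."""
    low = name.lower()
    if low in LEGIT_NAMES:
        return None
    for legit in LEGIT_NAMES:
        if skeleton(low) == skeleton(legit):
            return legit
    return None


def triage_processes(image_names):
    """Return (name, [reasons]) for each suspicious process image name."""
    hits = []
    for raw in image_names:
        base = raw.replace("\\", "/").rsplit("/", 1)[-1]
        reasons = []
        if base.lower() in DROPPED_FILES:
            reasons.append("file name listed on the page")
        legit = lookalike_of(base)
        if legit:
            reasons.append("imitates " + legit)
        if reasons:
            hits.append((base, reasons))
    return hits


def scan_directory(path):
    """Return (file, state) for listed names found directly in `path`."""
    found = []
    for entry in sorted(os.listdir(path)):
        if entry.lower() not in DROPPED_FILES:
            continue
        try:
            size = os.path.getsize(os.path.join(path, entry))
        except OSError:          # e.g. a deny-all placeholder file
            size = None
        state = ("unreadable" if size is None
                 else "empty" if size == 0 else "has content")
        found.append((entry, state))
    return found


def run_demo():
    """Run both checks on constructed sample data."""
    procs = ["C:\\WINNT\\explorer.exe", "C:\\WINNT\\Expl0rer.exe",
             "Rundl132.exe", "C:\\WINNT\\system32\\rundll32.exe"]
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("Logo1_.exe", b"constructed"), ("sws.dll", b""),
                           ("notepad.exe", b"constructed")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return triage_processes(procs), scan_directory(d)


if __name__ == "__main__":
    print(run_demo())
```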









A virus: congratulations, you have been hit, but do not be afraid, it is no big deal. After I cleaned it, I deliberately downloaded the virus body to study it!!!

1, Press F8 to enter Safe Mode (outside Safe Mode some files cannot be deleted)

2, "Jiangmin virus Kill" is recommended; then Run - regedit - Edit - Find: search for Logo1_.exe and Rundl132.exe and delete the hits manually, repeating several times.


3, Open My Computer -- Tools -- Folder Options -- View -- tick "Show system folder contents", untick "Hide protected operating system files", select "Show all files and folders" below, and click OK.

4, Delete all files in the following three folders:
C:\windows\temp\
C:\Documents and Settings\Administrator\Local Settings\Temp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files

5, Open C:\windows\ and sort the files by modified time. Delete all the files dated from the time of the recent infection (be a little careful here: if a file's time is far from the infection, it is probably a system file; if it was created on the day you were infected, whatever EXE file and so on it is, delete it), including the .log files!

6, Open C:\windows\system32\ and perform the same kind of operation; delete any file carrying a virus name. If you cannot find the virus names in these two folders, use search!

It is important to note that software is not a good match for manual deletion.
Resources: http://www.jiangmin.com/download/VikingKiller.exe

