Another round with Trojan.PSW.Lmir.Kuo, Trojan.PSW.Misc.KCC and other online game Trojans (2nd edition)


Endurer original

Version 2: additions
Version 1

This morning a netizen asked for help: the Rising real-time monitoring umbrella icon in the lower-right corner of his screen had disappeared, and the monitor could not be started manually.

Via QQ Remote Assistance I ran the Rising Registry Repair Tool and found that the EXE file association and the system startup items (the F2 item in the HijackThis log below) had been modified.

HijackThis and ProcView were downloaded from http://endurer.ys168.com.

Running HijackThis to scan the log and the startup list turned up the following suspicious items:

----------
Logfile of HijackThis v1.99.1
Scan saved at 8:24:59, on

C:\Windows\system32\ntdhcp.exe
C:\Windows\SMSs.exe
C:\Windows\system32\ntdhcp.exe

F2 - REG:system.ini: Shell=w.shangher.exe 1

O2 - BHO: ihiu class - {958e60ad-8539-400d-b4ef-8e8b8d944e85} - C:\Windows\system32\bhopop.dll

O2 - BHO: shdocvwhlp class - {BE442802-3911-46E0-B227-076B15A4EAD3} - C:\Windows\system32\mssnmp16.dll

O4 - HKLM\..\Run: [tprogram] C:\Windows\SMSs.exe

O4 - HKLM\..\Run: [ntdhcp] C:\Windows\system32\ntdhcp.exe

O4 - HKLM\..\Run: [winsvc] C:\Windows\system32\winsvc.exe

O4 - HKLM\..\RunServices: [tprogram] C:\Windows\SMSs.exe
----------

StartupList report, 8:25:32

File association entry for .EXE:
HKEY_CLASSES_ROOT\winfiles\Shell\Open\command

(Default) = C:\Windows\exeroute.exe "%1" %*
----------

Seeing exeroute.exe reminded me of the Legend of Mir Trojan.

Used the Rising Registry Repair Tool to repair the EXE file association and the system startup items.

Terminated the following processes with ProcView:
C:\Windows\SMSs.exe
C:\Windows\system32\ntdhcp.exe (note: there were two instances)

Checked the following folders and found the suspicious files listed below; backed them up with WinRAR and appended the extension .DEL:

C:\Windows directory (size in bytes, file name)
------------
47,957 SMSs.EXE.DEL
47,957 1.com.DEL
47,957 finder.com.DEL
47,957 assumer.com.DEL
47,957 exeroute.exe.DEL (identical to the four files above; Kaspersky reports Trojan-PSW.Win32.WOW.ew)
300,032 realplayer.exe.DEL (this is the file mentioned in "A new variant of the Gray Pigeon backdoor, Backdoor.Gpigeon.ymg"; I was busy at the time and did not report it to Rising, and did not expect that Rising 18.39.42 still could not kill it)

C:\Windows\DEBUG directory
------------
48,171 debugprogram.exe.DEL

C:\Windows\system32 directory
------------
17,389 mswdm.exe.DEL (Kaspersky reports Trojan-PSW.Win32.Lmir.azf; Rising reports Trojan.PSW.Lmir.Kuo)
5,250 winsvc.exe.DEL
46,592 bhopop.dll.DEL (Kaspersky reports Trojan-Downloader.Win32.Agent.asy)
53,248 internater.exe.DEL (Kaspersky reports Trojan-Downloader.Win32.Agent.asy)
29,802 1.exe.DEL
48,171 0.exe.DEL
29,802 ntdhcp.exe.DEL
48,171 rundll32.com.DEL
48,171 finder.com.DEL
48,171 command.pif.DEL
48,171 msconfig.com.DEL
48,171 dxdiag.com.DEL
48,171 regedit.com.DEL

C:\Program Files\Internet Explorer directory
------------
48,171 iexplore.com.DEL

C:\Documents and Settings\ABC\Local Settings\Temp directory
------------
53,248 svchost.exe (Kaspersky reports Trojan-Downloader.Win32.Agent.asy)
5,250 22085.com

D:\ directory
------------
33 autorun.inf.DEL
47,957 pagefile.pif.DEL (Kaspersky reports Trojan-PSW.Win32.WOW.ew; Rising reports Trojan.PSW.Misc.KCC)

This is similar to the cases in:

Trojan.PSW.Lmir and other viruses (4th edition)
http://endurer.blogchina.com/4634161.html

Removing variants of the game-account-stealing Trojan (Trojan.PSW.Misc.R)
http://endurer.blogchina.com/4968800.html

Viking/Weijin, Trojan-PSW.Win32.WOW.do, etc. (3)
http://endurer.blogchina.com/5424439.html

Ran HijackThis to fix the suspicious items listed above.

Cleared the IE temporary files folder.
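The cleanup above visits six persistence points one at a time: the .EXE file association (the StartupList entry, where HKCR\.exe was redirected to a "winfiles" ProgID whose open command runs exeroute.exe before the real program), the Run and RunServices keys (O4), Shell= in system.ini (F2), the two BHOs (O2), the .com and .pif companion files dropped beside regedit, msconfig, dxdiag, rundll32, command and iexplore (when a name is typed without an extension, the lookup tries .com and .pif before .exe, so the companion runs instead of the tool), and the autorun.inf on D:. The PowerShell script below is an added example, not part of the original post and not a Rising or HijackThis tool; it reads all six locations on a Windows machine without changing anything and prints a triage list. The "clean" values it compares against (ProgID exefile, open command "%1" %*, shell explorer.exe), the directories it scans and the PATHEXT explanation are assumptions about a stock install; it needs PowerShell 4 or later and should be run as administrator.

```powershell
# Added example (not from the original post): read-only audit of the persistence points
# abused in the HijackThis log above. Expected "clean" values are assumptions about a
# stock Windows install. Run from an elevated PowerShell 4+ session.
$findings = New-Object 'System.Collections.Generic.List[string]'
function Add-Finding([string]$Msg) { $script:findings.Add($Msg) }

# Pull the program path out of a value such as  "C:\x\y.exe" /arg  or  C:\x\y.exe /arg
function Get-ImagePath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

# Record a file that is missing or not Authenticode-signed; size and hash prefix make
# copies of the same dropper under different names (the 47,957-byte files above) obvious.
function Test-Suspect([string]$Path, [string]$Where) {
    if (-not $Path) { return }
    $Path = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not [IO.Path]::IsPathRooted($Path)) { $Path = Join-Path "$env:SystemRoot\system32" $Path }
    if (-not (Test-Path -LiteralPath $Path)) { Add-Finding "$Where -> file not found: $Path"; return }
    $len  = (Get-Item -LiteralPath $Path).Length
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.Substring(0, 16)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { Add-Finding "$Where -> unsigned: $Path ($len bytes, sha256 $hash...)" }
}

# 1. EXE association: HKCR\.exe must name ProgID "exefile" and the open command must be "%1" %*.
#    The log shows HKCR\.exe -> winfiles and  C:\Windows\exeroute.exe "%1" %*  as the command,
#    so every .exe the user launched was started through the Trojan loader first.
$progId = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
if ($progId -ne 'exefile') { Add-Finding "HKCR\.exe ProgID is '$progId' (expected exefile)" }
$cmd = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
if ($cmd -ne '"%1" %*') {
    Add-Finding "EXE open command is [$cmd] (expected [""%1"" %*])"
    Test-Suspect (Get-ImagePath $cmd) 'EXE open command'
}

# 2. Run / RunServices (HijackThis O4): every value is a program that starts with Windows.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        Test-Suspect (Get-ImagePath ([string]$item.GetValue($name))) "$key [$name]"
    }
}

# 3. Shell= in system.ini (HijackThis F2) and the Winlogon Shell value; only explorer.exe is normal.
$ini = Join-Path $env:SystemRoot 'system.ini'
if (Test-Path -LiteralPath $ini) {
    foreach ($line in Get-Content -LiteralPath $ini) {
        if ($line -match '^\s*shell\s*=\s*(.+?)\s*$' -and $Matches[1] -ne 'explorer.exe') {
            Add-Finding "system.ini Shell= is '$($Matches[1])' (expected explorer.exe)"
        }
    }
}
$wl = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue).Shell
if ($wl -and $wl -ne 'explorer.exe') { Add-Finding "Winlogon Shell is '$wl' (expected explorer.exe)" }

# 4. Browser Helper Objects (HijackThis O2): resolve each CLSID to the DLL IE loads.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($sub in (Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue)) {
    $clsid = $sub.PSChildName
    $dll = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    Test-Suspect ([string]$dll) "BHO $clsid"
}

# 5. Companion files: a regedit.com or iexplore.com next to the real .exe is what runs when the
#    user types "regedit", because .com and .pif are tried before .exe (assumed PATHEXT order).
$dirs = @($env:SystemRoot, "$env:SystemRoot\system32", "$env:ProgramFiles\Internet Explorer")
$exeNames = @{}
foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Filter *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object { $exeNames[$_.BaseName.ToLower()] = $true }
}
foreach ($d in $dirs) {
    foreach ($f in (Get-ChildItem -Path "$d\*" -Include *.com, *.pif -File -ErrorAction SilentlyContinue)) {
        if ($exeNames.ContainsKey($f.BaseName.ToLower())) {
            Add-Finding "companion file $($f.FullName) shadows $($f.BaseName).exe ($($f.Length) bytes)"
        }
    }
}

# 6. autorun.inf at a drive root (the D:\ entry above) runs its payload when the drive is opened
#    on systems with AutoRun enabled, re-infecting a machine that was otherwise cleaned.
foreach ($drive in (Get-PSDrive -PSProvider FileSystem)) {
    $ar = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $ar) { Add-Finding "autorun.inf present at $ar" }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Everything the script prints is a lead to confirm by hand, in the same way the post does: compare sizes and hashes against the file list above, and remember that unsigned Run entries are common on older machines, so the signature check sorts rather than decides. The script changes nothing; restoring the association and the startup items is still done with the Rising repair tool or HijackThis as described, and the flagged files are backed up before deletion.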
