Endurer Original
2006-03-16 4th edition: added Kaspersky's response regarding a.exe.
3rd edition: added Jiangmin's response: setup.exe is not a virus.
2nd edition: added the specific cleanup procedure.
2006-03-10 1st edition.
Yesterday a friend called to say that his computer had a problem: it kept reporting an error and could not be used.
I told him to try Safe Mode. A little later he called back: he had run the system repair function of Yahoo Assistant in Safe Mode, but it still did not work, so he asked me to help.
My friend's computer is old and runs Windows 98. When the desktop loads, an error message about "assumer.exe" appears, and a normal shutdown does not work either.
Press the reset button to force a restart, press F8 and choose Safe Mode. In Safe Mode the "assumer.exe" error does not appear, so the problem seems to be in a startup item.
Fortunately HijackThis was still on the machine from the last time I helped my friend with it. A scan produced a log with the following suspicious items to fix:
Logfile of HijackThis v1.99.1
Scan saved at 8:41:05, on 06-3-10
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2462.0000)
Running processes:
C:/Windows/Winlogon.exe
R3 - URLSearchHook: Yahoo Assistant - {406f94f0-504f-4a40-8dfd-58b0666abebd} - C:/Program Files/Yahoo!/Assistant/assist/yasbar.dll
O2 - BHO: eyeonie class - {6e28339b-7a2a-47b6-aeb2-46ba53782379} - C:/Program Files/pcdownloader/bhoplugin.dll
O2 - BHO: Yahoo Assistant - {406f94f0-504f-4a40-8dfd-58b0666abebd} - C:/Program Files/Yahoo!/Assistant/assist/yasbar.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:/Windows/Downloaded Program Files/cnshook.dll
O3 - Toolbar: Yahoo Assistant - {406f94f0-504f-4a40-8dfd-58b0666abebd} - C:/Program Files/Yahoo!/Assistant/assist/yasbar.dll
O3 - Toolbar: Snap-on Security Assistant - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - (no file)
O4 - HKLM/../Run: [torjan program] C:/Windows/Winlogon.exe
O4 - Global Startup: IE-BAR.lnk = C:/Windows/rundll32.exe
O8 - Extra context menu item: !Search(&S) - res://C:/Program Files/yisou.dll/232
O9 - Extra button: (No Name) - {233a9694-667e-11d1-9dfb-006097d5040a} - (no file)
O9 - Extra button: Yahoo Assistant - {5d73ee86-05f1-49ed-b850-e423120ec338} - http://cn.zs.yahoo.com/cnsbutton.htm?Source=CNS&BTN=yassist (file missing)
O9 - Extra button: Treasure Hunt fun - {59bc54a2-56b3-44a0-93e5-432d58746e26} - http://cn.zs.yahoo.com/cnsbutton.htm?Source=CNS&BTN=Taobao (file missing)
O9 - Extra button: Yahoo 1G email - {507f9113-cd77-4866-ba92-0e86da3d0b97} - http://cn.zs.yahoo.com/cnsbutton.htm?Source=CNS&BTN=yahoomail (file missing)
O9 - Extra button: (No Name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?Source=CNS&BTN=clean (file missing)
O9 - Extra 'Tools' menuitem: Clear Internet record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?Source=CNS&BTN=clean (file missing)
O9 - Extra button: (No Name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?Source=CNS&BTN=repair (file missing)
O9 - Extra 'Tools' menuitem: Fixed browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?Source=CNS&BTN=repair (file missing)
O11 - Options group: [!CN] Internet Assistant - Address Bar Search
O16 - DPF: {9a578c98-3c2f-4630-890b-fc04196ef420} - http://jump.cnnic.cn/stat/stat?SID=0008&url=http://159.226.202.54/download/CNNIC/mini/CDN.Cab
O21 - SSODL: dlmon - {590498a3-4131-4d8f-ba4b-36791a0803b1} - C:/Windows/system/dlmain.dll
It turned out that my friend had used Yahoo Assistant's "repair" function.
I wanted to uninstall Yahoo Assistant from Add/Remove Programs in Control Panel, but it turned out this thing has to be uninstalled online, and Windows 98 Safe Mode has no network connection. So I first disabled IE-BAR and the other suspicious entries.
In the log, the process C:/Windows/Winlogon.exe looked odd, because in Safe Mode the entry
O4 - HKLM/../Run: [torjan program] C:/Windows/Winlogon.exe
is not executed by the system, so something else must have started it.
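The reasoning above, that a Winlogon.exe auto-started from the Run key is out of place on a Windows 98 machine, can be turned into a repeatable log check. The script below is an added example, not code from the original post or from the HijackThis project: it parses the R/F/O entries of a HijackThis log and flags NT-only binary names on a 9x platform, rundll32 launched from startup entries, dead entries marked (no file) or (file missing), code loaded from temp or Downloaded Program Files folders, and any O21 SSODL entry. SAMPLE_LOG is a constructed excerpt modelled on the log shown above; the finding categories are this example's own.

```python
"""Triage a HijackThis log for the patterns seen in this cleanup.

This is an added example, not code from the original post or from the
HijackThis project. SAMPLE_LOG is a constructed excerpt modelled on the
entries quoted above; the GUIDs and paths come from that log.
"""
import re

# NT-family binaries that have no counterpart on Windows 9x/ME. On a 9x log,
# any file carrying one of these names is an impostor, whatever its folder.
NT_ONLY_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe"}
# Legitimate OS loaders that malware uses to start a DLL from a startup entry.
LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Folders from which nothing should be auto-started or loaded into the browser.
SUSPECT_DIRS = ("c:\\windows\\temp\\", "c:\\windows\\downloaded program files\\")

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+)\s*-\s*(?P<rest>.*)$")
PATH_RE = re.compile(r"[a-z]:[/\\].*?\.(?:exe|dll|com|pif|scr|bat|lnk)\b", re.I)
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)", re.I)
WIN9X_RE = re.compile(r"^Platform:\s*Windows (?:9[58]|ME)", re.I | re.M)


def parse_entries(log_text):
    """Yield (code, rest) for each R/F/O line of a HijackThis log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("rest")


def triage(log_text):
    """Return a list of (code, kind, detail) findings worth a human's attention."""
    win9x = bool(WIN9X_RE.search(log_text))
    findings = []
    for code, rest in parse_entries(log_text):
        if ORPHAN_RE.search(rest):
            findings.append((code, "orphan", "target is missing; dead entry that HijackThis can simply remove"))
        for path in PATH_RE.findall(rest):
            norm = path.lower().replace("/", "\\")
            name = norm.rsplit("\\", 1)[-1]
            if win9x and name in NT_ONLY_BINARIES:
                findings.append((code, "impostor", f"{name} does not exist on Windows 9x, so {path} is not the OS binary"))
            if code.startswith("O4") and name in LOADERS:
                findings.append((code, "loader", f"{name} started at boot; inspect the DLL it is told to load"))
            if norm.startswith(SUSPECT_DIRS):
                findings.append((code, "location", f"code loaded from a temp/download folder: {path}"))
        if code == "O21":
            findings.append((code, "ssodl", "ShellServiceObjectDelayLoad entries are rarely legitimate; verify the DLL"))
    return findings


# Constructed excerpt modelled on the log in the post (HijackThis writes backslashes).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 98 SE (Win9x 4.10.2222A)
Running processes:
C:\WINDOWS\WINLOGON.EXE
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\Downloaded Program Files\cnshook.dll
O3 - Toolbar: Security Assistant - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - (no file)
O4 - HKLM\..\Run: [torjan program] C:\WINDOWS\Winlogon.exe
O4 - Global Startup: IE-BAR.lnk = C:\WINDOWS\rundll32.exe
O21 - SSODL: dlmon - {590498a3-4131-4d8f-ba4b-36791a0803b1} - C:\WINDOWS\SYSTEM\dlmain.dll
"""

if __name__ == "__main__":
    for code, kind, detail in triage(SAMPLE_LOG):
        print(f"{code:<4} {kind:<9} {detail}")
```

The platform line gates the impostor rule on purpose: winlogon.exe is a real binary on NT-family systems, so the same log from Windows XP would not trigger it, and the check would have to look at the folder instead.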
Found:
C:/Windows/Winlogon.exe
C:/Windows/exeroute.exe
C:/Windows/system/rundll32.com
C:/Windows/system/regedit.com
C:/Windows/system/msconfig.com
C:/Windows/system/finder.com
C:/Windows/system/dxdiag.com
C:/Windows/temp/a.exe
C:/Windows/temp/B.exe
C:/Windows/finder.com
C:/Windows/internet.exe
C:/Windows/system.exe
C:/Windows/winlogon.exe
Added a .bak or .del extension to each suspicious file.
Remote Administrator was also found; it was packed into an archive as a backup and then deleted.
Then a problem arose: when running any program, the system said that C:/Windows/exeroute.exe could not be found.
It turned out that C:/Windows/exeroute.exe had modified the .exe file association: every time a .exe program is run, exeroute.exe is run first!
This can be fixed with the registry repair tool from Rising or Kingsoft Antivirus (Duba), but Windows 98 Safe Mode cannot go online to download it.
Copying it over on a floppy failed with a disk read error, and the machine is so old that it has no USB port!
So the registry had to be edited by hand: rename regedit.exe to regedit.com, open the Registry Editor, and repair the .exe file association.
Then use HijackThis to fix the items listed above.
After restarting the computer, an error still occurred when logging on to Windows.
Ran Rising Antivirus Assistant and Rising's free online scan, which found 35 infected files:
File name    Virus name
C:/Windows/system/rundll32.com    Trojan.PSW.LMir.jag
C:/Windows/system/msconfig.com    Trojan.PSW.LMir.jag
C:/Windows/system/finder.com    Trojan.PSW.LMir.jag (Kaspersky reports Trojan-PSW.Win32.Lmir.aov)
C:/Windows/system/dxdiag.com    Trojan.PSW.LMir.jag
C:/Windows/system/regedit.com    Trojan.PSW.LMir.jag
C:/Windows/system/command.pif    Trojan.PSW.LMir.jag
C:/Windows/system/rundll32.com.Del    Trojan.PSW.LMir.jag
C:/Windows/system/ca.exe>B.EXE    Trojan.PSW.LMir.jbg (Kaspersky's real-time monitor does not report it; a manual scan reports Trojan-PSW.Win32.Lmir.aoe)
C:/Windows/system/qq.exe.Bak    Trojan.PSW.LMir.jdc (Kaspersky reports Trojan-PSW.Win32.Lmir.aqo)
C:/Windows/system/dlmon.dll    Trojan.DL.Agent
C:/Windows/system/dlmain.dll.Del    Trojan.DL.Agent (Kaspersky reports Trojan-Downloader.Win32.Agent.ue)
C:/Windows/system/regedit.com.Bak    Trojan.PSW.LMir.jag
C:/Windows/system/msconfig.com.Del    Trojan.PSW.LMir.jag
C:/Windows/system/finder.com.Del    Trojan.PSW.LMir.jag
C:/Windows/system/dxdiag.com.Del    Trojan.PSW.LMir.jag
C:/Windows/temp/a.exe.Bak    Dropper.PSW.LMir.agd (Kaspersky reports Trojan-PSW.Win32.Lmir.ash)
C:/Windows/temp/B.exe.Bak    Trojan.PSW.LMir.jje
C:/Windows/Temporary Internet Files/content.ie5/ohm7o5y7/a1_1).exe    Dropper.PSW.LMir.agd
C:/Windows/Temporary Internet Files/content.ie5/kblfiazt/QQ[2].HTA    Script.Taorao.a (Kaspersky reports Trojan-Dropper.VBS.Taorao)
C:/Windows/Temporary Internet Files/content.ie5/ce4b7tkt/94251).exe    Trojan.PSW.LMir.jdc
C:/Windows/Temporary Internet Files/content.ie5/ce4b7tkt/101000010000.exe>B.EXE    Trojan.PSW.LMir.jbg
C:/Windows/Temporary Internet Files/content.ie5/ce4b7tkt/1110812.16.exe    Trojan.PSW.LMir.jdc
C:/Windows/Temporary Internet Files/content.ie5/snxfuin1/b1_1).exe    Trojan.PSW.LMir.jje
C:/Windows/72896.dll    Trojan.PSW.LMir.jdc
C:/Windows/assumer.com.Del    Trojan.PSW.LMir.jag
C:/Windows/finder.com    Trojan.PSW.LMir.jag
C:/Windows/assumer.com    Trojan.PSW.LMir.jag
C:/Windows/1.com.Bak    Trojan.PSW.LMir.jag
C:/Windows/finder.com.Del    Trojan.PSW.LMir.jag
C:/Windows/internet.exe.Del    Trojan.PSW.LMir.jdc
C:/Windows/system.exe.Del>unpack    Trojan.Clicker.VB.cd (Kaspersky reports Trojan.Win32.VB.aat)
C:/Windows/1.com    Trojan.PSW.LMir.jag
C:/Windows/winlogon.exe.Del    Trojan.PSW.LMir.jag
C:/Windows/exeroute.exe.Bak    Trojan.PSW.LMir.jag
C:/Program Files/Common Files/iw.e.pif    Trojan.PSW.LMir.jag
C:/Program Files/Internet Explorer/iw.e.com    Trojan.PSW.LMir.jag
The problem was solved with Rising Antivirus Assistant.
The virus files whose names had been changed earlier were found again under their original names. Apparently exeroute.exe, hooked into the .exe association, checks for the virus files every time it runs and recreates any that are missing.
A .com file takes priority over a .exe of the same name: when we type the command msconfig, the system runs the virus program msconfig.com instead of the system configuration utility msconfig.exe!
It seems that from now on the extension must be given explicitly when running built-in system commands.
Also, a program for restoring the .exe file association should be kept as a backup. Antivirus software generally checks and fixes the .exe association at startup, but whether online scan-and-clean services do this is still unknown.
Also, a suspicious file, setup.exe: AntiVir reports it as Dropper/Dmsec.A.
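Both lessons above, the hijacked .exe association that ran exeroute.exe before every program and the .com files that get picked over the .exe of the same name, can be checked mechanically. The script below is an added example, not code from the original post or from any antivirus vendor's repair tool: exe_association_status compares the exefile open command against the stock value "%1" %*, resolve_command mimics the .com-before-.exe lookup order along a PATH, and shadowed_commands lists every .exe that a bare command name would not actually run. SAMPLE_PATH is a constructed directory listing modelled on the files found in the post, and the live registry read only runs on Windows.

```python
"""Check the .exe file association and .com-before-.exe command shadowing.

Added example, not from the original post. The registry value and the
directory listings are passed in as plain data so the checks run on any
OS; SAMPLE_PATH is a constructed listing modelled on the files in the post.
"""
import re
import sys

# Stock value of HKEY_CLASSES_ROOT\exefile\shell\open\command.
CLEAN_EXE_COMMAND = '"%1" %*'
# Lookup order a bare command name gets within one directory.
PATHEXT_ORDER = (".com", ".exe", ".bat")


def exe_association_status(command_value):
    """Classify the exefile open command.

    Returns ("clean", None) for the stock value, or ("hijacked", program)
    where program is the interposer that now runs before every .exe, e.g.
    C:\\WINDOWS\\exeroute.exe "%1" %*. Deleting the interposer without
    restoring this value is what broke every program launch in the post.
    """
    value = " ".join(command_value.split())
    if value == CLEAN_EXE_COMMAND:
        return "clean", None
    m = re.match(r'^"?(?P<prog>[^"]+?\.(?:exe|com|pif|bat))"?', value, re.I)
    return "hijacked", (m.group("prog") if m else value)


def live_exe_association():
    """Read the real value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        return winreg.QueryValueEx(key, "")[0]


def resolve_command(command, search_path):
    """Mimic a bare-name lookup: directories in PATH order, and within each
    directory the extensions in PATHEXT_ORDER, so a .com wins over a .exe
    of the same name in the same folder. search_path is [(dir, [names])]."""
    for directory, names in search_path:
        present = {n.lower() for n in names}
        for ext in PATHEXT_ORDER:
            candidate = command.lower() + ext
            if candidate in present:
                return directory.rstrip("\\") + "\\" + candidate
    return None


def shadowed_commands(search_path):
    """Return {command: file_actually_run} for every .exe on the path whose
    bare name would launch a different file."""
    shadowed = {}
    for directory, names in search_path:
        for name in names:
            if name.lower().endswith(".exe"):
                command = name[:-4].lower()
                expected = directory.rstrip("\\") + "\\" + name.lower()
                actual = resolve_command(command, search_path)
                if actual != expected:
                    shadowed[command] = actual
    return shadowed


# Constructed listing: regedit.exe really lives in C:\WINDOWS on Windows 98,
# while the infection dropped .com twins of msconfig and dxdiag in SYSTEM.
SAMPLE_PATH = [
    (r"C:\WINDOWS", ["regedit.exe", "rundll32.exe", "notepad.exe"]),
    (r"C:\WINDOWS\SYSTEM", ["msconfig.exe", "msconfig.com", "regedit.com",
                            "dxdiag.exe", "dxdiag.com"]),
]

if __name__ == "__main__":
    print(exe_association_status(r'C:\WINDOWS\exeroute.exe "%1" %*'))
    print(shadowed_commands(SAMPLE_PATH))
    live = live_exe_association()
    if live is not None:
        print("this machine:", exe_association_status(live))
```

Note that regedit.com in SYSTEM does not shadow regedit in this listing because C:\WINDOWS comes first on the path; the shadowing only bites when the .com sits in the same folder as the .exe or in an earlier one, which is why the post's advice to type the full name with its extension is the reliable workaround.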