Trojan. psw. lmir. LKH, Trojan. psw. wowar. QD, Trojan. Agent. kh0, etc.

EndurerOriginal

1Version

A netizen's computer encountered a problem: An error occurred while turning on IE and closed it. Let me help with the repair.

Via QQ Remote Assistance.

Double-click the IE icon on the desktop to bring up the 5460. dll error message box.

Pe_xscan is used to scan logs and the following suspicious items are found:
/==============
Pe_xscan by Purple endurer
2006-12-29 12:35:22
Windows XP Service Pack 2 (5.1.2600)
Administrator user group

C:/Windows/EXPLORER. EXE * 1676
C:/Windows/system32/windhcp. ocx * 15:36:50
C:/Windows/system32/winsmd.exe * 3258*2006-12-25 9:47:46

O2-BHO xbtp00162 class-{EBA8FC1C-C7BB-4306-B019-99AA73D1021C}-C:/Windows/downlo ~ 1/5460. dll

* O3-IE Toolbar:-{6ae02e1c-8859-4f57-9097-5a55a56a4caf}-C:/Windows/Downloaded Program Files/5460.dll

O4-HKLM/../run: [soundm] winsmd.exe

O16-DPF: {6ae02e1c-8859-4f57-9097-5a55a56a4caf} (5460 toolbar)-hxxp: // images.5460.net/toolbar/webinstall/5460.cab

O23-service: NPF (netgroup Packet Filter Driver)-system32/Drivers/NPF. sys (auto start)
===============/

I haven't gotten to 5460.net for a long time. I couldn't think of a 5460. dll advertisement.

Download hijackthis and procview from http://endurer.ys168.com.

Use procview to terminate the process C:/Windows/system32/winsmd.exe.

Download bat_do and fileinfo to the http://purpleendurer.ys168.com.

Use fileinfo to extract the following file information. bat_do will package and back up the file and delete it. If it cannot be deleted, it will be executed at the next startup.

File description:C:/Windows/downlo ~ 1/5460. dll
Attribute: ---
Language: English (USA)
File version: 1, 0, 0, 4
Notes: IE Toolbar
Copyright: Copyright 2001-2003. All rights reserved.
Note:
Product Version: 1, 0, 0, 1
Product Name: IE Toolbar
Company Name: IE Toolbar
Legal trademark:
Internal name: IE Toolbar
Source File Name: toolbar. dll
Creation Time: 13:48:43
Modification time: 13:50:18
Access time: 12:50:42
Size: 544768 bytes, 532.0 KB
MD5: 9effd673d996bb65c4ff611a113784c8

Kaspersky reportsNot-a-virus: adware. win32.mytool. fThe rising report isTrojan. Agent. yjy.

File description:C:/Windows/system32/winsmd.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 13:52:52
Modification time: 9:47:46
Access time:
Size: 123697 bytes, 120.817 KB
MD5: 285c29347551fee9c6cee2c213493edf

Kaspersky reportsTrojan-PSW.Win32.Nilage.annThe rising report isTrojan. psw. lmir. LKH.

File description:C:/Windows/system32/Drivers/NPF. sys
Property:-sh-
Language: language neutral
File version: 3, 1, 0, 27
Note: NPF
Copyright: copyright? 2005 cace technologies. Copyright? 2003-2005 netgroup, Politecnico di Torino.
Note:
Product Version: 3, 1, 0, 27
Product Name: Winpcap netgroup Packet Filter Driver
Company Name: cace Technologies
Legal trademark:
Internal name: NPF + tme
Source File Name: NPF. sys
Creation Time: 13:56:41
Modification time: 11:16:46
Access time:
Size: 39920 bytes, 38.1008 KB
MD5: c153a16fc677f8cc2965227d424374e0

RisingTrojan. psw. wowar. QD.

File description:D:/Windows/system32/windhcp. ocx
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 13:59:45
Modification time: 15:36:50
Access time: 12:59:58
Size: 41472 bytes, 40.512 KB
MD5: d98249fd3ab41817f7bac87d97912b63

RisingTrojan. Agent. kh0.

Use hijackthis to fix the suspicious items listed above.

Go to the Registry to delete the project of the NPF (netgroup Packet Filter Driver) service.