Win32/PSW.Legendmir trojan HELP!

NOD32 always tells me this when I do an indepth scan.. i cant clean or delete it. Only option i have is to leave it alone which I refuse to do.

a variant of Win32/PSW.Legendmir trojan found in operating memory. System memory infection originated from file C:\WINDOWS\WINLOGON.EXE.

Anyone care to help?

Another thing is when NOD32 is off a lot of korean/japanese popups suddenly go up. I did an indepth scan and NOD32 seemed to delete almost everything. How do i take care of these evasive viruses/spyware/trojans?

Thanks

 

Try running a full scan in safe mode.... How to Start Windows in Safe Mode

 

Carefully perform the following to get rid of the malware you have into your computer :

Make sure your NOD32 is updated . Open Control Center -> Update -> Update now

Check your settings with Blackspear's tutorial (especially the on-demand scan)

Download Ad-Aware se Personal
Install Ad-Aware se and update it . Still do not scan with anything!

Boot your computer is Safe Mode
Do this by repeatedly typing F8 while Windows is starting before
Windows logo appears.Then you'll open the Windows Advanced menu where you can choose to boot the hard drive in SAFE MODE

Perform full scan with Ad-Aware se , remove the infections .
After you have made sure you have checked your NOD32 settings , goto Start->Programs->ESET->NOD32 , make sure you use Control Center Profile and perform full scan and clean . After that restart your computer

If this doesn't help , perform these instructions
Good luck !

 

Should the problem persist, drop an email to support @ eset.com with a link to this thread.

 

Ok I did what you guys told me to do... I did Ad-Aware and Nod 32 scan on safe mode, did blackspears settings also, etc etc. It detected and deleted about 35 viraii from C:/Windows and the system32 folder

Now after restarting my computer theres an error popping up that windows cannot find '1'. what is 1?

Another thing is when I open a program like yahoomessenger, windows asks me what program to use to open yahoomessenger. It happens to every program for that matter. I have to manually select the exe file of yahoomessenger every time I want to run it. The box for 'Always Use this program to open this kind of file' is always greyed out.

Im confused. I appreciate the help but It seems I need more.

 

Ok I really need some help now. I just found out that everything is screwed up since I did that whole process you guys told me. Programs arent working properly. When I try to open My computer properties it says rundll32 cannot be found. I cant use system restore because its off and I cant turn it on because I cant go to My Computer properties.

Help Help Help anyone! Id rather have a virus in my computer rather having it not working properly at all.

 

Hi LeponeX, you can place your Windows CD in the CDROM drive, then click on start > run, type in CMD, when the black window opens type in "sfc /scannow"

SFC (System File Checker, a part of Windows File Protection) will replace any changed/damaged system files with a clean copy. SFC may not solve every problem, but it's a good start that anyone can do.

Cheers

 

I currently dont have my Windows XP cd with me.
Any other remedies besides that?

 

Didn't you delete C:\WINDOWS\system32\rundll32.exe in error? If so, you can copy it from another machine running the same OS.

 

Nope I didnt delete any rundll32.exe but I think NOD32 deleted a rundll32.com which was detected as a virus.

So what options do I have guys?

Here I copied a partial list of the threat log that NOD32 deleted

Time Module Object Name Threat Action User Information
9/24/2006 1:41:17 AM Kernel file c:\program files\common~1\iexplore.pif a variant of Win32/PSW.Legendmir trojan
9/24/2006 1:40:55 AM Kernel file C:\WINDOWS\1.com a variant of Win32/PSW.Legendmir trojan
9/24/2006 1:40:53 AM Kernel file c:\windows\winlogon.exe a variant of Win32/PSW.Legendmir trojan
9/24/2006 1:40:51 AM Kernel file C:\WINDOWS\system32\rundll32.com a variant of Win32/PSW.Legendmir trojan

 

If it's possible, please make a copy of the NOD32 log entries (scanner log) to see which files have been deleted?
That might help us to think with you....

 

I tried to look for rundll32.exe in my windows\system32 folder and it was still there. I dont get it when I try to access 'My Computer Properties' an error occurs stating C:\WINDOWS\system32\rundll32.exe Application not found.

So confused.

 

Go to http://www.eset.com and in the "Free virus and spyware removers" drop-down menu select FixExe utility. Download and run it, and report us whether it resolved the issue.

 

One (1) is probably a warning which you receive from Windows . This means that the malware which NOD32 successfully removed has also created a Run (start-up) registry key to be able to run everytime you start your computer . NOD32 removed the file associated to that reg key so now Windows cannot run the whole command due to file missing (malware file 1.com in C:\Windows ) .
To fix this , open Start->Run , type regedit.exe and press ENTER. Very carefully navigate to Hkey_Local Machine - Software - Microsoft - Windows - Current version - Run and in the right part find a key with a name accosiated to C:\Windows\1.com and manually delete that particular key , carefully .
Exit with the X just like you close programs.

The utility that Marcos suggested should to the trick here . The malware has currupted this so it needs repairing .

What you need to do in addition to what I and others suggested above is to first make sure you are absolutely clean of any kind of threats . After that , you will really need your Windows CD to do a repair install of Windows . How to do a repair of Windows


After you repair , protect well your computer !

You are welcome !

 

Ok I tried running regedit but couldnt because again it tried to look for what program I should use to run regedit. I searched for the regedt32.exe in my system32 and tried running it and it didnt work. I dont know why

I downloaded the file that Marcos told me and I dont think it worked either. When I double clicked it it said that Exe association has been fixed, and a reboot is recommended. Did everything but it seems nothing changed. Opening programs are still screwed up, and rundll32.exe still cant be found by the computer.

Anything more?

Ill be getting my Windows CD by the week and hopefully that helps.
Im already starting to think of reformatting my comp. which to me is kinda sad.

 

Sometimes when a system becomes so bad this can be one of the best remedies, however, before this you can do a Windows Repair

Cheers

 

Thanks guys.. I really appreciate the help. But I think that waiting for my WINDOWS CS to come is the best before I do anything else more and mess it up. Ill keep you guys updated as soon as I try the Windows Fix. Thanks a bunch! -LeponeX

 

You are welcome !

I , as well as Blackspear , have posted links to instructions how to repair Windows , read them carefully before doing anything .
If this can't help and you decide to reinstall Windows with format of the hard drive , here are instructions how to do this

 

Ok just got my WINDOWS XP CD and did the Windows repair process. Unfortunately the process was unsuccessful. During the installation of windows the computer constantly asked me what program to use to run rundll.exe and a bunch of other exe's. After the installation nothing changed, my computer is still screwed up.

Anyone know what I am to do next?? Reformat

Help Pls. Thanks

 

Please drop an email to support @ eset.com with a link to this thread, I'll provide you with some tools that might shed more light.

 

Wow I got the problem finally fixed. What I did was copied the error message and typed it into yahoo. I saw this thread with one guy having the same problems, and one guy helped him by telling him to download exefix which is a 10kb file. Well i downloaded it too and tried it. Doubleclicked it and Whalla my computer worked fine like nothing happned.

No more rundll32.exe errors or problems opening programs.

Ill give you guys the link to that thread if you dont mind.

http://www.annoyances.org/exec/forum/winxp/1125368113

 

Well before I leave this forum... I would like to thank all the kind people who took the time and reply to every concern I had. Blackspeare, Marcos, Hi_techboy, duijv023 and Namor. I really REALLY appreciated the help guys.

Thanks and God Bless!

 

You are welcome ! Don't hesitate to come back again and ask more and more , and more ... ! We'll be here

 

You are welcome.

Cheers