Source: Yahoo Answers.
I am suffering from a trojan (PWS-LEGMir.dll). No antivirus is effective. Help? - Yahoo! Answers
Ouch. It's a password stealer. If you recently accessed secure websites like Paypal or your credit card accounts online, GO TO ANOTHER PC, LOGIN TO THOSE ACCOUNTS, CHANGE THE PASSWORDS.
Don't go back to those accounts on the 1st PC until you solve this problem.
What happens when you try to delete the .dll file? If you delete it but it re-emerges when you boot that's a ROOTKIT.
How big is the risk? Open your History file with Ctrl-H. You may also have a symbol in the row of icons at the top of your browser that says History when you drag the mouse pointer across it.
Drag your mouse pointer across History items for the last several days. If any look like secure websites, change the passwords IMMEDIATELY. If you don't recognize a website or it has an unusual location such as .ru (Russia), hover the mouse pointer over the link. If the link has your login ID and password, you are about to lose your credit rating and bank deposits.
This is the Rootkit BLOCKING process. When you understand how Rootkits work you can obstruct them from reinfecting every time you boot.
- - -
The first question is, how do you know you have Hacktool?
Most rootkits are stealthy; they only get active when you access a secured website such as online banking. Then, surreptitiously, they transmit your login ID and password to someplace like Russia. Goodbye bank account.
If you think you have a rootkit AND if you used the internet recently to access secure websites, then examine your HISTORY.
For IE, click the icon which looks like a sundial. For other browsers try Ctrl-H.
When you roll your mouse cursor over a history link, you should see the complete path. A path could even show the URL for the secure website, your login ID, and your password, all embedded in one big link.
Copy the offending link. Use Tools > Internet Options > Security > Restricted Sites to block access to that web address.
Notify your banks or credit cards that your security has been hacked and CHANGE YOUR PASSWORDS.
I developed my own rootkit blocking system.
The problem is that you kill it, then it reappears every time you boot. You can never completely kill it.
I'll break it down.
1) Whenever a virus emerges, it creates specific files, usually in the Windows\System32 directory but they could be in several places.
2) Run a program like Spybot. Carefully log the complete file name and path of the files that Spybot removes.
3) CREATE A FAKE FILE TO OCCUPY THE EXACT LOCATION OF EACH INFECTED FILE. Take a word processor such as Notepad. To illustrate, make a file called FakeFile.txt with a line of text like "This is my rootkit blocking system".
4) Copy the Fakefile to each subdirectory where the infected file was located. Example: c:\Windows\System32\Fakefile.t...
5) Make as many copies of Fakefile.txt as you need.
6) RENAME each Fakefile.txt to the exact name of the infected file. Example: Rename Fakefile.txt to BadVirus.exe .
7) Change the properties to Read Only.
You may need to unlock the infected file before you can delete, rename, etc. I use a shareware program called Unlocker.
http://www.softpedia.com/get/system/syst...
You may have better results by Safe Booting, I prefer Unlocker.
Why does this system work? Because most rootkits create the same file names in the same locations, over and over.
When they see an existing file, they don't think to write over it or create an alternate file name.
Simple and effective, BUT you may need to go one step farther. Find a program called HijackThis and find a website that will analyze the HijackThis log.
You post the log. They tell you how to fix the problem. You may have to remove registry keys.
Here's a simple tip for using my blocking system. Rename the fakefile using a distinctive combination of upper and lower case characters. Your blocking version might be named bAdViRUS.eXE . That way, you will know it's yours and not the original.
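The history check the answer describes (hover over each link and look for a login ID or password embedded in the address, or an unfamiliar location such as .ru) can be done over an exported history list instead of by hand. The following is an added example, not the answerer's own method or tool: the sample history lines are constructed for illustration, and the parameter names it treats as login or password fields and the TLDs it treats as unfamiliar are assumptions, not lists from the page.

```python
"""Scan browser-history URLs for credentials leaked in the address itself.

Added example, not part of the original answer. SAMPLE_HISTORY is
constructed data; CREDENTIAL_KEYS, LOGIN_KEYS and SUSPICIOUS_TLDS are
assumed lists that a practitioner would tune for their own environment.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample history, standing in for what a hover-over link shows.
SAMPLE_HISTORY = [
    "https://www.paypal.com/signin",
    "https://online.examplebank.com/login?user=jsmith&password=Hunter2",
    "http://stat-collector.example.ru/log.php?id=jsmith&pwd=Hunter2&site=examplebank.com",
    "https://www.google.com/search?q=rootkit+removal",
]

# Query-string parameter names that look like a password (assumed list).
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass", "pin"}
# Query-string parameter names that look like a login ID (assumed list).
LOGIN_KEYS = {"user", "username", "login", "userid", "email"}
# Top-level domains the answer would call an "unusual location" (assumed list).
SUSPICIOUS_TLDS = {"ru", "cn", "su"}


def assess_url(url):
    """Return the list of findings for one URL; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(url)
    # Parameter names are compared case-insensitively; values are never printed.
    params = {k.lower() for k in parse_qs(parsed.query)}
    if parsed.scheme == "http":
        findings.append("plain http")
    host = parsed.hostname or ""
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in SUSPICIOUS_TLDS:
        findings.append(f"unfamiliar tld .{tld}")
    if CREDENTIAL_KEYS & params:
        findings.append("password in query string")
    if LOGIN_KEYS & params:
        findings.append("login id in query string")
    return findings


def scan_history(urls):
    """Map each URL to its findings, keeping only URLs that raised at least one."""
    return {u: f for u in urls if (f := assess_url(u))}


def hosts_to_rotate(urls):
    """Hosts whose password must be changed: any site that received a password in its URL.

    A URL that also names another site in its query (the "site=" parameter seen in
    stealer beacons) is an assumption used here to widen the rotation list.
    """
    hosts = set()
    for u in urls:
        parsed = urlparse(u)
        params = {k.lower(): v for k, v in parse_qs(parsed.query).items()}
        if CREDENTIAL_KEYS & set(params):
            hosts.add(parsed.hostname)
            hosts.update(params.get("site", []))
    return hosts


if __name__ == "__main__":
    for url, findings in scan_history(SAMPLE_HISTORY).items():
        print(url, "->", "; ".join(findings))
    print("change passwords for:", sorted(hosts_to_rotate(SAMPLE_HISTORY)))
```

The scanner deliberately reports only parameter names, never the captured values, so the output can be pasted into a ticket or a forum post without repeating the leaked password.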
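The blocking procedure in steps 3 to 7 (a placeholder file with the removed file's exact name and path, marked Read Only) can be scripted from the list of paths logged in step 2. The following is an added example and not the answerer's own tool: it runs the same steps in a scratch directory that stands in for C:\Windows\System32, and the file names it plants are illustrative (BadVirus.exe from the answer's example, and the PWS-LEGMir.dll named in the question). On a real machine you would pass the full paths recorded from the scanner's removal log instead.

```python
"""Plant read-only placeholder files at the paths a removed malware file occupied.

Added example, not part of the original answer. The scratch directory and
file names used by demo() are assumptions for illustration only.
"""
import os
import stat
import tempfile

# Same marker text the answer suggests typing into Notepad.
MARKER = "This is my rootkit blocking system\n"


def plant_placeholders(paths):
    """Create a read-only marker file at each path that is currently free.

    Returns a dict mapping each path to one of:
      'planted'             placeholder written and set read-only
      'skipped: exists'     something is still there (the infected file was not
                            removed, or a placeholder is already in place)
      'skipped: no such dir' the logged directory does not exist on this machine
    """
    results = {}
    for path in paths:
        if os.path.lexists(path):
            results[path] = "skipped: exists"
            continue
        if not os.path.isdir(os.path.dirname(path)):
            results[path] = "skipped: no such dir"
            continue
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(MARKER)
        # Owner read-only; on Windows this sets the file's Read-only attribute,
        # which is step 7 of the answer.
        os.chmod(path, stat.S_IREAD)
        results[path] = "planted"
    return results


def is_placeholder(path):
    """True if the file at path holds our marker and has no owner write bit."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            content = fh.read()
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return content == MARKER and not (mode & stat.S_IWUSR)


def demo():
    """Run the procedure twice in a scratch directory and verify the result.

    Returns (first_run, second_run, verified): the second run shows that an
    existing placeholder is left alone rather than overwritten.
    """
    root = tempfile.mkdtemp(prefix="rootkit-block-")   # stands in for System32
    targets = [
        os.path.join(root, "BadVirus.exe"),
        os.path.join(root, "PWS-LEGMir.dll"),
        os.path.join(root, "no-such-dir", "BadVirus.exe"),
    ]
    first = plant_placeholders(targets)
    second = plant_placeholders(targets)
    verified = {p: is_placeholder(p) for p in targets[:2]}
    return first, second, verified


if __name__ == "__main__":
    first, second, verified = demo()
    for path, status in first.items():
        print(status, path)
    print("all placeholders verified:", all(verified.values()))
```

A 'skipped: exists' result on the first run is itself a finding: the infected file is still present and must be unlocked and deleted (the answer's Unlocker or Safe Boot step) before the placeholder can take its place. The read-only bit stops casual overwrites only; malware running with administrator rights can clear it, which is why the answer still sends you on to HijackThis and the registry.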