lpk.dll virus symptoms and manual removal

Source: Internet
Author: User
Tags: tmp file

The lpk.dll virus should be familiar to most readers. It has been widespread for some time, and dedicated removal tools for it can be found and downloaded from the Internet, which is enough to show how common and how dangerous it is. This article analyzes the behaviour of the virus and walks through the complete manual removal process.

Rising experts point out that not all lpk.dll files are viruses. A legitimate lpk.dll exists on a normal system: it is the language pack DLL of Microsoft Windows and is located in the C:\WINDOWS\system32 and C:\WINDOWS\system32\dllcache directories.

A typical feature of the lpk.dll virus is that it infects directories containing executable files: it hides itself there, and if deleted it is generated again. When an exe file in the same directory runs, Windows dynamically links the lpk.dll sitting beside it, which activates the virus, so the infection cannot be completely cleared by deleting files alone.

Therefore, when you find lpk.dll files in many folders on the disk, you can be sure that your computer is infected. The lpk.dll virus is a malicious backdoor. After a computer is infected, more malicious programs are downloaded in the background, which can lead to remote control of the machine and theft of user data. Many users habitually reinstall the system after discovering an infection; however, reinstalling the system does not remove the lpk.dll copies in directories on non-system disks.

Virus symptoms

1) Show all hidden files, including protected operating system files, in Folder Options, then search the whole disk for lpk.dll. On an infected system, lpk.dll files of the same size and with the hidden attribute exist in many directories.

Figure 1: Infected system: a full-disk search finds lpk.dll files in many directories, all of the same size and with the hidden attribute.

Note: When you search the whole disk for lpk.dll, tick "Search hidden files and folders", as shown in Figure 2:

Figure 2: Select "Search hidden files and folders" when searching.

2) The C:\Documents and Settings\Administrator\Local Settings\Temp directory contains many tmp files of the same size that follow the same naming pattern. Judging by the extension these look like temporary files, but they are actually PE images, not ordinary tmp files.

Figure 3: Infected system: a large number of tmp files with a regular naming pattern, all of the same size.

3) Inspecting the system with XueTr shows that explorer.exe and many other processes have loaded lpk.dll.

Figure 4: Infected system: lpk.dll is loaded in many processes.
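As an added example (not part of the original article, and not code from XueTr or any other tool mentioned here), the following Python script automates symptoms 1 and 2: it walks a directory tree for lpk.dll copies outside the legitimate system32 and dllcache locations, records each copy's size, SHA-256, hidden attribute and the .exe files beside it (the programs that would load it), checks a Temp directory for .tmp files that actually begin with the PE "MZ" header, and groups everything by hash to show which files are byte-identical copies. The directory layout, file names and file contents produced by build_sample_tree() are constructed dummy data for the demo, not real samples; the hidden-attribute check only has meaning on Windows, where os.stat exposes st_file_attributes.

```python
"""Added example (not from the article): scan for the lpk.dll hijack pattern."""
import hashlib
import os
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; st_file_attributes exists only on Windows

def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_pe(path):
    """True if the file starts with the 'MZ' DOS header that every PE image carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def is_hidden(path):
    """Windows hidden attribute; always False on other platforms."""
    return bool(getattr(os.stat(path), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)

def _norm(p):
    return str(Path(p).resolve()).lower()  # case-insensitive, canonical form

def find_rogue_lpk(root, legit_dirs):
    """One record per lpk.dll under root that is NOT in one of legit_dirs."""
    legit = {_norm(d) for d in legit_dirs}
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        if _norm(dirpath) in legit:
            continue
        for name in filenames:
            if name.lower() != "lpk.dll":
                continue
            full = os.path.join(dirpath, name)
            hits.append({
                "path": full,
                "size": os.path.getsize(full),
                "sha256": sha256_of(full),
                "hidden": is_hidden(full),
                # .exe files next to the DLL: these are what would load it
                "sibling_exes": sorted(f for f in filenames if f.lower().endswith(".exe")),
            })
    return hits

def find_pe_tmp_files(temp_dir):
    """.tmp files in temp_dir whose content is really a PE image."""
    out = []
    for name in os.listdir(temp_dir):
        full = os.path.join(temp_dir, name)
        if os.path.isfile(full) and name.lower().endswith(".tmp") and is_pe(full):
            out.append(full)
    return sorted(out)

def group_by_hash(paths):
    """Map sha256 -> paths, so byte-identical copies fall into one group."""
    groups = {}
    for p in paths:
        groups.setdefault(sha256_of(p), []).append(p)
    return groups

def build_sample_tree():
    """Constructed demo tree of harmless dummy bytes (not real malware) mimicking the
    article's layout: legit lpk.dll in System32/dllcache, rogue copies beside
    executables, PE-format hrlXX.tmp files in Temp."""
    root = tempfile.mkdtemp(prefix="lpk_demo_")
    sys32 = os.path.join(root, "Windows", "System32")
    dllcache = os.path.join(sys32, "dllcache")
    temp = os.path.join(root, "Documents and Settings", "Administrator", "Local Settings", "Temp")
    app1, app2 = os.path.join(root, "Program Files", "App1"), os.path.join(root, "Tools")
    for d in (dllcache, temp, app1, app2):
        os.makedirs(d)
    legit_dll = b"MZ" + b"\x00" * 100 + b"dummy legitimate language pack"
    rogue_dll = b"MZ" + b"\x00" * 100 + b"dummy rogue copy"
    dummy_exe = b"MZ" + b"\x00" * 40 + b"dummy program"
    files = {
        (sys32, "lpk.dll"): legit_dll, (dllcache, "lpk.dll"): legit_dll,
        (app1, "lpk.dll"): rogue_dll, (app1, "app1.exe"): dummy_exe,
        (app2, "LPK.DLL"): rogue_dll, (app2, "tool.exe"): dummy_exe,
        (temp, "hrl01.tmp"): rogue_dll, (temp, "hrl02.tmp"): rogue_dll,
        (temp, "~notes.tmp"): b"plain text scratch file",
    }
    for (d, name), data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return {"root": root, "legit_dirs": [sys32, dllcache], "temp_dir": temp}

if __name__ == "__main__":
    tree = build_sample_tree()
    hits = find_rogue_lpk(tree["root"], tree["legit_dirs"])
    for h in hits:
        print("ROGUE", h["path"], "size", h["size"], "hidden", h["hidden"], "next to", h["sibling_exes"])
    pe_tmps = find_pe_tmp_files(tree["temp_dir"])
    for digest, paths in group_by_hash([h["path"] for h in hits] + pe_tmps).items():
        print(len(paths), "identical copies, sha256", digest[:16])
```

On a real machine you would call find_rogue_lpk(r"C:\", [r"C:\WINDOWS\system32", r"C:\WINDOWS\system32\dllcache"]) and find_pe_tmp_files on the user's Temp directory; a rogue hit whose hash matches the hrlXX.tmp files is the same-size, same-content relationship the article uses to tie the dropped files together, and the sibling_exes list tells you which programs would have activated the DLL through the application-directory search order.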

Solution

1) Delete all the lpk.dll files found by the search (except those in the C:\WINDOWS\system32 and C:\WINDOWS\system32\dllcache directories). Delete the 36 KB hrlXX.tmp files in the C:\Documents and Settings\Administrator\Local Settings\Temp directory.

2) When some of the lpk.dll files are deleted, the system reports an error, as in the example below.

Figure 5: An error is reported when deleting some lpk.dll files, because the virus file is already in use.

This is because the virus file has already been activated and loaded by a process, so it cannot be deleted directly in normal mode. The lpk.dll files that produce the error are exactly the ones currently loaded by running processes. Locate each loaded lpk.dll one by one in the process's module list, right-click it, and select delete.

Figure 6: A tool can be used to delete these loaded lpk.dll modules from the process.

3) While using XueTr to inspect the system processes one by one, a suspicious module file, hra33.dll, is found loaded in a svchost.exe process, and the file has no digital signature.

Figure 7: A suspicious DLL module is loaded in a svchost process.

Right-click to view the module's file properties. The file size is 43 KB, the same as lpk.dll, and the creation date is also the same as that of lpk.dll. The file name should look familiar too: it resembles the hrlXX.tmp file names in the Temp directory. Taken together, it can be concluded that this file is of the same nature as lpk.dll, and it can be deleted directly using XueTr.

Figure 8: View the module's details to identify it as a virus file.

4) After the above deletions are complete, searching the entire disk again shows that the just-deleted lpk.dll virus files have reappeared; it really is "invisible". Obviously the lpk.dll files are being continuously dropped by a virus component that is still present in the system, and that component must be found and removed thoroughly. Checking the system's current services with XueTr reveals a suspicious service whose image file, kkwgks.exe, has no digital signature.

Figure 9: Checking the system services again shows that the file corresponding to the service has no digital signature.

Viewing the kkwgks.exe file shows that its creation time is the same as that of lpk.dll, and its size is the same as that of the hrlXX.tmp files in the Temp directory. It is clearly suspicious and can be deleted directly.

Figure 10: Viewing the file's details shows that it is a virus file.

5) Deleting the kkwgks.exe file terminates the virus service. You still need to repeat the deletions from steps 1-3 to clear all the re-dropped lpk.dll and other files. Then restart the computer and search the entire disk again: the original virus files no longer exist.

Virus Behavior Analysis

Working backwards from the manual removal above, the virus's behaviour can be reconstructed as follows.

1) After the virus runs, it drops a copy of itself with a random name (here kkwgks.exe) into the system32 directory and creates a service named Nationalgnf.

2) The virus then runs. The functions performed at this stage include:

A. Performing all of the virus's backdoor tasks;

B. Generating hraXX.dll in the system32 directory (XX is a randomly generated name);

C. Keeping a backup of the .exe virus file under system32 so that it can be restored after deletion, which is very dangerous;

D. Generating a fake lpk.dll, with the hidden attribute, in every directory that contains an executable file. When an exe file in the same directory runs, the fake DLL is loaded automatically and activates the virus.

Summary

After the above analysis and removal procedure, you should have a reasonable understanding of the lpk.dll virus. Although this family has many variants and is highly infectious and dangerous, there is no need to panic if you encounter it. Dedicated removal tools can be found and downloaded from the Internet, and most anti-virus products already have the family in their databases, so with the proper tools the problem is not difficult to solve.
