Virus symptoms:
Task Manager shows two Lsass.exe processes: one running as SYSTEM and one running under the current user name (the latter is the virus). Double-clicking drive D: does not open it; it can only be opened by right-clicking and choosing Open. A Kaspersky scan can remove the virus, but the two Lsass.exe processes are back after a reboot. The virus is a Trojan. After infection it creates two files, command.com and autorun.inf, in the root directory of drive D:, and it damages the system's file associations in the registry. It modifies the registry Run key value to point to LSASS.exe, modifies the .exe and exefile key values under HKEY_CLASSES_ROOT, and creates a new Windowfile key value. The open command for .exe files is then associated with the virus program %system\exert.exe that it generates.
The virus creates the following files:
c:\program files\common files\INTEXPLORE.pif
c:\program files\internet explorer\INTEXPLORE.com
%SYSTEM\debug\debugprogram.exe
%SYSTEM\system32\Anskya0.exe
%SYSTEM\system32\dxdiag.com
%SYSTEM\system32\MSCONFIG.com
%SYSTEM\system32\regedit.com
%SYSTEM\system32\LSASS.exe
%SYSTEM\system32\EXERT.exe
Treatment methods:
1. End the LSASS virus process first
Open Task Manager (Ctrl+Alt+Del). Simply right-clicking the Lsass.exe process that runs under the current user name and ending it does not work: a message box says that it is a system process and cannot be stopped. Instead, in Task Manager click View -> Select Columns, tick PID (Process Identifier) in the dialog box and click OK. Find the entry whose image name is "LSASS.exe" and whose user name is not "SYSTEM", and note its PID. Click "Start" - "Run", enter "CMD" and click "OK" to open a command prompt. Enter "ntsd -c q -p (PID)", for example "ntsd -c q -p 1064" on my computer. Then confirm that the virus process has been closed.
2. Batch code to delete the files generated by the virus
REM =====================DD.Bat==============================
REM Paths that contain spaces must be quoted, otherwise del splits them into several arguments
del "C:\Program Files\Common Files\INTEXPLORE.pif" /a/f/q
del "C:\Program Files\Internet Explorer\INTEXPLORE.com" /a/f/q
del C:\WINDOWS\EXERT.exe /a/f/q
del C:\WINDOWS\IO.SYS.BAK /a/f/q
del C:\WINDOWS\LSASS.exe /a/f/q
del C:\WINDOWS\Debug\DebugProgram.exe /a/f/q
del C:\WINDOWS\system32\dxdiag.com /a/f/q
del C:\WINDOWS\system32\MSCONFIG.COM /a/f/q
del C:\WINDOWS\system32\regedit.com /a/f/q
del D:\Autorun.inf /a/f/q
del D:\command.com /a/f/q
REM ====================DD.Bat================================
Copy the above code into Notepad and save it in bat format, such as Dd.bat. Run this file after saving it.
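The check from step 1 (an LSASS.exe entry whose user name is not SYSTEM), as an added example that is not part of the original article: a Python script that parses "tasklist /V /FO CSV" output and reports the PID to pass to ntsd. The sample rows are constructed, English-locale column names are assumed, and the function name check_lsass is hypothetical.

```python
import csv
import io
import subprocess
import sys

# Constructed sample of `tasklist /V /FO CSV` output (English-locale column
# names assumed). PID 1064 mirrors the example PID used in step 1.
SAMPLE = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"lsass.exe","684","Console","0","1,508 K","Running","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"explorer.exe","1532","Console","0","18,220 K","Running","WORKSTATION\alice","0:00:09","N/A"
"LSASS.exe","1064","Console","0","4,312 K","Running","WORKSTATION\alice","0:00:03","N/A"
'''

SYSTEM_OWNERS = {"nt authority\\system", "system"}


def check_lsass(tasklist_csv):
    """Split lsass.exe rows into (flagged, unknown).

    flagged: (pid, user) pairs whose owner is an account other than SYSTEM.
    unknown: PIDs whose owner tasklist could not read ("N/A"), which happens
             when the command is run without administrator rights.
    """
    flagged, unknown = [], []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].strip().lower() != "lsass.exe":
            continue
        pid, user = int(row["PID"]), row["User Name"].strip()
        if user.upper() == "N/A":
            unknown.append(pid)
        elif user.lower() not in SYSTEM_OWNERS:
            flagged.append((pid, user))
    return flagged, unknown


if __name__ == "__main__":
    # On Windows read the live process list; elsewhere fall back to the sample.
    if sys.platform == "win32":
        text = subprocess.run(["tasklist", "/V", "/FO", "CSV"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE
    flagged, unknown = check_lsass(text)
    for pid, user in flagged:
        print(f"lsass.exe PID {pid} runs as {user}, not SYSTEM")
    for pid in unknown:
        print(f"lsass.exe PID {pid}: owner unreadable, re-run as administrator")
```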