Lssass.exe: manual removal and graphical analysis (virus removal)

Source: Internet
Author: User
Lssass.exe appears to be a Trojan (backdoor) of some kind. The Rising virus library 19.39.30 does not detect this malware.

This Trojan is rather cunning: when cleaning it up you must carefully distinguish the genuine process from the fake one, or you will easily be misled.

When the Trojan runs, it replaces the genuine system program services.exe with a fake SERVICES.EXE: the real C:\WINDOWS\system32\services.exe is renamed to Hbaxcsnp.dll and moved to C:\WINDOWS\system32\wins\, and the SERVICES.EXE left in C:\WINDOWS\system32\ is the Trojan. The fake SERVICES.EXE has exactly the same file size as the genuine program; only its MD5 hash differs, so a size check alone will not catch it. The Trojan also drops a qrafgsy.dll into C:\WINDOWS\system32\ and loads that DLL inside the fake SERVICES.EXE process.

Typical symptoms after infection:

Viewing the process list in IceSword shows two services.exe processes. One carries a DLL icon (the genuine system process, whose on-disk image is now the renamed wins\Hbaxcsnp.dll; Figure 1) and the other carries an .exe icon (the Trojan process; Figure 2). The only visible anomaly in the SReng scan log is the following:

[pid:628] [C:\windows\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[pid:1716] [C:\windows\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\qrafgsy.dll] [N/A,]


Note the unexpected module Qrafgsy.dll inside the services.exe process with pid:1716.
A basic point worth stressing here: the genuine services.exe is started early in the boot sequence, so its PID is normally small. By process number alone you can already tell that the SERVICES.EXE with pid:1716 is the fake. Treat this as a heuristic rather than proof, however: PIDs are reused and depend on boot order, so confirm the verdict with the module list (only the fake copy has loaded qrafgsy.dll) and by comparing the MD5 hash of the file on disk against a known-good services.exe.
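The triage reasoning above (one image name running twice, a loaded module with no vendor string, and the low-PID heuristic) can be automated over the SReng listing. The script below is an added example written for this page, not a tool from the original post or from SReng or IceSword. The text it parses is the listing quoted above, embedded inline as constructed sample input; the bracket line format it assumes is taken from that listing only. The fingerprint helper is there for the restoration step, where the recovered file must be checked by MD5 rather than by size, since the fake keeps the genuine size.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample input: the SReng process/module listing quoted above.
SRENG_LOG = r"""
[pid:628] [C:\windows\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[pid:1716] [C:\windows\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\qrafgsy.dll] [N/A,]
"""

# Line formats assumed from the listing above (not a documented SReng spec):
# a process line carries a [pid:N] prefix, then [image path] [vendor, version];
# a module line has only [module path] [vendor, version].
PROC_RE = re.compile(r"^\[pid:(\d+)\]\s+\[([^\]]+)\]\s+\[([^\]]*)\]$")
MOD_RE = re.compile(r"^\[([^\]]+)\]\s+\[([^\]]*)\]$")


def parse_sreng(text):
    """Group each module line under the process line that precedes it."""
    procs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append({"pid": int(m.group(1)), "image": m.group(2),
                          "info": m.group(3), "modules": []})
            continue
        m = MOD_RE.match(line)
        if m and procs:
            procs[-1]["modules"].append((m.group(1), m.group(2)))
    return procs


def vendor_of(info):
    """'Microsoft Corporation, 5.1...' -> 'Microsoft Corporation'; 'N/A,' -> 'N/A'."""
    return info.split(",", 1)[0].strip()


def triage(procs, unknown_vendors=("N/A", "")):
    """Return {pid: [reasons]} for every process that deserves a closer look."""
    findings = defaultdict(list)
    by_name = defaultdict(list)
    for p in procs:
        by_name[p["image"].rsplit("\\", 1)[-1].lower()].append(p)

    # Check 1: the same image name running more than once. A Windows XP box has
    # exactly one Service Control Manager, so two services.exe is a red flag.
    for name, group in by_name.items():
        if len(group) < 2:
            continue
        pids = sorted(p["pid"] for p in group)
        for p in group:
            findings[p["pid"]].append(f"{len(group)} processes named {name} (pids {pids})")
        # The article's heuristic: the genuine copy starts at boot and holds the
        # low PID, so the highest PID is the likely impostor. Heuristic only;
        # PIDs are reused and depend on boot order.
        findings[pids[-1]].append(f"highest PID among the {name} duplicates (heuristic)")

    # Check 2: a loaded module with no vendor information, like qrafgsy.dll.
    for p in procs:
        for path, info in p["modules"]:
            if vendor_of(info) in unknown_vendors:
                findings[p["pid"]].append(f"module without vendor information: {path}")
    return dict(findings)


def fingerprint(data):
    """(size, md5) of a file image; the fake keeps the genuine size, so compare the hash."""
    return len(data), hashlib.md5(data).hexdigest()


def fingerprint_file(path):
    """Fingerprint a file on disk, e.g. the recovered hbaxcsnp.dll versus a known-good services.exe."""
    with open(path, "rb") as fh:
        return fingerprint(fh.read())


if __name__ == "__main__":
    for pid, reasons in sorted(triage(parse_sreng(SRENG_LOG)).items()):
        print(f"pid {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the listing, the script flags both services.exe instances for the duplicate name, but only pid 1716 also gets the high-PID and vendor-less-module reasons, which matches the manual verdict. Before copying the recovered file back, fingerprint_file on it and on a trusted copy of services.exe should return the same MD5.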

Manual removal with IceSword:

1. End the fake SERVICES.EXE process (the one with the .exe icon and the qrafgsy.dll module). Note: do not end the services.exe process with the DLL icon (its image path points to C:\WINDOWS\system32\wins\hbaxcsnp.dll); that is the genuine Service Control Manager, and killing it crashes the system and triggers an immediate reboot.
2. Delete SERVICES.EXE and Qrafgsy.dll from the C:\WINDOWS\system32\ directory (Figure 3).
3. Rename C:\WINDOWS\system32\wins\hbaxcsnp.dll back to services.exe and copy it back into C:\WINDOWS\system32\. Because the fake has the same size as the original, verify the restored file by MD5 hash rather than by size; on Windows XP a protected copy of services.exe normally sits in C:\WINDOWS\system32\dllcache\ for comparison.
4. Restart.
