Today, I was lucky.

Source: Internet
Author: User
After killing various CNNIC plug-ins, the system still encountered problems.

Suspicious File lsass.exe found

After searching on Google for a long time, I finally found the following article on removing it:

http://space.cnfan.net/?action/viewspace/itemid/70

Manual cleanup: Legendary Terminator variant JBA (Trojan.PSW.LMir.JBA)

Virus name: Legendary Terminator variant JBA (Trojan.PSW.LMir.JBA)
Virus type: Trojan horse spread over the network
Virus hazard level: ★★★☆
Virus outbreak and damage:
This virus is a Trojan that runs on Windows 9x, NT, 2000, XP and other operating systems. It forcibly terminates the processes of several antivirus products so that they cannot run normally. It repeatedly checks for the window of the "Legend" game client; if the window exists, it reads the current mouse position, records keystrokes, and finally sends the recorded information to a specified mailbox in order to steal the user's game account and password.

Note: this virus is highly destructive and manual removal is complicated; follow the steps exactly, otherwise the cleanup may fail. Using antivirus software to remove it is recommended.

Manual removal:

1. End the virus process.

Right-click the taskbar and choose "Task Manager". On the "View" menu click "Select Columns", tick "PID (Process Identifier)" in the dialog that appears and click "OK".

Find the entry whose image name is "lsass.exe" but whose user name is not "SYSTEM" (the genuine lsass.exe always runs as SYSTEM). Note its PID.

Click "Start" > "Run", type "cmd" and click "OK" to open a command prompt. Enter "ntsd -c q -p <PID>"; on my computer, for example, this was "ntsd -c q -p 1464".

Note: after ending the process in this step, close Task Manager and do not run any other programs. What remains is to delete the virus files.
2. Delete the virus files

Open "My Computer", set the folder options to show all hidden and system files and to show file extensions, then delete the files listed below (paths are for Windows XP; on Windows 2000 the system directory is WINNT).

TIPS: after you manually delete lsass.exe and exert.exe you will find that the files soon reappear. What to do? Immediately after deleting a virus file, create a new empty TXT file, rename it to the same name as the EXE the virus generates, and set its attribute to read-only. This prevents the virus file from being created again.

del "C:\Program Files\Common Files\intexplore.pif"
del "C:\Program Files\Internet Explorer\intexplore.com"
del C:\Windows\exert.exe
del C:\Windows\io.sys.bak
del C:\Windows\lsass.exe
del C:\Windows\debug\debugprogram.exe
del C:\Windows\system32\dxdiag.com
del C:\Windows\system32\msconfig.com
del C:\Windows\system32\regedit.com

If the hard disk has other partitions, right-click each partition and choose "Open", then delete the "autorun.inf" and "command.com" files in the root directory of that partition.

3. Delete the other junk the virus left in the registry

This virus writes to a considerable number of registry locations; if they are not repaired, some system functions will misbehave.

Rename "regedit.exe" in the Windows directory to "regedit.com" (the virus alters the .exe file association, which is restored below, so regedit.exe itself will not start) and run it, then delete the following items:
HKEY_CLASSES_ROOT\windowfiles
HKEY_CURRENT_USER\Software\VB and VBA Program Settings
Check_Associations under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\intexplore.pif
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Then repair the following values:
Change the default value of HKEY_CLASSES_ROOT\.exe to "exefile"
Change the default value of HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command to "C:\Program Files\Internet Explorer\iexplore.exe" %1
Change the default value of HKEY_CLASSES_ROOT\CLSID\{871C5316-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\command to "C:\Program Files\Internet Explorer\iexplore.exe"
Change the default values of HKEY_CLASSES_ROOT\ftp\shell\open\command and HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command to "C:\Program Files\Internet Explorer\iexplore.exe" %1
Change the default values of HKEY_CLASSES_ROOT\htmlfile\shell\open\command and HKEY_CLASSES_ROOT\http\shell\open\command to "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Change the default value of HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet to "iexplore.exe"

Finally, change the extension of regedit in the Windows directory back to .exe. The virus is now removed and the registry has been repaired.
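As an added audit script (not from the original post), the following PowerShell checks the indicators the three steps above describe without changing anything: an lsass.exe that is not running as SYSTEM from System32, the dropped files, and the hijacked registry defaults. It assumes the XP-era layout the post uses (C:\Windows, a 32-bit C:\Program Files), PowerShell 3 or later and an elevated prompt; on a current Windows the expected browser command values legitimately differ, so treat a mismatch there as something to review rather than proof of infection.

```powershell
# Added audit script, not part of the original post. It only reports; it deletes nothing.
# Assumptions: XP-era layout ($env:SystemRoot = C:\Windows, 32-bit $env:ProgramFiles),
# PowerShell 3+, and an elevated prompt so process paths and owners are readable.

# Step 1: the genuine lsass.exe runs from System32 as NT AUTHORITY\SYSTEM; the Trojan's copy
# in C:\Windows runs as the logged-on user, which is the difference the post tells you to spot.
function Find-SuspiciousLsass {
    Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'" | ForEach-Object {
        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $user = "$($o.Domain)\$($o.User)"
        if ($user -ne 'NT AUTHORITY\SYSTEM' -or
            $_.ExecutablePath -notlike "$env:SystemRoot\system32\*") {
            [pscustomobject]@{ PID = $_.ProcessId; Owner = $user; Path = $_.ExecutablePath }
        }
    }
}

# Step 2: the dropped files the post lists, plus autorun.inf/command.com in each fixed drive root.
function Find-DroppedFiles {
    $paths = @("$env:ProgramFiles\Common Files\intexplore.pif",
               "$env:ProgramFiles\Internet Explorer\intexplore.com")
    foreach ($f in 'exert.exe', 'io.sys.bak', 'lsass.exe', 'debug\debugprogram.exe',
                   'system32\dxdiag.com', 'system32\msconfig.com', 'system32\regedit.com') {
        $paths += "$env:SystemRoot\$f"
    }
    foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3') {
        $paths += "$($d.DeviceID)\autorun.inf", "$($d.DeviceID)\command.com"
    }
    $paths | Where-Object { Test-Path -LiteralPath $_ }
}

# Step 3: registry defaults the post restores. A mismatch means the key was altered; on a
# current Windows the browser commands legitimately differ, so review rather than assume.
function Find-HijackedRegistry {
    $ie = "`"$env:ProgramFiles\Internet Explorer\iexplore.exe`""
    $expected = @{
        'Registry::HKEY_CLASSES_ROOT\.exe'                                         = 'exefile'
        'Registry::HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command' = "$ie %1"
        'Registry::HKEY_CLASSES_ROOT\htmlfile\shell\open\command'                  = "$ie -nohome"
        'Registry::HKEY_CLASSES_ROOT\http\shell\open\command'                      = "$ie -nohome"
        'Registry::HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet'          = 'iexplore.exe'
    }
    foreach ($k in $expected.Keys) {
        $actual = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).'(default)'
        if ($actual -ne $expected[$k]) {
            [pscustomobject]@{ Key = $k; Actual = $actual; Expected = $expected[$k] }
        }
    }
}
Find-SuspiciousLsass; Find-DroppedFiles; Find-HijackedRegistry
```

Each function returns objects rather than printing, so the output can be piped to Export-Csv or compared across machines.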
