1. Delete all the lpk.dll files found in the previous search (excluding the C:\WINDOWS\system32 and C:\WINDOWS\system32\dllcache directories). Also delete the 36KB hrlXX.tmp file in the C:\Documents and Settings\Administrator\Local Settings\Temp directory.
2. Deleting some of the lpk.dll copies produces a system error, as shown in the figure below.
This is because the virus file has already been activated and cannot be deleted in the ordinary way. At this point you can see the lpk.dll that reported the deletion error loaded under one of the system's running processes. Find each lpk.dll that is being loaded, one by one, and right-click to delete it.
3. While checking the system processes one by one with XueTr, a very suspicious module file, hra33.dll, is found loaded under one of the svchost.exe processes, and it has no digital signature.
Right-click to view the properties of this module: the file size is 43KB, the same as lpk.dll, and its creation date is also the same as that of lpk.dll. Besides, does this file name look familiar? Looking back, its name is very similar to that of the hrlXX.tmp file in the Temp directory. Taken together, this confirms that the file has the same properties as lpk.dll, so it can be deleted directly with XueTr.
4. After the deletions above, the lpk.dll virus file that was just deleted reappears; it really is a "mole". Clearly there is still a residual virus body in the system that keeps releasing lpk.dll files, and further inspection is needed to remove it completely. Checking the system's current services with XueTr reveals a very suspicious service whose image file, kkwgks.exe, has no digital signature.
Looking at the properties of kkwgks.exe, its creation time is the same as that of lpk.dll and its file size is the same as that of the hrlXX.tmp file in the Temp directory, which is very suspicious. Delete it directly.
5. Deleting the kkwgks.exe file terminates the virus service. Then repeat steps 1-3 above to clear all the files such as lpk.dll that were released again, restart the computer, and search and check once more: the original virus files no longer exist.
Behavior analysis of lpk.dll virus
After the manual processing above, we can reason backwards from it and summarize the virus's behaviour as follows.
1. After the virus runs, it copies itself to the system32 directory under a random name (the kkwgks.exe above) and creates a service named Nationalgnf.
2. After the new service starts, svchost.exe is replaced by the virus image in a special way. What you see in the process list is still svchost.exe, which looks normal, but by this point the virus is hidden inside svchost.exe. The functions the virus carries out here include:
(1) carrying out all of the virus's backdoor tasks;
(2) generating hraXX.dll in the system32 directory (XX is a randomly generated name);
(3) continuously releasing the hrlXX.tmp file in the system temporary directory (XX is a randomly generated name). This hrlXX.tmp file is actually a backup of the kkwgks.exe file under system32; it is very dangerous because it is used to restore the exe virus file under system32 after it has been deleted;
(4) generating a fake lpk.dll, with the hidden attribute set, in the directory where each executable file is located. When an exe in the same directory runs, it automatically loads this lpk.dll and activates the virus.
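The manual triage in steps 1-5 and the behaviour summary above both rest on the same file indicators: lpk.dll anywhere other than system32 and dllcache, hraXX.dll in system32, hrlXX.tmp in a temp directory, and files that share size and creation time with a known-bad one. The following Python script is an added example (not code from the article) that applies those rules to a directory tree; it builds a constructed sample tree of filler files whose byte counts stand in for the article's 43KB and 36KB sizes, and it matches related files by size only, since creation time cannot be set portably.

```python
"""Added triage helper for the lpk.dll pattern above (not the article's own code)."""
import re
import tempfile
from collections import defaultdict
from pathlib import Path

LEGIT_LPK_DIRS = {"windows/system32", "windows/system32/dllcache"}  # only valid homes
HRA_DLL = re.compile(r"^hra[0-9a-z]{2}\.dll$")  # hraXX.dll dropped in system32
HRL_TMP = re.compile(r"^hrl[0-9a-z]{2}\.tmp$")  # hrlXX.tmp dropped in a temp dir

def _files(root):  # (lowercased relative posix path, Path) for each file under root
    return [(p.relative_to(root).as_posix().lower(), p)
            for p in Path(root).rglob("*") if p.is_file()]

def find_indicators(root):
    """Return {indicator: [relative paths]} for the article's three file indicators."""
    hits = {"lpk_outside_system32": [], "hra_dll": [], "hrl_tmp": []}
    for rel, _ in _files(root):
        parent, _, name = rel.rpartition("/")
        if name == "lpk.dll" and parent not in LEGIT_LPK_DIRS:
            hits["lpk_outside_system32"].append(rel)
        elif HRA_DLL.match(name) and parent == "windows/system32":
            hits["hra_dll"].append(rel)
        elif HRL_TMP.match(name) and parent.endswith("/temp"):
            hits["hrl_tmp"].append(rel)
    return hits

def same_size_siblings(root, seed_rel):
    """Other files with seed_rel's size (article also pairs creation time; not portable)."""
    by_size = defaultdict(list)
    for rel, p in _files(root):
        by_size[p.stat().st_size].append(rel)
    size = (Path(root) / seed_rel).stat().st_size
    return sorted(r for r in by_size[size] if r != seed_rel.lower())

def build_sample_tree():
    """Constructed sample tree mirroring the article's layout; file bodies are
    filler whose byte counts stand in for the article's 43KB and 36KB sizes."""
    base = Path(tempfile.mkdtemp())
    files = {
        "Windows/System32/lpk.dll": b"L" * 100,  # legitimate copy, never flagged
        "Windows/System32/hra33.dll": b"X" * 43,
        "Windows/System32/kkwgks.exe": b"K" * 36,
        "Program Files/App/app.exe": b"E" * 500,
        "Program Files/App/lpk.dll": b"X" * 43,  # hijack copy beside an exe
        "Documents and Settings/Administrator/Local Settings/Temp/hrl12.tmp": b"K" * 36,
    }
    for rel, data in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(data)
    return base
```

Point `find_indicators` at a mounted image or a copied directory tree; hidden attributes do not matter, since `pathlib` does not skip hidden files.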
The lpk.dll virus is a common virus that is difficult to remove once it has infected a system. It places copies of itself throughout the system, and these copies protect one another in many ways, so all of them must be deleted before the system can be cleaned up. The following are the general cleaning steps I have tried:
1. Open My Computer and select Show System Files under Tools, Folder Options, View, so that the hidden lpk.dll files are easy to see.
2. Download a removal tool. I downloaded ravrbot.exe, Jinshan's removal tool.
3. Running the removal tool directly prompts that the scan failed.
4. Next, first clear the lpk.dll in the same directory as the removal tool, then run the scan again, and it can be cleaned up.
If you encounter something that Explorer cannot clean up, just end the explorer.exe process and run the scan again.
5. After this cleanup, if you restart the system you will be infected again, because this virus still has a service that keeps running.
Shocked, I pretended to have typed the English of the service wrong.
6. I think this step should be clear. Stop, disable or delete this service, then run the scan again, and it should not reappear. Note that the file name of this service is randomly generated, but the service name is unchanged. You can see that this service connects to a specific server, which should be downloading instructions from the network or something similar.