Ali talks about security-manual deletion of Rdriv. sys Virus

Two days ago, the server logs that accept my server management were displayed in the Symantec System Center, and the virus file rdriv. sys could not be completely deleted. I checked some materials and put them here. If you need them, please refer to them. The following method has not been confirmed. Please use it with caution.

1. Virus

When "Network Neighbor" is opened, "No transaction processing is set for the server" is displayed. After you change the working group of the file server, you can open the Working group. However, the above failure occurs in less than 10 minutes!

2. Virus description

This is a Rootkit kernel Trojan. It hides its processes, key values in the registry, created files, and created services, and tries its best not to be discovered by users of infected machines, this allows Trojans to reside on victim machines for a long time. The virus will steal the user's system and personal data, record that the user's keyboard input is stored in the rt_passfile.txt file, and leak it out through the Trojan. At the same time, the virus can receive predefined commands sent from outside, such as uploading and downloading files, running programs, updating Trojans and configuration files, setting access passwords, and launching DDOS attacks on specified websites, once a user is in the Trojan, it is difficult to clear it, causing a great harm to the user.

The special feature of Rootkit is that it hides its own processes, and even the registry key value cannot be hidden. Here, the hiding is exactly the same. For example, a virus contains two files, one *. exe and *. sys, they run in the memory at the same time, but no virus is found in the anti-virus software, especially *. exe (but when these two virus files are not running, the anti-virus software can be found and cleared on the hard disk)

3. Scan and kill methods

We recommend that you disable System Restoration and clear cache files. Restart to safe mode, or use a CD to enable read of Hard Disk Data.

3. 1. files to be deleted

Unzip windows‑image.exe (bot virus with Rootkit)
%Windows#extel.exe
%Windows‑edit.exe (this is a normal file. If mapi32.exe exists at the same time, it may be suspected to be infected)
% Windows % System32driv. sys (Rootkit file carried by bot virus)
%Windows%System32mapi32.exe
% Windows % System32msdirectx. sys
% Windows % system32SSMS. EXE
Bling.exe
Netwmon.exe
Wuamgrd.exe

3.2 services to be deleted

Go to [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices] to check whether a service with the same name as the deleted file exists. If yes, delete the service.

3.3 repairing network neighbors

If Windows XP cannot access the Internet neighbors after virus removal, fix the problem in "Group Policy"> "Windows Settings"> "Security Settings"> "Local Policy"> "user permission assignment" and add all users to the computer from the network.