Rootkit viruses fall into two major categories:
The first is the process-injection type, and the second is the driver-level type.
The first type typically works by dropping dynamic-link library (DLL) files and injecting them into executables and system service processes, preventing the operating system and applications from accessing the infected files.
The second type is more complex: when the system starts, the rootkit loads itself as a driver before the antivirus software is loaded, and so obtains legitimate control of the operating system. When antivirus software accesses the file system through the system APIs and NTAPI, a false result is returned whenever a rootkit-infected file is reached, preventing the operating system and applications from accessing the infected file.
The first type is easier to handle and can be removed easily with antivirus software, without serious consequences.
The second type is loaded as a driver and is treated by the system as one of its drivers, so at the current stage there is no good solution for it. A few antivirus products may even miss this type of rootkit entirely; most will detect it but often fail to remove it. The author has run into several such problems in actual work and summarizes the solutions here:
In the first example, the operating system ran normally but the antivirus software could not start, and CPU usage was very high even though nothing suspicious was visible. The system had undoubtedly been infected. Because the virus could not be removed from within the system itself, the machine's hard drive was taken out and attached as a secondary disk to another, virus-free operating system and disinfected from there. All files on the infected disk are treated as ordinary files by the clean operating system, so the virus was quickly purged and the problem was solved.
The second example was more serious: the system showed a blue screen after reaching the desktop. According to the operator, the antivirus software had reported a virus the day before, and after disinfection and a restart the blue screen appeared at the desktop. Hardware and program problems were ruled out, and the judgment was that the rootkit had damaged one of the operating system's startup files. With the disk attached as a secondary disk, the virus was found, but when the disk was booted again as the primary disk, the blue screen still appeared on reaching the desktop. From experience, the rootkit had probably damaged the antivirus software first, and the original antivirus software could no longer start. So the disk was again attached as a secondary disk and another operating system was used to forcibly delete the original system's antivirus software files. The original system was then reloaded, which solved the problem, and after the antivirus software was reinstalled, a scan found no virus.
Based on the above two examples, the author concludes that rootkit viruses are not only well camouflaged and difficult to remove completely, but also cause a certain degree of damage to the operating system.
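
The point that a driver-level rootkit falsifies what the running system reports, while a clean operating system sees every file on the attached disk as an ordinary file, can be turned into a cross-view check. The following is an added example, not code from the original article: it assumes two recursive file listings saved as text, one taken on the suspect system and one taken from the clean system with the disk attached, and all names and sample paths in it are constructed.

```python
"""Cross-view check: files seen on the offline disk but absent from the live view."""
import posixpath

# Reviewed first: kernel drivers and injectable/executable images.
PRIORITY_EXT = {".sys", ".dll", ".exe"}


def normalise(path, root):
    """Drop the view's root (drive letter or mount point) and fold case."""
    p = path.strip().replace("\\", "/").lower()
    r = root.replace("\\", "/").lower().rstrip("/")
    if not p.startswith(r + "/"):
        return None  # not on the volume being compared
    return p[len(r):]


def hidden_from_live(live_listing, live_root, offline_listing, offline_root):
    """Return paths present in the offline listing but missing from the live one.

    Driver, DLL and EXE paths sort first. Files created or deleted between the
    two captures also show up here, so each hit still needs manual review.
    """
    live = {normalise(p, live_root) for p in live_listing}
    offline = {normalise(p, offline_root) for p in offline_listing}
    hidden = (offline - live) - {None}
    return sorted(hidden, key=lambda p: (posixpath.splitext(p)[1] not in PRIORITY_EXT, p))


# Constructed sample listings (not from a real incident).
LIVE = [
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\drivers\disk.sys",
    r"C:\Users\alice\notes.txt",
]
OFFLINE = [
    r"E:\WINDOWS\system32\ntoskrnl.exe",
    r"E:\Windows\System32\drivers\disk.sys",
    r"E:\Windows\System32\drivers\example_hidden.sys",
    r"E:\Windows\System32\example_inject.dll",
    r"E:\Users\alice\notes.txt",
    r"E:\Users\alice\cache.tmp",
    r"D:\other\file.sys",
]

if __name__ == "__main__":
    for path in hidden_from_live(LIVE, "C:", OFFLINE, "E:"):
        print(path)
```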