Rootkit viruses fall into two main categories:
The first is the process-injection rootkit, the other the driver-level rootkit. A process-injection rootkit usually drops dynamic link library (DLL) files and injects them into executable files and system service processes, where they run and prevent the operating system and applications from accessing the infected files.
The second type, the driver-level rootkit, is more complicated. When the system starts, the rootkit loads its driver before the anti-virus software is loaded, so it gains control of the operating system as a legitimately loaded driver. When anti-virus software then accesses the file system through the Windows API or the native NT API (NTAPI), the rootkit returns a false result for the files it has infected, which prevents the operating system and applications from accessing those files.
The first type of rootkit can be cleared easily by anti-virus software without any serious consequences.
The second type of rootkit is treated as part of the system's drivers because it is loaded into the system as a driver, and at present there is no good solution for it. A few anti-virus products may even miss such rootkits entirely during detection and removal; most anti-virus products will find the virus but often fail to clear it. I have encountered several such problems in my practical work; I will summarize the solutions and share them with you:
In the first example, the operating system ran normally, but the anti-virus software could not be started. There were no suspicious foreground or background processes, yet CPU usage was very high, so the system was undoubtedly infected. Because the system itself could not clear the virus, the machine's hard disk had to be removed and mounted in another, uninfected operating system, and the virus was removed from the disk there. Since all files on the infected disk are handled as ordinary files in the clean operating system, the virus was cleared quickly, and the problem was solved.
In the second example, the problem was more serious: after the system entered the desktop, a blue screen appeared. On asking the operator, it turned out that the anti-virus software had reported a virus the previous day, and after the system was restarted a blue screen appeared at the desktop. After ruling out hardware and program problems, it was determined that the rootkit had damaged a startup file of the operating system. The virus was detected and removed from the disk in another operating system, but when the disk was booted again as the operating system's main disk, the desktop still showed a blue screen. Based on experience, and considering that the rootkit may first destroy the anti-virus software (the original anti-virus software could not be started), the original anti-virus software's files were forcibly deleted from the disk using the other operating system, and the disk was then reloaded into the original system. That solved the problem: the anti-virus software was reinstalled, and after a removal run no virus was detected.
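The reason the offline-mount approach in both examples works is that the clean operating system sees the disk without the rootkit's hooks. As an added example (not code from the original article), the script below turns that into a cross-view check: a `sha256  path` listing captured on the live, possibly hooked system is compared with one captured from the same disk mounted under a clean OS, and entries the live system cannot see or reports with different content are flagged. All file names and contents here are constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_listing(text: str) -> dict:
    """Parse 'sha256  path' lines (sha256sum style) into {path: digest}; skips blanks and '#' comments."""
    view = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)   # paths may contain spaces, so split once
        view[path.strip()] = digest.lower()
    return view

def cross_view_diff(live: dict, offline: dict):
    """Compare the live (possibly hooked) view with the offline-mount view.
    hidden:   on disk, but not visible to the live system (concealed entries)
    tampered: visible in both, but the live system reports different content
    ghosts:   reported live but absent from disk (spoofed, or created after the offline snapshot)"""
    hidden = sorted(p for p in offline if p not in live)
    tampered = sorted(p for p in offline if p in live and live[p] != offline[p])
    ghosts = sorted(p for p in live if p not in offline)
    return hidden, tampered, ghosts

def make_listing(files: dict) -> str:
    """Render {path: content} as the 'sha256  path' lines parse_listing reads."""
    return "\n".join(f"{sha256_hex(data)}  {path}" for path, data in files.items())

# Constructed sample data (not from a real system): what the disk holds when it is
# mounted under a clean OS, where every entry is just an ordinary file.
DRIVER = r"C:\Windows\System32\drivers\hidden_rk.sys"   # hypothetical driver name
AV_EXE = r"C:\Program Files\AV\avscan.exe"              # hypothetical anti-virus binary
OFFLINE_FILES = {
    DRIVER: b"constructed rootkit driver image",
    AV_EXE: b"constructed av binary, patched by the rootkit",
    r"C:\Windows\System32\ntoskrnl.exe": b"constructed kernel image",
}
# What the live, infected system reports: the driver hides its own file from
# enumeration, and its read hook hands scanners the untouched anti-virus binary.
LIVE_FILES = {p: d for p, d in OFFLINE_FILES.items() if p != DRIVER}
LIVE_FILES[AV_EXE] = b"constructed av binary, original"

def run_example():
    live = parse_listing(make_listing(LIVE_FILES))
    offline = parse_listing(make_listing(OFFLINE_FILES))
    return cross_view_diff(live, offline)   # -> ([DRIVER], [AV_EXE], [])
```

On a real case, replace the constructed dictionaries with two listings of the same volume, one produced while the suspect system is running and one from the disk mounted in the clean system, and feed both to `parse_listing`.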
Based on the above two examples, I have concluded that rootkit viruses are not only well disguised but also difficult to remove completely, and that they damage the operating system to a certain extent.