Windows Cleanup Assistant (Windows清理助手) reported a suspicious file, c:\windows\system32\lzx32.sys, but it was nowhere to be seen in that directory: enabling display of hidden and system files made no difference, and neither search nor dir could find it.
I started to suspect a false positive, but clicking Clean did actually delete a file (I had chosen backup during cleanup, and lzx32.sys could be seen among the backed-up files). Yet on rescanning the file was still there. wsyscheck could not find it either, and xdelbox and powerrmv (given the file path directly) reported that the file did not exist. Creating a folder in system32 and renaming it to lzx32.sys was refused, which proved the file really existed; it simply could not be found.
Booting from a PE live CD, I finally found it. I deleted it, put a folder with the same name in its place, rebooted into the original system and scanned again with the assistant; only then did the registry location of the driver entry referencing it show up. I looked up the related virus information online (though it dates from 2006):
“Advertising Rootkit (Rootkit.ADS)” virus: alert level ★★★☆, Rootkit, spreads via malicious websites, affected systems: WIN9X/NT/2000/XP.
When run, the virus creates a file named lzx32.sys in the system directory and registers a system service named pe386 so that it starts automatically with the system. It locks the user's IE home page to a particular website to boost that malicious site's traffic. The virus uses rootkit techniques to hide its own file and registry information, making it hard for ordinary users to detect and remove.
The virus creates a hidden service entry
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386]
and drops a hidden file: C:\Windows\System32\lzx32.sys
Searching further, I found an English write-up; it turns out the file is hidden in an NTFS stream:
Virus Removal Story: Rootkit Rustock(a,b,c) - lzx32.sys
Rustock is a hidden rootkit with kernel driver "lzx32.sys".
I tested the sample rootkit file and found that it is better hidden than other known rootkits. The lzx32.sys driver is loaded by the system early in the Windows boot. It is masked as the boot device. This is why it is hard to remove.
UnHackMe 4 (with Partizan) detects the rootkit keys but could not remove Rustock.
UnHackme Pro 4 correctly detected Rustock's registry key: PE386.
The driver is located in the NTFS stream %Windir%\System32:lzx32.sys.
It could not be deleted during Windows normal mode.
No panic!
I found a simple way to stop Rustock :-).
Removal
Download RegRun Reanimator (3Mb)
Unzip it to any folder. Installation is not required.
Open reanimator.exe.
Click on the "Remove Rustock Rootkit".
You will be prompted to use the "RootkitNO" utility.
Run it!
You will be prompted to restart your computer.
After restarting, the Rustock file will be removed using Partizan.
After finishing the removal process you may remove Partizan from your Windows boot.
Click on the "UnInstall Partizan" button.
You can also delete the "RootkitNo" folder from the drive where Windows is installed.
Background on NTFS streams: [NTFS streams]
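The write-up above explains that the driver lived in an alternate data stream attached to the System32 directory itself, which is why dir and the file-deletion tools saw nothing. The following PowerShell script is an added example (not from the original post or from the UnHackMe write-up) that enumerates alternate data streams on the system directories and their files, flags stream names that look like executables or drivers, and cross-checks whether any service ImagePath references such a stream. It assumes Windows PowerShell 3.0 or later (for Get-Item -Stream) and an elevated prompt; a rootkit that is still active may hide the stream from the live system, which is why the post's offline PE boot was needed.

```powershell
# Added example: find NTFS alternate data streams (ADS) attached to the
# Windows system folders or the files inside them, and flag executable-looking
# stream names. Requires PowerShell 3.0+ (Get-Item -Stream); run elevated.

$Roots = @("$env:SystemRoot\System32", "$env:SystemRoot")   # directories to inspect
$SuspiciousExt = @('.sys', '.exe', '.dll')                   # stream names worth a closer look

function Get-SuspiciousStreams {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        # Inspect the directory object itself (the post's lzx32.sys was a stream on
        # System32, not a file in it) and every file directly inside the directory.
        $items = @(Get-Item -LiteralPath $p -Force) +
                 @(Get-ChildItem -LiteralPath $p -File -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            # ':$DATA' is the normal unnamed stream of a file; anything else is an ADS.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $ext = [System.IO.Path]::GetExtension($_.Stream).ToLower()
                    [PSCustomObject]@{
                        Host       = $item.FullName          # file or directory carrying the stream
                        Stream     = $_.Stream               # ADS name, e.g. lzx32.sys
                        Length     = $_.Length
                        Suspicious = ($SuspiciousExt -contains $ext)
                    }
                }
        }
    }
}

$findings = Get-SuspiciousStreams -Paths $Roots
$findings | Format-Table -AutoSize

# Cross-check: does any service's ImagePath point at a flagged stream? A hidden
# driver service (like the pe386 key in the post) still needs a load path.
foreach ($f in ($findings | Where-Object { $_.Suspicious })) {
    $streamPath = "$($f.Host):$($f.Stream)"
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $img = (Get-ItemProperty -LiteralPath $_.PSPath -Name ImagePath `
                        -ErrorAction SilentlyContinue).ImagePath
            if ($img -and $img -like "*$($f.Stream)*") {
                Write-Warning "Service $($_.PSChildName) references '$img' (stream $streamPath)"
            }
        }
}
```

A clean machine normally shows only a handful of benign streams (for example Zone.Identifier on downloaded files), so any .sys or .exe stream attached to a system directory deserves offline verification from boot media, as the post did.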
>> Unless otherwise stated, all content is original; when reposting, please credit the source: http://www.stormcn.cn/post/213.html