Addendum: The story below is somewhat dated… today I would use SDFix and the Microsoft Malicious Software Removal Tool to remove a rootkit infection.

At my work, had to repair a Windows XP machine infected with a variant of the Win32/Cutwail rootkit virus (among several others, as it turned out). First noticed the PC in my role as system administrator, because of increased network traffic, which is to be expected, as this is a Trojan that sends mass mail.

Running the CA online virus scan detects the problem but is unable to remove the infection. Repeated scans (after reboot) report the file ip6fw.sys (the Windows Firewall driver) as infected. So upon boot the PC re-infects itself again. Also notice that the Windows Firewall is turned off and cannot be enabled. Trying to enable the Windows Firewall returns “Firewall can not be started because of unknown error”. Followed these instructions to get the Firewall to work again.

Next noticed that upon boot the message “Cannot lock volume for direct access” is returned from chkdsk when it tries to run. Microsoft has a KB article out that describes the issue but states that installing the latest service pack should help. It does not.

Additionally the process “csrss.exe” hogs the CPU, using 80% of CPU time without any programs running on the PC, which is probably a side effect of the Trojan infestation. Also the machine runs multiple instances of iExplorer.exe that “come and go” when viewed in the Task Manager. Use the Windows Boot CD in repair mode and perform chkdsk “manually”. Notice that the files core.sys and cache.core.sys in the windows/system32/drivers/ directory have a file date from around the time of the PC’s virus infection. So take a chance and delete the files using the Repair Console (gotta have a WinXP installation disk for that). Now upon normal boot the chkdsk utility works again (!) and goes through a long process of checking the HD. Install McAfee AV, but when trying to run McAfee for a virus scan, get a “Blue Screen” with the message “irql_not_less_or_equal”, meaning that kernel-mode code tried to access memory outside of its scope. Next try to boot in safe mode (F8), but then the system hangs upon loading “agpCQ.sys”, a video device driver.

Next boot from CD again and rename the offending device driver from “agpCQ.sys” to “agpCQ.sy$”. Now Safe Boot works and the system does not fail with “irql_not_less_or_equal” anymore, BUT the system refuses to execute the McAfee virus scan in safe mode… any attempt to run McAfee is simply ignored… looks like removal of the Cutwail virus is tricky. So boot the system in Safe Mode with Networking and run the CA online virus scan, which now finds two infected files that I remove. Next boot in normal mode. Now McAfee finds a rootkit infection and removes it… good. But McAfee says that a reboot is required… and upon rebooting the system shuts down with “irql_not_less_or_equal” again (!). So it looks like the McAfee virus scanner causes the “irql_not_less_or_equal” blue screen when it tries to clean up the rootkit virus…

So decide to boot normally into the administrator account, then run the CA online virus scan to temporarily deactivate the active Cutwail rootkit virus, then run the McAfee virus scanner. No go… still get the “irql_not_less_or_equal” message with blue screen. Ergo: the McAfee virus scan driver causes the blue screen when trying to clean the PC, probably when trying to do the rootkit part of its cleanup routines.

Next decide to download a new virus scan utility: CounterSpy from Sunbelt Software. Run a full system scan with CounterSpy. It detects several threats but is unable to clean the system.

Next download the F-Secure rootkit removal tool Blacklight-Beta. It finds the hidden process iExplore.exe in the c:\Program Files\Internet Explorer directory. This file is locked, so the only way to rename it is to rename the directory that contains the file, thereby blocking access to it. After that, the file unlocks and can be renamed.

The key to finally cleaning up the system is to delete the Windows\Temp directory. Notice that this directory contains a lot of suspiciously named files that cannot be removed during normal operation, so use the Repair Console to do this. After deleting the Temp directory do not forget to create a new (empty) Windows\Temp directory or Windows will not work correctly.

So in summary this worked:

  • re-instate the Windows Firewall… this was probably deactivated by the Trojan-Proxy.Win32.Xorpix backdoor virus found by CounterSpy
  • manually delete core.sys and core.cache.sys in the system32 directory using the Windows Repair Console to get chkdsk to work again
  • rename the offending agpCQ.sys to be able to do a safe boot (F8 key)
  • rename the folder that contains iExplore.exe (gotta do this in Safe Mode from the Command Prompt, else the folder is locked) to prevent multiple instances of iExplore.exe that eat up processor time
  • In Safe Mode with Command Prompt, delete the \Windows\Temp\ folder. This folder contains the Rootkit Win32.Agent.eq virus, which is detected by CounterSpy but NOT removed.
  • Boot normally and run CounterSpy again to make sure all infections are gone.
  • Re-create the Windows\Temp folder as it is used by Windows for temporary storage when programs are executed.
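As an added example (not part of the original post), the checks behind the steps above collected into a read-only PowerShell triage script: it only reports what it finds and deletes nothing. It assumes a Windows host with PowerShell, and the infection date and the XP-era firewall service name (SharedAccess) are assumptions you should adjust.

```powershell
# Added triage script, not from the original post. Reports the indicators the
# post describes (firewall state, driver timestamps, iexplore instances,
# Windows\Temp contents) without changing anything on the machine.
param(
    [datetime]$InfectionDate = (Get-Date).AddDays(-14),  # assumption: set to your case
    [int]$WindowDays = 3                                  # +/- days around that date
)

$drivers = Join-Path $env:SystemRoot 'System32\drivers'

# 1. Firewall service: the post found it switched off and unstartable.
#    SharedAccess is the XP-era name, MpsSvc the name on later Windows (assumed).
foreach ($svc in 'SharedAccess', 'MpsSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { 'Firewall service {0}: {1}' -f $svc, $s.Status }
}

# 2. Driver files named in the post. ip6fw.sys is a legitimate driver, so its
#    presence alone means nothing; the write date and size are what to compare.
foreach ($n in 'core.sys', 'cache.core.sys', 'agpCQ.sys', 'ip6fw.sys') {
    $p = Join-Path $drivers $n
    if (Test-Path $p) {
        $f = Get-Item $p
        'Present: {0}  written {1}  size {2}' -f $f.Name, $f.LastWriteTime, $f.Length
    }
}

# 3. Any driver written close to the infection date, the clue that exposed
#    core.sys and cache.core.sys in the post.
$lo = $InfectionDate.AddDays(-$WindowDays)
$hi = $InfectionDate.AddDays($WindowDays)
Get-ChildItem $drivers -Filter '*.sys' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $lo -and $_.LastWriteTime -le $hi } |
    ForEach-Object { 'Driver written near infection date: {0} ({1})' -f $_.Name, $_.LastWriteTime }

# 4. iexplore.exe instances without a window: the processes that "come and go"
#    in Task Manager while nobody is browsing.
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 } |
    ForEach-Object { 'Windowless iexplore.exe pid {0} path {1}' -f $_.Id, $_.Path }

# 5. Executables and drivers sitting in Windows\Temp, the directory that held
#    the files that could not be removed during normal operation.
$temp = Join-Path $env:SystemRoot 'Temp'
Get-ChildItem $temp -Recurse -Include '*.exe', '*.dll', '*.sys' -ErrorAction SilentlyContinue |
    ForEach-Object { 'Temp executable: {0} written {1}' -f $_.FullName, $_.LastWriteTime }
```

Run it from an elevated prompt so the driver and Temp directories are readable; anything it lists is a candidate for review, not proof of infection on its own.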

It took one full day of work to get the PC (a Dell Latitude laptop) back to normal.