BKDR_NTRTKIT.A
--------------------------------------------------------------------------------
Virus type: Backdoor
Destructive: Yes
Pattern file needed for detection: 623
Scan engine needed for detection: 5.400
Risk rating: Low
--------------------------------------------------------------------------------
Reported infections: Low
Damage potential: High
Distribution potential: Low
--------------------------------------------------------------------------------
Description:
This backdoor program grants a remote user access to a target machine, leaving it compromised. It uses the Windows Rootkit technology to hide itself and its activities from manual detection.
It runs on Windows 2000 and XP.
Solution:
Identifying the Malware Program
To remove this malware, first identify the malware program.
Scan your system with your Trend Micro antivirus product.
NOTE all files detected as BKDR_NTRTKIT.A.
Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use HouseCall, Trend Micro's free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Restarting in Safe Mode
On Windows XP
Restart your computer.
Press the F8 key when prompted.
If Windows XP Professional starts without the "Please select operating system to start" menu, restart your computer.
Press F8 after the Power-On Self Test (POST) is done.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.
On Windows 2000
Restart your computer.
Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
Choose the Safe Mode option from the Windows 2000 Advanced Options Menu then press Enter.
Removing Malware Entries from the Registry
On Windows XP
Click Start>Run, type REGEDIT, then press Enter.
In the left panel, locate the following key:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
Enum>Root>LEGACY_NPF
Click the key to highlight it. Right-click on this key and choose "Permissions".
Check the Allow Full-control box and click OK.
Press the delete key and choose Yes when prompted.
Do the same steps for the following registry key:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
Enum>Root>LEGACY_RTKIT
Locate this registry key:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Rtkit
Delete the subkey Rtkit.
Locate this registry key:
HKEY_CURRENT_USER\S\Microsoft\Windows NT\
CurrentVersion\AppCompatFlags\Layers\
Delete the entry below:
%systemroot%\system32\ntrootkit.exe = WIN2000
Close Registry Editor.
On Windows 2000
Click Start>Run, type REGEDT32, then press Enter.
Locate the following key:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
Enum>Root>LEGACY_NPF
Click the key to highlight it.
Click on the Security tab and choose "Permissions".
Check the Allow Full-control box and click OK.
Press the delete key and choose Yes when prompted.
Do the same steps for the following registry key:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
Enum>Root>LEGACY_RTKIT
Locate this registry key:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Rtkit
Delete the subkey Rtkit.
Locate this registry key:
HKEY_CURRENT_USER\S\Microsoft\Windows NT\
CurrentVersion\AppCompatFlags\Layers\
Delete the entry below:
%systemroot%\system32\ntrootkit.exe = WIN2000
Close Registry Editor.
Deleting the Malware Folder
After removing the malware registry keys, go to %Windows%\System32, then locate the RTKIT folder and delete it.
(Note: %Windows% refers to the Windows folder which is usually C:\Windows or C:\WINNT.)
Additional Windows ME/XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as BKDR_NTRTKIT.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
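As an added example (not part of the Trend Micro advisory), the following read-only PowerShell audit checks a machine for the registry keys, AppCompatFlags entry, folder and process named in the procedure above, so the result of the manual cleanup can be verified after rebooting. It assumes the HKEY_CURRENT_USER path runs through "Software" where the advisory shows "\S\", and it runs from an elevated prompt.

```powershell
# Added audit script, not Trend Micro's own tooling. It only reports; it deletes nothing.
# Because BKDR_NTRTKIT.A hides itself with rootkit techniques, a clean result from a
# live (non-Safe Mode) session is not conclusive; run it from Safe Mode as well.

$regKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RTKIT',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Rtkit'
)
# Assumption: "Software" is the hive subkey abbreviated as "\S\" in the advisory.
$layersKey   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$layersValue = Join-Path $env:SystemRoot 'system32\ntrootkit.exe'
$rtkitFolder = Join-Path $env:SystemRoot 'System32\RTKIT'

$findings = @()

foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += "Registry key present: $key"
    }
}

# The AppCompatFlags entry is a value whose *name* is the full path of ntrootkit.exe.
if (Test-Path -LiteralPath $layersKey) {
    $layers = Get-ItemProperty -LiteralPath $layersKey
    if ($layers.PSObject.Properties.Name -contains $layersValue) {
        $findings += "AppCompat layer present: $layersValue = $($layers.$layersValue)"
    }
}

if (Test-Path -LiteralPath $rtkitFolder) {
    $findings += "Malware folder present: $rtkitFolder"
}

# Process name taken from the advisory's AppCompatFlags entry.
$proc = Get-Process -Name 'ntrootkit' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process running: ntrootkit.exe (PID $($proc.Id -join ', '))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No BKDR_NTRTKIT.A artefacts found.'
} else {
    Write-Output 'BKDR_NTRTKIT.A artefacts still present:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Any line reported should be dealt with using the registry and folder steps above; treat the LEGACY_* keys as indicators to confirm against the other findings rather than proof on their own.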