五步清除客户电脑中的病毒和间谍软件
五步清除客户电脑中的病毒和间谍软件
作者:Erik Eckel
翻译:endurer,2009-07-10第2版
标签:感染,病毒,反间谍软件,间谍软件,广告软件 & 恶意软件,网络威胁,安全,病毒和蠕虫,Erik Eckel
IT顾问必须定期清除客户电脑中顽固、常常再生和有侵蚀作用的间谍软件和病毒。Erik Eckel分享了他迅速让系统回复稳定运行的首选策略。
客户们令间谍软件和病毒感染工作站、 PC和笔记本电脑是不可避免的。无论从网关防护到自动扫描,以至编写因特网使用策略的预防措施,恶意软件威胁甚至偷偷通过分层防御系统。
使情况变得更糟的是,许多客户都不愿意为独立的反间谍软件花钱,虽然他们明白需要最小的防毒保护。这是一个很好的例子,我称之为无理性。不会投资于预防措施的客户也能更易于证明,一旦他们的系统或网络受到带侵蚀腐化性质的破坏攻击,支付3或4倍于预防感染的费用来进行补救是正当的。
一些IT专家主张简单地擦除系统,重新安装windows,而另一些建议则类似放弃而让坏人获胜。事实在于两者之间。
以下尝试和正确的方法经常修复包括严重损坏在内的系统。我已经让系统回复到像不超出规范的大学生那样运行,即使电脑上有1,200个木马、病毒和蠕虫在活动,打到了我的工作台。在其他情况下,对受一个单一的用心险恶和恶意感染的系统,我需要重新安装操作系统。诀窍在于,在遇到有可能受感染的客户电脑时,了解哪个方法能尽快生效。
这是我发现的最有效的清除病毒和间谍软件步骤。在做好驱动器的镜像拷贝后(在与恶意感染斗争时,有一个退路总是最好的),我的步骤如下:
1、隔离驱动器
许多rootkit和特洛伊木马威胁是擅于尽快或在Windows启动前从操作系统中隐藏。我发现,即使是最好的防病毒和反间谍工具-包括的AVG反病毒专业版, Malwarebytes的Anti-Malware,以及SuperAntiSpyware -有时也在消除这种顽固的感染时陷入苦斗。
你需要专用系统来清除。把硬盘从让人讨厌的系统中拿出来,做为从盘放入专用测试机,并运行多种反病毒和间谍软件对整个从盘进行扫描。
2、清除临时文件
在驱动器仍是从盘时,浏览所有用户的临时文件,这些通常是在Windows XP的C:/Documents and Settings/用户名/Local Settings/Temp目录内或Windows Vista的C:/Users/用户名/App Data/Local/Temp文件夹内发现。
删除所临时文件夹中的东西;隐藏在这儿的威胁会争取在系统启动时重生。利用驱动器还是从盘的有利时机,更容易删除这些可恶的文件。
3、把驱动器装回并重复扫描
在运行一个完整的反病毒软件扫描,并用两个流行的、近期升过级并且不同的反间谍应用程序执行了两个全面的反间谍软件扫描(删除所有发现的感染)后,把硬盘装回系统。然后,再次进行同样的扫描。
尽管做了扫描和先前的清理,您仍可能会惊叹反恶意软件应用程序随后找到并删除许多残余活性感染的数量。只有通过执行这些额外本地扫描,可以确定你已经尽一切可能找到并删除了已知威胁。
4、测试系统
完成以上3个步骤后,大家可能很想认定系统可以良好工作不犯错误了。启动它,打开网页浏览器,并且立即删除所有离线文件和cookies.
接下来,到 IE连接选项(工具 | Internet选项 并选择 连接 选项卡)来确认恶意程序没有改变系统的默认代理服务器或局域网连接设置。改正你发现的问题并确信这些设置与你的网络或客户网络匹配。
然后,随机访问12-15个网站。寻找任何异常迹象,包括明显的弹出窗口,重定向网络搜索,被劫持的网页,以及类似的故障。不要顾虑,清理机器,直到您可以打开谷歌,雅虎及其他搜索引擎,并搜索完成了半打术语。请务必测试系统有能力访问流行的反恶意软件的网站,如AVG,赛门铁克和Malwarebytes。
5、挖出深层残余感染
如果仍然有任何感染残存,比如搜索被重定向或访问特定网站被阻止,尝试确定造成麻烦的活动进程的文件名。趋势科技公司的HijackThis ,微软的Process Explorer, Windows自带的微软系统配置实用程序(开始|运行,输入msconfig )是有助于查找可恶进程的优秀工具。
如果有必要,搜索并删除注册表中所有与可恶的可执行文件有关的条目。然后重新启动系统,然后再试一次。
如果系统仍然显现为损坏或无法使用,就该开始考虑重新安装了。如果在所有这些步骤后仍证明感染存在,您可能战败了。
你们的方法是什么呢?一些IT顾问比较喜欢的策略与我上面所列的不同;然而,我还没有发现其它过程能在迅速让系统回复稳定方面做的更好的。
一些IT顾问对花招深信不疑。我已经研究了KNOPPIX作为一个替代方案。并且我已经进行了几次实战,我把被感染的Windows驱动器作为从盘接入苹果笔记本电脑,以便删除Windows驱动器中特别顽固的文件。
其他技术人员建议利用Reimage这样的工具,但甚至在让这个工具识别常规网卡时,我都遇到了麻烦,没网卡,自动修复工具无法工作。
在清除客户电脑中的病毒和间谍软件方面,你们有什么建议吗?欢迎您发表评论参加讨论。
英文出处:http://blogs.techrepublic.com.com/project-management/?p=714&tag=nl.e101
Five step process for removing viruses and spyware from client machines
Author: Erik Eckel
Category: consulting
Tags: Infection, Virus, Anti-spyware, Spyware, Spyware, Adware & Malware, Cyberthreats, Security, Viruses And Worms, Erik Eckel
IT consultants must regularly remove stubborn, often regenerative and corrupting spyware and viruses from client machines. Erik Eckel shares his preferred strategy for quickly returning systems to stable operation.
It’s inevitable that clients will infect workstations, PCs, and laptops with spyware and viruses. Regardless of preventive steps, from gateway protection to automated scans to written Internet use policies, malware threats sneak through even layered defenses.
What makes the situation worse is that many clients aren’t willing to invest in standalone antispyware software, even though they understand the need for minimal antivirus protection. This is a perfect example of what I call Reactive Rationality. Clients who won’t invest in preventive measures find it easier to justify paying three or even four times the cost of prevention to remediate infections once a debilitating disruption strikes their systems or network.
Some IT professionals advocate simply wiping systems and reinstalling Windows, while others suggest that’s akin to giving up and letting the bad guys win. The truth lies somewhere in between.
《endurer注:1、akin to:类似(近于,的同族)》
Following tried-and-true methods frequently repairs even heavily damaged systems. I’ve returned systems to college students that ran as well as they did out of the box, even though some 1,200 lively Trojans, viruses, and worms were active on the machine when it hit my workbench. In other cases, systems with a single sinister and nefarious infection required me to reinstall the operating system. The trick is to discover which method is called for as quickly a possible when encountering an infected client PC.
《endurer注:1、out of the box:“Out of box”用于描述某种不确定的事件。常常作为副词来形容某种观点的不确定性。据说这个词同20世纪早期的英国数学家亨利·恩斯特·杜德耐解答一个著名数学谜语的思路相关。题目要求用四条直线连接平面上三乘三分布的九个点,要求一笔连成,也就是在画线的时候笔不能离开纸面。解决这个数学问题的关键在于要克服传统的在三乘三边界内画点的思想,如果将线连接到边界之外,那么问题可以迎刃而解,这样就产生了“Out of box”这个词。相应的,将思维受限这种情况称为“boxed-in”。在IT领域,节奏变化很快,因此每个人都在寻找“Out of box”的思维方式,尝试创新。
网友JOYCE指教说:就该是按他们已有的规范或程式去处理.
"Out of the box" is also used as a synonym for "off the shelf," meaning a ready-made software, hardware, or combination package that meets a need that would otherwise require a special development effort. 》
Here are the virus and spyware steps I find most effective. After making an image copy of the drive (it’s always best to have a fallback option when battling malicious infections), these are the steps I follow:
1. Isolate the drive
Many rootkit and Trojan threats are masters of disguise that hide from the operating system as soon as or before Windows starts. I find that even the best antivirus and antispyware tools — including AVG Anti-Virus Professional, Malwarebytes Anti-Malware, and SuperAntiSpyware — sometimes struggle to remove such entrenched infections.
《endurer注:1、master of:精通(控制,掌握)…的人》
You need systems dedicated to removal. Pull the hard disk from the offending system, slave it to the dedicated test machine, and run multiple virus and spyware scans against the entire slaved drive.
2. Remove temporary files
While the drive is still slaved, browse to all users’ temporary files. These are typically found within the C:/Documents and Settings/Username/Local Settings/Temp directory within Windows XP or the C:/Users/Username/App Data/Local/Temp folder within Windows Vista.
Delete everything within the temporary folders; many threats hide there seeking to regenerate upon system startup. With the drive still slaved, it’s much easier to eliminate these offending files.
《endurer注:1、seek to:追求,争取》
3. Return drive and repeat scans
Once you run a complete antivirus scan and execute two full antispyware scans using two current, recently updated and different antispyware applications (removing all found infections), return the hard disk to the system. Then, run the same scans again.
Despite the scans and previous sanitization, you may be surprised at the number of remaining active infections the antimalware applications subsequently find and remove. Only by performing these additional native scans can you be sure you’ve done what you can to locate and remove known threats.
4. Test the system
Once you finish the previous three steps, it’s tempting to think a system is good to go but don’t make that mistake. Boot it up, open the Web browser, and immediately delete all offline files and cookies.
《endurer注:1、it is tempting to:人们可能很想》
Next, go to the Internet Explorer Connection settings (Tools | Internet Options and select the Connections tab within Internet Explorer) to confirm that a malicious program didn’t change a system’s default proxy or LAN connection settings. Correct any issues you find and ensure settings match those required on your network or the client’s network.
Then, visit 12-15 random sites. Look for any anomalies, including the obvious pop-up windows, redirected Web searches, hijacked home pages, and similar frustrations. Don’t consider the machine cleaned until you can open Google, Yahoo, and other search engines and complete searches on a string of a half-dozen terms. Be sure to test the system’s ability to reach popular antimalware Web sites such as AVG, Symantec, and Malwarebytes.
5. Dig deeper on remaining infections
If any infection remnants remain, such as redirected searches or blocked access to specific Web sites, try determining the filename for the active process causing the trouble. Trend Micro’s HijackThis, Microsoft’s Process Explorer, and Windows’ native Microsoft System Configuration Utility (Start | Run and type msconfig) are excellent utilities for helping locate offending processes.
If necessary, search the registry for entries for an offending executable and remove all incidents. Then reboot the system and try again.
If a system still proves corrupt or unusable, it’s time to begin thinking about a reinstall. If an infection proves persistent after all these steps, you’re likely in a losing battle.
What’s your method?Some IT consultants prefer a different strategy from what I outline above; however, I haven’t found another process that works better at quickly returning systems to stable operation.
Some IT consultants swear by fancier tricks. I’ve investigated KNOPPIX as one alternative. And I’ve had a few occasions where, in the field, I’ve slaved infected Windows drives to my Macintosh laptop in order to delete particularly obstinate files in the absence of a boot disk.
《endurer注:1、swear by:对起誓(极其信赖);确定》
2、in the field:实地(野外,在战地,在作战,在参加比赛)》
Other technicians recommend leveraging such tools as Reimage, although I’ve experienced difficulty getting the utility to even recognize common NICs, without which the automated repair tool cannot work.
What methods do you recommend for removing viruses and spyware from clients’ machines? Join the discussion by posting a comment.
五步清除客户电脑中的病毒和间谍软件相关推荐
- 计算机感染木马或病毒,电脑中木马病毒的症状
大家好,我是时间财富网智能客服时间君,上述问题将由我为大家进行解答. 电脑中木马病毒的症状是: 1.文件或文件夹无故消失 当发现电脑中的部分文件或文件夹无缘无故消失,就可以确定电脑已经中了病毒.部分电 ...
- 电脑中病毒所有html文件,电脑中了病毒所有文件都多了三个文件是什么原因以及解决办法...
360安全卫士v10.3.0.2007官方最新版 类型:360工具大小:63M语言:中文 评分:7.9 标签: 立即下载 电脑中了病毒所有文件都多了三个文件是什么原因以及解决办法,最近不少人的电脑中了 ...
- 电脑中病毒所有html文件,电脑中了病毒文件如何解决
最近给别人刻录光盘.对方从网上发了一个压缩包,打开看了一下,看到里面有个exe文件,好奇心驱使,打开了那个exe文件,结果发现电脑里的所有文件夹都变成了exe文件.下面是学习啦小编跟大家分享的是电脑中 ...
- 有哪些计算机病毒症状,电脑中了病毒有哪些症状
电脑中了病毒有哪些症状 电脑病毒最简单的检查方法是用较新的防病毒软件对磁盘进行全面的检测.以下是小编整理的电脑病毒的检查方法,供大家参考,希望大家能够有所收获! 如何及早的发现新病毒: 首先应注意内存 ...
- 「推荐」五步搞定电脑网络安全 五步防止黑客攻击
随着电脑的普及,很多新手朋友都开始有了电脑,但很多朋友对于安全上网都不是很了解,今天小编通过网络为新手朋友总结了5条新手安全上网小技巧.网络安全是指网络系统的硬件.软件及其系统中的数据受到保护,不因偶 ...
- 30秒清除你电脑中的垃圾(使你电脑急速如飞)
要轻松流畅上网你是否注意到你的电脑系统磁盘的可用空间正在一天天在减少呢?是不是像老去的猴王一样动作一天比一天迟缓呢? 没错!在Windows在安装和使用过程中都会产生相当多的垃圾文件,包括临时文件(如 ...
- 30秒清除你电脑中的垃圾
要轻松流畅上网你是否注意到你的电脑系统磁盘的可用空间正在 一天天在减少呢?没错!在Windows安装和使用过程中都会产生相当多的垃圾文件,包括临时文件(如:*.tmp.*._mp)日志文件 (*.lo ...
- 怎样防止自己的电脑中肉鸡病毒?
关闭445端口,可以隔绝大多数的肉鸡病毒. 为什么? 445端口是一个毁誉参半的端口,有了它我们可以在局域网中轻松访问各种共享文件夹或共享打印机,但也正是因为有了它,黑客们才有了可乘之机,他们能通过该 ...
- 外国小哥恶搞:用ESP32单片机伪装成GPU,让朋友电脑中“勒索病毒
丰色 发自 凹非寺 量子位 | 公众号 QbitAI "你的电脑已被BIOS Root Kit病毒感染." "所有文件都已被加密." "关机和重启都没 ...
最新文章
- 手机客户端和web端开发的异同
- 【青少年编程】【蓝桥杯】绘制扇子
- 我的博士之路(壮根美颜-康亚龙):五年读博路,苦熬曙光明
- 简单的鼠标可拖动div 兼容IE/FF
- 杰思安全获数千万元A+轮投资,绿盟科技领投,德联资本跟投
- 《2020雇佣关系趋势报告》今发布:近三成受访者兼职,近七成工作量增加、考核变严格
- 【云上ELK系列】Logstash迁移Elasticsearch数据方法解读
- 数字三角形,最长上升子序列,背包模型 AcWing算法提高课 (详解)
- Spring配置文件和Java配置
- js系列教程6-BOM操作全解
- C# 从服务器下载文件
- Vue电商后台管理系统功能展示
- junit5 入门系列教程-05-junit5 断言(assert)
- mysql 索引失效的7种情况
- 统计分析——假设检验、中心极限定理
- diameter协议栈_Diameter协议摘要
- enumerate用法总结
- 选择适合你的虚拟现实体验
- android 设备序列号_如何查找您的Android设备的序列号
- PHP从网站抓取图片并保存本地的代码