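Topic: [Original] Some thoughts on cleaning up "rogue" software -- also a reply to 虎子 -- Highway
What a coincidence: this evening a friend called to say his computer had a problem and asked me to come over and take a look. I asked what the symptoms were, and he said some antivirus programs reported a virus but could not remove it, while McAfee said there was no virus. The concrete symptoms were that the computer ran very slowly and popped up ads from time to time.
When I got to his place, the first thing I did was use msconfig to look at the startup programs, and sure enough, there were twenty or thirty junk entries. I unchecked all of them. Then I went to Task Manager to shut down these junk programs (End Process). But I soon found that two programs could not be killed. I think they were comwiz.exe and winnet.exe. Killing these two processes produced no error message, but less than a second later they were back.
At that point I rebooted the machine. After startup, comwiz.exe and winnet.exe were already running. Looking in msconfig, these two entries had somehow come back. Before long, the ads and so on started popping up again.
I thought about how these two programs work (I don't consider them viruses); if I were asked to write such a program, I could do it. The principle is:
1) At install time, modify the registry to make itself an auto-start program.
2) When the program is killed (a Windows event), fork a new process and run itself again (guaranteeing it is never killed for good). The logic is a bit like an infinite loop. Because the file is locked while the program is loaded and running, the user cannot delete the executable.
3) Monitor the registry file (Windows raises an event when the file is changed). If someone sets it to not auto-start, change it back.
This way, once the user logs in, the program is already running. The user cannot stop it and cannot delete it, and it can do whatever it wants.
So what should we do?
I tried the following, and it seemed to work quite well.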
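1) Reboot the machine, press F8 before startup to enter Safe Mode, and boot from Safe Mode.
2) When starting in Safe Mode, Windows loads only the core system programs and does not run auto-start programs.
3) Find the location (directory) of the "rogue" software and delete it. It is not running at this point and the file is not locked, so you can delete it.
4) Run msconfig and uncheck the "rogue" software entries.
5) Reboot the machine and start normally.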
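With that, the problem was solved. I tested for about 5 minutes and nothing abnormal happened. And I hope he doesn't call me again tomorrow.
This is a fairly well-behaved piece of "rogue" software, not a virus. Otherwise, if it had modified Core Services, I would not have been able to do a clean start. It is the so-called "strike first to gain the upper hand": I have to finish my work before it starts. As long as it can be kept from starting, there is a way to delete it.
I don't know how other "rogue" software goes about being "rogue". Some may come up with other odd tricks, and perhaps the more extreme ones are nearly the same as viruses (for example, modifying the operating system itself to ensure they always get started). We'll hit those with bricks when we run into them; no hurry for now!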
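The two behaviors described in the post above (a process that is back within a second of End Process, and a startup entry that returns after being unchecked) can be picked out of an event timeline. This is an added example, not part of the original post; the event tuple format, the sample events and the autorun value names are constructed, and the one-second window is an assumption based on the post's "less than a second".

```python
from collections import defaultdict

# Constructed sample timeline: (seconds, event, subject).
# "proc_start"/"proc_end" carry an image name; "run_set"/"run_del" carry an
# autorun value name. The format is hypothetical, not a real log schema.
EVENTS = [
    (0.0,  "run_set",    "comwiz"),
    (0.0,  "run_set",    "winnet"),
    (5.0,  "proc_start", "comwiz.exe"),
    (5.1,  "proc_start", "winnet.exe"),
    (6.0,  "proc_start", "notepad.exe"),
    (60.0, "run_del",    "comwiz"),       # user unchecks the entry in msconfig
    (60.4, "run_set",    "comwiz"),       # entry is written back
    (90.0, "proc_end",   "comwiz.exe"),   # user clicks End Process
    (90.6, "proc_start", "comwiz.exe"),   # back in under a second
    (95.0, "proc_end",   "notepad.exe"),  # normal exit, never restarted
    (99.0, "proc_end",   "winnet.exe"),
    (99.3, "proc_start", "winnet.exe"),
]

def find_self_healing(events, window=1.0):
    """Return {subject: set of findings} for changes undone within `window` seconds."""
    undo = {"proc_end": ("proc_start", "respawn"),
            "run_del": ("run_set", "autorun_restored")}
    pending = {}                   # (expected_event, subject) -> (time, label)
    findings = defaultdict(set)
    for ts, event, subject in sorted(events):
        hit = pending.pop((event, subject), None)
        if hit and ts - hit[0] <= window:
            findings[subject].add(hit[1])
        if event in undo:
            expected, label = undo[event]
            pending[(expected, subject)] = (ts, label)
    return dict(findings)

def removal_needs_offline_cleanup(findings, image, run_value):
    """True when both the process and its autorun entry heal themselves,
    the situation in which the post falls back to Safe Mode."""
    return ("respawn" in findings.get(image, ()) and
            "autorun_restored" in findings.get(run_value, ()))

if __name__ == "__main__":
    result = find_self_healing(EVENTS)
    for subject, labels in sorted(result.items()):
        print(subject, sorted(labels))
```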
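One called LOOK2ME.COM kept popping up. I Googled it and found an automatic removal program; I used it and it worked well, and now it's gone.
I used msconfig; my company has spyremover (阿康, my company isn't that stingy, I just didn't know about it), which can do the same thing. I stopped the unnecessary items and have basically deleted them.
The only problem is that now, every time I boot, a TOOL BAR gets added in front of IE's START PAGE, and I haven't found a fix yet.
The battle goes on.
that would affect the system. Go ahead and do it! (If something goes wrong, don't come looking for me.)
The April issue of PC Magazine has a feature devoted to spyware; you can look it up online. The address is www.pcmag.com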
1. Make sure to run an antispyware application. Perform on-demand scans regularly to root out spyware that slips through the cracks. Reboot after removal and rescan to make sure no ticklers, which are designed to reinstall spyware, have resurrected any deleted apps. Additionally, even though we are not overly impressed with any app's real-time blocking abilities, activate whatever your app of choice offers; it's nearly always better than nothing.
2. Give your antispyware some backup. In addition to an antispyware app, make sure to run both software and hardware firewalls and antivirus applications to protect yourself against Trojan horses (and viruses, naturally).
3. Beware of peer-to-peer file-sharing services. Many of the most popular applications include spyware in their installation procedures (see the sidebar "Spyware-Free P2P―for Free"). Also, never download any executables via P2P, because you can't be absolutely certain what they are. Actually, it's a good idea to avoid downloading executables from anywhere but vendors or major, well-checked sites.
4. Watch out for cookies. While they may not be the worst form of spyware, information gathered via cookies can sometimes be matched with information gathered elsewhere (via Web bugs, for example) to provide surprisingly detailed profiles of you and your browsing habits. PC Magazine's own Cookie Cop 2 (www.pcmag.com/utilities) can help you take control of cookies.
5. Squash bugs. Web bugs are spies that are activated when you open contaminated HTML e-mail. Get rid of unsolicited e-mail without reading it when you can; turn off the preview pane to delete messages without opening them. In Outlook 2003, Tools | Options, click on the Security tab and select Change Automatic Download Settings. Make sure Don't download pictures or other content automatically in HTML e-mail is checked.
6. Don't install anything without knowing exactly what it is. This means reading the end-user license agreement (EULA) carefully, as some EULAs will actually tell you that if you install the app in question, you've also decided to install some spyware with the software. Check independent sources as well, as some EULAs won't tell you about spyware.
7. Protect yourself against drive-by downloads. Make sure your browser settings are stringent enough to protect you. In IE, this means your security settings for the Internet Zone should be at least medium. Deny the browser permission to install any ActiveX control you haven't requested.
8. Keep up to date on the ever-changing world of spyware. Knowing the threat will help you defeat it. There are several great sites you can visit to keep abreast of this issue. PestPatrol's Research Center (www.pestpatrol.com/pestinfo) has one of the most comprehensive lists of spyware and related threats we've seen. SpywareInfo is another good online source of information. Finally, PC Magazine's Security Scout utility (www.pcmag.com/utilities) aggregates dozens of security-specific news feeds and brings them right to your desktop.
1. You find a new finger-size hardware device connected between your keyboard cable's plug and the corresponding socket on the back of your computer. Or maybe someone recently offered you "a better keyboard."
2. Your phone bill includes expensive calls to 900 numbers that you never made―probably at an outrageous per-minute rate.
3. You enter a search term in Internet Explorer's address bar and press Enter to start the search. Instead of your usual search site, an unfamiliar site handles the search.
4. Your antispyware program or another protective program stops working correctly. It may warn you that certain necessary support files are missing, but if you restore the files they go missing again. It may appear to launch normally and then spontaneously shut down, or it may simply crash whenever you try to run it.
5. A new item appears in your Favorites list without your putting it there. No matter how many times you delete it, the item always reappears later.
6. Your system runs noticeably slower than it did before. If you're a Windows 2000/XP user, launching the Task Manager and clicking the Processes tab reveals that an unfamiliar process is using nearly 100 percent of available CPU cycles.
7. At a time when you're not doing anything online, the send or receive lights on your dial-up or broadband modem blink just as wildly as when you're downloading a file or surfing the Web. Or the network/modem icon in your system tray flashes rapidly even when you're not using the connection.
8. A search toolbar or other browser toolbar appears even though you didn't request or install it. Your attempts to remove it fail, or it comes back after removal.
9. You get pop-up advertisements when your browser is not running or when your system is not even connected to the Internet, or you get pop-up ads that address you by name.
10. When you start your browser, the home page has changed to something undesirable. You change it back manually, but before long you find that it has changed back again.
11. And the final sign is: Everything appears to be normal. The most devious spyware doesn't leave traces you'd notice, so scan your system anyway.
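Highway's note: No single piece of software cures everything; each has its strengths and weaknesses. If the problem is serious, you can try them all!
1) Switch to another browser, such as Mozilla.
2) Don't display the toolbar in IE (View --> Toolbars --> uncheck).
3) Get rid of the toolbar (use Regedit to modify the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar). If the enemy changes it back after you edit it, reboot into Safe Mode and make the change there. You can use Microsoft's regclean.exe to clean up (download it online).
4) If the toolbar isn't much of a nuisance, just keep it. For example, I use Google's toolbar and find it very handy (it can be removed from Control Panel).
5) A troublesome toolbar is probably still a kind of spyware; try the tools I recommended one by one until it's sorted out.
6) Mail the computer to me and I'll fix it for you. I have a chainsaw, a sledgehammer, hinges and other equipment all on hand, so there's nothing I can't fix. The fee isn't high either: no more than 100 US dollars per hour.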
7)Reinstall the whole thing!
8) Buy a brand new computer!
9) ......
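While playing a game, a window appears asking to unload debuger, and then it exits. It ran fine the day before yesterday. A few months ago the game went crazy like this once, and it returned to normal after I uninstalled acdsee 4.0. Before this episode, it had coexisted peacefully with acdsee 6.0 for quite a long time. With no other option, I removed all of the several programs installed before the symptoms appeared and wiped the registry too, but the problem remains.
What's the solution?
The debugger program conflicts with the game.
If you have installed Visual Studio 2002/2003/2005, you have installed a debugger program whose full name is Machine Debug Manager. It is important for developing and debugging .NET programs.
You can terminate it (mdm.exe) in Task Manager, or stop it in the Services Console.
Hope this helps!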