Five-step process for removing viruses and spyware from client machines

Author: Erik Eckel
Translation: endurer, 2009-07-10, 2nd edition

Tags: Infection, Virus, Anti-spyware, Spyware, Adware & Malware, Cyberthreats, Security, Viruses and Worms, Erik Eckel

English source: http://blogs.techrepublic.com.com/project-management/?p=714&tag=nl.e101

Five step process for removing viruses and spyware from client machines

Author: Erik Eckel

Category: consulting

Tags: Infection, Virus, Anti-spyware, Spyware, Spyware, Adware & Malware, Cyberthreats, Security, Viruses And Worms, Erik Eckel

IT consultants must regularly remove stubborn, often regenerative and corrupting spyware and viruses from client machines. Erik Eckel shares his preferred strategy for quickly returning systems to stable operation.

It’s inevitable that clients will infect workstations, PCs, and laptops with spyware and viruses. Regardless of preventive steps, from gateway protection to automated scans to written Internet use policies, malware threats sneak through even layered defenses.

What makes the situation worse is that many clients aren’t willing to invest in standalone antispyware software, even though they understand the need for minimal antivirus protection. This is a perfect example of what I call Reactive Rationality. Clients who won’t invest in preventive measures find it easier to justify paying three or even four times the cost of prevention to remediate infections once a debilitating disruption strikes their systems or network.

Some IT professionals advocate simply wiping systems and reinstalling Windows, while others suggest that’s akin to giving up and letting the bad guys win. The truth lies somewhere in between.

《endurer's note: 1. akin to: similar to (close to; of the same family)》

Following tried-and-true methods frequently repairs even heavily damaged systems. I’ve returned systems to college students that ran as well as they did out of the box, even though some 1,200 lively Trojans, viruses, and worms were active on the machine when it hit my workbench. In other cases, systems with a single sinister and nefarious infection required me to reinstall the operating system. The trick is to discover which method is called for as quickly as possible when encountering an infected client PC.

《endurer's note: 1. out of the box: "Out of box" is used to describe some uncertain event, and often serves as an adverb describing the uncertainty of a viewpoint. The term is said to be connected with the way the early-twentieth-century British mathematician Henry Ernest Dudeney solved a famous puzzle. The puzzle asks you to join nine points laid out three by three on a plane with four straight lines in a single stroke, that is, without lifting the pen from the paper. The key is to overcome the conventional idea of drawing within the three-by-three boundary; once the lines are taken beyond the boundary the problem is easily solved, and this is how the term "out of box" arose. Correspondingly, constrained thinking is called "boxed-in". In the IT field the pace of change is fast, so everyone looks for "out of box" thinking and tries to innovate.

Reader JOYCE points out: it should mean handling things according to the norms or routines they already have.
"Out of the box" is also used as a synonym for "off the shelf," meaning a ready-made software, hardware, or combination package that meets a need that would otherwise require a special development effort.》

Here are the virus and spyware steps I find most effective. After making an image copy of the drive (it’s always best to have a fallback option when battling malicious infections), these are the steps I follow:

1. Isolate the drive

Many rootkit and Trojan threats are masters of disguise that hide from the operating system as soon as or before Windows starts. I find that even the best antivirus and antispyware tools — including AVG Anti-Virus Professional, Malwarebytes Anti-Malware, and SuperAntiSpyware — sometimes struggle to remove such entrenched infections.

《endurer's note: 1. master of: one who is proficient in (controls, has mastered) …》

You need systems dedicated to removal. Pull the hard disk from the offending system, slave it to the dedicated test machine, and run multiple virus and spyware scans against the entire slaved drive. Disable AutoPlay on the test machine before attaching the disk, and open the slaved drive from the Explorer address bar rather than by double-clicking it, so an autorun.inf planted on the infected volume cannot launch anything on your bench system.

2. Remove temporary files

While the drive is still slaved, browse to all users’ temporary files. These are typically found in C:\Documents and Settings\Username\Local Settings\Temp on Windows XP or C:\Users\Username\AppData\Local\Temp on Windows Vista (on the slaved drive, substitute its drive letter for C:). Both Local Settings and AppData are hidden folders, so enable "Show hidden files and folders" in Explorer, or use dir /a from a command prompt, before looking.

Delete everything within the temporary folders; many threats hide there seeking to regenerate upon system startup. With the drive still slaved, it’s much easier to eliminate these offending files.

《endurer's note: 1. seek to: to strive for, to try to》
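As an added example for step 2 (not the author's own code), here is a script that empties the per-user Temp folders on a slaved drive. It assumes the infected disk is mounted read-write at the path passed as `root` (an assumption: E:\ on a Windows bench machine, /mnt/victim on Linux), knows both the XP and the Vista profile layouts named above, defaults to a dry run, and unlinks rather than follows any symlink or junction it meets, because a planted reparse point inside Temp would otherwise turn a naive recursive delete against System32 or the bench machine's own disk. The tree that `make_sample_drive` builds is constructed for demonstration and uses symlinks where a real Vista drive has NTFS junctions.

```python
"""Empty per-user Temp folders on a slaved (offline) Windows drive.

Added example for step 2, not the article's own code. Assumes the infected
disk is mounted read-write at ``root`` (e.g. E:\\ on a Windows bench machine
or /mnt/victim on Linux) and knows both profile layouts the article names.
"""
import os
import shutil
import tempfile
from pathlib import Path

# (profiles directory, Temp path relative to each profile)
PROFILE_LAYOUTS = (
    ("Documents and Settings", Path("Local Settings") / "Temp"),  # Windows XP
    ("Users", Path("AppData") / "Local" / "Temp"),                # Windows Vista and later
)


def is_reparse_point(path):
    """True for symlinks and, on Python 3.12+, NTFS junctions."""
    return path.is_symlink() or (hasattr(path, "is_junction") and path.is_junction())


def find_temp_dirs(root):
    """Return every real per-user Temp directory on the slaved drive."""
    root = Path(root)
    found = []
    for profiles_dir, rel_temp in PROFILE_LAYOUTS:
        base = root / profiles_dir
        # Vista keeps "Documents and Settings" as a junction to "Users";
        # walking it would list every profile twice.
        if not base.is_dir() or is_reparse_point(base):
            continue
        for profile in sorted(base.iterdir()):
            if is_reparse_point(profile):
                continue
            temp = profile / rel_temp
            if temp.is_dir() and not is_reparse_point(temp):
                found.append(temp)
    return found


def purge_temp(root, dry_run=True):
    """Delete the contents of each Temp directory, keeping the directory.

    Returns the drive-relative paths removed (or that would be, on a dry run).
    Links and junctions are unlinked, never followed, so a planted reparse
    point cannot redirect the purge at System32 or the bench machine.
    """
    root = Path(root)
    removed = []
    for temp in find_temp_dirs(root):
        for entry in sorted(temp.iterdir()):
            removed.append(entry.relative_to(root).as_posix())
            if dry_run:
                continue
            if is_reparse_point(entry) or entry.is_file():
                entry.unlink()
            else:
                shutil.rmtree(entry)
    return removed


def make_sample_drive(layout):
    """Build a constructed stand-in for a slaved "xp" or "vista" drive; return its root.

    Uses symlinks in place of NTFS junctions, so it is meant for a Linux bench.
    """
    root = Path(tempfile.mkdtemp(prefix="slaved_"))
    system32 = root / "Windows" / "System32"
    system32.mkdir(parents=True)
    if layout == "xp":
        temp = root / "Documents and Settings" / "alice" / "Local Settings" / "Temp"
        temp.mkdir(parents=True)
        (temp / "dropper.tmp").write_bytes(b"MZ")  # constructed sample file
    else:
        temp = root / "Users" / "bob" / "AppData" / "Local" / "Temp"
        temp.mkdir(parents=True)
        (temp / "cache").mkdir()
        (temp / "cache" / "a.dat").write_bytes(b"x")  # constructed sample file
        # Decoy link out of Temp, of the kind that baits a naive recursive delete.
        os.symlink(system32, temp / "decoy")
        # Stand-in for Vista's "Documents and Settings" junction onto "Users".
        os.symlink(root / "Users", root / "Documents and Settings")
    return root


if __name__ == "__main__":
    drive = make_sample_drive("vista")
    print("would remove:", purge_temp(drive))            # dry run first
    print("removed:", purge_temp(drive, dry_run=False))
```

Run it once with the default dry run and read the list before running it again with `dry_run=False`; a file you expected to see there and do not is worth a look before it is gone, and the drive image taken earlier is still the real safety net.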

3. Return drive and repeat scans

Once you run a complete antivirus scan and execute two full antispyware scans using two current, recently updated and different antispyware applications (removing all found infections), return the hard disk to the system. Then, run the same scans again.

Despite the scans and previous sanitization, you may be surprised at the number of remaining active infections the antimalware applications subsequently find and remove. Only by performing these additional native scans can you be sure you’ve done what you can to locate and remove known threats.

4. Test the system

Once you finish the previous three steps, it’s tempting to think a system is good to go, but don’t make that mistake. Boot it up, open the Web browser, and immediately delete all offline files and cookies.


《endurer's note: 1. it is tempting to: one may well want to》

Next, go to the Internet Explorer Connection settings (Tools | Internet Options, select the Connections tab, then LAN settings) to confirm that a malicious program didn’t change the system’s default proxy or LAN connection settings. The same values live in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable, ProxyServer and, for an "automatic configuration script", AutoConfigURL), which is the quicker place to check on a machine with several user profiles. Correct any issues you find and ensure settings match those required on your network or the client’s network.


Then, visit 12-15 random sites. Look for any anomalies, including the obvious pop-up windows, redirected Web searches, hijacked home pages, and similar frustrations. Don’t consider the machine cleaned until you can open Google, Yahoo, and other search engines and complete searches on a string of a half-dozen terms. Be sure to test the system’s ability to reach popular antimalware Web sites such as AVG, Symantec, and Malwarebytes.
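Two of the symptoms this step looks for, search engines and antimalware sites that cannot be reached, are commonly produced by a tampered hosts file or a silently enabled proxy, so here is an added example (not the author's own code) that checks both. The hosts file sits at \Windows\System32\drivers\etc\hosts on XP and Vista alike and can be read straight off the slaved drive; the proxy values are the ones the Internet Options dialog reads from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. The watchlist of domains and the sample hosts text are constructed for the demonstration, and `read_live_proxy_settings` only works on the booted Windows system.

```python
"""Check for hosts-file and proxy hijacks once the drive is back in the box.

Added example for step 4, not the article's own code. The hosts file is
Windows/System32/drivers/etc/hosts on XP and Vista; proxy values come from
the Internet Settings key under HKEY_CURRENT_USER.
"""
import sys

# Domains no legitimate hosts entry should ever point anywhere. Constructed
# watchlist built from the vendors and search engines the article tests.
WATCHED_DOMAINS = (
    "avg.com", "symantec.com", "malwarebytes.org", "microsoft.com",
    "windowsupdate.com", "google.com", "yahoo.com",
)


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in a hosts file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((line_no, ip, name.lower()))
    return entries


def on_watchlist(hostname, watch=WATCHED_DOMAINS):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watch)


def find_hijacked_hosts(text, watch=WATCHED_DOMAINS):
    """Entries for watched domains, whatever address they point at.

    127.0.0.1 or 0.0.0.0 entries block the site; anything else redirects it.
    """
    return [e for e in parse_hosts(text) if on_watchlist(e[2], watch)]


def review_proxy(settings, allowed_proxies=()):
    """Flag proxy settings the client network did not ask for.

    ``settings`` holds ProxyEnable, ProxyServer and AutoConfigURL as read from
    the Internet Settings key; ``allowed_proxies`` lists the client's real
    proxy, if it has one.
    """
    findings = []
    if settings.get("AutoConfigURL"):           # "automatic configuration script"
        findings.append("AutoConfigURL set: " + settings["AutoConfigURL"])
    if settings.get("ProxyEnable") == 1:
        proxy = settings.get("ProxyServer", "")
        if proxy not in allowed_proxies:
            findings.append("unexpected proxy: " + proxy)
    return findings


def read_live_proxy_settings():
    """Read the current user's proxy values on the booted Windows system."""
    if sys.platform != "win32":
        raise OSError("winreg is only available on Windows")
    import winreg
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    values = {}
    for name in ("ProxyEnable", "ProxyServer", "AutoConfigURL"):
        try:
            values[name] = winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            pass
    return values


# Constructed sample: a stock hosts file with hijack lines appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost

127.0.0.1  www.malwarebytes.org malwarebytes.org
127.0.0.1  free.avg.com   # blocks the AVG download page
0.0.0.0    www.symantec.com
198.51.100.7  www.google.com   # redirect to an attacker host (TEST-NET address)
"""

if __name__ == "__main__":
    for line_no, ip, host in find_hijacked_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}")
    print(review_proxy({"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8080"}))
```

Read the whole file rather than the first screen: hijack lines are often appended after hundreds of blank lines so that Notepad shows a clean-looking header. A proxy of 127.0.0.1 on a port you did not configure means something on the box is still sitting in the browser's path and belongs in step 5.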

5. Dig deeper on remaining infections

If any infection remnants remain, such as redirected searches or blocked access to specific Web sites, try determining the filename for the active process causing the trouble. Trend Micro’s HijackThis, Microsoft’s Process Explorer, and Windows’ native Microsoft System Configuration Utility (Start | Run and type msconfig) are excellent utilities for helping locate offending processes.

If necessary, search the registry for entries that reference the offending executable and remove every instance (export the affected keys first, so a mistaken deletion can be undone). Then reboot the system and try again.
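Regedit's Find dialog stops at one hit at a time and does not search inside REG_EXPAND_SZ data stored as hex, so here is an added example (not the author's own code) that does the search offline over a plain export: run `reg export HKLM hklm.reg /y` and `reg export HKCU hkcu.reg /y` on the booted system (or File > Export in regedit), then point `find_references` at the text. The export is UTF-16 with a byte-order mark, which `load_reg_file` handles. The sample export and the dropper name svchost32.exe in it are constructed for the demonstration; the Run and Winlogon\Shell locations it uses are real autostart points.

```python
"""Find every registry reference to an offending executable.

Added example for step 5, not the article's own code. Works on a plain
registry export (reg export HKLM hklm.reg /y, or File > Export in regedit),
so the registry can be searched offline instead of through regedit's Find.
"""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"


def _unescape(s):
    """Undo .reg escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_hex(type_code, body):
    """Decode hex(N): payloads; string types are UTF-16LE, the rest stay hex."""
    data = bytes(int(b, 16) for b in body.split(",") if b.strip())
    if type_code in ("1", "2", "7"):      # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
        return data.decode("utf-16-le", errors="replace").replace("\x00", " ").strip()
    return data.hex()


def parse_reg_export(text):
    """Yield (key_path, value_name, value_as_text) for each value in the export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join wrapped hex lines (trailing backslash)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == REG_HEADER:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = str(int(data[6:], 16))
        else:
            h = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", data, re.IGNORECASE)
            value = _decode_hex(h.group(1) or "3", h.group(2)) if h else data
        yield key, name, value


def find_references(text, exe_name):
    """Values whose key, name or data mention ``exe_name`` (case-insensitive)."""
    needle = exe_name.lower()
    return [(k, n, v) for k, n, v in parse_reg_export(text)
            if needle in k.lower() or needle in n.lower() or needle in v.lower()]


def load_reg_file(path):
    """reg export writes UTF-16 with a BOM; the utf-16 codec consumes it."""
    with open(path, encoding="utf-16") as f:
        return f.read()


# Constructed sample export. "svchost32.exe" is a hypothetical dropper name,
# planted in a Run value and appended to the Winlogon Shell (REG_EXPAND_SZ).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"svchost32"="\"C:\\Documents and Settings\\alice\\Local Settings\\Temp\\svchost32.exe\" -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"Shell"=hex(2):65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,\
  00,65,00,2c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,33,00,32,00,2e,00,\
  65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, name, value in find_references(SAMPLE_REG, "svchost32.exe"):
        print(f"[{key}]\n    {name} = {value}")
```

A hit in a value such as Winlogon\Shell or exefile\shell\open\command means the executable is chained into something Windows needs, so edit the value back to its normal content rather than deleting the key outright; deleting the whole Run value, by contrast, is the right fix.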

If a system still proves corrupt or unusable, it’s time to begin thinking about a reinstall. If an infection proves persistent after all these steps, you’re likely in a losing battle.

What’s your method? Some IT consultants prefer a different strategy from what I outline above; however, I haven’t found another process that works better at quickly returning systems to stable operation.

Some IT consultants swear by fancier tricks. I’ve investigated KNOPPIX as one alternative. And I’ve had a few occasions where, in the field, I’ve slaved infected Windows drives to my Macintosh laptop in order to delete particularly obstinate files in the absence of a boot disk.

《endurer's note: 1. swear by: to swear on (to trust completely); to be certain of
2. in the field: on site (in the open; in the field of battle; in action; in a competition)》

Other technicians recommend leveraging such tools as Reimage, although I’ve experienced difficulty getting the utility to even recognize common NICs, without which the automated repair tool cannot work.

What methods do you recommend for removing viruses and spyware from clients’ machines? Join the discussion by posting a comment.
