How can I deal with rogue software?

Source: Internet
Author: User

I work in software, and I am often asked to fix all kinds of computer problems. Before I had even got up this morning, someone called to ask why IE crashed as soon as it was opened. I helped him look into it: a pile of rogue plug-ins had somehow been installed. Oddly enough, one of my own long-standing puzzles is how people get hit by rogue software at all, because I can never catch it myself. Some time ago, when my123.com broke out, I wanted to see what was going on, so I searched around and browsed my123.com for a long time, but nothing at all got installed on my machine. I even left a message on a blogger's post asking about it; nobody replied, and the blogger was probably confused by the request, haha.

When it comes to dealing with rogue software, I do have quite a bit of experience. None of it requires programming, so ordinary computer users can learn it too. Let me share it.

1. First of all, find ways to avoid getting hit in the first place. One principle is to install as little miscellaneous software as possible. In addition, a lot of today's rogue software is built as IE plug-ins, so if you are willing, consider switching browsers. I have switched to Firefox and only use IE for sites that have problems in Firefox. Another effective way to stay out of trouble is to restrict the browser's run-time permissions. Most people log on to Windows as an administrator (so do I), which gives rogue software that same access. Limiting the browser's permissions stops an attacker from using it to secretly install software on your hard disk, modify the registry, and so on. Microsoft saw this problem too, so on Windows Vista, IE 7 introduced a new running mode, protected mode. Internet Explorer 7 running in protected mode gives up many permissions that are not needed to browse web pages, greatly improving browsing security. On Windows 2000 or Windows XP there is a tool that can likewise restrict a program's run-time permissions: psexec from Sysinternals (which has since been acquired by Microsoft), which I mentioned earlier. Download psexec to the local disk. For example, to run IE with limited permissions, use this command line:

psexec.exe -l -d "C:\Program Files\Internet Explorer\iexplore.exe"

Of course, it would be too troublesome to type this every time you run IE, so make a shortcut for it: drag a shortcut of psexec.exe onto the desktop (don't tell me you can't), then right-click it, choose Properties, and enter the following in the Target field:

D:\depository\sysinternals\pstools\psexec.exe -l -d "C:\Program Files\Internet Explorer\iexplore.exe"

D:\depository\sysinternals\pstools is the directory where psexec.exe is located. From now on you can use this shortcut to run IE. If you use Firefox, do the same thing. Here is the difference between running IE normally and running IE with limited permissions (screenshot from the original post, not reproduced here):
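The same setup done from PowerShell, as an added example that is not part of the original post: it creates the psexec -l shortcut described above and then checks what a -l process actually gets. The paths are the ones from the post; $PsExecDir is an assumption you should point at your own psexec.exe location, and whoami.exe is assumed to be present (it ships with Windows Vista and later).

```powershell
# Added example, not part of the original post: build the psexec -l shortcut the post
# describes and then verify what a -l (limited user) process can actually do.
# Assumptions: $PsExecDir is where psexec.exe lives; $Browser is the default IE path.
$PsExecDir = 'D:\depository\sysinternals\pstools'
$PsExec    = Join-Path $PsExecDir 'psexec.exe'
$Browser   = 'C:\Program Files\Internet Explorer\iexplore.exe'

# 1. Create the desktop shortcut instead of editing the Target field by hand.
$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut((Join-Path $env:USERPROFILE 'Desktop\IE (limited).lnk'))
$lnk.TargetPath       = $PsExec
$lnk.Arguments        = "-l -d `"$Browser`""   # -l limited-user token, -d do not wait
$lnk.WorkingDirectory = $PsExecDir
$lnk.Save()
"Shortcut target: $($lnk.TargetPath) $($lnk.Arguments)"

# 2. Check the restriction: run whoami.exe through psexec -l and look at the token.
#    psexec -l builds a restricted token in which the Administrators group is kept
#    only as "deny only" (and, on Vista and later, Low integrity), so the browser
#    can no longer write to HKLM or Program Files. psexec relays the child's output.
$groups = & $PsExec -accepteula -l "$env:SystemRoot\System32\whoami.exe" /groups 2>$null
$groups | Select-String -Pattern 'Administrators', 'Mandatory Label'
```

A restricted token keeps your own user SID, so a limited browser can still write to your profile and HKCU (including the per-user Run key); what it loses is Administrators membership and therefore HKLM and Program Files. The Administrators line in the whoami output should read "Group used for deny only".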

2. Basically, if you do as I said above, rogue software will not get you. But the world is unpredictable, and everyone steps in something sooner or later. If you suspect you may have been hit, or want to fix problems for others, you have to learn how to check for rogue software. Of course you could use a one-click tool like Super Rabbit, but that is not cool enough, is it? Besides, that kind of software only recognizes known ones, and today's rogue software comes in endless variants that are hard to guard against, so you had better learn to analyze it yourself. It is not purely manual analysis, of course; you still need helper tools. Here I recommend Autoruns from Sysinternals. Autoruns lists every program that runs automatically from the moment Windows starts until the desktop appears or IE is opened, including device drivers, system services, processes that run automatically at logon, and Internet Explorer plug-ins. There are a lot of programs that run automatically, so how do you know which are rogue software and which are not? The check is actually very simple. First, select Verify Code Signatures and Hide Signed Microsoft Entries from the Options menu in Autoruns, then press F5 to rescan. Far fewer startup items are listed:

Take a closer look at the startup items listed on the Everything tab. Legitimate software states the purpose of the program and the company name in the Description and Publisher columns. If these are empty, the entry is very suspicious, and it is generally safe to disable it (just clear its check box). But the reverse does not hold: having both columns filled in does not clear an entry of suspicion. If a name looks strange but you are not sure about it, ask Google. In Autoruns, right-click the entry you find suspicious and choose Google:

If the pages that come up mention rogue software or malware, stop it from running. If no such words appear, the entry is usually legitimate; otherwise it generally is not:
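The triage rule from steps above (unverified signature, empty description, empty publisher) applied to output of autorunsc.exe, the command-line version of Autoruns in the same Sysinternals suite, as an added example that is not part of the original post. The sample rows are constructed, not real indicators, and the CSV column names used (Entry, Description, Signer, Company, Image Path) are assumed to match autorunsc's CSV header.

```powershell
# Added example, not part of the original post: flag autorun entries using the post's
# heuristics. Column names are assumed to match autorunsc -c output; adjust if needed.
function Get-SuspiciousAutoruns {
    param([string[]]$CsvLines)   # CSV text as produced by: autorunsc -a * -s -m -c
    $rows = $CsvLines | ConvertFrom-Csv
    foreach ($r in $rows) {
        $reasons = @()
        # Autoruns prefixes the Signer column with (Verified) only when the code
        # signature checks out; anything else is treated as unsigned.
        if ($r.Signer -notmatch '^\(Verified\)')               { $reasons += 'signature not verified' }
        if ([string]::IsNullOrWhiteSpace($r.Description))      { $reasons += 'no description' }
        if ([string]::IsNullOrWhiteSpace($r.Company))          { $reasons += 'no publisher' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Entry     = $r.Entry
                ImagePath = $r.'Image Path'
                Why       = ($reasons -join ', ')
            }
        }
    }
}

# Constructed sample in autorunsc's CSV layout (entries and paths are made up).
$sample = @'
Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,enabled,Logon,All Users,CTF Loader,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\ctfmon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svchelper,enabled,Logon,All Users,,(Not verified),,c:\program files\common files\svchelper.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects,{CONSTRUCTED-CLSID},enabled,Internet Explorer,All Users,Search Assistant,(Not verified) Example Toolbar Ltd,Example Toolbar Ltd,c:\program files\example toolbar\exbar.dll
'@ -split "`r?`n"

# Expected: ctfmon.exe passes; svchelper fails all three checks; the BHO has both
# columns filled in but still fails the signature check (the post's "reverse does not hold").
Get-SuspiciousAutoruns $sample | Format-Table -AutoSize

# Live run (autorunsc.exe from Sysinternals in PATH): -a * all categories, -s verify
# signatures, -m hide Microsoft entries, -c CSV output, -nobanner no header text.
# autorunsc.exe -accepteula -nobanner -a * -s -m -c > autoruns.csv
# Get-SuspiciousAutoruns (Get-Content .\autoruns.csv)
```

Anything the function flags still needs the manual step the post describes (look at the path, search the name); the script only narrows the list.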

3. The method in step 2 deals with the vast majority of rogue software. But some use more advanced techniques, such as multiple processes protecting each other or rootkits, to stop you from deleting them. For example, CNNIC made several drivers to stop you from modifying the registry keys it sets. To deal with these, first note down the program path of the startup item you cannot delete, then restart Windows and enter Safe Mode with Command Prompt (keep pressing F8 during startup), see:

After you log on, Windows opens a command prompt; delete the program from there.

4. If there are even nastier ones that still cannot be deleted (I have not met any yet), use other tricks: remove the hard disk, attach it to another machine, and delete the file from that system. You can also build an ERD boot disc, start a mini Windows from it, and delete the file. I will not go into how to build and use ERD here.
