
Hands-on: uninstalling a piece of malware

Malware name: 天天看高清影视
Malware website: http://www.tiantiankan123.com/
Malware behaviour: bundles 360, serves ads in the background, cannot be uninstalled, and its description does not match what it actually does

Background:
A member of my QQ group asked me to help him uninstall this software. At first I took it for a simple NSIS packaging error; later it turned out this nuisance really had me stumped...

[Image 2016061001]

As shown, I double-clicked the installer and installed the software the normal way; to reproduce that group member's problem, I deliberately installed it to the root of drive D:.

[Image 2016061002]

As shown, there really are background pop-ups, and quite a few ads.

[Image 2016061003]

As shown, uninstalling it by the normal route:

[Image 2016061004]

The classic CRC check error appears.
Using the NCRC switch to skip the CRC check turns out to have no effect.

————————————————————————————
Restored the virtual-machine snapshot, monitored the installation, and captured the following record:
------------------------------------------------------------------------------


<?xml version="1.0" encoding="UTF-8" ?>
<ProgramTraces version="1">
	<Folders>
		<Folder>D:\Codecs</Folder>
		<Folder>D:\Skin</Folder>
		<Folder>D:\TTKVOD_CACHE</Folder>
		<Folder>D:\cache</Folder>
		<Folder>D:\icons</Folder>
		<Folder>D:\plugins</Folder>
	</Folders>
	<Files>
		<File>C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt</File>
		<File>C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temp\VGX4E.tmp</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temp\VGX4F.tmp</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01IVOD2Z\511135[1].swf</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01IVOD2Z\CA2BWJXU.htm</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01IVOD2Z\core[1].php</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01IVOD2Z\imp[1].htm</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01IVOD2Z\update[1].ini</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDUF4XUB\12374_1915[1].htm</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDUF4XUB\CAMZIJ25.1wdgry6</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDUF4XUB\hm[2].js</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDUF4XUB\stat[2].gif</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\63d15be5c[1].swf</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\c[1].php</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\crossdomain[1].xml</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\dm[1].gif</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\getPosData0[1].4339639663845502</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\mjd9md[1].swf</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\privacy[2].js</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S1MJ0DIR\121.199.32[1].htm</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S1MJ0DIR\20160426120421_64395[1].flv</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S1MJ0DIR\CAN6QLRJ.6bcz98</File>
		<File>C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S1MJ0DIR\gid8md[1].flv</File>
		<File>C:\Documents and Settings\Administrator\UserData\GT6J864H\cdn.ttkvod[1].xml</File>
		<File>D:\14_43260.dll</File>
		<File>D:\28_83260.dll</File>
		<File>D:\Bento4CDll.dll</File>
		<File>D:\DLVideoParser.dll</File>
		<File>D:\FilmAccMD.dll</File>
		<File>D:\FilmEveryday.exe</File>
		<File>D:\GNU.reg</File>
		<File>D:\HotKey.ini</File>
		<File>D:\HttpDownloader.dll</File>
		<File>D:\JJP2P.dll</File>
		<File>D:\MPlayer.dll</File>
		<File>D:\UpdateEx.exe</File>
		<File>D:\amrn.dll</File>
		<File>D:\amrw.dll</File>
		<File>D:\atrc.dll</File>
		<File>D:\avcReg.reg</File>
		<File>D:\colorcvt.dll</File>
		<File>D:\cook.dll</File>
		<File>D:\ddnt3260.dll</File>
		<File>D:\dnet3260.dll</File>
		<File>D:\drv1.dll</File>
		<File>D:\drv2.dll</File>
		<File>D:\drvc.dll</File>
		<File>D:\hxltcolor.dll</File>
		<File>D:\libcurl.dll</File>
		<File>D:\libvlc.dll</File>
		<File>D:\libvlccore.dll</File>
		<File>D:\msvcr100.dll</File>
		<File>D:\pncrt.dll</File>
		<File>D:\qclp.dll</File>
		<File>D:\ra32clv1.dll</File>
		<File>D:\raac.dll</File>
		<File>D:\ralf.dll</File>
		<File>D:\rv10.dll</File>
		<File>D:\rv20.dll</File>
		<File>D:\rv30.dll</File>
		<File>D:\rv40.dll</File>
		<File>D:\setup.ini</File>
		<File>D:\sipr.dll</File>
		<File>D:\ttkupd.exe</File>
		<File>D:\ttkvodConfig.db</File>
		<File>D:\uninst.exe</File>
		<File>D:\xgengine.exe</File>
	</Files>
	<RegistryKeys>
		<Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\天天看高清影视</Key>
	</RegistryKeys>
	<RegistryValues>
		<Value Key="HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache">C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\z8E7XBs1\ttkupd.exe</Value>
		<Value Key="HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache">D:\ttkupd.exe</Value>
		<Value Key="HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache">D:\xgengine.exe</Value>
	</RegistryValues>
</ProgramTraces>

Uninstalling with a batch script:

@echo off
REM Folders the installer created (rd /s also removes their contents)
rd /s /q "D:\Codecs"
rd /s /q "D:\Skin"
rd /s /q "D:\TTKVOD_CACHE"
rd /s /q "D:\cache"
rd /s /q "D:\icons"
rd /s /q "D:\plugins"
REM Every path is quoted: cmd.exe otherwise splits "Documents and Settings" into three arguments
del "C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt"
del "C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt"
del "C:\Documents and Settings\Administrator\Local Settings\Temp\VGX4E.tmp"
del "C:\Documents and Settings\Administrator\Local Settings\Temp\VGX4F.tmp"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01IVOD2Z\511135[1].swf"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01IVOD2Z\CA2BWJXU.htm"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01IVOD2Z\core[1].php"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01IVOD2Z\imp[1].htm"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01IVOD2Z\update[1].ini"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDUF4XUB\12374_1915[1].htm"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDUF4XUB\CAMZIJ25.1wdgry6"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDUF4XUB\hm[2].js"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDUF4XUB\stat[2].gif"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\63d15be5c[1].swf"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\c[1].php"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\crossdomain[1].xml"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\dm[1].gif"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\getPosData0[1].4339639663845502"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\mjd9md[1].swf"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O5MFKTEJ\privacy[2].js"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S1MJ0DIR\121.199.32[1].htm"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S1MJ0DIR\20160426120421_64395[1].flv"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S1MJ0DIR\CAN6QLRJ.6bcz98"
del "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S1MJ0DIR\gid8md[1].flv"
del "C:\Documents and Settings\Administrator\UserData\GT6J864H\cdn.ttkvod[1].xml"
REM Files dropped into the install root (D:\)
del "D:\14_43260.dll"
del "D:\28_83260.dll"
del "D:\Bento4CDll.dll"
del "D:\DLVideoParser.dll"
del "D:\FilmAccMD.dll"
del "D:\FilmEveryday.exe"
del "D:\GNU.reg"
del "D:\HotKey.ini"
del "D:\HttpDownloader.dll"
del "D:\JJP2P.dll"
del "D:\MPlayer.dll"
del "D:\UpdateEx.exe"
del "D:\amrn.dll"
del "D:\amrw.dll"
del "D:\atrc.dll"
del "D:\avcReg.reg"
del "D:\colorcvt.dll"
del "D:\cook.dll"
del "D:\ddnt3260.dll"
del "D:\dnet3260.dll"
del "D:\drv1.dll"
del "D:\drv2.dll"
del "D:\drvc.dll"
del "D:\hxltcolor.dll"
del "D:\libcurl.dll"
del "D:\libvlc.dll"
del "D:\libvlccore.dll"
del "D:\msvcr100.dll"
del "D:\pncrt.dll"
del "D:\qclp.dll"
del "D:\ra32clv1.dll"
del "D:\raac.dll"
del "D:\ralf.dll"
del "D:\rv10.dll"
del "D:\rv20.dll"
del "D:\rv30.dll"
del "D:\rv40.dll"
del "D:\setup.ini"
del "D:\sipr.dll"
del "D:\ttkupd.exe"
del "D:\ttkvodConfig.db"
del "D:\uninst.exe"
del "D:\xgengine.exe"
REM Remove the values of the Add/Remove Programs entry
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\天天看高清影视" /va /f
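Writing the cleanup script by hand from a trace this size invites quoting mistakes, so here, as an added example that is not the author's script, is a small Python generator that derives the batch commands from a ProgramTraces document of the shape captured above. It quotes every path, removes the Uninstall key outright, and also emits commands for the individual MUICache values, which the hand-written script skipped. It assumes the text of each <Value> element is the value name created under its Key attribute, and the embedded trace is a constructed, abbreviated version of the one above.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated ProgramTraces document in the shape of the trace
# captured above (only a handful of the real entries are reproduced).
SAMPLE_TRACE = r"""<?xml version="1.0" encoding="UTF-8" ?>
<ProgramTraces version="1">
  <Folders>
    <Folder>D:\Codecs</Folder>
  </Folders>
  <Files>
    <File>C:\Documents and Settings\Administrator\Local Settings\Temp\VGX4E.tmp</File>
    <File>D:\ttkupd.exe</File>
    <File>D:\xgengine.exe</File>
  </Files>
  <RegistryKeys>
    <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\天天看高清影视</Key>
  </RegistryKeys>
  <RegistryValues>
    <Value Key="HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache">D:\ttkupd.exe</Value>
  </RegistryValues>
</ProgramTraces>
"""

def q(s):
    # cmd.exe splits unquoted arguments on spaces, so every path is wrapped in
    # double quotes; Windows paths cannot themselves contain a double quote.
    return '"' + s + '"'

def trace_to_batch(xml_text):
    """Turn a ProgramTraces document into the cmd.exe lines that undo it."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    lines = ["@echo off"]
    # Files first, then folders (rd /s also sweeps up anything del missed).
    for node in root.iterfind("./Files/File"):
        lines.append("del /f /q " + q(node.text))
    for node in root.iterfind("./Folders/Folder"):
        lines.append("rd /s /q " + q(node.text))
    # Assumption: a <Value> element's text is the value name created under its
    # Key attribute, so only that value goes, never the shared MUICache key.
    for node in root.iterfind("./RegistryValues/Value"):
        lines.append("reg delete %s /v %s /f" % (q(node.get("Key")), q(node.text)))
    # Keys the installer created (its Uninstall entry) are removed outright.
    for node in root.iterfind("./RegistryKeys/Key"):
        lines.append("reg delete " + q(node.text) + " /f")
    return lines

if __name__ == "__main__":
    # Save the output in the system ANSI code page (GBK on a Chinese Windows),
    # since the Uninstall key name contains Chinese characters.
    print("\n".join(trace_to_batch(SAMPLE_TRACE)))
```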



Article title: Hands-on: uninstalling a piece of malware
Author: 慕若曦
Published: 2016-06-10 12:25 (Friday), first published on 慕若曦博客
Permalink: https://www.muruoxi.com/pc/302.html

29 comments
  1. #20 经典句子大全 (2021-01-12 13:13)
     That's not playing fair.

  2. #19 演员网 (2016-12-07 15:21)
     Impressive, I learned something.

  3. #18 Stevie (2016-09-12 21:39)
     If you are interested in topic: earn online without investment ukraine – you should read about Bucksflooder first

  4. #17 迎風别葉index (2016-07-16 22:26)
     Restore points for the win.

  5. #16 雨伤 (2016-07-03 10:33)
     This software is so nasty....

  6. #15 JACK的机器人 (2016-06-21 21:34)
     Haven't run into malware in ages :bobo_paomeiyan:

  7. #14 themebetter (2016-06-17 16:38)
     Leaving a footprint; welcome to the themebetter Q&A to discuss all kinds of website technical issues!

  8. #13 Crazy青涩 (2016-06-17 12:40)
     Sharp~ Where did you monitor that installation record? QAQ
