feifengyun - 2009-8-16 13:22:00
中了个木马 弄了2天了~
用户系统信息:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)附件:
新建 文本文档.txt
夲號ヱ被ジ盜 - 2009-8-16 13:28:00
置顶帖找工具删除IEFO【映像劫持】
Sreng工具编辑启动项目-服务
删除:
[6to4 / 6to4][Stopped/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\6to4.dll><N/A>
[System Restore Service / srservice][Stopped/Disabled]
<C:\WINDOWS\system32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\srsvc.dll><N/A>
[Ias / Ias][Stopped/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\Ias.dll><N/A>
SREng工具编辑启动项目-注册表
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
底下的
<{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}
<{5405A7B2-F3F5-446F-8715-2A4EF674E079}
<{9AD1DE62-196C-4C01-9A2F-0BEDEF727C59}
<{0220FBE7-F757-4C74-B246-D6703DCF1087}
<{76B9BA7A-81D0-4979-8598-8471F2AB5186}
<{93F33500-527E-4E33-AECA-69B15243A90E}
<{704C3595-DB85-40F6-A601-8D6F346907BD}
<{08223B03-1B38-4A33-A83A-A4D3CC1D6E4E}
<{8708994F-1758-4C2C-9A3F-FA22D6CCCB41}
<{23DA65D2-C696-4EE4-BEE8-B4841DEC3E30}
<{1055CA44-51F8-486B-8CBD-DC7AD4213F1E}
<{4642593F-4159-4C7B-9036-33D6CD7F1750}
<{36AC68E6-0C26-4D39-B98E-54B49DAB6BAA}
<{2EF0D734-21FD-4225-A1A2-BCD296182AAF}
<{CD478099-014D-4B3A-A4BB-B518F1019BC7}
<{51AA0D89-E9A9-4284-93E8-40C0FDD59304}
<{0A2D7F10-1153-4061-AA4B-ACB870212B57}
<{93DA1E7D-7C46-4F90-8674-EC90511FCA72}
<{8E6D4583-0FA1-41B2-BAAA-63352E6333CA}
<{108DA6C0-CFBF-41D4-9A09-C4D06AE6FFD2}
<{A23CA53C-731F-4033-92E8-C1DFB4E71D34}
<{A5CA6C70-7185-4466-AB45-B1C34E7A37CA}
<{DA112397-5376-4E52-A333-A85284658DEA}
<{E3531A16-FFEA-416F-82DF-32FEDE02EABF}
<{F8C6B7B5-DAE0-4B78-BF2A-101C9A9CCA27}
<{1719B301-B494-4185-9379-242461F9CF02}
<{38FEFE05-702C-440D-AD5C-B796209A1CC5}
<{50EBD6A5-0CF6-4E59-AE08-CCD991AA0596}
<{737858A9-9AEA-4838-9B49-54DA731F7F37}
<{B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}
<{427E02E6-39DB-4424-A49C-7553CD1331F5}
<{D6129F8A-6F6E-41D7-BBC9-AC7426759CED}
<{69B265A2-A172-4D27-BDF1-917E6D8B1DCC}
<{BD07AE7E-DB9C-4FFB-BD21-99DCC8434610}
feifengyun - 2009-8-16 13:32:00
直接用Sreng工具编辑 还是先用【映像劫持】
xyz002 - 2009-8-16 13:33:00
先镜象劫持
夲號ヱ被ジ盜 - 2009-8-16 13:34:00
先用【映像劫持】
feifengyun - 2009-8-16 13:42:00
SREng工具编辑启动项目-注册表
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
底下的
<{122B901E-493F-4AD9-BC69-7DE8C3E52FCC}
<{5405A7B2-F3F5-446F-8715-2A4EF674E079}
<{9AD1DE62-196C-4C01-9A2F-0BEDEF727C59}
<{0220FBE7-F757-4C74-B246-D6703DCF1087}
<{76B9BA7A-81D0-4979-8598-8471F2AB5186}
<{93F33500-527E-4E33-AECA-69B15243A90E}
<{704C3595-DB85-40F6-A601-8D6F346907BD}
<{08223B03-1B38-4A33-A83A-A4D3CC1D6E4E}
<{8708994F-1758-4C2C-9A3F-FA22D6CCCB41}
<{23DA65D2-C696-4EE4-BEE8-B4841DEC3E30}
<{1055CA44-51F8-486B-8CBD-DC7AD4213F1E}
<{4642593F-4159-4C7B-9036-33D6CD7F1750}
<{36AC68E6-0C26-4D39-B98E-54B49DAB6BAA}
<{2EF0D734-21FD-4225-A1A2-BCD296182AAF}
<{CD478099-014D-4B3A-A4BB-B518F1019BC7}
<{51AA0D89-E9A9-4284-93E8-40C0FDD59304}
<{0A2D7F10-1153-4061-AA4B-ACB870212B57}
<{93DA1E7D-7C46-4F90-8674-EC90511FCA72}
<{8E6D4583-0FA1-41B2-BAAA-63352E6333CA}
<{108DA6C0-CFBF-41D4-9A09-C4D06AE6FFD2}
<{A23CA53C-731F-4033-92E8-C1DFB4E71D34}
<{A5CA6C70-7185-4466-AB45-B1C34E7A37CA}
<{DA112397-5376-4E52-A333-A85284658DEA}
<{E3531A16-FFEA-416F-82DF-32FEDE02EABF}
<{F8C6B7B5-DAE0-4B78-BF2A-101C9A9CCA27}
<{1719B301-B494-4185-9379-242461F9CF02}
<{38FEFE05-702C-440D-AD5C-B796209A1CC5}
<{50EBD6A5-0CF6-4E59-AE08-CCD991AA0596}
<{737858A9-9AEA-4838-9B49-54DA731F7F37}
<{B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}
<{427E02E6-39DB-4424-A49C-7553CD1331F5}
<{D6129F8A-6F6E-41D7-BBC9-AC7426759CED}
<{69B265A2-A172-4D27-BDF1-917E6D8B1DCC}
<{BD07AE7E-DB9C-4FFB-BD21-99DCC8434610}
这些都删?我笨 不好意思麻烦了
xyz002 - 2009-8-16 13:44:00
删
feifengyun - 2009-8-16 13:48:00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]这个删不
路上行人 - 2009-8-16 13:48:00
请教下:
[System Restore Service / srservice][Stopped/Disabled]
<C:\WINDOWS\system32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\srsvc.dll><N/A>
为什么删这项啊?虽然srsvc.dll没有签名,但好像是微软出的吧?:kaka2:
merrk_chuan - 2009-8-16 13:52:00
夲號ヱ被ジ盜 - 2009-8-16 14:01:00
原帖由 feifengyun 于 2009-8-16 13:48:00 发表
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]这个删不
不删这个...
feifengyun - 2009-8-16 14:09:00
10楼的高手 你的附件下下来用不起 出现这样的提示 没有找到COMRES.DLL 因此这个应用程序未能启动
dipahole - 2009-8-16 20:11:00
将c:/windows/system32/comres.dll 更名为2.dll
用附件的 comres.dll 粘贴到c:/windows/system32下.
附件:
comres.rar
© 2000 - 2025 Rising Corp. Ltd.