Thursday, June 17, 2010

Disabling WScript.Shell command-line execution on a web server

The simplest approach is to unregister the component and delete the file that provides it. Save the following into a .BAT file (the paths below are for Windows 2000; on Windows Server 2003 the system folder is C:\WINDOWS\ instead of C:\WINNT\):


rem Unregister and delete the WSH object library (hosts WScript.Shell and WScript.Network)
regsvr32 /u C:\WINNT\System32\wshom.ocx
del C:\WINNT\System32\wshom.ocx
rem Unregister and delete the library that hosts Shell.Application
regsvr32 /u C:\WINNT\system32\shell32.dll
del C:\WINNT\system32\shell32.dll


Run it, and WScript.Shell, Shell.Application and WScript.Network are unregistered. If you are told that a file cannot be deleted, ignore it; after the server is restarted you will find that attempts to use these three components fail with a "security" error.

How to unregister WScript.Shell and the other objects

1. Unregister the WScript.Shell object

Run in cmd: regsvr32 WSHom.Ocx /u

2. Unregister the FSO object

Run in cmd: regsvr32.exe scrrun.dll /u

3. Unregister the Stream object

Run in cmd:

regsvr32 /s /u "C:\Program Files\Common Files\System\ado\msado15.dll"

To re-enable a component, run the same command without the /u switch.



Against WScript.Shell
The defence against such viruses is to uninstall Windows Scripting Host.

The specific steps are: My Computer → Control Panel → Add/Remove Programs → Windows Setup →

Accessories → Details → Windows Scripting Host → OK. In fact there is a simpler way:
type the following two commands, each followed by Enter:
regsvr32 /u wshom.ocx, then regsvr32 /u wshext.dll.

This removes the registration values of the .wsh objects from the registry, so a virus that depends on those objects

fails to run because the object cannot be found.




Prevention method for the WScript.Shell component:
Modify the registry and rename the component.
Rename HKEY_CLASSES_ROOT\WScript.Shell\ and HKEY_CLASSES_ROOT\WScript.Shell.1\
to other names, for example WScript.Shell_ChangeName or WScript.Shell.1_ChangeName. Afterwards, your own code can still use the component normally by calling it under the new name.
The CLSID value also has to be changed:
HKEY_CLASSES_ROOT\WScript.Shell\CLSID\ (Default) value
HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID\ (Default) value
These can also be deleted to prevent harm from such Trojans.

Prevention method for the Shell.Application component:
Modify the registry and rename the component.
HKEY_CLASSES_ROOT\Shell.Application\
and
HKEY_CLASSES_ROOT\Shell.Application.1\
Rename them to other names, for example Shell.Application_ChangeName or Shell.Application.1_ChangeName.
Afterwards, your own code can still use the component normally by calling it under the new name.
The CLSID value also has to be changed:
HKEY_CLASSES_ROOT\Shell.Application\CLSID\ (Default) value
HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\ (Default) value
These can also be deleted to prevent harm from such Trojans.
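The rename described above, as an added PowerShell example that is not part of the original post: it renames the ProgID keys WScript.Shell, WScript.Shell.1, Shell.Application and Shell.Application.1 to the _ChangeName names the post suggests, exports each key first so the change can be reverted with reg import, points the class's ProgID back-reference at the new name, and then checks that creating the objects by their old names fails. It assumes an elevated PowerShell session on a modern Windows (the post targets Windows 2000/2003, but the registry layout is the same) and leaves the CLSID GUID values themselves unchanged; the post additionally suggests changing or deleting them.

```powershell
# Added example (not from the original post): rename the ProgIDs of WScript.Shell
# and Shell.Application under HKEY_CLASSES_ROOT so scripts that create them by
# name fail, while code you control can still reach them under the new name.
# Run from an elevated PowerShell prompt. The "_ChangeName" suffix follows the post;
# the HKCR: drive is created here because PowerShell does not map it by default.

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$progIds = 'WScript.Shell', 'WScript.Shell.1', 'Shell.Application', 'Shell.Application.1'
$suffix  = '_ChangeName'

foreach ($progId in $progIds) {
    $oldKey = "HKCR:\$progId"
    $newKey = "HKCR:\$progId$suffix"

    if (-not (Test-Path $oldKey)) {
        Write-Host "$progId : not registered (or already renamed), nothing to do"
        continue
    }

    # Back up the key first so the change can be reversed with 'reg import'.
    $backup = Join-Path $env:TEMP ("{0}.reg" -f ($progId -replace '\.', '_'))
    & reg.exe export "HKEY_CLASSES_ROOT\$progId" $backup /y | Out-Null

    # Rename the ProgID key itself; its CLSID subkey moves with it.
    Rename-Item -Path $oldKey -NewName "$progId$suffix"

    # Point the class's ProgID back-reference at the new name so the class
    # resolves to the renamed ProgID only (64-bit view; see the note below).
    $clsid = (Get-ItemProperty -Path "$newKey\CLSID" -ErrorAction SilentlyContinue).'(default)'
    if ($clsid -and (Test-Path "HKCR:\CLSID\$clsid\ProgID")) {
        Set-Item -Path "HKCR:\CLSID\$clsid\ProgID" -Value "$progId$suffix"
    }
    Write-Host "$progId : renamed to $progId$suffix (backup: $backup)"
}

# Verify: creating the object by its old name must now fail.
foreach ($progId in $progIds) {
    try {
        $null = New-Object -ComObject $progId -ErrorAction Stop
        Write-Warning "$progId can still be created by its old name"
    } catch {
        Write-Host "$progId : creation blocked ($($_.Exception.Message.Trim()))"
    }
}
```

Run it once; a second run reports the keys as already renamed. On 64-bit Windows the ProgID keys are shared between the 32-bit and 64-bit registry views, but HKCR\CLSID is not: a 32-bit IIS application pool resolves classes under HKCR\WOW6432Node\CLSID, so adjust the back-reference in that view too. To revert, delete the renamed key and import the .reg file written to %TEMP%.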



======================================================

From the relevant code of the ASP Trojan above, it is not hard to see that ordinary ASP Trojans and webshells mainly use the following ASP components:

① WScript.Shell (classid: 72C24DD5-D70A-438B-8A42-98424B88AFB8)

② WScript.Shell.1 (classid: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B)

③ WScript.Network (classid: 093FF999-1EA0-4079-9525-9614C3504B74)

④ WScript.Network.1 (classid: 093FF999-1EA0-4079-9525-9614C3504B74)

⑤ FileSystemObject (classid: 0D43FE01-F093-11CF-8940-00A0C9054228)

⑥ Adodb.Stream (classid: 00000566-0000-0010-8000-00AA006D2EA4)

⑦ Shell.Application ....

Heh, these are clearly the culprits doing the most harm to our IIS web server! Let's start the surgery...

2: The solution:

① Delete or rename the following dangerous ASP components:

WScript.Shell, WScript.Shell.1, WScript.Network, WScript.Network.1, Adodb.Stream,

Shell.Application

Start -------> Run ---------> Regedit to open the Registry Editor, press Ctrl+F to search, and enter in turn the

component names above (WScript.Shell and so on) and their corresponding ClassIDs, then delete or rename them (renaming is recommended here:

if some of your ASP pages use these components, then after renaming you only need to change the component name in the ASP code

to the new name and the pages keep working. Of course, if you are sure your ASP programs do not use the components above, you can simply

delete them for peace of mind ^_^; in practice ordinary pages generally do not use these components. After deleting or renaming, run iisreset
to restart IIS so the change takes
effect.)

[NOTE: Because the Adodb.Stream component is used by many pages, if your server is a virtual host that is open to customers, then



② About the File System Object (classid: 0D43FE01-F093-11CF-8940-00A0C9054228), the often-discussed FSO

security problem: if your server needs FSO (some virtual host servers normally require FSO to be enabled), refer to my other article on FSO security: Microsoft Windows 2000 Server FSO security risks solution. If you are sure you do not use it, you can simply unregister the component.

③ Directly unregister and uninstall these dangerous components (useful if the methods in ① and ② seem too cumbersome):

Unregister the WScript.Shell object: run in cmd: regsvr32 /u %windir%\system32\WSHom.Ocx

Unregister the FSO object: run in cmd: regsvr32.exe /u %windir%\system32\scrrun.dll

Unregister the Stream object: run in cmd: regsvr32 /s /u "C:\Program Files\Common Files\System\ado\msado15.dll"

To restore, just remove /u and the ASP component is re-registered, for example: regsvr32.exe %windir%\system32\scrrun.dll
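The unregister procedure in ③ (and the batch file at the top of the post), as an added PowerShell example that is not the post's own code: it resolves each ProgID the post names to its CLSID and server DLL through the registry, so it works whether the system folder is C:\WINNT or C:\WINDOWS, reports the registration state, unregisters with regsvr32 /s /u only when run with -Unregister, and finishes by testing whether a script can still create each object by ProgID. Scripting.FileSystemObject is the ProgID behind the post's "FileSystem Object" classid. The script deliberately never runs regsvr32 /u against shell32.dll (the post's batch file deletes it): shell32.dll is the core Explorer library and removing it breaks the desktop shell, so Shell.Application is only reported here and is better handled by the rename method. Assumes an elevated session on a modern Windows; save as, say, Audit-AspComponents.ps1.

```powershell
# Added example (not from the original post): audit and optionally unregister
# the COM components ASP webshells rely on, then confirm they cannot be created.
# Usage:  .\Audit-AspComponents.ps1              (report only)
#         .\Audit-AspComponents.ps1 -Unregister  (report, unregister, re-test)
param([switch]$Unregister)

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# ProgIDs named in the post. Shell.Application lives in shell32.dll, which must
# never be unregistered, so it is reported but excluded from -Unregister.
$components      = 'WScript.Shell', 'WScript.Network', 'Scripting.FileSystemObject',
                   'ADODB.Stream', 'Shell.Application'
$doNotUnregister = 'Shell.Application'

function Get-ComStatus {
    # Resolve ProgID -> CLSID -> InprocServer32 path, the same lookup CreateObject does.
    param([string]$ProgId)
    $clsid = (Get-ItemProperty -Path "HKCR:\$ProgId\CLSID" -ErrorAction SilentlyContinue).'(default)'
    $server = $null
    if ($clsid) {
        $server = (Get-ItemProperty -Path "HKCR:\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($server) { $server = [Environment]::ExpandEnvironmentVariables($server) }
    }
    [pscustomobject]@{
        ProgId     = $ProgId
        Clsid      = $clsid
        Server     = $server
        Registered = [bool]$server -and (Test-Path $server)
    }
}

function Test-ComCreate {
    # True if a script on this host could still instantiate the object by ProgID.
    param([string]$ProgId)
    try { $null = New-Object -ComObject $ProgId -ErrorAction Stop; return $true }
    catch { return $false }
}

foreach ($progId in $components) {
    $status = Get-ComStatus -ProgId $progId
    Write-Host ("{0,-28} registered={1,-5} server={2}" -f $status.ProgId, $status.Registered, $status.Server)

    if ($Unregister -and $status.Registered -and $progId -notin $doNotUnregister) {
        # /s = silent, /u = unregister; the exit code reports success (0) or failure.
        & regsvr32.exe /s /u $status.Server
        Write-Host ("  regsvr32 /s /u {0} -> exit code {1}" -f $status.Server, $LASTEXITCODE)
    }
}

Write-Host "`nCreation test (False means scripts can no longer create the object):"
foreach ($progId in $components) {
    Write-Host ("{0,-28} canCreate={1}" -f $progId, (Test-ComCreate -ProgId $progId))
}
```

The creation test runs in the bitness of the PowerShell process: a 64-bit PowerShell exercises the 64-bit registration, while a 32-bit IIS application pool uses the WOW6432Node view and the 32-bit DLLs under %windir%\SysWOW64, so run the script from a 32-bit PowerShell too if your application pools are 32-bit. Re-register a component by running regsvr32 on the same server path without /u, as the post says.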

④ Webshells use Set domainObject = GetObject("WinNT://.") to obtain the server's processes, services and

user information. To prevent this, stop and disable the Workstation service ("provides network connections and communications"), i.e. the LanmanWorkstation service.

After this, the webshell's process listing shows blank.
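The service change in ④, as an added PowerShell example rather than the post's own commands: it lists the running services that depend on Workstation before stopping it, because disabling LanmanWorkstation also removes the SMB client (UNC paths, mapped drives, domain logon traffic) and stops services such as Netlogon that depend on it. Assumes an elevated session on a modern Windows.

```powershell
# Added example (not from the original post): stop and disable the Workstation
# service (LanmanWorkstation) as the post describes, after showing what else stops.
$svc = Get-Service -Name LanmanWorkstation

# Running services that depend on Workstation will be stopped along with it.
$dependents = Get-Service -Name LanmanWorkstation -DependentServices |
              Where-Object Status -eq 'Running'
if ($dependents) {
    Write-Host "Stopping Workstation also stops:"
    $dependents | ForEach-Object { Write-Host "  $($_.Name) ($($_.DisplayName))" }
}

if ($svc.Status -ne 'Stopped') {
    # -Force stops the dependent services first, as the service controller requires.
    Stop-Service -Name LanmanWorkstation -Force
}
Set-Service -Name LanmanWorkstation -StartupType Disabled

# Confirm the result: Status should be Stopped and StartType Disabled.
Get-Service -Name LanmanWorkstation | Format-List Name, Status, StartType
```

To undo the change, run Set-Service -Name LanmanWorkstation -StartupType Automatic and then Start-Service LanmanWorkstation, restarting any dependents listed above that you still need.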

3. After the dangerous ASP components have been handled with methods 1 and 2, the "A River" ASP probe's "server CPU details" and "server

operating system" can no longer be read out and show blank. Running the Trojan's cmd test of WScript.Shell prompts that the ActiveX component

cannot be created. ASP Trojans can then no longer harm the server, and we need not worry about the system's safety any more.
