duanch1981, posted 2008-11-24 20:03, post #11
Found this on Baidu, hope it helps you!

Recently my computer suddenly became sluggish, and I noticed the antivirus kept reporting that userinit.exe had been modified. Open the C:\WINDOWS\system32 folder (if your system is not installed on drive C, find the corresponding directory), locate the files userinit.exe, explorer.exe, ctfmon.exe and conime.exe, right-click each one and open Properties. If the Properties window shows no Version tab for the file, the machine has been infected with 机器狗 (Robot Dog).

The virus creates userinit.exe and drops it into the %systemroot%\system32 directory. Then userinit.exe takes over the work, and the userinit.exe process exits. Once userinit.exe is running it creates an svchost.exe process; when that task is done, the userinit.exe process ends on its own. svchost.exe is the main actor: it starts listening on local port 4444 and at the same time furiously downloads viruses such as kaqhjaz.exe and kawdeaz.exe. If it wanted to, it could presumably download N more viruses. Through these three actions the virus has completed the whole process of seizing command of the system. Once the virus has done what it wanted, every process vanishes without a sound, so if you are not careful you will never even think your system has been successfully invaded. Truly seamless!! The first two processes stay in the process list for an extremely short time, practically a flash, and the main actor that follows, svchost.exe, is the last thing you would ever suspect: it is the core process of system services, and most of them are started through it.

Also, the latest Robot Dog virus cannot be seen by the ARP firewall!! After breaking through the restore, it connects to the IP xxx.xxx.xxx.xxx to download more powerful variants, destroys GHOST files, automatically turns on the SERVER service, and spreads rapidly across the LAN.

If your system has already been wrecked by this virus and you cannot log in, see:
Solution for userinit.exe abnormalities caused by Robot Dog and its variants http://www.antidu.cn/html/3/2008/1/antidu_200814163642.html
Fix: Userinit.exe repair tool http://bbs.antidu.cn/thread-3602-1-1.html
Robot Dog virus Userinit.exe immunization program http://www.antidu.cn/html/8/2007/11/antidu_20071130203704.html

Zonga's solution for everyone: the registry method (please credit this space, http://hi.baidu.com/nuanruohan, when reposting).

Below are two parts, one a batch file and one a registry file! Make sure c:\windows\system32\userinit.exe is a clean file.

@echo off
REM Keep a protected copy of the clean userinit.exe in system32\1\2:
REM Everyone gets full control of 1\2, but no access to the parent 1,
REM so the copy can still be launched by path but not browsed or replaced.
md %systemroot%\system32\1
md %systemroot%\system32\1\2
copy /y c:\windows\system32\userinit.exe c:\windows\system32\1\2\
echo y|cacls c:\windows\system32\1\2 /p everyone:f
echo y|cacls c:\windows\system32\1 /p everyone:n
REM Occupy the driver name the virus uses with a directory nobody can access.
md %systemroot%\system32\drivers\pcihdd.sys
cacls %systemroot%\system32\drivers\pcihdd.sys /e /p everyone:n
REM Lock the original userinit.exe so it cannot be overwritten.
echo y|cacls c:\windows\system32\userinit.exe /p everyone:n
REM "Immunize" each known dropper filename: create a directory with that name
REM so the virus cannot create a file there (errors ignored if it exists).
md c:\WINDOWS\AVPSrv.exe >nul 2>nul
md c:\WINDOWS\DiskMan32.exe >nul 2>nul
md c:\WINDOWS\IGM.exe >nul 2>nul
md c:\WINDOWS\Kvsc3.exe >nul 2>nul
md c:\WINDOWS\lqvytv.exe >nul 2>nul
md c:\WINDOWS\MsIMMs32.exe >nul 2>nul
md c:\WINDOWS\system32\3CEBCAF.EXE >nul 2>nul
md %windir%\system32\drivers\svchost.exe >nul 2>nul
md c:\WINDOWS\system32\a.exe >nul 2>nul
md c:\WINDOWS\upxdnd.exe >nul 2>nul
md c:\WINDOWS\WinForm.exe >nul 2>nul
md c:\WINDOWS\system32\rsjzbpm.dll >nul 2>nul
md c:\WINDOWS\system32\racvsvc.exe >nul 2>nul
md c:\WINDOWS\cmdbcs.exe >nul 2>nul
md c:\WINDOWS\dbghlp32.exe >nul 2>nul
md c:\WINDOWS\nvdispdrv.exe >nul 2>nul
md c:\WINDOWS\system32\cmdbcs.dll >nul 2>nul
md c:\WINDOWS\system32\dbghlp32.dll >nul 2>nul
md c:\WINDOWS\system32\upxdnd.dll >nul 2>nul
md c:\WINDOWS\system32\yfmtdiouaf.dll >nul 2>nul
REM Then deny Everyone on each placeholder directory.
echo y|cacls.exe c:\WINDOWS\AVPSrv.exe /d everyone >nul 2>nul
echo y|cacls.exe %windir%\system32\drivers\svchost.exe /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\DiskMan32.exe /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\IGM.exe /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\Kvsc3.exe /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\lqvytv.exe /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\MsIMMs32.exe /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\system32\3CEBCAF.EXE /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\system32\a.exe /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\upxdnd.exe /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\WinForm.exe /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\system32\rsjzbpm.dll /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\system32\racvsvc.exe /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\cmdbcs.exe /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\dbghlp32.exe /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\nvdispdrv.exe /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\system32\cmdbcs.dll /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\system32\dbghlp32.dll /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\system32\upxdnd.dll /d everyone >nul 2>nul
echo y|cacls.exe c:\WINDOWS\system32\yfmtdiouaf.dll /d everyone >nul 2>nul
REM Image File Execution Options: point IGM.EXE at a nonexistent "debugger"
REM so Windows cannot launch it, then refresh policy.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IGM.EXE" /v debugger /t reg_sz /d debugfile.exe /f
gpupdate
exit

Below is the registry part!

Windows Registry Editor Version 5.00

; Make Winlogon start the protected copy of userinit.exe (the trailing comma is required)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\1\\2\\userinit.exe,"

; hex(2) is REG_EXPAND_SZ in UTF-16LE; it decodes to %SystemRoot%\System32\1\2\userinit.exe
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Userinit]
"EventMessageFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
  00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,31,00,5c,00,32,00,5c,00,75,00,73,00,65,00,72,00,69,00,6e,00,69,00,74,\
  00,2e,00,65,00,78,00,65,00,00,00
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\Userinit]
"EventMessageFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
  00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,31,00,5c,00,32,00,5c,00,75,00,73,00,65,00,72,00,69,00,6e,00,69,00,74,\
  00,2e,00,65,00,78,00,65,00,00,00
"TypesSupported"=dword:00000007

Save it as *.reg. Run the two files above and it is fixed immediately.

3. Method to prevent userinit.exe from being modified (please credit this space, http://hi.baidu.com/nuanruohan, when reposting):
Step 1: copy a clean, uninfected userinit.exe into the SYSTEM32 directory.
Step 2: rename the copied userinit.exe to some other filename, for example mylogin.exe.
Step 3: change the Userinit value under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] from C:\WINDOWS\system32\userinit.exe, to C:\WINDOWS\system32\mylogin.exe, and note that there is an English comma after the value.
Step 4: immunize userinit.exe, meaning create a directory named userinit.exe and remove all permissions on it.
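The checks the post does by hand (looking for a Version tab on userinit.exe and friends, inspecting the Winlogon Userinit value, the port 4444 listener, the IFEO "debugger" entries) can be collected in one read-only script. The following PowerShell is an added example and is not code from the poster or from the antidu.cn tools linked above; it assumes the default %SystemRoot%\system32 layout and that it is run from an elevated prompt. It changes nothing on the machine and only reports what it sees.

```powershell
# Added example (not from the original post): read-only triage for the
# indicators described above. Assumption: default %SystemRoot% layout.
$expectedUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ifeoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$findings    = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Subject, [string]$Result) {
    $findings.Add([pscustomobject]@{ Check = $Check; Subject = $Subject; Result = $Result })
}

# 1. What will Winlogon actually launch at logon? The value is a comma-separated
#    list; anything other than the expected path deserves a closer look.
$userinit = (Get-ItemProperty -Path $winlogonKey -Name Userinit).Userinit
foreach ($entry in ($userinit -split ',' | Where-Object { $_.Trim() })) {
    $p = $entry.Trim()
    $verdict = if ($p -ieq $expectedUserinit) { 'expected path' } else { 'UNEXPECTED path, inspect' }
    Add-Finding 'Winlogon\Userinit' $p $verdict
}

# 2. The post's manual check, automated: a genuine Windows binary carries a
#    version resource (the "Version" tab) and a valid Microsoft signature.
foreach ($name in 'userinit.exe', 'explorer.exe', 'ctfmon.exe', 'conime.exe') {
    $path = Join-Path $env:SystemRoot ('system32\' + $name)
    if (-not (Test-Path $path)) { Add-Finding 'system32 file' $name 'not present'; continue }
    $ver = (Get-Item $path).VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $path
    $problems = @()
    if (-not $ver.FileVersion)                   { $problems += 'no version resource' }
    if ($ver.CompanyName -notlike '*Microsoft*') { $problems += 'CompanyName is not Microsoft' }
    if ($sig.Status -ne 'Valid')                 { $problems += "signature status $($sig.Status)" }
    $result = if ($problems) { $problems -join '; ' } else { "ok (version $($ver.FileVersion))" }
    Add-Finding 'system32 file' $name $result
}

# 3. Stray copies of userinit.exe anywhere under %SystemRoot% other than the
#    expected location (the post describes the virus dropping its own copy).
Get-ChildItem -Path $env:SystemRoot -Filter userinit.exe -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ine $expectedUserinit } |
    ForEach-Object { Add-Finding 'extra userinit.exe' $_.FullName 'copy outside system32, inspect' }

# 4. The post says the malicious svchost.exe listens on local port 4444.
#    netstat exists on every Windows version, so it is used instead of
#    Get-NetTCPConnection (which needs Windows 8 or later).
$listeners = netstat -ano | Select-String -Pattern ':4444\s+\S+\s+LISTENING'
if ($listeners) {
    $listeners | ForEach-Object { Add-Finding 'TCP 4444 listener' $_.Line.Trim() 'listening, inspect owning PID' }
} else {
    Add-Finding 'TCP 4444 listener' 'none' 'ok'
}

# 5. Image File Execution Options "Debugger" values: the batch file above uses
#    one to block IGM.EXE, but malware uses the same key to hijack programs,
#    so every entry should be accounted for.
Get-ChildItem -Path $ifeoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO Debugger' $_.PSChildName $dbg }
}

$findings | Format-Table -AutoSize
```

Two caveats when reading the output. Windows system binaries are usually catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature only resolves catalog signatures on Windows 8 / PowerShell 3 and later, so on the XP-era systems this post targets a "NotSigned" status for a file with a Microsoft version resource is expected; treat the missing version resource, the unexpected Winlogon path, and the stray userinit.exe copies as the stronger signals. conime.exe is also simply absent on Windows 7 and later, so "not present" for it is normal there.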