返回列表 发帖
b451226

Rank: 1

帖子
27 
积分
48 
威望
64  
金钱
62  
在线时间
1 小时 
1 跳转到 »
发表于 2009-2-11 12:15 | 显示全部帖子
Svchost.exe[转载]04
将1.hiv装载进Regshot中的1st shot,然后对当前的注册表做2st   shot的快照,然后使用compare进行比较,其比较的结果如下:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet   Explorer\PortLess\FdsnqbTsuni`: "tjnkbu"   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet   Explorer\PortLess\Wfttphuc: "tofiXdo"   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Security\Security:   01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C   00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00   00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00   00 00 05 12 00 00 00 63 00 6F 00 00 00 1C 00 FF 01 0F 00 01 02 00 00   00 00 00 05 20 00 00 00 20 02 00 00 6D 00 00 00 00 00 18 00 8D 01 02   00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01   02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 6D 00 00 00 01   01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Parameters\ServiceDll:   "C:\WINNT\system32\Svchostdll.dll"   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Parameters\program:   "SvchostDLL.exe"   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Parameters\Interactive:   0x00000000   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Type:   0x00000020   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Start:   0x00000002   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\ErrorControl:   0x00000001   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\ImagePath:   "%SystemRoot%\System32\Svchost.exe -k netsvcs"   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\DisplayName:   "Intranet Services"   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\ObjectName:   "LocalSystem"   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Services\IPRIP\Security\Security:   01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C   00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00   00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00   00 00 05 12 00 00 00 63 00 6F 00 00 00 1C 00 FF 01 0F 00 01 02 00 00   00 00 00 05 20 00 00 00 20 02 00 00 6D 00 00 00 00 00 18 00 8D 01 02   00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01   02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 6D 00 00 00 01   01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00   HKEY_LOCAL_MACHINE\SYSTEM

\CurrentControlSet\Services\IPRIP\Parameters\Service

Dll:   "C:\WINNT\system32\Svchostdll.dll" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\program:   "SvchostDLL.exe"   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

\Services\IPRIP\Parameters\Interactive:   0x00000000   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

\Services\IPRIP\Type:   0x00000020   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

\Services\IPRIP\Start:   0x00000002   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

\Services\IPRIP\ErrorControl:   0x00000001   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

\Services\IPRIP\ImagePath:   "%SystemRoot%\System32\Svchost.exe -k netsvcs"   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

\Services\IPRIP\DisplayName:   "Intranet Services"   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

\Services\IPRIP\ObjectName:   "LocalSystem"   可以看出,PortLess BackDoor   V1.2将自己注册为了服务IPRIP,它使用的启动参数是"%SystemRoot%\System32\Svchost.exe -k   netsvcs",它使用的DLL文件是"C:\WINNT\system32\Svchostdll.dll"。通过这里,我们就可以找到PortLess,将它使用的服务禁止掉,然后将对应的DLL文件删除,并将注册表中这些多出来的键值干掉,三下五除二就将Portless弄得一干二净!现在大家知道怎么清理掉用Svchost加载的后门了吧?!


这个看不懂,越看越糊涂了。如果你们也看不懂,不要问我哦。

我也是正在努力的。

不过我是机子中毒才开始看这方面的东西。

TOP

返回列表