Manual removal method for winlogon.exe
The lesson of this pigeon: once you are hit, the days of posting a log and asking for help are coming to an end! Basic system security hardening is every user's most pressing task. "Basic hardening" is by no means just a matter of applying a few patches; you also need to be familiar with one or two capable security tools. Otherwise, once you are hit, you are on your own!
The key to this pigeon is c:\windows\winlogon.dll. If that DLL is prevented from loading and running (for example by blocking it with SSM), every file the pigeon dropped becomes visible; see Figure 1.
This is a Gray Pigeon (灰鴿子) bundled inside Movgear.exe (the Movgear.exe sample came from 安全12公裏). The MD5 of winlogon.exe is 2de9f62c2b405e16cb66773747cf0f2d.
I. After extracting winlogon.exe from Movgear.exe and planting it on the system, the autoruns, HijackThis and SREng logs show nothing abnormal at all.
Files dropped by winlogon.exe:
1、c:\windows\winlogon.exe
2、c:\windows\winlogon.dll
3、c:\windows\winlogonKey.dll
Both DLLs are injected into the IE browser process.
Even when IE is not open, iexplore.exe is still visible in IceSword's process list.
c:\windows\winlogonKey.dll dynamically tracks every application process (as soon as a process starts, it is injected immediately).
Note: even with hidden files set to show, Windows Explorer cannot see the three files Gray Pigeon dropped; only IceSword shows them.
II. The registry changes include:
1. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
added: winlogon.exe (pointing to c:\windows\winlogon.exe)
2. Under HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
added:
"{92780B25-18CC-41C8-B9BE-3C9C571A8263}"=dword:00002002
"{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6}"=dword:00002002
"{FB5F1910-F110-11d2-BB9E-00C04F795683}"=dword:00002001
3. Under HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard
added: "Completed"=hex:01,00,00,00
4. Under HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
added:
"ITBarLayout"=hex:11,00,00,00,5c,00,00,00,00,00,00,00,34,00,00,00,1f,00,00,00,56,\
00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,\
00,00,26,00,00,00,02,00,00,00,21,07,00,00,a0,0f,00,00,04,00,00,\
00,21,01,00,00,a0,0f,00,00,03,00,00,00,20,03,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"=hex:81,45,e0,01,ee,4e,d0,11,bf,e9,00,aa,00,5b,43,83,10,00,00,00,00,\
00,00,00,01,e0,32,f4,01,00,00,00
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"=hex:21,bf,5c,0e,5f,d1,d0,11,83,01,00,aa,00,5b,43,83,22,00,1c,00,08,\
00,00,00,06,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,4c,00,00,00,01,14,02,00,00,00,00,00,c0,00,00,00,00,00,00,\
46,81,00,00,00,10,00,00,00,a0,8f,ff,ba,9d,d4,c6,01,00,9e,02,bb,\
9d,d4,c6,01,a0,8f,ff,ba,9d,d4,c6,01,00,00,00,00,00,00,00,00,01,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,5d,01,14,00,1f,50,\
e0,4f,d0,20,ea,3a,69,10,a2,d8,08,00,2b,30,30,9d,19,00,2f,43,3a,\
5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,5c,\
00,31,00,00,00,00,00,3a,31,09,3c,10,00,44,4f,43,55,4d,45,7e,31,\
00,00,44,00,03,00,04,00,ef,be,3a,31,9c,36,2a,35,f7,29,14,00,00,\
00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,\
61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,\
00,73,00,00,00,18,00,4c,00,31,00,00,00,00,00,2a,35,cb,2e,16,00,\
4e,45,54,57,4f,52,7e,31,00,00,34,00,03,00,04,00,ef,be,3a,31,11,\
39,2a,35,cb,2e,14,00,00,00,4e,00,65,00,74,00,77,00,6f,00,72,00,\
6b,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00,18,00,56,\
00,31,00,00,00,00,00,2a,35,cb,2e,11,00,46,41,56,4f,52,49,7e,31,\
00,00,3e,00,03,00,04,00,ef,be,2a,35,cb,2e,2a,35,cb,2e,14,00,28,\
00,46,00,61,00,76,00,6f,00,72,00,69,00,74,00,65,00,73,00,00,00,\
40,73,68,65,6c,6c,33,32,2e,64,6c,6c,2c,2d,31,32,36,39,33,00,18,\
00,30,00,35,00,00,00,00,00,2a,35,f1,2e,10,00,fe,94,a5,63,00,00,\
1c,00,03,00,04,00,ef,be,2a,35,f1,2e,2a,35,f1,2e,14,00,00,00,fe,\
94,a5,63,00,00,14,00,00,00,60,00,00,00,03,00,00,a0,58,00,00,00,\
00,00,00,00,6c,69,6e,62,61,6f,68,65,00,00,00,00,00,00,00,00,1e,\
8c,63,4d,34,72,b3,48,8a,de,83,67,8f,38,be,10,b1,a9,fd,89,90,40,\
db,11,b2,29,00,d0,59,c0,b8,59,1e,8c,63,4d,34,72,b3,48,8a,de,83,\
67,8f,38,be,10,b1,a9,fd,89,90,40,db,11,b2,29,00,d0,59,c0,b8,59,\
00,00,00,00
5. Under HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
added: "Settings"=hex:0c,00,02,00,0a,01,ef,75,60,00,00,00
6. Under HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
added:
{0055C089-8582-441B-A0BF-17B458C2A3A8}
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
{92780B25-18CC-41C8-B9BE-3C9C571A8263}
{AE7CD045-E861-484F-8273-0445EE161910}
{DEDEB80D-FA35-45D9-9460-4983E5A8AFE6}
{FB5F1910-F110-11D2-BB9E-00C04F795683}
7. Under HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\鏈接
added: "Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00
III. After making the observations above, reboot the system.
After the reboot, Kaspersky raised an alert (my Kaspersky is set to load at startup): Gray Pigeon found. But Kaspersky only deleted c:\windows\winlogon.dll; it did not flag c:\windows\winlogon.exe or c:\windows\winlogonKey.dll at all. Sigh!! Kaspersky is getting less and less reliable. I also found its winlogonKey.log file, whose content is:
#?>.?:4?74;
IV. Removal procedure:
1. Open the Registry Editor, expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and delete Gray Pigeon's service entry: winlogon.exe
2. Reboot the system. Use IceSword to locate and delete the three files the pigeon dropped.
3. Clean the registry (delete the registry entries the pigeon added).
Update, October 31
Removal method:
Work in Safe Mode.
Delete the files:
C:\Downloads
C:\WINDOWS\system32\AddrConfig.bin
C:\WINDOWS\system32\oobe\data
C:\WINDOWS\system32\wbem\ddes
C:\WINDOWS\system32\wbem\kbd101ab.dll
C:\WINDOWS\system32\wbem\SysOption.bin
C:\WINDOWS\system32\wbem\winlogon.exe
Delete the registry keys:
HKCR\CLSID\{881F6F06-4620-4070-AD05-BD77D4C56661}
HKCR\Interface\{468262B9-8400-4A49-B2E5-CE8550EB1347}
HKCR\TypeLib\{F63B08CD-3645-474F-8872-BA4293251FF9}\1.0
HKCR\VCFIWZDY32.VCFIWZDY
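The following triage script is an added example and is not part of the original post. It gathers the indicators listed in the write-up (the three dropped files, the MD5 of winlogon.exe, the bogus Services entry and the CmdMapping GUIDs) and in the October 31 update (the wbem paths and the CLSID/TypeLib/ProgID keys) into one read-only check of a Windows host: it reports, it does not delete. The function name Find-GrayPigeonIndicators is my own; the script assumes Windows PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt, and it deliberately skips the genuine System32\winlogon.exe, which is never an indicator.

```powershell
# Added triage script, not from the original post. Read-only: it lists the
# Gray Pigeon indicators from the write-up and the October 31 update that are
# present on this host. Assumes Windows PowerShell 4.0+ in an elevated prompt.

function Find-GrayPigeonIndicators {
    [CmdletBinding()]
    param()

    # MD5 of the dropped winlogon.exe as stated in the write-up
    $knownBadMd5 = '2de9f62c2b405e16cb66773747cf0f2d'

    # The genuine Winlogon lives in System32; it must never be flagged.
    $legitWinlogon = Join-Path $env:SystemRoot 'System32\winlogon.exe'

    $droppedFiles = @(
        "$env:SystemRoot\winlogon.exe",                 # main write-up
        "$env:SystemRoot\winlogon.dll",
        "$env:SystemRoot\winlogonKey.dll",
        "$env:SystemRoot\winlogonKey.log",
        'C:\Downloads',                                 # October 31 update
        "$env:SystemRoot\system32\AddrConfig.bin",
        "$env:SystemRoot\system32\oobe\data",
        "$env:SystemRoot\system32\wbem\ddes",
        "$env:SystemRoot\system32\wbem\kbd101ab.dll",
        "$env:SystemRoot\system32\wbem\SysOption.bin",
        "$env:SystemRoot\system32\wbem\winlogon.exe"
    )

    # Strong indicators: the bogus service and the COM registration keys
    $registryKeys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\winlogon.exe',
        'Registry::HKEY_CLASSES_ROOT\CLSID\{881F6F06-4620-4070-AD05-BD77D4C56661}',
        'Registry::HKEY_CLASSES_ROOT\Interface\{468262B9-8400-4A49-B2E5-CE8550EB1347}',
        'Registry::HKEY_CLASSES_ROOT\TypeLib\{F63B08CD-3645-474F-8872-BA4293251FF9}\1.0',
        'Registry::HKEY_CLASSES_ROOT\VCFIWZDY32.VCFIWZDY'
    )

    # Weaker indicators: the CmdMapping values written under the .DEFAULT hive
    $cmdMapping = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping'
    $cmdMappingGuids = @(
        '{92780B25-18CC-41C8-B9BE-3C9C571A8263}',
        '{DEDEB80D-FA35-45d9-9460-4983E5A8AFE6}',
        '{FB5F1910-F110-11d2-BB9E-00C04F795683}'
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($type, $item, $note) {
        $findings.Add([pscustomobject]@{ Type = $type; Item = $item; Note = $note })
    }

    foreach ($path in $droppedFiles) {
        if ($path -ieq $legitWinlogon) { continue }          # never the real one
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $note = 'present'
        if ($path -like '*.exe' -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
            $note = if ($md5 -eq $knownBadMd5) { 'present, MD5 matches the sample' }
                    else { "present, MD5 $md5 differs from the sample (other variant?)" }
        }
        Add-Finding 'File' $path $note
    }

    foreach ($key in $registryKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $note = 'key exists'
        $imagePath = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        if ($imagePath) { $note = "key exists, ImagePath = $imagePath" }
        Add-Finding 'Registry' $key $note
    }

    if (Test-Path -LiteralPath $cmdMapping) {
        $props = Get-ItemProperty -LiteralPath $cmdMapping
        foreach ($guid in $cmdMappingGuids) {
            $p = $props.PSObject.Properties[$guid]
            if ($p) { Add-Finding 'Registry' "$cmdMapping\$guid" ('value = 0x{0:x}' -f [int]$p.Value) }
        }
    }

    # Processes with the injected DLLs loaded, or iexplore.exe running with no
    # window (the write-up saw it in IceSword even when IE was not open).
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }     # access denied, 32/64-bit mismatch
        $hit = $mods | Where-Object { $_.ModuleName -match '^winlogon(Key)?\.dll$' }
        if ($hit) { Add-Finding 'Process' "$($proc.ProcessName) (PID $($proc.Id))" "loaded $($hit.ModuleName -join ', ')" }
        if ($proc.ProcessName -ieq 'iexplore' -and $proc.MainWindowHandle -eq 0) {
            Add-Finding 'Process' "iexplore.exe (PID $($proc.Id))" 'running without a window'
        }
    }

    return $findings
}

$result = Find-GrayPigeonIndicators
if ($result.Count -eq 0) {
    Write-Host 'No listed indicators found (see the note on hidden files before trusting this).'
} else {
    $result | Format-Table -AutoSize
}
```

Two caveats follow directly from the write-up. First, while winlogon.dll is loaded it hides the dropped files from user-mode tools, so a clean result from this script on a live system means little; repeat it after blocking the DLL as the author did with SSM, or from Safe Mode as the October 31 update advises, before trusting a negative. Second, the CmdMapping, Toolbar and CabinetState values under HKEY_USERS\.DEFAULT look like ordinary Internet Explorer state for the profile the hidden iexplore.exe ran under, so treat them as supporting evidence only; the Services entry pointing outside System32 and the files themselves are the indicators worth acting on.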