(Immunization patch download) Latest IGM / 机器狗 virus: research and discussion on defending against restore penetration, and solutions

The current 080106 release fixes the Loguser.dll error that appeared after rebooting the computer,
and adds partial immunization for the latest "冬日桃花" (Winter Peach Blossom) Worm.Win32.Anilogo.b that appeared on 12/19.
When the 071210 release is run, 360安全卫士 gives a false positive during its trojan scan, because
the viruses the patch itself immunizes against include the following:
Wxptdi downloader, i.e. c:\windows\system32\Wxptdi.sys
gdwli32 password-stealing trojan, C:\WINDOWS\system32\drivers\comint32.sys
I don't want to explain these again; those who understand should know whether they are really trojans or not!
Notes before running:
Friends who have a startup maintenance "channel" can just call it directly;
no need to save!
I have been extremely frustrated lately by IGM and 机器狗 (Robot Dog)!
I do Internet café maintenance. Some cafés use 冰点 (Deep Freeze), 讯闪, restore cards, or 网维大师 VD to restore the system!
Apart from 网维大师, which was not penetrated, all the others were ravaged by the virus!! What a disaster!
Running from one place to the next.
Analysis:
Previously I used an immunization batch file similar to the one by 歪歪, a former moderator of this forum,
plus a reinforced batch file I wrote after testing virus samples myself.
As follows:
rem Occupy the file names the virus uses with directories, then deny Everyone access to them.
rem %%i is the batch-file form; use %i if typed at a command prompt.
for /L %%i in (1,1,27) do (
    md c:\PROGRA~1\%%i.exe >nul 2>nul
    cacls c:\PROGRA~1\%%i.exe /e /p everyone:n >nul 2>nul
)
md c:\PROGRA~1\arpqc.exe >nul 2>nul
md c:\PROGRA~1\explorer.exe >nul 2>nul
cacls c:\PROGRA~1\explorer.exe /e /p everyone:n >nul 2>nul
cacls c:\PROGRA~1\arpqc.exe /e /p everyone:n >nul 2>nul
rem pcihdd.sys is the low-level disk driver the virus loads
md %systemroot%\system32\drivers\pcihdd.sys >nul 2>nul
rem usrinit.exe placeholder lives in system32, the same path the deny ACL below is applied to
md %systemroot%\system32\usrinit.exe >nul 2>nul
md %systemroot%\system32\vml.exe >nul 2>nul
echo y|cacls.exe %systemroot%\system32\drivers\pcihdd.sys /d everyone >nul 2>nul
rem the real userinit.exe stays, but becomes read-only for every user
echo y|cacls.exe %systemroot%\system32\userinit.exe /g everyone:r >nul 2>nul
echo y|cacls.exe %systemroot%\system32\usrinit.exe /d everyone >nul 2>nul
echo y|cacls.exe %systemroot%\system32\vml.exe /d everyone >nul 2>nul
echo y|cacls.exe %systemroot%\system32\pthreadVC.dll /d everyone >nul 2>nul
echo y|cacls.exe %systemroot%\system32\wpcap.dll /d everyone >nul 2>nul
With the immunization above, the virus was blocked! But against the newest variant it still could not escape its fate.
After infection with the newest variant, because userinit.exe had been given read-only permission for all users, and usrinit.exe had the "placeholder, deny access" entry,
the result was that after penetration the boot "froze" on explorer.exe! Going into safe mode and bringing up Task Manager showed that there was no
explorer.exe, so the system could not be entered. When explorer.exe was re-launched, some related error messages appeared (I did not record them).
By this point the restore systems (冰点 6.0 / 6.2 Enterprise, 6.1 Standalone; 讯闪 3.1) had already been penetrated!
To find the cause, I used a file comparison tool to compare all files before and after infection,
and found three abnormal driver files in the drivers folder after infection:
2006-07-18 08:00 24,128 17uye0t4hj.sys
2007-12-08 00:12 14,720 comint32.sys
2006-07-18 08:00 27,264 vsv0j.sys
Seeing this, we really should have realized earlier: who says the low-level disk driver's file name has to be pcihdd.sys?
"Placeholder, deny access" on pcihdd.sys is only a temporary fix! The virus author isn't an idiot; once he sees you have found his "killer move",
he will certainly change the name. It could be 324sdf.sys or pchisdfhdd.sys! What use is blocking only pcihdd.sys?
Summing up the problems above,
I asked 自由风 for advice.
The method he gave: give all users read-only access to the drivers folder! I had thought of this too; it is worth testing!
When I set it to read-only and tested games, so far only 劲舞团 failed to run; nothing else abnormal found yet!
Really frustrating at this point.
Then I thought of the long-circulated userinit.exe "swap" trick (rename userinit.exe to something else,
for example usdferinit.exe, or create a bat that calls it, and change the "Userinit" value under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon). Think about it carefully... oh dear. On a penetrated system they don't just modify userinit, they modify other system files too.
Exactly which ones I haven't found yet. But after penetration, other trojans have already been planted! So what good is the swap? It still doesn't solve the root of the problem!
Thinking very hard.
Don't forget: even with only read-only permission on drivers, 劲舞团 errors at startup; it looks for amdfix.sys in the drivers directory and also asks for write permission.
Naturally that fails, and the prompt below appears.
Don't forget, for updates under read-only you can use the runas command, ha; a bit cumbersome, but it works! But doing that just for one game, 劲舞团,
is obviously a bit much!
Sigh. After much trouble, I thought of the registry: to load a system driver, and do it while the system is running,
this kind of restore-penetrating virus creates the relevant keys under "HKLM\SYSTEM\CurrentControlSet\Services"
and at the same time creates system associations under HKEY_CLASSES_ROOT\CLSID. So if we mainly seal off the services key and deny adding services, we can fully prevent the penetration.
Then I thought of setacl.exe, which the "network experts" use (download link provided below); it needs to be copied into the %systemroot%\system32\ directory,
since the machine does not have setacl.exe by default.
Use a batch file to control registry permissions!
After all this analysis, I used a tool to trace the changes made to the system after infection, organized them, and wrote the batch file below.
Sharing it with everyone.
Note: if you use 讯闪 or 冰点 restore, install the restore software first, and only then run the part that gives all users read-only permission on
"HKLM\SYSTEM\CurrentControlSet\Services". Otherwise, running it before 冰点 or 讯闪 is installed will block them as well, because they need to add their own services!
As follows:
@rem Set variables
@set OP=/grant everyone /read /p:no_dont_copy
@set UpdatePolicy=gpupdate /force
@rem Make the system services key read-only, so no new service (driver) can be added
@rem HKLM
@setacl MACHINE\SYSTEM\CurrentControlSet\Services /registry %OP% >nul 2>nul
@rem Make the registry system-association keys read-only
@rem CLASSES_ROOT
@setacl CLASSES_ROOT\WScript.Shell /registry %OP% >nul 2>nul
@setacl CLASSES_ROOT\CLSID /registry %OP% >nul 2>nul
@setacl CLASSES_ROOT\TypeLib /registry %OP% >nul 2>nul
@REM [Refresh local security policy]
@%UpdatePolicy% >nul 2>nul
@rem Block common web trojans: point each image name at a debugger that does not exist, so it never runs
@set IFEO=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
@for /L %%i in (1,1,27) do @reg add "%IFEO%\%%i.EXE" /v debugger /t reg_sz /d debugfile.exe /f
@reg add "%IFEO%\down.EXE" /v debugger /t reg_sz /d debugfile.exe /f
@reg add "%IFEO%\IGM.EXE" /v debugger /t reg_sz /d debugfile.exe /f
@rem Fix permissions on important system weak spots
@rem Kill the conime.exe process
taskkill /im conime.exe
@rem Deny access
echo y|cacls %systemroot%\system32\conime.exe /d everyone >nul 2>nul
@rem Copy userinit.exe under a new name and point Winlogon at the copy
copy %systemroot%\system32\userinit.exe %systemroot%\system32\tiniresu741.exe /y
echo y|cacls %systemroot%\system32\tiniresu741.exe /g everyone:r >nul 2>nul
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t reg_sz /d "%systemroot%\system32\tiniresu741.exe," /f
echo y|cacls C:\WINDOWS\Fonts /g everyone:r >nul 2>nul
@REM [Refresh local security policy]
@%UpdatePolicy% >nul 2>nul
@rem Create zero-byte placeholders (directories occupying the file names) and deny Everyone access to each.
@rem One list serves both steps, so the names cannot drift apart. %%f is the batch-file form; use %f at a prompt.
@rem The last five entries are the newest low-level disk drivers.
@for %%f in (
    c:\progra~1\conime0.exe
    c:\progra~1\common~1\system\dumdp.exe
    c:\progra~1\common~1\system\schovt.exe
    c:\progra~1\intern~1\plugins\Sy_Win7k.Jmp
    c:\progra~1\intern~1\plugins\Wn_Sys8x.Sys
    c:\windows\919331WL.DLL
    c:\windows\919331L.exe
    c:\windows\919331M.exe
    c:\windows\919331MM.dll
    c:\windows\919331W.exe
    c:\windows\919331WO.DLL
    c:\windows\dgjgxs.exe
    c:\windows\GenProtect.exE
    c:\windows\LYLOADER.EXE
    c:\windows\qnovjk.exe
    c:\windows\rzedhp.exe
    c:\windows\sqgrhk.exe
    c:\windows\tempaq
    c:\windows\urmwqj.exe
    %systemroot%\system32\1243.ocx
    %systemroot%\system32\1252.ocx
    %systemroot%\system32\126.ocx
    %systemroot%\system32\avwghmn.dll
    %systemroot%\system32\avwghst.exe
    %systemroot%\system32\avwlgmn.dll
    %systemroot%\system32\avwlgst.exe
    %systemroot%\system32\avzxkmn.dll
    %systemroot%\system32\avzxkst.exe
    %systemroot%\system32\exuagz.dll
    %systemroot%\system32\gddji32.dll
    %systemroot%\system32\gdmsi32.dll
    %systemroot%\system32\gdrxjhi32.dll
    %systemroot%\system32\GenProtect.dll
    %systemroot%\system32\HookHelp.sys
    %systemroot%\system32\kaqhkaz.exe
    %systemroot%\system32\kaqhkzy.dll
    %systemroot%\system32\kawdfaz.exe
    %systemroot%\system32\kawdfzy.dll
    %systemroot%\system32\kvdxjis.exe
    %systemroot%\system32\kvdxjma.dll
    %systemroot%\system32\LogUser.dll
    %systemroot%\system32\LYLOADER.EXE
    %systemroot%\system32\LYMANGR.DLL
    %systemroot%\system32\MSDEG32.DLL
    %systemroot%\system32\n948ibn.dll
    %systemroot%\system32\okmhaaz.exe
    %systemroot%\system32\poztkv.dll
    %systemroot%\system32\pyhqzen.dll
    %systemroot%\system32\ratbnpi.dll
    %systemroot%\system32\ratbntl.exe
    %systemroot%\system32\rsztmpm.dll
    %systemroot%\system32\rsztmsp.exe
    %systemroot%\system32\rzedhp.DLL
    %systemroot%\system32\sj[1].exe
    %systemroot%\system32\svcost.exe
    %systemroot%\system32\swrceac.exe
    %systemroot%\system32\swrcezc.dll
    %systemroot%\system32\tutility.txt
    %systemroot%\system32\urmwqj.dll
    %systemroot%\system32\usrinit.exe
    %systemroot%\system32\VOHWPIBU.dll
    %systemroot%\system32\wxptdi.sys
    %systemroot%\system32\xgpyhqz.dll
    %systemroot%\system32\nwfoxgl.pyh
    %systemroot%\system32\gddji32.cfg
    %systemroot%\system32\gdqji32.cfg
    %systemroot%\system32\okmhazy.dll
    %systemroot%\system32\com\comrepl32.exe
    %systemroot%\system32\drivers\comint32.sys
    %systemroot%\system32\drivers\nmhw.sys
    %systemroot%\system32\drivers\52th06nua.sys
    %systemroot%\system32\drivers\17uye0t4hj.sys
    %systemroot%\system32\drivers\vsv0j.sys
) do @(
    md %%f >nul 2>nul
    echo y|cacls %%f /d everyone >nul 2>nul
)
The real culprits are all web trojans (网马, web-page trojans). If we use Group Policy to block the system temp folder and IE's Temporary Internet Files cache from running dangerous executables and scripts such as .exe and .bat,
we can completely prevent every virus that comes from web pages; of course USB drives and other routes are harder to say!
This post will keep collecting and organizing the latest defences against restore-penetrating viruses and trojans! Virus samples are also welcome.
Friends on the same front, come support this, post your views and suggestions! Let's defend together against this calamity to our work!
If you have virus samples, please add my QQ: 196696310
The forum is protected by a firewall, so virus samples cannot be uploaded here.
[ This post was last edited by 热血沸腾 on 2008-1-6 06:20 ]
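An added example, written for this page and not part of the original post: the before/after file comparison the author did with a compare tool, done as a small Python script. It reads two `dir`-style listings of the drivers folder in the layout quoted in the post (date, time, size, name), reports files that exist only in the post-infection listing, marks any new file whose last-write time is older than the baseline snapshot (copied in with its old timestamp kept, or backdated), and cross-checks names against the driver names listed in the post. The two listings, the snapshot time and the sizes of the Windows files are constructed sample data; `parse_listing`, `diff_drivers` and the constant names are my own.

```python
import re
from datetime import datetime

# One entry of a Windows `dir` listing: "YYYY-MM-DD HH:MM  size  name" (the layout quoted in the post).
# Header lines, "<DIR>" entries and the summary lines do not match and are skipped.
DIR_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+([\d,]+)\s+(\S+)$")

# Driver names the post lists as belonging to the virus (taken from the batch files above).
KNOWN_BAD_NAMES = {
    "pcihdd.sys", "comint32.sys", "nmhw.sys",
    "52th06nua.sys", "17uye0t4hj.sys", "vsv0j.sys",
}

# When the clean baseline listing was taken (assumed value for the sample data).
SNAPSHOT_TIME = datetime(2007, 12, 1, 0, 0)

# Constructed sample listings of %systemroot%\system32\drivers; sizes of the OS files are made up.
BASELINE_LISTING = """\
 Directory of C:\\WINDOWS\\system32\\drivers

2007-11-30  10:00    <DIR>          .
2006-07-18  08:00            96,512 atapi.sys
2006-07-18  08:00           574,976 ntfs.sys
2006-07-18  08:00           359,808 tcpip.sys
               3 File(s)      1,031,296 bytes
"""

AFTER_LISTING = """\
 Directory of C:\\WINDOWS\\system32\\drivers

2007-11-30  10:00    <DIR>          .
2006-07-18  08:00            24,128 17uye0t4hj.sys
2007-12-20  18:30             9,472 amdfix.sys
2006-07-18  08:00            96,512 atapi.sys
2007-12-08  00:12            14,720 comint32.sys
2006-07-18  08:00           574,976 ntfs.sys
2006-07-18  08:00           359,808 tcpip.sys
2006-07-18  08:00            27,264 vsv0j.sys
               7 File(s)      1,106,880 bytes
"""


def parse_listing(text):
    """Return {name (lower-cased): (mtime, size)} for every file entry in a dir-style listing."""
    entries = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        date, clock, size, name = m.groups()
        mtime = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M")
        entries[name.lower()] = (mtime, int(size.replace(",", "")))
    return entries


def diff_drivers(baseline_text, after_text, snapshot_time, known_bad=KNOWN_BAD_NAMES):
    """Compare two listings and return [(name, [flags...])], new/changed files sorted by name first.

    Flags:
      new                      absent from the baseline
      mtime-predates-baseline  new, yet its last-write time is older than the baseline snapshot
      changed                  present in both, but size or timestamp differs
      known-name               on the post's list of virus driver names
      missing                  present in the baseline, gone afterwards
    """
    base = parse_listing(baseline_text)
    after = parse_listing(after_text)
    findings = []
    for name, (mtime, size) in sorted(after.items()):
        flags = []
        if name not in base:
            flags.append("new")
            if mtime < snapshot_time:
                flags.append("mtime-predates-baseline")
        elif base[name] != (mtime, size):
            flags.append("changed")
        if name in known_bad:
            flags.append("known-name")
        if flags:
            findings.append((name, flags))
    for name in sorted(set(base) - set(after)):
        findings.append((name, ["missing"]))
    return findings


if __name__ == "__main__":
    for name, flags in diff_drivers(BASELINE_LISTING, AFTER_LISTING, SNAPSHOT_TIME):
        print(f"{name:20s} {', '.join(flags)}")
```

On a real machine, save the output of `dir %systemroot%\system32\drivers` from the clean image and again after a suspected penetration, and feed the two files to `diff_drivers`. Take the baseline from the clean image, not from the machine after it has "restored": the post shows the restore layer itself being bypassed, so a post-restore listing is not a trustworthy baseline. A file flagged only `new` (amdfix.sys in the sample, the game driver the post mentions) still needs a look, but the combination of `new` plus an old timestamp, or a name already on the list, is what deserves immediate attention.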