Disabling Wscript.Shell command-line execution on a Web site (Windows server)

Source: Internet
Author: User

Save the following code as a .BAT file (the example is for Windows 2000; on Windows Server 2003 the system folder is C:\WINDOWS\ instead of C:\WINNT\):

Regsvr32 /u C:\WINNT\System32\wshom.ocx
Del C:\WINNT\System32\wshom.ocx
Regsvr32 /u C:\WINNT\system32\shell32.dll
Del C:\WINNT\system32\shell32.dll


Then run it: Wscript.Shell, Shell.Application and Wscript.Network are unregistered. You may be told that a file cannot be deleted; do not worry about that. Restart the server and you will find that all three are reported as "× safe".

How to uninstall objects such as Wscript.Shell
1. Uninstall the Wscript.Shell object. Run under cmd: regsvr32 wshom.ocx /u
2. Uninstall the FSO object. Run under cmd: regsvr32.exe scrrun.dll /u
3. Uninstall the Stream object. Run under cmd:
regsvr32 /s /u "C:\Program Files\Common Files\system\ado\msado15.dll"
If you want to re-enable a component, run the same command without the /u parameter.

Disabling Wscript.Shell
The way to prevent this type of virus is to uninstall Windows Scripting Host.
The specific method is: My Computer → Control Panel → Add/Remove Programs → Windows Setup →
Accessories → Details → Windows Scripting Host → OK. In fact there is a simpler way:
type the following two commands, each followed by Enter: regsvr32 /u wshom.ocx and regsvr32 /u wshext.dll.
This deletes the registration of the WSH objects from the registry, so viruses that depend on
those objects cannot run because the objects are not found.
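The same unregistering step, as an added PowerShell example that is not part of the original article. It uses only regsvr32 /u (no files are deleted; shell32.dll in particular is a core Windows library) and then checks the registry to confirm that each ProgID no longer resolves to a registered in-process server. The DLL paths and ProgID names are assumptions for a default installation; run it from an elevated prompt.

```powershell
# Added example (not from the original article): unregister the scripting COM servers
# with regsvr32 /u and verify the result in the registry. Elevated prompt required.
# Assumption: default DLL locations on the local machine.
$components = @(
    @{ Dll = "$env:windir\System32\wshom.ocx";  ProgIds = 'Wscript.Shell', 'Wscript.Network' }
    @{ Dll = "$env:windir\System32\scrrun.dll"; ProgIds = 'Scripting.FileSystemObject' }
    @{ Dll = "$env:CommonProgramFiles\System\ado\msado15.dll"; ProgIds = 'ADODB.Stream' }
)

function Set-ComRegistration {
    param(
        [Parameter(Mandatory)][string]$Dll,
        [Parameter(Mandatory)][ValidateSet('Register', 'Unregister')][string]$Action
    )
    if (-not (Test-Path -LiteralPath $Dll)) { throw "Not found: $Dll" }
    # /s suppresses the message box; /u unregisters. regsvr32 is a GUI program, so
    # Start-Process -Wait is needed to get a reliable exit code.
    $args = @('/s')
    if ($Action -eq 'Unregister') { $args += '/u' }
    $args += "`"$Dll`""
    $p = Start-Process -FilePath regsvr32.exe -ArgumentList $args -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "regsvr32 exited with $($p.ExitCode) for $Dll" }
}

function Test-ProgIdRegistered {
    param([Parameter(Mandatory)][string]$ProgId)
    # ASP can create the object only if the ProgID maps to a CLSID whose server is registered
    $clsid = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" `
                -ErrorAction SilentlyContinue).'(default)'
    if (-not $clsid) { return $false }
    return Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
}

foreach ($c in $components) {
    Set-ComRegistration -Dll $c.Dll -Action Unregister
    foreach ($id in $c.ProgIds) {
        $state = if (Test-ProgIdRegistered $id) { 'STILL REGISTERED' } else { 'unregistered' }
        '{0,-30} {1}' -f $id, $state
    }
}
# To restore a component later:
#   Set-ComRegistration -Dll "$env:windir\System32\wshom.ocx" -Action Register
```

On 64-bit Windows a 32-bit IIS application pool loads the copies under %windir%\SysWOW64, so those would need the same treatment; the article's own scenario (Windows 2000/2003) is 32-bit.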

======================================================
Ways to prevent the Wscript.Shell component:
You can rename this component by modifying the registry. Rename
HKEY_CLASSES_ROOT\Wscript.Shell\ and HKEY_CLASSES_ROOT\Wscript.Shell.1\
to another name, such as Wscript.Shell_changename or Wscript.Shell.1_changename; afterwards the component can still be called normally by using the new name.
Also change the CLSID value, i.e. the value under
HKEY_CLASSES_ROOT\Wscript.Shell\CLSID\
HKEY_CLASSES_ROOT\Wscript.Shell.1\CLSID\
The keys can also be deleted to prevent harm from such Trojans.
Ways to prevent the Shell.Application component:
You can rename this component by modifying the registry. Rename
HKEY_CLASSES_ROOT\Shell.Application\
and
HKEY_CLASSES_ROOT\Shell.Application.1\
to a different name, such as Shell.Application_changename or Shell.Application.1_changename;
afterwards the component can still be called normally by using the new name.
Also change the CLSID value, i.e. the value under
HKEY_CLASSES_ROOT\Shell.Application\CLSID\
HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\
The keys can also be deleted to prevent harm from such Trojans.
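The renaming procedure above, as an added PowerShell example that is not part of the original article. It exports each key with reg.exe before touching it (so the change can be undone with reg import), renames the ProgID key with the article's "_changename" suffix, moves the CLSID key it points to as well (because an ASP page can also create the object by class id, bypassing the ProgID), and then confirms that the old name can no longer be created while the new name still works. The ProgID list and suffix are the article's; the backup location in %TEMP% is an assumption.

```powershell
# Added example (not from the original article): rename the ProgID and CLSID keys in
# HKCR after backing them up, then verify. Elevated prompt required.
$suffix  = '_changename'
$progIds = 'Wscript.Shell', 'Wscript.Shell.1', 'Shell.Application', 'Shell.Application.1'

function Backup-RegistryKey {
    param([Parameter(Mandatory)][string]$HkcrPath)
    # reg.exe export writes a .reg file that "reg import <file>" restores verbatim
    $file = Join-Path $env:TEMP (($HkcrPath -replace '[\\{}]', '_') + '.reg')
    & reg.exe export "HKCR\$HkcrPath" $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of HKCR\$HkcrPath failed" }
    return $file
}

function Rename-ProgId {
    param([Parameter(Mandatory)][string]$ProgId, [Parameter(Mandatory)][string]$Suffix)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    if (-not (Test-Path $key)) { Write-Warning "$ProgId is not present"; return }
    # Read the CLSID first; the subkey moves with the ProgID key when it is renamed
    $clsid = (Get-ItemProperty "$key\CLSID" -ErrorAction SilentlyContinue).'(default)'
    $bak = Backup-RegistryKey $ProgId
    Rename-Item -Path $key -NewName "$ProgId$Suffix"
    "$ProgId -> $ProgId$Suffix (backup: $bak)"
    # <object classid="clsid:..."> does not go through the ProgID, so move the CLSID key
    # too. Several ProgIDs may share one CLSID, so it can already be gone.
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    if ($clsid -and (Test-Path $clsidKey)) {
        $bak = Backup-RegistryKey "CLSID\$clsid"
        Rename-Item -Path $clsidKey -NewName "$clsid$Suffix"
        "  CLSID $clsid -> $clsid$Suffix (backup: $bak)"
    }
}

function Test-ComCreatable {
    param([Parameter(Mandatory)][string]$ProgId)
    try { $null = New-Object -ComObject $ProgId; return $true } catch { return $false }
}

foreach ($id in $progIds) { Rename-ProgId -ProgId $id -Suffix $suffix }
foreach ($id in $progIds) {
    '{0,-30} creatable: {1}' -f $id, (Test-ComCreatable $id)                # expected False
    '{0,-30} creatable: {1}' -f "$id$suffix", (Test-ComCreatable "$id$suffix")
}
```

Expect "creatable: False" for every original name. The renamed name remains creatable only where its CLSID key was also renamed in lock-step, which is the point of the article's note that the CLSID has to be changed as well. On Windows versions newer than the article's, these HKCR keys are owned by TrustedInstaller and the rename fails with access denied unless ownership is taken first.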
======================================================
The above is the relevant code from Ocean. From that code we can see that the typical ASP trojan or webshell mainly uses the following ASP components:
① wscript.shell (CLASSID: 72C24DD5-D70A-438B-8A42-98424B88AFB8)
② WSCRIPT.SHELL.1 (CLASSID: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B)
③ wscript.network (CLASSID: 093FF999-1EA0-4079-9525-9614C3504B74)
④ wscript.network.1 (CLASSID: 093FF999-1EA0-4079-9525-9614C3504B74)
⑤ FileSystem Object (CLASSID: 0d43fe01-f093-11cf-8940-00a0c9054228)
⑥ adodb.stream (CLASSID: {00000566-0000-0010-8000-00AA006D2EA4})
⑦ shell.application .....
Hehe, now we know who is most responsible for endangering our web server IIS!! Let's start fencing them off ...
2. The solution:
① Delete or rename the following hazardous ASP components:
Wscript.Shell, WSCRIPT.SHELL.1, Wscript.Network, Wscript.Network.1, ADODB.Stream,
Shell.Application
Start → Run → regedit to open Registry Editor, press Ctrl+F to search, enter the component name listed above
(e.g. Wscript.Shell) and its corresponding ClassID, then delete or rename it. (Renaming is recommended, because
some ASP web applications use the above components; when we write the ASP code we simply use the changed component
name and it can still be used normally. Of course, if you are sure that your ASP programs do not use the above components,
deleting them outright is more reassuring ^_^; in general most programs do not use these components. After deleting or
renaming, run iisreset to restart IIS so that the change takes effect.)
[Note: because ADODB.Stream is used by many pages, if your server is running virtual hosts
it is recommended to handle it at your discretion.]
② About the File System Object (classid: 0d43fe01-f093-11cf-8940-00a0c9054228), i.e. the often-mentioned FSO
security issue: if your server must use the FSO (virtual host servers generally need the FSO enabled), refer to my other article on FSO security: "Microsoft Windows Server FSO security hidden trouble solution". If you are sure you do not need it, simply unregister the component.
③ Directly unregister (uninstall) these dangerous components (practical if you do not want to bother with the fiddly methods in ① and ②):
Uninstall the Wscript.Shell object; under CMD or Run: regsvr32 /u %windir%\system32\wshom.ocx
Uninstall the FSO object; under CMD or Run: regsvr32.exe /u %windir%\system32\scrrun.dll
Uninstall the Stream object; under CMD or Run: regsvr32 /s /u "c:\program files\common files\system\ado\msado15.dll"
If you want to recover, just remove /u to re-register the related ASP component, e.g.: regsvr32.exe %windir%\system32\scrrun.dll
④ Webshells use Set domainobject = GetObject("winnt://.") to obtain the server's processes, services,
users and other information. To prevent this, stop and disable the Workstation service (LanmanWorkstation,
"provides network connections and communications" in Services). After that, the webshell's process listing shows blank.
3. After handling the hazardous ASP components with methods 1 and 2, a test with the Ajiang ASP probe shows "Server CPU details" and
"Server operating system" as not found, with blank content. Using Ocean to test Wscript.Shell running cmd commands also reports that the ActiveX
component cannot be created. Everyone can stop worrying about ASP trojans damaging the security of the server system.
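A read-only check of the end state described in steps 1 to 3, as an added PowerShell example that is not part of the original article: for every component the article lists it reports whether the ProgID still resolves to a CLSID, whether that CLSID still has a registered in-process server, and whether the Workstation service is still running. The CLSIDs are the ones printed in the article; the "Exposed" rule (both halves present) is an assumption about what an ASP page needs in order to create the object. Nothing is modified, so it can run on a normal user account.

```powershell
# Added example (not from the original article): audit the components and service the
# article says to disable. Read-only; CLSIDs copied from the article above.
$watch = @(
    @{ ProgId = 'Wscript.Shell';              Clsid = '{72C24DD5-D70A-438B-8A42-98424B88AFB8}' }
    @{ ProgId = 'Wscript.Shell.1';            Clsid = '{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}' }
    @{ ProgId = 'Wscript.Network';            Clsid = '{093FF999-1EA0-4079-9525-9614C3504B74}' }
    @{ ProgId = 'Wscript.Network.1';          Clsid = '{093FF999-1EA0-4079-9525-9614C3504B74}' }
    @{ ProgId = 'Scripting.FileSystemObject'; Clsid = '{0D43FE01-F093-11CF-8940-00A0C9054228}' }
    @{ ProgId = 'ADODB.Stream';               Clsid = '{00000566-0000-0010-8000-00AA006D2EA4}' }
    @{ ProgId = 'Shell.Application';          Clsid = $null }   # the article gives no CLSID
)

function Get-ComExposure {
    param([Parameter(Mandatory)][hashtable]$Entry)
    $progKey  = "Registry::HKEY_CLASSES_ROOT\$($Entry.ProgId)"
    # What CreateObject("<ProgId>") would look up
    $resolved = (Get-ItemProperty "$progKey\CLSID" -ErrorAction SilentlyContinue).'(default)'
    # Prefer the known CLSID so a renamed ProgID does not hide a still-registered server
    $clsid    = if ($Entry.Clsid) { $Entry.Clsid } else { $resolved }
    $server   = $null
    if ($clsid) {
        $server = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                     -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{
        ProgId        = $Entry.ProgId
        ProgIdPresent = Test-Path $progKey
        ResolvesTo    = $resolved
        ServerDll     = $server
        # Assumption: an ASP page can create the object only if both lookups succeed
        Exposed       = [bool]($resolved -and $server)
    }
}

$report = $watch | ForEach-Object { Get-ComExposure $_ }
$report | Format-Table -AutoSize

# Step 4 of the article: the Workstation service feeds GetObject("winnt://.")
$ws = Get-Service -Name LanmanWorkstation
'Workstation service: {0} (StartType {1})' -f $ws.Status, $ws.StartType

if (($report.Exposed -contains $true) -or ($ws.Status -eq 'Running')) {
    Write-Warning 'At least one scripting component or the Workstation service is still available.'
}
```

A line with ProgIdPresent False but ServerDll set means the ProgID was renamed while the CLSID key was left alone, which is the case the article's "also change the CLSID value" note is about.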
