My PC is infected with an AV-evading RAT, please help
This post was last edited by 弟中帝 on 2021-11-18 21:13.

Two days ago I downloaded a piece of software. When I opened it, Huorong (火绒) didn't flag it. A little later a prompt popped up asking to turn on the webcam.
I tried deleting all the files it created at runtime, but that didn't help. Every time I boot, a cmd process starts, and two extra files appear in the Temp directory.
Below are the files created at runtime.
Below is the command that runs at every boot.
Please help, this RAT is really nasty. Every time I turn the computer on, the mouse moves by itself.
RAT sample link: https://fengshen1.lanzouw.com/iNDfSwmq3eh

Thanks to all the experts for the help; I'm lucky to have met you on the 吾爱 forum. I followed your advice, found SNMP among the service startup entries, removed its startup parameters, and the problem went away. Thanks everyone, problem solved.

Boot into a PE environment and kill that file and directory. You can also create a new one with the same name and set it read-only, then clear it from the startup entries. That should do it.

屠神-远控样本.exe(PID: 2116) command line: "c:\users\admini~1\appdata\local\temp\屠神-远控样本.exe"
cmd.exe(PID: 2128) command line: cmd /c c:\users\admini~1\appdata\local\temp\AEROìØD§.bat
sc.exe(PID: 2152) command line: sc config UxSms start= auto
sc.exe(PID: 2280) command line: sc config Themes start= auto
net.exe(PID: 2292) command line: net start Themes
net1.exe(PID: 2300) command line: C:\Windows\system32\net1 start Themes
bcdedit.exe(PID: 2308) command line: bcdedit.exe /set nointegritychecks on
reg.exe(PID: 2316) command line: reg add "HKCU\Software\Microsoft\Windows\DWM" /v Composition /t reg_dword /d 00000001 /f
reg.exe(PID: 2324) command line: reg add "HKCU\Software\Microsoft\Windows\DWM" /v CompositionPolicy /t reg_dword /d 00000002 /f
net.exe(PID: 2332) command line: net stop uxsms
net1.exe(PID: 2340) command line: C:\Windows\system32\net1 stop uxsms
net.exe(PID: 2460) command line: net start uxsms
net1.exe(PID: 2468) command line: C:\Windows\system32\net1 start uxsms
ipconfig.exe(PID: 2512) command line: ipconfig /flushdns
cmd.exe(PID: 2524) command line: cmd /c sc config "UxSms" start= demand
sc.exe(PID: 2548) command line: sc config "UxSms" start= demand
cmd.exe(PID: 2560) command line: cmd /c net stop "Desktop Window Manager Session Manager"
net.exe(PID: 2584) command line: net stop "Desktop Window Manager Session Manager"
net1.exe(PID: 2592) command line: C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
cmd.exe(PID: 2604) command line: cmd /c net start "Desktop Window Manager Session Manager"
net.exe(PID: 2740) command line: net start "Desktop Window Manager Session Manager"
net1.exe(PID: 2752) command line: C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
rundll32.exe(PID: 2628) command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
cmd.exe(PID: 2640) command line: cmd /c net stop "Desktop Window Manager Session Manager"
net.exe(PID: 2792) command line: net stop "Desktop Window Manager Session Manager"
net1.exe(PID: 2824) command line: C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
cmd.exe(PID: 2648) command line: cmd /c net start "Desktop Window Manager Session Manager"
net.exe(PID: 2800) command line: net start "Desktop Window Manager Session Manager"
net1.exe(PID: 2832) command line: C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
rundll32.exe(PID: 2688) command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"C:\Windows\Resources\Themes\aero.theme"
cmd.exe(PID: 2700) command line: cmd /c net stop "Desktop Window Manager Session Manager"
net.exe(PID: 2856) command line: net stop "Desktop Window Manager Session Manager"
net1.exe(PID: 2876) command line: C:\Windows\system32\net1 stop "Desktop Window Manager Session Manager"
cmd.exe(PID: 2708) command line: cmd /c net start "Desktop Window Manager Session Manager"
net.exe(PID: 2868) command line: net start "Desktop Window Manager Session Manager"
net1.exe(PID: 2892) command line: C:\Windows\system32\net1 start "Desktop Window Manager Session Manager"
cmd.exe(PID: 3196) command line: C:\Windows\system32\cmd.exe
Ay.dat(PID: 3216) command line: C:\Ay.dat
cmd.exe(PID: 3236) command line: cmd /c C:\Ayjz.exe -AYJZ-C:\Windows\system32\drivers\bbVCNgzRL
Ayjz.exe(PID: 3260) command line: C:\Ayjz.exe -AYJZ-C:\Windows\system32\drivers\bbVCNgzRL
cmd.exe(PID: 3292) command line: cmd /c C:\Ayjz.exe -AYJZ-C:\Windows\system32\drivers\bbVCNgzRL
Ayjz.exe(PID: 3316) command line: C:\Ayjz.exe -AYJZ-C:\Windows\system32\drivers\bbVCNgzRL
WerFault.exe(PID: 3352) command line: C:\Windows\system32\WerFault.exe -u -p 2116 -s 492

Disconnect from the network and boot into Safe Mode to see whether it still starts; try scanning with 360 antivirus in Safe Mode.

Haven't seen a RAT in a while. It presumably has a check-in (C2) address; block that and you're done.

I think you should @ Huorong to take a look.
@火绒安全实验室

圣君 posted on 2021-11-18 17:16:
Boot into a PE environment and kill that file and directory. You can also create a new one with the same name and set it read-only, then clear it from the startup entries. That should do it.

That method is good.

Check the startup entries and scheduled tasks, and watch it with a file monitor. Find the IP it connects to and block it, or simply block the port with the firewall.

A RAT is a small problem. If all else fails, send us the sample and we'll analyze it for you.

Extract the file sample first, then @火绒安全实验室
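As an added example, not code from the thread or from Huorong, the following Python script runs a handful of triage rules over a process-creation list in the format the OP posted above ("image(PID: n) command line: ..."). The rule names, the severity judgements and the sample log are my own constructions; the sample log is a subset of the thread's process list copied into the translated format. It flags what a responder would pull out of such a list first: executables launched from a Temp directory, `bcdedit /set nointegritychecks on` (which turns off driver signature enforcement at boot), service start-type changes and stop/start churn, a process image with a non-executable extension (`Ay.dat`), an extension-less file under `system32\drivers\` passed as an argument, and a WerFault crash report for a PID that was already flagged.

```python
"""Triage rules for a Windows process-creation log in the thread's format:
"<image>(PID: <n>) command line: <cmd>". Added example; rules and sample are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# Field labels as they appear in the translated list; the original Chinese labels
# (进程ID / 命令行) are accepted too so the raw post can be fed in unchanged.
LINE_RE = re.compile(
    r"^(?P<image>.+?)\((?:PID|进程ID):\s*(?P<pid>\d+)\)\s*(?:command line|命令行)[::]\s*(?P<cmd>.*)$"
)
TEMP_DIR = re.compile(r"\\temp\\", re.I)
DRIVERS_FILE = re.compile(r'\\system32\\drivers\\([^\s"]+)', re.I)
SC_START = re.compile(r"\bsc(?:\.exe)?\s+config\b.*\bstart=\s*(\w+)", re.I)
# nointegritychecks / testsigning turn off kernel-mode driver signature enforcement at boot
BCD_INTEGRITY = re.compile(r"\bbcdedit(?:\.exe)?\b.*?/set\s+(nointegritychecks|testsigning)\s+on", re.I)
NET_SVC = re.compile(r'\bnet1?(?:\.exe)?\s+(start|stop)\s+"?([^"]+?)"?\s*$', re.I)
WER_PID = re.compile(r"\bwerfault(?:\.exe)?\b.*?-p\s+(\d+)", re.I)
EXECUTABLE_EXT = (".exe", ".com", ".scr")

# Constructed sample: a subset of the thread's process list in the translated format.
SAMPLE_LOG = r"""屠神-远控样本.exe(PID: 2116) command line: "c:\users\admini~1\appdata\local\temp\屠神-远控样本.exe"
cmd.exe(PID: 2128) command line: cmd /c c:\users\admini~1\appdata\local\temp\AEROìØD§.bat
sc.exe(PID: 2152) command line: sc config UxSms start= auto
net1.exe(PID: 2300) command line: C:\Windows\system32\net1 start Themes
bcdedit.exe(PID: 2308) command line: bcdedit.exe /set nointegritychecks on
reg.exe(PID: 2316) command line: reg add "HKCU\Software\Microsoft\Windows\DWM" /v Composition /t reg_dword /d 00000001 /f
net.exe(PID: 2332) command line: net stop uxsms
net.exe(PID: 2460) command line: net start uxsms
ipconfig.exe(PID: 2512) command line: ipconfig /flushdns
cmd.exe(PID: 2524) command line: cmd /c sc config "UxSms" start= demand
cmd.exe(PID: 2560) command line: cmd /c net stop "Desktop Window Manager Session Manager"
Ay.dat(PID: 3216) command line: C:\Ay.dat
Ayjz.exe(PID: 3260) command line: C:\Ayjz.exe -AYJZ-C:\Windows\system32\drivers\bbVCNgzRL
WerFault.exe(PID: 3352) command line: C:\Windows\system32\WerFault.exe -u -p 2116 -s 492
"""


@dataclass(frozen=True)
class Event:
    image: str
    pid: int
    cmd: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def parse_log(text):
    """Parse log lines into Events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["image"], int(m["pid"]), m["cmd"]))
    return events


def rules_for(ev):
    """Stateless rules applied to one event; each hit becomes a Finding."""
    hits = []
    if TEMP_DIR.search(ev.cmd):
        hits.append(("exec_from_temp", "command references a Temp directory"))
    m = BCD_INTEGRITY.search(ev.cmd)
    if m:
        hits.append(("boot_integrity_off", f"bcdedit /set {m.group(1).lower()} on"))
    m = SC_START.search(ev.cmd)
    if m:
        hits.append(("service_start_type_changed", f"start= {m.group(1).lower()}"))
    m = NET_SVC.search(ev.cmd)
    if m:
        hits.append(("service_control", f"{m.group(1).lower()} {m.group(2)}"))
    m = DRIVERS_FILE.search(ev.cmd)
    if m and "." not in m.group(1):  # a real driver would be <name>.sys
        hits.append(("driver_path_argument", f"extension-less file under drivers\\: {m.group(1)}"))
    if not ev.image.lower().endswith(EXECUTABLE_EXT):
        hits.append(("non_exe_image", f"process image {ev.image} has a non-executable extension"))
    return [Finding(ev.pid, rule, detail) for rule, detail in hits]


def triage(text):
    """Per-event rules first, then the cross-event rule (WerFault for an already flagged PID)."""
    events = parse_log(text)
    findings = [f for ev in events for f in rules_for(ev)]
    flagged = {f.pid for f in findings}
    for ev in events:
        m = WER_PID.search(ev.cmd)
        if m and int(m.group(1)) in flagged:
            findings.append(Finding(ev.pid, "crash_of_flagged_process", f"WerFault for PID {m.group(1)}"))
    return findings


def restarted_services(findings):
    """Services that were both stopped and started in the log (stop/start churn)."""
    seen = {}
    for f in findings:
        if f.rule == "service_control":
            verb, svc = f.detail.split(" ", 1)
            seen.setdefault(svc.lower(), set()).add(verb)
    return sorted(svc for svc, verbs in seen.items() if verbs == {"start", "stop"})


def rule_counts(findings):
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    fs = triage(SAMPLE_LOG)
    for f in fs:
        print(f"PID {f.pid:>5}  {f.rule:<28} {f.detail}")
    print("stop/start churn:", restarted_services(fs))
```

Taken alone, `service_control` and `service_start_type_changed` hits are noise (installers and admins do this all day); what makes this list worth acting on is the combination with `boot_integrity_off`, a `.dat` running as a process, and an extension-less file placed under `drivers\`. The script deliberately has no notion of parent PID because the thread's list does not carry one; with a Sysmon or Huorong log that does, the next step would be to group these findings under the `屠神-远控样本.exe` process tree.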