Off site wscript.shell √ directive line
 

The easiest way is to directly delete the fitting uninstall program file. Save the following code into a. BAT file,Lacoste Prep CB Trainers, (the following are WIN2000, case in point, if you use 2003, the system folder should be C: WINDOWS )
regsvr32 / u C: WINNT System32 wshom.ocx
del C: WINNT System32 wshom.ocx
regsvr32 / u C: WINNT system32 shell32.dll
del C: WINNT system32 shell32.dll
then scamper about, WScript.Shell, Shell.application, WScript.Network ambition be uninstalled. You may be hinted not cancel file, do not ignore it, you reset the server, you ambition ascertain these 3 are prompted to How to Uninstall Wscript.Shell and other objects
1, uninstall wscript.shell object
run in cmd: regsvr32 WSHom.Ocx / u
2, uninstall the FSO object
run in cmd: regsvr32.exe scrrun.dll / u
3, uninstall the stream object
run in cmd:
regsvr32 / s / u
If you want to re-enable: Please / u parameter on out on the line!
disallowed WScript.Shell
prevent such viruses is to uninstall the Windows scripting host,
characteristic method is: My Computer → Control Panel → Add / Remove Programs to install WINDOWS → →
Accessories → details → Windows scripting host → OK. In truth, there is a course more uncomplicated,
Type the following command followed along 2
: regsvr32 / u wshom.ocx enter, regsvr32 / u wshext.dll Enter
to join to the registry. wsh registered value of the deleted object. So that those who have to depend on the object by running the virus
not find the object is not run down.

hindrance methods Wscript.Shell components:
can adjust the registry, the makeup was renamed.
HKEY_CLASSES_ROOT WScript.Shell and HKEY_CLASSES_ROOT WScript.Shell.1
changed its name to other names,Lacoste Swerve Keyline Trainers, such as: to WScript.Shell_ChangeName or WScript.Shell.1_ChangeName phone when their future use can be normal call this component of the
clsid values ​​have to change it
HKEY_CLASSES_ROOT WScript.Shell CLSID item worth
HKEY_CLASSES_ROOT WScript.Shell.1 CLSID
too the value of the project can be cleared to prevent the harm of such Trojans.
HKEY_CLASSES_ROOT Shell.Application
and
HKEY_CLASSES_ROOT Shell.Application.1
changed its name to other names, such as: to Shell.Application_ChangeName or Shell.Application.1_ChangeName
own After the call when you can use this to call this component of the normal.
clsid values ​​will also change the look
HKEY_CLASSES_ROOT Shell.Application CLSID item value
HKEY_CLASSES_ROOT Shell.Application CLSID
value of the project can be deleted to prevent the perils of such Trojans.
=============================================== =======
above the sea in the pertinent code, the code from the above we can discern namely the common ASP Trojan, Webshell ASP components using effectively the following types:
① WScript.Shell (classid: 72C24DD5-D70A-438B-8A42-98424B88AFB8)
② WScript.Shell.1 (classid: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B)
③ WScript.Network (classid: 093FF999-1EA0-4079-9525-9614C3504B74)
④ WScript.Network.1 (classid: 093FF999-1EA0-4079-9525-9614C3504B74)
⑤ FileSystem Object (classid: 0D43FE01-F093-11CF-8940-00A0C9054228)
⑥ Adodb.stream (classid: 00000566-0000-0010-8000-00AA006D2EA4)
⑦ Shell.applicaiton ....
hehe, yet we're conscious of the harm to our WEB SERVER IIS is the malefactor who had the maximum!! start surgeon, come on ...
2: The solution:
delete or rename the following
① dangerous ASP components:
WScript.Shell,Lacoste R75 P2 Trainers, WScript.Shell.1, Wscript.Network, Wscript.Network.1,Lacoste Strap Trainers, adodb.stream,
Shell.application
started running -------> ---------> Regedit, open the Registry Editor,Lacoste Trainers 2010, press Ctrl + F to find, enter the above order
Wscript.Shell other component name and the corresponding ClassID, and then delete or change the name (in this circumstance suggest that you renamed, such as
If some pages use ASP program, then do the above components, fair the time to write ASP code in the component with our name changed
said normal use. Of course, whether you are sure your applying does not use ASP or more components, or straight
then delete some of the centers by ease ^ _ ^, it is generally not done usually these components. Deleted or renamed, iisreset
rose instantly later restart IIS
effect. )
[NOTE: Because Adodb.Stream this component will be secondhand in many pages, so if your virtual host server is open, then
② on the File System Object (classid: 0D43FE01-F093-11CF-8940-00A0C9054228) that is often said that the FSO's
security issues, if your server will need to use the words of FSO, (part of the virtual host server functions normally take to open FSO) can refer to my other 1 security solution on the FSO article: Microsoft Windows 2000 Server FSO security risks solution. If you are sure not to use it, can anti-up for this component can be.
③ direct anti-up, usage of unloading these perilous components: (serviceable in ① and ② level do not want such a heavy method)
uninstall wscript.shell object, alternatively instantly below the bat run: regsvr32 / u% windir% / system32/WSHom.Ocx
uninstall FSO object, or directly under the cmd run: regsvr32.exe / u% windir% / system32/scrrun.dll
uninstall stream object,Lacoste Radiate Croc Trainers, or directly under the cmd run: regsvr32 / s / u
If you want to restore, then just remove the / U or more narrated to re-up components such as ASP: regsvr32.exe% windir% / system32/scrrun.dll
④ Webshell on the use of set domainObject = GetObject (
user information such as prevention, we can service the Workstation [provide web links and communications] service to stop the Lanmanworkstation
and disable then. After this treatment, Webshell display will be blank at the process.
3 in agreement with the method of 1,2 components of ASP types of dangerous handling, with Ah Jiang asp needle a mini,
Operating System And then ocean test Wsript.Shell to run cmd command prompt is not to create Active
aboard the image. Not everybody can no longer harm apt the waiter because the ASP Trojan and restless almost the security of the system.