
CMD32.exe USB Drive Virus: Detailed Description
2008-04-18

Symptoms of infection:

Dropped files
%Windows%\CMD32.exe
%System%\voice.cpl
%System%\timedate.cpl

Dropped in the root directory of every partition
X:\autorun.inf
Contents of autorun.inf
[autorun]
Open=EvilDay.exe
shellexecute=EvilDay.exe
shell\打开(&O)\command=EvilDay.exe
shell=打开(&O)
shell\2=浏览(&B)
shell\2\Command=EvilDay.exe
shell\3=资源管理器(&X)
shell\3\Command=EvilDay.exe


Registry modifications:
The virus creates a startup entry
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOTEPAD"="%Windows%\CMD32.exe"
Changes the setting that disables AutoPlay
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:0000005b
Disables "Show all files and folders"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
Disables the Registry Editor
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

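Removal procedure:

1. End the process
%Windows%\CMD32.exe

2. Delete the virus files
%Windows%\CMD32.exe
%System%\voice.cpl
%System%\timedate.cpl
X:\autorun.inf

3. Change the system time back

4. Restart the computer
Download SREng
Open SREng - System Repair - Windows Shell/IE - Select All - Repair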

5. Delete the registry entries created by the virus
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOTEPAD"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"

6. Edit the registry to repair the disabled "AutoPlay" setting
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

7. Delete the Image File Execution Options hijack entries
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Twister.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SNATask.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysWarn.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sloemnit.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gss.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.EXE]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RvaMon.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rva.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMain.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe]

Removal complete!
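A read-only check for the registry indicators listed above, as an added example that is not part of the original article: it parses the text of a .reg export and reports the Run entry, the three DWORD values and the Image File Execution Options keys named in the write-up. The sample export is constructed, and the full HKEY_ hive names and backslash-separated key paths are assumptions based on how .reg exports are written.

```python
import re

# Indicators from the write-up above; key paths lowercased, backslashes written out.
HKLM, HKCU = "hkey_local_machine\\", "hkey_current_user\\"
CV = "software\\microsoft\\windows\\currentversion\\"
RUN = HKLM + CV + "run"
IFEO = HKLM + "software\\microsoft\\windows nt\\currentversion\\image file execution options\\"
DWORD_CHECKS = [  # (key, value name, data the write-up says the virus sets)
    (HKCU + CV + "policies\\explorer", "nodrivetypeautorun", 0x5B),
    (HKCU + CV + "explorer\\advanced\\folder\\hidden\\showall", "checkedvalue", 0),
    (HKCU + CV + "policies\\system", "disableregistrytools", 1)]
HIJACKED = set("""icesword.exe twister.exe snatask.exe syswarn.exe sloemnit.exe filmsg.exe
gss.exe kavstart.exe kwatch.exe rvamon.exe rva.exe mpmain.exe mpmon.exe mpsvc.exe
mpsvc1.exe mpsvc2.exe""".split())

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {lowercased value name: raw data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)', line)):
            current[m.group(1).lower()] = m.group(2).lower()
    return keys

def audit(text):
    """Return one finding per indicator from the write-up that is present in the export."""
    keys, found = parse_reg(text), []
    for name, data in keys.get(RUN, {}).items():
        if data.strip('"').endswith("\\cmd32.exe"):
            found.append(f"Run value {name} starts cmd32.exe")
    for key, name, bad in DWORD_CHECKS:
        raw = keys.get(key, {}).get(name, "")
        if raw.startswith("dword:") and int(raw[6:], 16) == bad:
            found.append(f"{name}={bad:#x}")
    found += [f"IFEO key {k[len(IFEO):]}" for k in keys if k.startswith(IFEO) and k[len(IFEO):] in HIJACKED]
    return found

# Constructed sample export (not from a real machine); the notepad.exe key is a benign control.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOTEPAD"="C:\\WINDOWS\\CMD32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:0000005b
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
'''

if __name__ == "__main__": print("\n".join(audit(SAMPLE)))
```

Exports in the "Version 5.00" format are normally UTF-16 encoded, so decode the file with that encoding before passing its text to audit().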
