CMD32.exe USB-drive virus: detailed description

Recently updated | Published by: 站长-黑杰克

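Symptoms of infection:
 
Files dropped 
%Windows%\CMD32.exe 
%System%\voice.cpl 
%System%\timedate.cpl 
 
Dropped in the root directory of every partition 
X:\autorun.inf 
Contents of autorun.inf 
[autorun] 
Open=EvilDay.exe 
shellexecute=EvilDay.exe 
shell\打开(&O)\command=EvilDay.exe 
shell=打开(&O) 
shell\2\=浏览(&B) 
shell\2\Command=EvilDay.exe 
shell\3\=资源管理器(&X) 
shell\3\Command=EvilDay.exe
The menu labels 打开(&O), 浏览(&B) and 资源管理器(&X) are the Chinese Explorer context-menu entries Open, Browse and Explorer, so each of these entries launches EvilDay.exe.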
 
Registry modifications: 
The virus creates a startup entry 
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"NOTEPAD"="%Windows%\CMD32.exe" 
Changes the setting that disables AutoPlay 
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 
"NoDriveTypeAutoRun"=dword:0000005b 
Disables "Show all files and folders" 
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL] 
"CheckedValue"=dword:00000000 
Disables the Registry Editor 
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] 
"DisableRegistryTools"=dword:00000001
 
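Removal procedure:
 
1. End the process 
%Windows%\CMD32.exe 
 
2. Delete the virus files 
%Windows%\CMD32.exe 
%System%\voice.cpl 
%System%\timedate.cpl 
X:\autorun.inf
 
3. Set the system time back
 
4. Restart the computer 
Download SREng 
Open SREng > System Repair > Windows Shell/IE > Select All > Repair 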
 
5. Delete the registry values created by the virus 
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"NOTEPAD" 
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL] 
"CheckedValue"
 
6. Edit the registry to restore the disabled AutoPlay setting 
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 
"NoDriveTypeAutoRun"=dword:00000091 
 
7. Delete the Image File Execution Options (IFEO) hijack entries 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Twister.exe] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SNATask.exe] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysWarn.exe] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sloemnit.exe] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gss.exe] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.EXE] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RvaMon.exe] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rva.exe] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMain.exe] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe] 
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe]
 
Removal complete!
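
An added example (not part of the original article): a Python check that scans a registry export (regedit `.reg` text, already decoded to a string) for the registry changes listed above, to confirm infection before cleanup or to confirm the values are gone afterwards. The function names and the sample export are constructed for illustration, and the IFEO check assumes the hijack uses the standard `Debugger` value, which the article does not state.

```python
import re
# Indicators from the article: (key path suffix, value name, test on raw data, finding)
CHECKS = [
    (r"\microsoft\windows\currentversion\run", "notepad",
     lambda d: "cmd32.exe" in d.lower(), "Run value NOTEPAD starts CMD32.exe"),
    (r"\currentversion\policies\explorer", "nodrivetypeautorun",
     lambda d: d.lower() == "dword:0000005b", "NoDriveTypeAutoRun is 0x5b"),
    (r"\advanced\folder\hidden\showall", "checkedvalue",
     lambda d: d.lower() == "dword:00000000", "Show-all-files option disabled"),
    (r"\currentversion\policies\system", "disableregistrytools",
     lambda d: d.lower() == "dword:00000001", "Registry Editor disabled"),
]
IFEO = r"\windows nt\currentversion\image file execution options"
IFEO_NAMES = set(("icesword.exe twister.exe snatask.exe syswarn.exe sloemnit.exe "
                  "filmsg.exe gss.exe kavstart.exe kwatch.exe rvamon.exe rva.exe "
                  "mpmain.exe mpmon.exe mpsvc.exe mpsvc1.exe mpsvc2.exe").split())

def parse_reg(text):
    """Parse .reg export text into {key path: {lower-cased value name: raw data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]*)"=(.*)$', line)):
            current[m.group(1).lower()] = m.group(2)
    return keys

def find_indicators(text):
    """Return the findings for one exported registry file (already decoded to str)."""
    findings = []
    for key, values in parse_reg(text).items():
        lk = key.lower()
        for suffix, name, test, finding in CHECKS:
            if lk.endswith(suffix) and name in values and test(values[name]):
                findings.append(finding)
        parent, _, leaf = lk.rpartition("\\")
        # Assumption: IFEO hijacking works through a Debugger value under the key
        if parent.endswith(IFEO) and leaf in IFEO_NAMES and "debugger" in values:
            findings.append("IFEO hijack of " + leaf)
    return findings
# Constructed sample export, not captured from a real host; Debugger data is made up
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOTEPAD"="C:\\WINDOWS\\CMD32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\constructed\\path.exe"
"""
if __name__ == "__main__": print(find_indicators(SAMPLE))
```

regedit writes `.reg` files as UTF-16, so open the export with `encoding="utf-16"` before passing its text to `find_indicators`.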


Original article by 黑杰克, webmaster of 天启科技. Plagiarism will be pursued; when reposting, please credit the source:
Article URL: http://www.goodgoodhack.com/a/windows7/2014.html