现在使用磁盘"自动运行"或"打开方式"进行运行的木马非常盛行,一般会被称为u盘病毒(因为会利用u盘传播)。
前一种方式是采用autorun.inf,利用磁盘自动运行功能。此类可以通过组策略禁用,或者直接删除autorun.inf即可,清除和还原比较方便,一般安全工具都可以清除(如360safe、arswp等),清除后重启或注销一般可恢复。
后一种方式是修改了注册表,在HKEY_CLASSES_ROOT/Drive/shell下添加open项(系统默认是没这个项的,默认使用了folder的打开方式),往往安全工具没有对这个进行清除,安全工具删除了木马/病毒文件后,注册表项未清除,导致双击盘符无法正常打开,删除HKEY_CLASSES_ROOT/Drive/shell下的open项即可恢复。
注册表文件如下,如果磁盘自动运行功能禁用不能解决问题请导入:
Windows Registry Editor Version
5.00
[
-HKEY_CLASSES_ROOTDriveshellopen
]
[
-HKEY_CLASSES_ROOTDriveshellexplore
]
另导出正常的文件夹打开方式的注册表,也有可能被利用,如下,:
Windows Registry Editor Version 5.00
[
HKEY_CLASSES_ROOTFoldershellexplore
]
"
BrowserFlags
"
=
dword:
00000022
"
ExplorerFlags
"
=
dword:
00000021
[
HKEY_CLASSES_ROOTFoldershellexplorecommand
]
@
=
hex(
2
):
25
,
00
,
53
,
00
,
79
,
00
,
73
,
00
,
74
,
00
,
65
,
00
,
6d
,
00
,
52
,
00
,
6f
,
00
,
6f
,
00
,
74
,
00
,
25
,
00
,
5c
,
00
,
45
,
00
,
78
,
00
,
70
,
00
,
6c
,
00
,
6f
,
00
,
72
,
00
,
65
,
00
,
72
,
00
,
2e
,
00
,
65
,
00
,
78
,
00
,
65
,
00
,
20
,
00
,
2f
,
00
,
65
,
00
,
2c
,
00
,
2f
,
00
,
69
,
00
,
64
,
00
,
6c
,
00
,
69
,
00
,
73
,
00
,
74
,
00
,
2c
,
00
,
25
,
00
,
49
,
00
,
2c
,
00
,
25
,
00
,
4c
,
00
,
00
,
00
[
HKEY_CLASSES_ROOTFoldershellexploreddeexec
]
@
=
"
[ExploreFolder(
"
%l
"
, %I, %S)]
"
"
NoActivateHandler
"
=
""
[
HKEY_CLASSES_ROOTFoldershellexploreddeexecapplication
]
@
=
"
Folders
"
[
HKEY_CLASSES_ROOTFoldershellexploreddeexecifexec
]
@
=
"
[]
"
[
HKEY_CLASSES_ROOTFoldershellexploreddeexec opic
]
@
=
"
AppProperties
"
[
HKEY_CLASSES_ROOTFoldershellopen
]
"
BrowserFlags
"
=
dword:
00000010
"
ExplorerFlags
"
=
dword:
00000012
[
HKEY_CLASSES_ROOTFoldershellopencommand
]
@
=
hex(
2
):
25
,
00
,
53
,
00
,
79
,
00
,
73
,
00
,
74
,
00
,
65
,
00
,
6d
,
00
,
52
,
00
,
6f
,
00
,
6f
,
00
,
74
,
00
,
25
,
00
,
5c
,
00
,
45
,
00
,
78
,
00
,
70
,
00
,
6c
,
00
,
6f
,
00
,
72
,
00
,
65
,
00
,
72
,
00
,
2e
,
00
,
65
,
00
,
78
,
00
,
65
,
00
,
20
,
00
,
2f
,
00
,
69
,
00
,
64
,
00
,
6c
,
00
,
69
,
00
,
73
,
00
,
74
,
00
,
2c
,
00
,
25
,
00
,
49
,
00
,
2c
,
00
,
25
,
00
,
4c
,
00
,
00
,
00
[
HKEY_CLASSES_ROOTFoldershellopenddeexec
]
@
=
"
[ViewFolder(
"
%l
"
, %I, %S)]
"
"
NoActivateHandler
"
=
""
[
HKEY_CLASSES_ROOTFoldershellopenddeexecapplication
]
@
=
"
Folders
"
[
HKEY_CLASSES_ROOTFoldershellopenddeexecifexec
]
@
=
"
[]
"
[
HKEY_CLASSES_ROOTFoldershellopenddeexec opic
]
@
=
"
AppProperties
"
前一种方式是采用autorun.inf,利用磁盘自动运行功能。此类可以通过组策略禁用,或者直接删除autorun.inf即可,清除和还原比较方便,一般安全工具都可以清除(如360safe、arswp等),清除后重启或注销一般可恢复。
后一种方式是修改了注册表,在HKEY_CLASSES_ROOT/Drive/shell下添加open项(系统默认是没这个项的,默认使用了folder的打开方式),往往安全工具没有对这个进行清除,安全工具删除了木马/病毒文件后,注册表项未清除,导致双击盘符无法正常打开,删除HKEY_CLASSES_ROOT/Drive/shell下的open项即可恢复。
注册表文件如下,如果磁盘自动运行功能禁用不能解决问题请导入:
Windows Registry Editor Version
5.00
[
-HKEY_CLASSES_ROOTDriveshellopen
]
[
-HKEY_CLASSES_ROOTDriveshellexplore
]
另导出正常的文件夹打开方式的注册表,也有可能被利用,如下,:
Windows Registry Editor Version 5.00
[
HKEY_CLASSES_ROOTFoldershellexplore
]
"
BrowserFlags
"
=
dword:
00000022
"
ExplorerFlags
"
=
dword:
00000021
[
HKEY_CLASSES_ROOTFoldershellexplorecommand
]
@
=
hex(
2
):
25
,
00
,
53
,
00
,
79
,
00
,
73
,
00
,
74
,
00
,
65
,
00
,
6d
,
00
,
52
,
00
,
6f
,
00
,
6f
,
00
,
74
,
00
,
25
,
00
,
5c
,
00
,
45
,
00
,
78
,
00
,
70
,
00
,
6c
,
00
,
6f
,
00
,
72
,
00
,
65
,
00
,
72
,
00
,
2e
,
00
,
65
,
00
,
78
,
00
,
65
,
00
,
20
,
00
,
2f
,
00
,
65
,
00
,
2c
,
00
,
2f
,
00
,
69
,
00
,
64
,
00
,
6c
,
00
,
69
,
00
,
73
,
00
,
74
,
00
,
2c
,
00
,
25
,
00
,
49
,
00
,
2c
,
00
,
25
,
00
,
4c
,
00
,
00
,
00
[
HKEY_CLASSES_ROOTFoldershellexploreddeexec
]
@
=
"
[ExploreFolder(
"
%l
"
, %I, %S)]
"
"
NoActivateHandler
"
=
""
[
HKEY_CLASSES_ROOTFoldershellexploreddeexecapplication
]
@
=
"
Folders
"
[
HKEY_CLASSES_ROOTFoldershellexploreddeexecifexec
]
@
=
"
[]
"
[
HKEY_CLASSES_ROOTFoldershellexploreddeexec opic
]
@
=
"
AppProperties
"
[
HKEY_CLASSES_ROOTFoldershellopen
]
"
BrowserFlags
"
=
dword:
00000010
"
ExplorerFlags
"
=
dword:
00000012
[
HKEY_CLASSES_ROOTFoldershellopencommand
]
@
=
hex(
2
):
25
,
00
,
53
,
00
,
79
,
00
,
73
,
00
,
74
,
00
,
65
,
00
,
6d
,
00
,
52
,
00
,
6f
,
00
,
6f
,
00
,
74
,
00
,
25
,
00
,
5c
,
00
,
45
,
00
,
78
,
00
,
70
,
00
,
6c
,
00
,
6f
,
00
,
72
,
00
,
65
,
00
,
72
,
00
,
2e
,
00
,
65
,
00
,
78
,
00
,
65
,
00
,
20
,
00
,
2f
,
00
,
69
,
00
,
64
,
00
,
6c
,
00
,
69
,
00
,
73
,
00
,
74
,
00
,
2c
,
00
,
25
,
00
,
49
,
00
,
2c
,
00
,
25
,
00
,
4c
,
00
,
00
,
00
[
HKEY_CLASSES_ROOTFoldershellopenddeexec
]
@
=
"
[ViewFolder(
"
%l
"
, %I, %S)]
"
"
NoActivateHandler
"
=
""
[
HKEY_CLASSES_ROOTFoldershellopenddeexecapplication
]
@
=
"
Folders
"
[
HKEY_CLASSES_ROOTFoldershellopenddeexecifexec
]
@
=
"
[]
"
[
HKEY_CLASSES_ROOTFoldershellopenddeexec opic
]
@
=
"
AppProperties
"
扫一扫
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
