Trojans that launch through a drive's "AutoRun" or through its "Open" action are very common at the moment; they are generally called U-disk viruses because they spread via USB flash drives.
The first method uses autorun.inf and relies on the disk AutoRun feature. It can be disabled through Group Policy, or the autorun.inf file can simply be deleted; cleanup and recovery are straightforward, most security tools can remove it (e.g. 360safe, arswp), and after cleanup a reboot or log-off usually restores normal behaviour.
The second method modifies the registry: it adds an open key under HKEY_CLASSES_ROOT\Drive\shell (the system has no such key by default and falls back to the Folder class's open action), so double-clicking the drive letter runs the trojan. Security tools often do not clean this up: after the tool deletes the trojan/virus file, the registry key remains and points at an executable that no longer exists, so double-clicking the drive letter no longer opens it properly. Deleting the open key under HKEY_CLASSES_ROOT\Drive\shell restores normal behaviour.
The registry file is as follows; import it if disabling the disk AutoRun feature does not solve the problem:
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\Drive\shell\open]

[-HKEY_CLASSES_ROOT\Drive\shell\explore]
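Before importing the .reg file above blindly, it is worth seeing what the machine actually has. The following audit script is an added example, not code from the original post: it checks the AutoRun policy, lists what any autorun.inf on a mounted volume would launch, and reports the open/explore verbs under HKCR\Drive\shell together with the command they point at. The -Remove switch and the script name are inventions of this example; it deletes the same two verbs the .reg file above deletes, but exports each key first so the change can be rolled back. Run it from an elevated PowerShell.

```powershell
# Added audit script (example code, not part of the original post). Checks the
# two USB-worm launch vectors described above and, with the -Remove switch
# (invented for this example), deletes the rogue Drive\shell verbs that the
# .reg file above removes. Run from an elevated PowerShell.
param([switch]$Remove)

# HKCR is not mapped as a PSDrive by default.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# 1. AutoRun policy. The Group Policy setting "Turn off Autoplay" writes
#    NoDriveTypeAutoRun; 0xFF covers every drive type, including USB sticks.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $autorun) {
    'AutoRun policy: NoDriveTypeAutoRun not set (AutoRun enabled)'
} elseif ($autorun -eq 0xFF) {
    'AutoRun policy: disabled for all drive types (0xFF)'
} else {
    "AutoRun policy: NoDriveTypeAutoRun = $autorun (still enabled for some drive types)"
}

# 2. autorun.inf on every mounted volume: show the lines that name a payload
#    (open=, shellexecute=, or a shell\<verb>\command= entry).
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        "autorun.inf found on $($_.Root)"
        Get-Content -LiteralPath $inf |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' } |
            ForEach-Object { "    $_" }
    }
}

# 3. HKCR\Drive\shell. As the text notes, there is no open verb here by default
#    (drives fall through to the Folder class), so open/explore verbs are suspect.
#    A tool that deleted the payload but left this verb is what breaks
#    double-click on the drive letter.
foreach ($verb in 'open', 'explore') {
    $key = "HKCR:\Drive\shell\$verb"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $cmd = (Get-ItemProperty -LiteralPath "$key\command" -ErrorAction SilentlyContinue).'(default)'
    "Unexpected verb $key -> $cmd"
    if ($Remove) {
        # Export first so the deletion can be undone with: reg import <backup>
        $backup = Join-Path $env:TEMP "Drive_shell_$verb.reg"
        reg.exe export "HKCR\Drive\shell\$verb" $backup /y | Out-Null
        Remove-Item -LiteralPath $key -Recurse -Force
        "Removed $key (backup at $backup)"
    }
}
```

Save it as, for instance, Audit-UsbWorm.ps1 and run it without arguments to report only; run it with -Remove to delete the verbs. Importing the .reg file above is the equivalent one-shot fix, but the script first shows you what the dangling verb pointed at, which is useful evidence of which payload the security tool removed.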
Also, below is an export of the normal Folder open/explore registry entries, since these too can be hijacked. The two hex(2) values are REG_EXPAND_SZ strings encoded as UTF-16LE: they decode to %SystemRoot%\Explorer.exe /e,/idlist,%I,%L for explore and %SystemRoot%\Explorer.exe /idlist,%I,%L for open.
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Folder\shell\explore]
"BrowserFlags"=dword:00000022
"ExplorerFlags"=dword:00000021

[HKEY_CLASSES_ROOT\Folder\shell\explore\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
  65,00,20,00,2f,00,65,00,2c,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,\
  00,25,00,49,00,2c,00,25,00,4c,00,00,00

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec]
@="[ExploreFolder(\"%l\",%I,%S)]"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\application]
@="Folders"

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\ifexec]
@="[]"

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\topic]
@="AppProperties"

[HKEY_CLASSES_ROOT\Folder\shell\open]
"BrowserFlags"=dword:00000010
"ExplorerFlags"=dword:00000012

[HKEY_CLASSES_ROOT\Folder\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
  65,00,20,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,00,25,00,49,00,2c,\
  00,25,00,4c,00,00,00

[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec]
@="[ViewFolder(\"%l\",%I,%S)]"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\application]
@="Folders"

[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\ifexec]
@="[]"

[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\topic]
@="AppProperties"
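A .reg file hides its most important content in the hex(2) byte lists, so before importing one, and after a cleanup, it pays to decode what the command values actually run and compare them with the live registry. The following is an added example, not code from the original post: it decodes the two command values from the export above (the byte lists are copied from it), checks that they decode to the expected Explorer command lines, and compares them with the current HKCR\Folder\shell\open\command and explore\command values read without environment-variable expansion. The expected strings are those of the author's system; on a different Windows build the stock values may legitimately differ, so treat a mismatch as something to compare against a known-good machine of the same build rather than as proof of tampering.

```powershell
# Added example (not from the original post): decode the REG_EXPAND_SZ (hex(2))
# command values in the export above and compare them with the live registry.

function Decode-RegHex2 {
    # Turns the comma-separated byte list of a .reg hex(2) value, including its
    # trailing-backslash line continuations, into the UTF-16LE string it encodes.
    param([Parameter(Mandatory)][string]$HexData)
    $bytes = $HexData -split '[,\s\\]+' |
        Where-Object { $_ } |
        ForEach-Object { [Convert]::ToByte($_, 16) }
    # Drop the two-byte NUL terminator that REG_EXPAND_SZ data carries.
    [Text.Encoding]::Unicode.GetString([byte[]]$bytes).TrimEnd([char]0)
}

# Byte lists copied verbatim from the export above.
$exportHex = @{
    explore = @'
25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,20,00,2f,00,65,00,2c,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,\
00,25,00,49,00,2c,00,25,00,4c,00,00,00
'@
    open = @'
25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,20,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,00,25,00,49,00,2c,\
00,25,00,4c,00,00,00
'@
}

$expected = @{}
foreach ($verb in $exportHex.Keys) { $expected[$verb] = Decode-RegHex2 $exportHex[$verb] }

# Self-check: the export is known to hold these two Explorer command lines.
if ($expected.explore -ne '%SystemRoot%\Explorer.exe /e,/idlist,%I,%L' -or
    $expected.open    -ne '%SystemRoot%\Explorer.exe /idlist,%I,%L') {
    throw 'hex(2) decoding did not yield the expected Explorer command lines'
}

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

foreach ($verb in 'open', 'explore') {
    $key = Get-Item -LiteralPath "HKCR:\Folder\shell\$verb\command" -ErrorAction SilentlyContinue
    # Read the raw value: the default expansion of %SystemRoot% would defeat a
    # byte-for-byte comparison with the export.
    $live = if ($key) {
        $key.GetValue('', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    }
    if ($live -eq $expected[$verb]) {
        "Folder\shell\$verb\command: matches export ($live)"
    } else {
        "Folder\shell\$verb\command: DIFFERS  live='$live'  export='$($expected[$verb])'"
    }
}
```

Decode-RegHex2 works on any hex(2) value pasted from a .reg file, so the same function can be used to inspect a suspicious .reg before importing it: a Drive\shell\open\command that decodes to anything other than Explorer is exactly the hijack the text describes.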