CMD32.exe USB Drive Virus: Detailed Description
Symptoms of infection:
Dropped files
%Windows%\CMD32.exe
%System%\voice.cpl
%System%\timedate.cpl
Dropped in the root directory of every partition
X:\autorun.inf
Contents of autorun.inf
[autorun]
Open=EvilDay.exe
shellexecute=EvilDay.exe
shell\打開(&O)\command=EvilDay.exe
shell=打開(&O)
shell\2\=瀏覽(&B)
shell\2\Command=EvilDay.exe
shell\3\=資源管理器(&X)
shell\3\Command=EvilDay.exe
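A way to check a drive's autorun.inf for entries like the ones above, as an added example that is not part of the original write-up: it parses the [autorun] section and lists every key that would start a program. The function names are hypothetical, and the sample text is built from the listing above with the backslashes in the shell keys restored as an assumption.

```python
import re

# Constructed from the autorun.inf shown above; the backslashes inside the
# shell\...\command keys are restored here as an assumption.
SAMPLE = r"""[autorun]
Open=EvilDay.exe
shellexecute=EvilDay.exe
shell\打開(&O)\command=EvilDay.exe
shell=打開(&O)
shell\2\=瀏覽(&B)
shell\2\Command=EvilDay.exe
shell\3\=資源管理器(&X)
shell\3\Command=EvilDay.exe
"""

# Keys that make Explorer start a program: open / shellexecute on AutoPlay,
# shell\<verb>\command when that context-menu verb is chosen.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")

def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lowercased."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries

def launch_targets(text):
    """Entries that would run an executable, in file order."""
    return [(k, v) for k, v in parse_autorun(text) if LAUNCH_KEY.match(k)]

if __name__ == "__main__":
    for key, program in launch_targets(SAMPLE):
        print(f"{key} -> {program}")
```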
Registry modifications:
The virus creates a startup entry
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOTEPAD"="%Windows%\CMD32.exe"
Changes the AutoPlay disable setting
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:0000005b
Disables "Show all files and folders"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
Disables "Registry Editor"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
Removal method:
1. End the process
%Windows%\CMD32.exe
2. Delete the virus files
%Windows%\CMD32.exe
%System%\voice.cpl
%System%\timedate.cpl
X:\autorun.inf
3. Change the system time back
4. Restart the computer
Download SREng
Open SREng - System Repair - Windows Shell/IE - Select All - Repair
5. Delete the registry entries created by the virus
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOTEPAD"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"
6. Edit the registry to repair the disabled "AutoPlay" setting
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
7. Delete the Image File Execution Options hijack entries
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Twister.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SNATask.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysWarn.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sloemnit.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gss.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.EXE]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RvaMon.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rva.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMain.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe]
Removal complete!


