U盘病毒CMD32.exe分析手动解决_电脑软硬件应用网_国内最受关注的计算机应用解决中心

首页·电脑学院·电脑故障·操作系统·硬件教程·局域网技术·QQ技巧·网络安全·办公软件· 数据库

导航·设计学院·图像处理·网页设计·软件教程·服务器技术·笔记本·专家装机·网络编程·在线问答

当前位置：电脑软硬件应用网 > 电脑学院 > 网络安全 > 正文

U盘病毒CMD32.exe分析手动解决

U盘病毒CMD32.exe分析手动解决

2007-7-18 8:25:12　　文/mopery 　　出处:计算机安全资讯　　

详细资料:

文件变化:

释放文件
%Windows%\CMD32.exe
%System%\voice.cpl
%System%\timedate.cpl

各分区根目录释放

X:\autorun.inf

autorun.inf 内容

[autorun]
Open=EvilDay.exe
shellexecute=EvilDay.exe
shell\打开(&O)\command=EvilDay.exe
shell=打开(&O)
shell\2\=浏览(&B)
shell\2\Command=EvilDay.exe
shell\3\=资源管理器(&X)
shell\3\Command=EvilDay.exe

修改注册表:
病毒创建启动项

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOTEPAD"="%Windows%\CMD32.exe"

修改自动播放禁用设置

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:0000005b

禁用"显示所有文件和文件夹"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

禁用"注册表编辑器"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

其他行为:
使用命令启动自动播放服务
net start ShellHWDetection

删除hips软件 GhostSecuritySuite 主程序
%ProgramFiles%\GhostSecuritySuite\gss.exe

修改系统时间
1937-07-07
12:00
创建 Image File Execution Options 劫持安全相关程序,当被劫持程序运行,实际运行的是病毒主程序.

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Twister.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SNATask.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysWarn.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sloemnit.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gss.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.EXE]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RvaMon.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rva.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMain.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe]

结束安全软件相关进程,以及VMware tools

SysWarn.exe
snatry.exe
sloemnit.exe
SNATask.exe
VMwareUser.exe
snaregmn.exe
vmsrvc.exe
vmusrvc.exe
FilMsg.exe
Twister.exe
gss.exe
KAVStart.EXE
KWatch.EXE

清除方法:
1.结束进程

%Windows%\CMD32.exe

2.删除病毒文件
%Windows%\CMD32.exe

%System%\voice.cpl

%System%\timedate.cpl

X:\autorun.inf

3. 修改回系统时间

4. 重启计算机

下载SREng(该软件可到down.45its.com下载)

打开sreng-系统修复-windows shell/ie-全选-修复-

5.删除病毒创建的注册表

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NOTEPAD"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"

6.修改注册表,修复被禁用的"自动播放"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

7.删除 Image File Execution Options 映像劫持项

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Twister.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SNATask.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysWarn.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sloemnit.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gss.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.EXE]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.EXE]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RvaMon.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rva.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMain.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe]

上一篇文章：木马下载者wniapsvr.exe的手动解决

下一篇文章： msvcrt.dll Relive.dll msvcrt.bak病毒变种解决方案

最新热点		最新推荐		相关文章
				删不掉的"淘宝图标"来侵教你删"淘宝… 微软高危漏洞"快捷方式自动执行"手工… acad.vlx删除方法 360se.exe病毒清除解决方案 regedit32.exe 病毒清除解决方案 3874jr98.exe,long.exe等病毒清除解… RG8.tmp病毒清除解决方案 139ujf939.exe,2.exe等病毒清除解决… EntSoQn.exe病毒清除解决方案 360safess.net.exe等病毒清除解决方…