sniper54's <<Completely removing the autorun virus>>
Quote: I'm annoyed. Yesterday I used a USB stick. As soon as I plugged it in I double-clicked it, and the system immediately slowed down. *sweat*. Something felt wrong, because I had been infected before, so I went straight into Safe Mode and scanned! I tried that annoying 木马杀客 (Trojan Killer), McAfee, Jiangmin, KV, Kingsoft and Rising antivirus; none of them could remove it. I also downloaded N dedicated removal tools for 落雪 (Luoxue) and 魔波 (Mobo); none of them found a virus. *sweat*...

Quote: Ugh.. truly speechless. When I used 360安全卫士 (360 Safeguard) to clear BHOs, there was a BHO called JAVA-something; it looked wrong and I tried to remove it, but that failed. Dizzy.. Gradually I got an idea: I downloaded Total Commander right away, installed it and configured TC as shown: [screenshot]
Then open the USB drive, find the Recycler folder inside it, and copy the autorun.exe from there to the desktop. Then permanently delete the Recycler folder and the autorun.inf file; the USB drive is now repaired. Upload the copied autorun.exe to the site http://www.virustotal.com/en/indexf.html. [screenshot] Click Browse, select the autorun.exe you just copied, click Send, then wait... wait for the scan result. It turned out that only Dr.Web and Kaspersky flagged it; none of the others did. *sweat*.. Since I had never used Dr.Web, I went and downloaded a copy of Kaspersky and installed it. Rebooted, updated the virus database, scanned... it cleanly removed 7 viruses. At this point all the virus files were gone.

But there was still one problem: you can no longer see protected operating system files, such as boot.ini in the root of C:. After you untick the box nothing happens, and when you open the settings again it has been ticked again automatically. Dizzying. As shown: [screenshot]

I originally thought such a small problem would be simple. I found a technical document online, and following it I located HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\showall, changed CheckedValue to 1, refreshed, rebooted.... ugh.. still the same.. I searched Baidu for ages, found N registry files, and importing every one of them failed. Changing group policy was the same. Ugh..

Later I studied it myself.. compared against the registry of a healthy PC, opened Notepad, and edited the following:

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"TaskbarSizeMove"=dword:00000000
"Start_ShowHelp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder]
"Type"="group"
"Text"="@shell32.dll,-30498"
"Bitmap"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,\
  48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,34,00,00,\
  00
"HelpID"="shell.hlp#51140"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ClassicViewState]
"Type"="checkbox"
"Text"="@shell32.dll,-30506"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ClassicViewState"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51076"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ControlPanelInMyComputer]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideMyComputerIcons"
"Text"="@shell32.dll,-30497"
"Type"="checkbox"
"ValueName"="{21EC2020-3AEA-1069-A2DD-08002B30309D}"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000001
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51150"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess]
"Type"="checkbox"
"Text"="@shell32.dll,-30507"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="SeparateProcess"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51079"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess\Policy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DesktopProcess\Policy\SeparateProcess]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\DisableThumbCache]
"Type"="checkbox"
"Text"="@shell32.dll,-30517"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="DisableThumbnailCache"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51155"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FolderSizeTip]
"Type"="checkbox"
"Text"="@shell32.dll,-30514"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="FolderContentsInfoTip"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FriendlyTree]
"Type"="checkbox"
"Text"="@shell32.dll,-30511"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="FriendlyTree"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"HelpID"="shell.hlp#51149"
"DefaultValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Text"="@shell32.dll,-30499"
"Type"="group"
"Bitmap"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,\
  48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,34,00,00,\
  00
"HelpID"="shell.hlp#51131"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51104"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"Type"="checkbox"
"Text"="@shell32.dll,-30503"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="HideFileExt"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="shell.hlp#51101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler]
"Type"="checkbox"
"Text"="@shell32.dll,-30509"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="NoNetCrawling"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51147"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler\Policy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\NetCrawler\Policy\NoNetCrawling]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\PersistBrowsers]
"Type"="checkbox"
"Text"="@shell32.dll,-30513"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="PersistBrowsers"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"HelpID"="shell.hlp#51152"
"DefaultValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowCompColor]
"Type"="checkbox"
"Text"="@shell32.dll,-30512"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ShowCompColor"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="shell.hlp#51130"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath]
"Type"="checkbox"
"Text"="@shell32.dll,-30504"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CabinetState"
"ValueName"="FullPath"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51100"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPathAddress]
"Type"="checkbox"
"Text"="@shell32.dll,-30505"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CabinetState"
"ValueName"="FullPathAddress"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="shell.hlp#51107"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowInfoTip]
"Type"="checkbox"
"Text"="@shell32.dll,-30502"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ShowInfoTip"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="shell.hlp#51102"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SimpleSharing]
"Type"="checkbox"
"Text"="@shell32.dll,-30518"
"HKeyRoot"=dword:80000002
"RegPath"="System\\CurrentControlSet\\Control\\LSA"
"ValueName"="ForceGuest"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"HelpID"="shell.hlp#51154"
"DefaultValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="checkbox"
"Text"="@shell32.dll,-30508"
"WarningIfNotDefault"="@shell32.dll,-28964"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ShowSuperHidden"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51103"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\WebViewBarricade]
"Type"="checkbox"
"Text"="@shell32.dll,-30510"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="WebViewBarricade"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"HelpID"="shell.hlp#51148"
"DefaultValue"=dword:00000000
```

Quote: Then save it as All Files with the filename a.reg, and import it.... Wow. Back to normal... haha!! Great!!! With that, the whole cleanup is complete.

Quote: My summary of the cleanup steps:
1. Use TC to permanently delete the autorun.inf file and the recycler folder in the root of every drive.
2. Use 360 Safeguard to remove suspicious BHO entries and suspicious plugins.
3. Scan with Dr.Web or Kaspersky.
4. Import the registry file given above.
Note: the software mentioned in this post (TC, 360 Safeguard, Kaspersky, McAfee) can all be downloaded from http://www.clwind.com/index.asp

------- Getting more and more skilled; respect.

------- That registry file is really useful. When I ran into this situation before, most of the time I just reinstalled the OS for people... hehe

------- Haha. "Worn out my iron shoes searching, then found it without effort at all." Hehe, saved. I was just stuck on this very problem with no answer!

------- This virus is a wake-up call for people who think reinstalling the OS fixes everything.... the viruses have gotten stronger. Ha.

------- Very nice.. no use for it right now, but I'll keep it just in case.

------- If it were me I'd probably just have had to Ghost it. Learning from the admin of {$WebSiteName}..

------- Last time a brother from FF suggested creating a folder named autorun.inf on the USB drive.... That way the virus simply has no way to create its autorun.inf file, so it cannot achieve its goal of running on double-click, and even if the USB drive gets infected it doesn't matter... This idea is really good; personally I feel it can prevent 90% of USB viruses....
PS: when opening a USB drive, better not to double-click it...

------- "But there was still one problem: you can no longer see protected operating system files, such as boot.ini in the root of C:. After you untick the box nothing happens, and when you open the settings again it has been ticked again automatically. Dizzying. I originally thought such a small problem would be simple. I found a technical document online, and following it I located HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\showall, changed CheckedValue to 1, refreshed, rebooted.... ugh.. still the same.."
Do you know, admin of {$WebSiteName}, why changing the value did nothing? CheckedValue should be 1, and it is indeed 1, but that CheckedValue is of course a fake one; the real CheckedValue should be REG_DWORD. http://blog.163.com/jxph096/blog/ is a manual removal method I collected; everyone can take a look.
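The two scriptable steps of the summary above (step 1, clearing the drive roots, and step 4, restoring the Folder Options registry entries), together with the point the last reply makes about CheckedValue having to be a REG_DWORD, as one added PowerShell example. This is not code from the thread or from any tool it names; the function names, the drive letter E: in the usage lines, and the expected values (copied from the a.reg listing in the post) are my assumptions. Run it in an elevated Windows PowerShell 3.0 or later, since the HKLM writes need administrator rights.

```powershell
# Added example, not code from the thread. Covers the scriptable cleanup steps:
#   1. find and remove the root-level autorun.inf / RECYCLER on the stick,
#   4. verify and repair the Folder Options definitions the a.reg restores,
# plus the check the last reply points at: a CheckedValue that reads "1" but is
# REG_SZ instead of REG_DWORD, which Explorer ignores so the option snaps back.

# ---- Step 1a: what would a double-click on the drive have launched? ----
# Parses the [autorun] section and returns every key that names a program
# (open=, shellexecute=, shell\<verb>\command=) so the payload can be copied
# off for a VirusTotal submission before the file is deleted.
function Get-AutorunTarget {
    param([Parameter(Mandatory)][string]$Path)
    $section = ''
    $targets = @()
    foreach ($raw in (Get-Content -LiteralPath $Path -Force)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }
        $name, $value = $line -split '=', 2
        if ($null -eq $value) { continue }
        $name = $name.Trim().ToLower(); $value = $value.Trim()
        if ($name -in 'open', 'shellexecute' -or $name -match '^shell\\[^\\]+\\command$') {
            $targets += [pscustomobject]@{ Key = $name; Command = $value }
        }
    }
    return $targets
}

# ---- Step 1b: remove the dropper's files from the root of the stick ----
# -Force strips the Hidden/System/ReadOnly attributes the dropper sets.
# Supports -WhatIf so you can see what would be deleted first.
function Remove-AutorunArtifact {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DriveRoot)
    foreach ($name in 'autorun.inf', 'RECYCLER') {
        $item = Join-Path $DriveRoot $name
        if ((Test-Path -LiteralPath $item) -and $PSCmdlet.ShouldProcess($item, 'Remove')) {
            Remove-Item -LiteralPath $item -Recurse -Force
        }
    }
}

# ---- Step 4: verify / repair the Folder Options definitions ----
$FolderBase = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder'
# Expected REG_DWORD values, taken from the a.reg in the post (assumed correct here).
$Expected = @{
    'Hidden\SHOWALL'  = @{ CheckedValue = 1 }
    'Hidden\NOHIDDEN' = @{ CheckedValue = 2 }
    'SuperHidden'     = @{ CheckedValue = 0; UncheckedValue = 1 }
}

# Returns a list of problems; an empty list means the definitions are intact.
function Test-FolderOptionsIntegrity {
    $problems = @()
    foreach ($sub in $Expected.Keys) {
        $key = Get-Item -LiteralPath (Join-Path $FolderBase $sub) -ErrorAction SilentlyContinue
        foreach ($name in $Expected[$sub].Keys) {
            $want = $Expected[$sub][$name]
            if ($null -eq $key -or $key.GetValueNames() -notcontains $name) {
                $problems += "$sub\$name is missing"
                continue
            }
            $kind = $key.GetValueKind($name)
            $val  = $key.GetValue($name)
            # The type matters as much as the number: a REG_SZ "1" looks right
            # in regedit, but Explorer only honours the REG_DWORD form.
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord -or $val -ne $want) {
                $problems += "$sub\$name is $kind '$val', expected REG_DWORD $want"
            }
        }
    }
    return $problems
}

function Repair-FolderOptions {
    foreach ($sub in $Expected.Keys) {
        $path = Join-Path $FolderBase $sub
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $Expected[$sub].Keys) {
            # Delete first so the value is recreated as REG_DWORD rather than
            # updated in place with whatever type it currently has.
            Remove-ItemProperty -LiteralPath $path -Name $name -ErrorAction SilentlyContinue
            New-ItemProperty -LiteralPath $path -Name $name -Value $Expected[$sub][$name] -PropertyType DWord | Out-Null
        }
    }
    # HKeyRoot 80000001 in the .reg is HKEY_CURRENT_USER: these are the per-user
    # values the radio button and the checkbox actually write.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -LiteralPath $adv -Name Hidden -Value 1 -Type DWord
    Set-ItemProperty -LiteralPath $adv -Name ShowSuperHidden -Value 1 -Type DWord
}

# Usage (E: is the infected stick; adjust the letter):
#   Get-AutorunTarget -Path 'E:\autorun.inf'
#   Remove-AutorunArtifact -DriveRoot 'E:\' -WhatIf    # drop -WhatIf to delete
#   Test-FolderOptionsIntegrity
#   Repair-FolderOptions
```

Run `Test-FolderOptionsIntegrity` before and after `Repair-FolderOptions`; it returns nothing on a healthy machine and one line per broken value otherwise, which is the quickest way to tell the "fake" REG_SZ CheckedValue from a real one without reading hex in regedit. Explorer caches these settings, so restart explorer.exe or log off and back on after the repair. Point `Remove-AutorunArtifact` only at the removable drive: on a Windows 2000/XP NTFS system volume a hidden RECYCLER folder in the root is the legitimate Recycle Bin, and the dropper's copy is the one sitting in the root of a FAT-formatted stick next to autorun.inf.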