The first method uses an autorun.inf in the root of the drive and relies on the AutoRun feature: double-clicking the drive letter runs whatever the open= / shellexecute= line points at instead of opening the drive. This type is easy to disable (turn AutoRun off via Group Policy) or to clean (delete autorun.inf together with the hidden executable it references); common security tools (360safe, arswp and the like) remove it, and a reboot or logoff after cleaning normally restores the drive.
The second method modifies the registry: it adds an open key under HKEY_CLASSES_ROOT\Drive\shell (a clean system has no such key; by default a drive falls back to the Folder class's open verb), whose command points at the Trojan. Security tools often miss this part: they delete the Trojan/virus file but leave the registry key behind, so double-clicking the drive letter now tries to run a file that no longer exists and the drive cannot be opened normally. Deleting the open key under HKEY_CLASSES_ROOT\Drive\shell restores the default behaviour.
The registry file below removes both the open and explore verbs under Drive\shell (a leading "-" in a .reg key name deletes the key; both keys are ones the malware adds, and a clean system has neither). Import it if disabling AutoRun does not fix the problem:
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\Drive\shell\open]
[-HKEY_CLASSES_ROOT\Drive\shell\explore]
For comparison (and for restoring), here is an export of the normal Folder open/explore registry keys, which the malware may tamper with as well. The export comes from Windows XP; on later Windows versions the stock values of these keys differ, so compare against a known-good machine of the same version rather than importing blindly:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Folder\shell\explore]
"BrowserFlags"=dword:00000022
"ExplorerFlags"=dword:00000021

[HKEY_CLASSES_ROOT\Folder\shell\explore\command]
; REG_EXPAND_SZ, decoded: %SystemRoot%\Explorer.exe /e,/idlist,%I,%L
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
  65,00,20,00,2f,00,65,00,2c,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,\
  00,25,00,49,00,2c,00,25,00,4c,00,00,00

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec]
@="[ExploreFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\application]
@="Folders"

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\ifexec]
@="[]"

[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\topic]
@="AppProperties"

[HKEY_CLASSES_ROOT\Folder\shell\open]
"BrowserFlags"=dword:00000010
"ExplorerFlags"=dword:00000012

[HKEY_CLASSES_ROOT\Folder\shell\open\command]
; REG_EXPAND_SZ, decoded: %SystemRoot%\Explorer.exe /idlist,%I,%L
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
  65,00,20,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,00,25,00,49,00,2c,\
  00,25,00,4c,00,00,00

[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec]
@="[ViewFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\application]
@="Folders"

[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\ifexec]
@="[]"

[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\topic]
@="AppProperties"
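As an added example that is not part of the original post, the following PowerShell script checks both mechanisms described at the top of the page (autorun.inf and the hijacked Drive\shell verbs) and also compares the Folder verb commands with the values decoded from the export just given. It reports whether Drive\shell has open/explore subkeys, whether the executable their command points at still exists (the "tool deleted the file but left the key" case), whether the Folder commands match the export, and whether any mounted drive has an autorun.inf in its root; with -Remove it deletes the hijack keys and autorun.inf files. It assumes an elevated PowerShell session on Windows; the script name Check-DriveShell.ps1 and the -Remove switch are my own. The expected Folder commands are those of the XP-era export above, so on newer Windows versions a mismatch there means "compare with a known-good machine of the same version", not infection.

```powershell
<#
  Added example (not from the original post): audit the two drive-hijacking
  mechanisms discussed above and optionally clean them up.
  Usage:  .\Check-DriveShell.ps1           # report only
          .\Check-DriveShell.ps1 -Remove   # also delete hijack keys / autorun.inf
  Run from an elevated PowerShell; HKEY_CLASSES_ROOT is reached through the
  Registry:: provider path, so no extra PSDrive is needed.
#>
[CmdletBinding()]
param([switch]$Remove)

$driveShell  = 'Registry::HKEY_CLASSES_ROOT\Drive\shell'
$folderShell = 'Registry::HKEY_CLASSES_ROOT\Folder\shell'

# Normal Folder verb commands, decoded from the hex(2) (REG_EXPAND_SZ)
# values in the XP export above. Newer Windows versions ship different values.
$expected = @{
    'open'    = '%SystemRoot%\Explorer.exe /idlist,%I,%L'
    'explore' = '%SystemRoot%\Explorer.exe /e,/idlist,%I,%L'
}

function Get-UnexpandedDefault([string]$keyPath) {
    # Read a key's (Default) value without expanding %SystemRoot%, so the
    # string can be compared literally with the .reg export.
    $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    $key.GetValue('', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

function Get-CommandExe([string]$cmdLine) {
    # First token of a shell command line (quoted or bare), env vars expanded.
    $s = [Environment]::ExpandEnvironmentVariables($cmdLine).Trim()
    if ($s.StartsWith('"')) { return $s.Substring(1).Split('"')[0] }
    return $s.Split(' ')[0]
}

Write-Host "== $driveShell =="
# A clean system has no open/explore subkeys here and no (Default) value;
# double-clicking a drive then falls back to the Folder class verbs.
$defaultVerb = Get-UnexpandedDefault $driveShell
if ($defaultVerb) {
    Write-Warning "Drive\shell (Default) is set to '$defaultVerb'; this overrides the double-click verb"
}
foreach ($verb in 'open', 'explore') {
    $verbKey = "$driveShell\$verb"
    if (-not (Test-Path -LiteralPath $verbKey)) {
        Write-Host "Drive\shell\$verb : absent (OK)"
        continue
    }
    $cmd = Get-UnexpandedDefault "$verbKey\command"
    Write-Warning "Drive\shell\$verb exists; command = '$cmd'"
    if ($cmd) {
        $exe = Get-CommandExe $cmd
        if (-not (Test-Path -LiteralPath $exe)) {
            # Typical after an AV tool removed the Trojan but left the key:
            # the drive cannot be opened because the target is gone.
            Write-Warning "  target '$exe' no longer exists (stale hijack key)"
        }
    }
    if ($Remove) {
        Remove-Item -LiteralPath $verbKey -Recurse -Force
        Write-Host "  removed $verbKey"
    }
}

Write-Host "== $folderShell =="
foreach ($verb in $expected.Keys) {
    $cmd = Get-UnexpandedDefault "$folderShell\$verb\command"
    if ($cmd -eq $expected[$verb]) {
        Write-Host "Folder\shell\$verb\command : matches the export (OK)"
    } else {
        Write-Warning "Folder\shell\$verb\command = '$cmd' (export has '$($expected[$verb])'); compare with a known-good machine of the same Windows version"
    }
}

Write-Host "== autorun.inf in drive roots =="
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    # -PathType Leaf skips the "autorun.inf is a folder" immunisation trick.
    if (-not (Test-Path -LiteralPath $inf -PathType Leaf)) { continue }
    Write-Warning "found $inf"
    # Print the lines that launch something, so the referenced executable
    # can be removed together with the .inf (it is usually hidden/system).
    Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' } |
        ForEach-Object { Write-Host "  $_" }
    if ($Remove) {
        Remove-Item -LiteralPath $inf -Force
        Write-Host "  removed $inf"
    }
}
```

Run it once without -Remove and read the warnings first: the Drive\shell findings and a present autorun.inf are the hijack itself, while a Folder mismatch on anything newer than XP is expected and should only be acted on after comparing with a clean machine. After removing a Drive\shell key, a logoff or reboot is not required, but Explorer may need to be restarted before the drive opens normally again.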