有些木马把自己的属性设置成隐藏、系统属性,并且把注册表中“文件夹选项中的隐藏受保护的操作系统文件”项和“显示所有文件和文件夹”选项删除,致使通过procexp可以在进程中看到,但去文件所在目录又找不到源文件,无法进行删除.
针对这种情况可以把下面内容存储成ShowALl.reg文件,双击该文件导入注册表即可.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE"SOFTWARE"Microsoft"Windows"CurrentVersion"Explorer
"Advanced"Folder"Hidden"NOHIDDEN]
“RegPath”=”Software""Microsoft""Windows""CurrentVersion""Explorer""Advanced”
“Type”=”radio”
“CheckedValue”=dword:00000002
“ValueName”=”Hidden”
“DefaultValue”=dword:00000002
“HKeyRoot”=dword:80000001
“HelpID”=”shell.hlp#51104″
[HKEY_LOCAL_MACHINE"SOFTWARE"Microsoft"Windows"CurrentVersion"Explorer
"Advanced"Folder"Hidden"SHOWALL]
“RegPath”=”Software""Microsoft""Windows""CurrentVersion""Explorer""Advanced”
“Type”=”radio”
“CheckedValue”=dword:00000001
“ValueName”=”Hidden”
“DefaultValue”=dword:00000002
“HKeyRoot”=dword:80000001
“HelpID”=”shell.hlp#51105″
[HKEY_LOCAL_MACHINE"SOFTWARE"Microsoft"Windows"CurrentVersion"Explorer
"Advanced"Folder"SuperHidden]
“Type”=”checkbox”
“HKeyRoot”=dword:80000001
“RegPath”=”Software""Microsoft""Windows""CurrentVersion""Explorer""Advanced”
“ValueName”=”ShowSuperHidden”
“CheckedValue”=dword:00000000
“UncheckedValue”=dword:00000001
“DefaultValue”=dword:00000000
“HelpID”=”shell.hlp#51103″
[HKEY_LOCAL_MACHINE"SOFTWARE"Microsoft"Windows"CurrentVersion"Explorer
"Advanced"Folder"SuperHidden"Policy]
[HKEY_LOCAL_MACHINE"SOFTWARE"Microsoft"Windows"CurrentVersion"Explorer
"Advanced"Folder"SuperHidden"Policy"DontShowSuperHidden]
@=”"
具体操作方法:
1)记事本新建一个文件
2)将以上内容复制到新建的记事本文件中
3)文件菜单另存为showall.reg
4)双击存储的showall.reg文件,点击弹出的对话框是按钮即可。
阅读(671) | 评论(0) | 转发(0) |
