The virus first creates a registry key under HKEY_CLASSES_ROOT\CLSID,
then creates a corresponding key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
and changes that key's permissions so that the user has only Read access and no Full Control.
Once that is done, it hides the real IE icon.
With the mechanism understood, the clean-up steps are:
Expand
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
find the keys other than the normal ones, check the permissions on the keys the virus created, change the permissions to Full Control, then delete those keys (export a backup before deleting). Then go back to HKEY_CLASSES_ROOT\CLSID and search for the class keys the virus created:
once found, delete them, and the fake IE icon on the desktop can basically be deleted or will turn into a "monster" (a broken icon).
Below are some normal system registry entries, together with the entries created by the virus under test, for comparison so that the fake entries can be identified.
Export of the normal desktop IE registry entries:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}.default"="0"
"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000001
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"=dword:00000001
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"=dword:00000001
"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000
Export of the normal IE desktop icon entries (Desktop\NameSpace):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}]
@="Computer Search Results Folder"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}]
@=""
"Removal Message"="@mydocs.dll,-900"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}]
@="Search Results Folder"
Related link: https://hi.baidu.com/znhygsd/blog/item/48cab600fa8b338de850cd12.html
IE 6.0:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}]
"InfoTip"=hex(2):40,00,73,00,68,00,64,00,6f,00,63,00,6c,00,63,00,2e,00,64,00,\
  6c,00,6c,00,2c,00,2d,00,38,00,38,00,31,00,00,00
"LocalizedString"=hex(2):40,00,73,00,68,00,64,00,6f,00,63,00,6c,00,63,00,2e,00,\
  64,00,6c,00,6c,00,2c,00,2d,00,38,00,38,00,30,00,00,00
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon]
@=hex(2):73,00,68,00,64,00,6f,00,63,00,6c,00,63,00,2e,00,64,00,6c,00,6c,00,2c,\
  00,2d,00,31,00,39,00,30,00,00,00
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
  64,00,6f,00,63,00,76,00,77,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell]
@="OpenHomePage"
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage]
@="打开主页(&H)"
"MUIVerb"="@shdoclc.dll,-10241"
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
@=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,\
  00,46,00,69,00,6c,00,65,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,\
  65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,69,\
  00,65,00,78,00,70,00,6c,00,6f,00,72,00,65,00,2e,00,65,00,78,00,65,00,22,00,\
  00,00
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder]
"Attributes"=dword:00000024
"HideFolderVerbs"=""
"WantsParseDisplayName"=""
"HideOnDesktopPerUser"=""
explorer:
https://down.qiannao.com/space/file/znhygsd/-4e0a-4f20-5206-4eab/Explorer..reg.zip/.page
Created by the virus (Desktop\NameSpace):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{11016101-E366-4D22-BC06-4ADA335C892B}]
@="IE History and Feeds Shell Data Source for Windows Search"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}]
@="Computer Search Results Folder"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}]
@=""
"Removal Message"="@mydocs.dll,-900"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{B1D521BD-BD50-D123-3576-72D12B55633D}]
@="Microsoft Office Excel 2003"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}]
@="Search Results Folder"
Created by the virus (CLSID {11016101-...}):
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}]
@="IE History and Feeds Shell Data Source for Windows Search"
[HKEY_CLASSES_ROOT\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\InProcServer32]
@="C:\\WINDOWS\\system32\\ieframe.dll"
"ThreadingModel"="Both"
[HKEY_CLASSES_ROOT\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder]
"Attributes"=dword:20180000
Created by the virus (CLSID {B1D521BD-...}):
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{B1D521BD-BD50-D123-3576-72D12B55633D}]
@="Internet Explorer"
[HKEY_CLASSES_ROOT\CLSID\{B1D521BD-BD50-D123-3576-72D12B55633D}\DefaultIcon]
@="C:\\Program Files\\Internet Explorer\\iexplore.exe,-32528"
[HKEY_CLASSES_ROOT\CLSID\{B1D521BD-BD50-D123-3576-72D12B55633D}\Shell]
@=""
[HKEY_CLASSES_ROOT\CLSID\{B1D521BD-BD50-D123-3576-72D12B55633D}\Shell\D]
@="删除(&D)"
[HKEY_CLASSES_ROOT\CLSID\{B1D521BD-BD50-D123-3576-72D12B55633D}\Shell\D\Command]
@="Rundll32.exe"
[HKEY_CLASSES_ROOT\CLSID\{B1D521BD-BD50-D123-3576-72D12B55633D}\Shell\Open]
@="打开主页(&H)"
[HKEY_CLASSES_ROOT\CLSID\{B1D521BD-BD50-D123-3576-72D12B55633D}\Shell\Open\Command]
@="C:\\Program Files\\Internet Explorer\\iexplore.exe %1 h%t%t%p%:%/%/%w%w%w%.%18%f%f%.%n%e%t%/%?%12%16%?%15%16"
[HKEY_CLASSES_ROOT\CLSID\{B1D521BD-BD50-D123-3576-72D12B55633D}\Shell\属性(&R)]
@=""
[HKEY_CLASSES_ROOT\CLSID\{B1D521BD-BD50-D123-3576-72D12B55633D}\Shell\属性(&R)\Command]
@="Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"
[HKEY_CLASSES_ROOT\CLSID\{B1D521BD-BD50-D123-3576-72D12B55633D}\ShellFolder]
@=""
"Attributes"=dword:00000010
End of reprinted content.
Registry of the machine-shop office computer after infection:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{11016101-E366-4D22-BC06-4ADA335C892B}]
@="IE History and Feeds Shell Data Source for Windows Search"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}]
@="Computer Search Results Folder"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}]
@=""
"Removal Message"="@mydocs.dll,-900"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{46D946C3-CB48-7449-B47C-0D25C509DE46}]
@="Internet Explorer"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{909C6148-56B0-1A41-BED8-DB1D3ED0726D}]
@="Internet Explorer"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}]
@="Search Results Folder"
The entries marked green in the original (the two keys {46D946C3-CB48-7449-B47C-0D25C509DE46} and {909C6148-56B0-1A41-BED8-DB1D3ED0726D}, both named "Internet Explorer") were added by the virus; the parts marked red in the original (those names) are what lets you judge that an entry was added by the virus. Deleting these two entries removes the virus icon from the desktop, but that is not the end of it: to clear the virus's leftovers, search the registry using {46D946C3-CB48-7449-B47C-0D25C509DE46} as the keyword, or look manually under the HKEY_CLASSES_ROOT\CLSID subkey. The registry keys this virus created there are:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{46D946C3-CB48-7449-B47C-0D25C509DE46}]
@="绿色上网主页"
[HKEY_CLASSES_ROOT\CLSID\{46D946C3-CB48-7449-B47C-0D25C509DE46}\DefaultIcon]
@="C:\\WINDOWS\\520.Ico"
[HKEY_CLASSES_ROOT\CLSID\{46D946C3-CB48-7449-B47C-0D25C509DE46}\Shell]
[HKEY_CLASSES_ROOT\CLSID\{46D946C3-CB48-7449-B47C-0D25C509DE46}\Shell\Open(&O)]
[HKEY_CLASSES_ROOT\CLSID\{46D946C3-CB48-7449-B47C-0D25C509DE46}\Shell\Open(&O)\Command]
@="C:\\Program Files\\Internet Explorer\\iexplore.exe %1 htt%p://%w%w%w.%19%11%11g.c%n"
[HKEY_CLASSES_ROOT\CLSID\{46D946C3-CB48-7449-B47C-0D25C509DE46}\Shell\OpenMain]
@="打开主页(&H)"
[HKEY_CLASSES_ROOT\CLSID\{46D946C3-CB48-7449-B47C-0D25C509DE46}\Shell\Z]
@="删除(&D)"
[HKEY_CLASSES_ROOT\CLSID\{46D946C3-CB48-7449-B47C-0D25C509DE46}\Shell\Z\Command]
@="Rundll32.exe"
[HKEY_CLASSES_ROOT\CLSID\{46D946C3-CB48-7449-B47C-0D25C509DE46}\Shell\属性(&R)]
[HKEY_CLASSES_ROOT\CLSID\{46D946C3-CB48-7449-B47C-0D25C509DE46}\Shell\属性(&R)\Command]
@="Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"
[HKEY_CLASSES_ROOT\CLSID\{46D946C3-CB48-7449-B47C-0D25C509DE46}\ShellFolder]
"Attributes"=dword:0010000a
The part marked red in the original (the address in the Open(&O)\Command value) is the web address the virus hijacks browsing to; delete the entire {46D946C3-CB48-7449-B47C-0D25C509DE46} registry key.
The other virus registry key I deleted without saving an export; the way to find it is the same, searching the registry for {909C6148-56B0-1A41-BED8-DB1D3ED0726D}.
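As an added example (not the blog's own code), the following Python script automates the comparison from the clean-up steps at the top of the post and the hijacked-URL check from the CLSID export above: it parses .reg export text, reports Desktop\NameSpace CLSIDs that are not among the known-good ones listed on this page, and flags any shell ...\Command value that hands a URL to iexplore.exe after %1. The sample .reg text is constructed from the infected exports shown on this page; the known-good set is only the four CLSIDs from the clean export here and would need extending for other Windows versions.

```python
import re
# Known-good Desktop\NameSpace CLSIDs, taken from the clean export on this page.
KNOWN_GOOD = {
    "{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}",  # Computer Search Results Folder
    "{450D8FBA-AD25-11D0-98A8-0800361B1103}",  # My Documents
    "{645FF040-5081-101B-9F08-00AA002F954E}",  # Recycle Bin
    "{E17D4FC0-5564-11D1-83F2-00A0C90DC849}",  # Search Results Folder
}

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}} ('@' = default value)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:  # hex(2) continuation lines have no '='
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys

def unknown_namespace_clsids(text):
    """CLSIDs registered under Desktop\\NameSpace that are not in KNOWN_GOOD."""
    found = set()
    for key in parse_reg(text):
        m = re.search(r"\{[0-9A-Fa-f-]{36}\}", key)
        if "\\Desktop\\NameSpace\\" in key and m and m.group(0).upper() not in KNOWN_GOOD:
            found.add(m.group(0).upper())
    return sorted(found)

def hijacked_open_commands(text):
    """(key, command) pairs where a shell ...\\Command hands a URL to IE after %1."""
    hits = []
    for key, values in parse_reg(text).items():
        cmd = values.get("@", "")
        after_arg = cmd.partition("%1")[2].replace("%", "")  # drop the virus's '%' padding
        if key.lower().endswith("\\command") and re.search(r"https?://|www\.", after_arg, re.I):
            hits.append((key, cmd))
    return hits

# Constructed sample: entries taken from the infected exports shown on this page.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{46D946C3-CB48-7449-B47C-0D25C509DE46}]
@="Internet Explorer"
[HKEY_CLASSES_ROOT\CLSID\{46D946C3-CB48-7449-B47C-0D25C509DE46}\Shell\Open(&O)\Command]
@="C:\\Program Files\\Internet Explorer\\iexplore.exe %1 htt%p://%w%w%w.%19%11%11g.c%n"
"""
```

Feed it the text of a `reg export` of the Desktop\NameSpace and CLSID keys; the script only reads the export and never modifies the registry, so the manual backup-then-delete steps above still apply.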