the0800230309dword | Home/Personal Applications | 2022-09-08 | License: keep author attribution, no commercial use, no derivative works
The mechanism behind the currently widespread "two IE icons on the desktop" (or "double IE") problem has more or less been worked out:
The virus first creates a registry key under HKEY_CLASSES_ROOT\CLSID\,
then creates a corresponding key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
and changes that key's permissions so that the user only has read access, not full control.
After that, it hides the real IE icon.
Once the mechanism is understood, the cleanup procedure should be:
Open this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
Find the keys other than the normal ones, check the permissions on the keys they created, change the permissions to Full Control, then delete their keys (export a backup before deleting). Then go back to HKEY_CLASSES_ROOT\CLSID\ and search for the class keys they created. Example:
Once found, delete them; the fake IE on the desktop can then basically be deleted, or at least turns into a "monster" (a dead leftover icon).
Below are some normal system registry keys and the registry keys created by the virus under test, for reference and comparison when picking out the fake entries.
Export of the normal desktop IE registry keys:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
; {871C5380-42A0-1069-A2EA-08002B30309D}.default=0
"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000001
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"=dword:00000001
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"=dword:00000001
"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000
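As an added example (not from the original post), here is a PowerShell audit script that applies the cleanup checks above: it reports whether the real IE icon has been hidden through HideDesktopIcons, lists every Desktop\NameSpace entry together with the name registered under HKEY_CLASSES_ROOT\CLSID, flags entries that are outside an assumed allowlist or whose ACL has been locked down, and exports a .reg backup of each flagged key before anyone deletes it by hand. The allowlist (the four CLSIDs from the export above), the backup directory and the "Administrators must hold Full Control" test are assumptions, so a flagged entry means "review this", not "this is the virus".

```powershell
# Added audit script; not part of the original post. Assumes PowerShell 3+ on Windows,
# run from an elevated prompt. The allowlist is an assumption taken from the post's export;
# other legitimate namespace entries (e.g. Recycle Bin) would also be flagged for review.
$nsKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
$hideKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel'
$ieClsid = '{871C5380-42A0-1069-A2EA-08002B30309D}'
$allow   = @($ieClsid,                                   # Internet Explorer
             '{20D04FE0-3AEA-1069-A2D8-08002B30309D}',   # My Computer
             '{450D8FBA-AD25-11D0-98A8-0800361B1103}',   # My Documents
             '{208D2C60-3AEA-1069-A2D7-08002B30309D}')   # Network Neighborhood
$backupDir = Join-Path $env:TEMP 'namespace-backup'      # assumed backup location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

# 1. Has the real IE icon been hidden? (1 = hidden, which is what the post describes)
$hidden = (Get-ItemProperty -Path $hideKey -ErrorAction SilentlyContinue).$ieClsid
if ($hidden -eq 1) { Write-Warning "Real IE icon is hidden: $ieClsid = 1 under HideDesktopIcons" }

# 2. Walk every namespace entry: resolve its CLSID display name and inspect its ACL
foreach ($sub in Get-ChildItem -Path $nsKey) {
    $clsid = $sub.PSChildName
    $cls   = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue
    $name  = if ($cls) { $cls.GetValue('') } else { '<no CLSID entry>' }
    $acl   = Get-Acl -Path $sub.PSPath -ErrorAction SilentlyContinue
    $flags = @()
    if ($clsid -notin $allow) { $flags += 'not in allowlist' }
    if ($null -eq $acl) {
        $flags += 'ACL not readable'
    } else {
        # The post's virus leaves users with read access only: look for a missing
        # Administrators Full Control entry or any explicit Deny ACE on the key
        $adminFull = $acl.Access | Where-Object {
            $_.IdentityReference -like '*\Administrators' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.RegistryRights.HasFlag($fullControl) }
        $denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
        if (-not $adminFull) { $flags += 'Administrators lack Full Control' }
        if ($denies) { $flags += "Deny ACE for $($denies.IdentityReference -join ', ')" }
    }
    if ($flags) {
        Write-Warning ("{0}  name='{1}'  owner={2}  [{3}]" -f $clsid, $name, $acl.Owner, ($flags -join '; '))
        # Export a backup of the flagged key before any manual deletion, as the post advises
        $regPath = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\$clsid"
        reg.exe export $regPath (Join-Path $backupDir "$clsid.reg") /y | Out-Null
    } else {
        Write-Output ("{0}  name='{1}'  OK" -f $clsid, $name)
    }
}
```

Entries that are flagged only as "not in allowlist" but have a sane ACL and a recognisable CLSID name are usually legitimate shell extensions; the combination of an unknown CLSID and a locked-down ACL is the pattern the post describes.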


[Download] 11002110219.rar