(The "two IE icons on the desktop" infection is now widespread, and the principle behind the double IE is roughly as follows.
The virus first creates a registry entry under: HKEY_CLASSES_ROOT\CLSID\
It then creates a corresponding item under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
and changes the permissions on it so that the user has only read permission, not full control.
After that, it hides the normal IE icon.
Once the principle is understood, the cleanup procedure is as follows.
Open this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
Find the items other than the normal ones and look at the permissions of the registry keys the virus created. Change the permissions to full control, then delete those entries (export a backup before deleting). Then go back to HKEY_CLASSES_ROOT\CLSID\ and search for the class items it created. Example:
Once they are found, delete them. After that, the fake IE icon on the desktop can basically be deleted, or it becomes a strange-looking icon.
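The inspection part of the procedure above, as an added PowerShell example that is not part of the original post. It only reads the registry: it lists every subkey under Desktop\NameSpace with the class name registered under HKEY_CLASSES_ROOT\CLSID and flags keys whose permissions look locked down. The variable names and the Review heuristic (a Deny rule, or no full-control grant to the Administrators group) are assumptions of this example.

```powershell
# Read-only audit of desktop namespace entries; changes nothing in the registry.
$nsPath    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
$clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'   # HKCR has no default PowerShell drive
$adminSid  = 'S-1-5-32-544'                        # well-known SID of BUILTIN\Administrators
$full      = [System.Security.AccessControl.RegistryRights]::FullControl
$sidType   = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($key in Get-ChildItem -LiteralPath $nsPath) {
    $guid      = $key.PSChildName
    $classPath = "$clsidRoot\$guid"

    # Name registered for the class (default value of its CLSID key), if the class exists.
    $className = $null
    if (Test-Path -LiteralPath $classPath) {
        $className = (Get-Item -LiteralPath $classPath).GetValue('')
    }

    # Read the subkey's ACL with identities as SIDs, so the check is locale-independent.
    $rules = $null; $owner = $null
    try {
        $acl   = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop
        $owner = $acl.Owner
        $rules = @($acl.GetAccessRules($true, $true, $sidType))
    } catch {
        Write-Warning "Cannot read ACL of ${guid}: $($_.Exception.Message)"
    }

    $hasDeny   = [bool]($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
    $adminFull = [bool]($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $adminSid -and
        ($_.RegistryRights -band $full) -eq $full
    })

    [pscustomobject]@{
        Guid      = $guid
        Label     = $key.GetValue('')   # default value of the NameSpace subkey
        ClassName = $className
        Owner     = $owner
        AdminFull = $adminFull
        HasDeny   = $hasDeny
        # Assumed heuristic: unreadable or locked-down permissions mark an entry for review.
        Review    = ($null -eq $rules) -or $hasDeny -or (-not $adminFull)
    }
}

$report | Sort-Object Review -Descending | Format-Table -AutoSize
```

A flagged row is only a candidate: compare its GUID with a known-good export, and export the key as a backup before changing permissions or deleting it.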
Below are some normal system registry entries and the registry entries created by the tested virus, for reference and comparison, to help identify the fake entries.
Registry export for the normal desktop IE icon:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
{871C5380-42A0-1069-A2EA-08002B30309D}.default=0
"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000001
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"=dword:00000001
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"=dword:00000001
"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000)