来源：C:\WINDOWS\system32\reg.exe
目标：HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\[Start Page]\[http://www.9281.net/?new]

很顽固地篡改了桌面IE图标和主页，瑞星报有木马病毒。用瑞星双IE病毒专杀根本不起作用。用瑞星查杀，发现不了病毒。删除了他的快捷方式指向的链接文件，一启动电脑，就又出现了。并且提示木马病毒正在篡改主页，写入注册表。

用户系统信息：Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

解决办法参考天月版主置顶帖：http://bbs.ikaka.com/showtopic-8685996.aspx

1188恶意网站专杀工具不起作用！

尝试其中所有的方法，如果仍不能解决使用System Repair Engineer扫描日志，将日志作为附件上传上来。
下载页面：http://www.kztechs.com/sreng/download.html
操作方法：
1、下载后解压缩，运行SREngPS.EXE；
2、如果无法打开尝试把SREngPS.EXE改名为123.com，并复制到c:\windows目录下运行；
3、依次点击【智能扫描】-【扫描】，耐心等待，扫描结束后点击【保存报告】；
4、选择保存路径，文件名保持默认，直接点击【保存】；
5、打开保存的日志文件SREngLOG.log，完整复制全部内容，新建一个文本文档，将日志中的全部内容粘贴到“新建文本文档.txt”中；
6、将“新建文本文档.txt”作为附件上传，同时务必详细描述问题现象，如果有查杀不净的病毒务必提供病毒名和路径。

********** 日志开始 **********

[键]HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\SHELL\打开主页(&H)\COMMAND
[值]@
[类型]REG_SZ
[内容]c:\program files\internet explorer\iexplore.exe  http://www.9281.net/?sys

[键]HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DFFFF}\SHELL\打开主页(&H)\COMMAND
[值]@
[类型]REG_SZ
[内容]c:\program files\internet explorer\iexplore.exe  http://www.9281.net/?sys

[键]HKEY_CLASSES_ROOT\CLSID\{0002DF01-0000-0000-C000-000000000046}\LOCALSERVER32
[值]@
[类型]REG_SZ
[内容]"c:\program files\internet explorer\iexplore.exe"

[键]HKEY_CLASSES_ROOT\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\DEFAULTICON
[值]@
[类型]REG_EXPAND_SZ
[内容]c:\program files\internet explorer\iexplore.exe,1

[键]HKEY_CLASSES_ROOT\CLSID\{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}\DEFAULTICON
[值]@
[类型]REG_EXPAND_SZ
[内容]c:\program files\internet explorer\iexplore.exe,1

[键]HKEY_CLASSES_ROOT\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\OLD ICON\HTMLFILE\DEFAULTICON
[值]@
[类型]REG_SZ
[内容]c:\program files\internet explorer\iexplore.exe,1

[键]HKEY_CLASSES_ROOT\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\OLD ICON\MHTMLFILE\DEFAULTICON
[值]@
[类型]REG_SZ
[内容]c:\program files\internet explorer\iexplore.exe,22

[键]HKEY_CLASSES_ROOT\CLSID\{65014010-9F62-11D1-A651-00600811D5CE}\DEFAULTICON
[值]@
[类型]REG_EXPAND_SZ
[内容]c:\program files\internet explorer\iexplore.exe,1

[键]HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\SHELL\OPENHOMEPAGE\COMMAND
[值]@
[类型]REG_EXPAND_SZ
[内容]%programfiles%\internet explorer\iexplore.exe

[键]HKEY_CLASSES_ROOT\CLSID\{AE24FDAE-03C6-11D1-8B76-0080C744F389}\TOOLBOXBITMAP32
[值]@
[类型]REG_SZ
[内容]c:\program files\internet explorer\iexplore.exe,1

[键]HKEY_CLASSES_ROOT\CLSID\{FBF23B42-E3F0-101B-8488-00AA003E56F8}\DEFAULTICON
[值]@
[类型]REG_EXPAND_SZ
[内容]"%programfiles%\internet explorer\iexplore.exe",-32528

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DESKTOP\NAMESPACE\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}
[值]@
[类型]REG_SZ
[内容]computer search results folder

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DESKTOP\NAMESPACE\{450D8FBA-AD25-11D0-98A8-0800361B1103}
[值]REMOVAL MESSAGE
[类型]REG_SZ
[内容]@mydocs.dll,-900

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DESKTOP\NAMESPACE\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}
[值]@
[类型]REG_SZ
[内容]search results folder

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU
[值]{871C5380-42A0-1069-A2EA-08002B30309D}.DEFAULT
[类型]REG_SZ
[内容]0

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU
[值]{871C5380-42A0-1069-A2EA-08002B30309D}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU
[值]@
[类型]REG_SZ
[内容]null

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU
[值]{208D2C60-3AEA-1069-A2D7-08002B30309D}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU
[值]{20D04FE0-3AEA-1069-A2D8-08002B30309D}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU
[值]{450D8FBA-AD25-11D0-98A8-0800361B1103}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\NEWSTARTPANEL
[值]{20D04FE0-3AEA-1069-A2D8-08002B30309D}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\NEWSTARTPANEL
[值]{450D8FBA-AD25-11D0-98A8-0800361B1103}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\NEWSTARTPANEL
[值]{208D2C60-3AEA-1069-A2D7-08002B30309D}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\NEWSTARTPANEL
[值]{871C5380-42A0-1069-A2EA-08002B30309D}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\NEWSTARTPANEL
[值]@
[类型]REG_SZ
[内容]null

[键]HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU
[值]{871C5380-42A0-1069-A2EA-08002B30309D}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU
[值]@
[类型]REG_SZ
[内容]null

[键]HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU
[值]{208D2C60-3AEA-1069-A2D7-08002B30309D}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU
[值]{20D04FE0-3AEA-1069-A2D8-08002B30309D}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\CLASSICSTARTMENU
[值]{450D8FBA-AD25-11D0-98A8-0800361B1103}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\NEWSTARTPANEL
[值]{450D8FBA-AD25-11D0-98A8-0800361B1103}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\NEWSTARTPANEL
[值]{20D04FE0-3AEA-1069-A2D8-08002B30309D}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\NEWSTARTPANEL
[值]{208D2C60-3AEA-1069-A2D7-08002B30309D}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\NEWSTARTPANEL
[值]{871C5380-42A0-1069-A2EA-08002B30309D}
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\HIDEDESKTOPICONS\NEWSTARTPANEL
[值]@
[类型]REG_SZ
[内容]null

[键]HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
[值]DISABLEREGISTRYTOOLS
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
[值]DISABLETASKMGR
[类型]REG_DWORD
[内容]0x00000000

[键]HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER
[值]PENDINGFILERENAMEOPERATIONS
[类型]REG_MULTI_SZ
[内容]\??\c:\program files\360\360safe\update\~9.tmp
     
      \??\c:\program files\360\360safe\update\~tm8.tmp
     
     
     

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{01443AEC-0FD1-40FD-9C87-E93D1494C233}
[值]@
[类型]REG_SZ
[内容]thunder atonce

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{2D90D33C-DE76-42D0-9040-E4466DDC24AC}
[值]@
[类型]REG_SZ
[内容]xlliteview browserhelper object

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{2D90D33C-DE76-42D0-9040-E4466DDC24AC}
[值]NOEXPLORER
[类型]REG_DWORD
[内容]0x00000001

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{889D2FEB-5411-4565-8998-1DD2C5261283}
[值]@
[类型]REG_SZ
[内容]thunderbho

[键]HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}
[值]NOEXPLORER
[类型]REG_DWORD
[内容]0x00000001

楼主请仔细看我四楼的回帖

日志上不是很清楚了？

[类型]REG_SZ
[内容]c:\program files\internet explorer\iexplore.exe  http://www.9281.net/?sys

[键]HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DFFFF}\SHELL\打开主页(&H)\COMMAND
[值]@
[类型]REG_SZ
[内容]c:\program files\internet explorer\iexplore.exe  http://www.9281.net/?sys

==================
http://www.9281.net/不是我的主页，是篡改的

楼主你要认识到，改主页的行为有很多种的情况，病毒不可能只改注册表的，你要想让我们帮你解决问题，只发注册表是没有用的，只发被篡改的网址也是没有用的！按照4楼做法上传系统日志，不然我们爱莫能助

将下面两个键值删除试试：
[键]HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DCCCC}\SHELL\打开主页(&H)\COMMAND
[值]@
[类型]REG_SZ
[内容]c:\program files\internet explorer\iexplore.exe  http://www.9281.net/?sys

[键]HKEY_CLASSES_ROOT\CLSID\{00000108-0000-0010-8000-00AA006DFFFF}\SHELL\打开主页(&H)\COMMAND
[值]@
[类型]REG_SZ
[内容]c:\program files\internet explorer\iexplore.exe  http://www.9281.net/?sys