版主你好,我还是上次的哪个问题,病毒是清除了,C:\windows\SOUNDMAN.exe是病毒,但是开机还是需要用原来的办法,进入系统后点击C:\windows\explorer.exe,提示是被某软件的策略禁止了,版主有没有解决的好办法?这几天头疼死了~!

HijackThis_zww汉化版扫描日志 V1.99.1
保存于      9:13:54, 日期 2005-12-9
操作系统：  Windows XP SP2 (WinNT 5.01.2600)
浏览器：    Internet Explorer v6.00 SP2 (6.00.2900.2180)

当前运行的进程：         
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\Program Files\rising\Rav\Ravmond.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\rising\Rav\RavStub.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\rising\Rav\RavTask.exe
C:\Program Files\rising\Rav\Ravmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Tencent\qq\QQ.exe
F:\Program Files\Tencent\qq\TIMPlatform.exe
f:\Documents and Settings\user\My Documents\下载文件\HijackThis\HB_HijackThis1991zww\HijackThis1991汉化版\HijackThis1991_zww.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O3 - IE工具栏增项: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - C:\Program Files\FastAIT\IEBand.dll
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - 启动项HKLM\\Run: [RavTask] "C:\Program Files\rising\Rav\RavTask.exe" -system
O4 - 启动项HKCU\\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - IE右键菜单中的新增项目： &使用迅雷下载 - f:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - IE右键菜单中的新增项目： &使用迅雷下载全部链接 - f:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - IE右键菜单中的新增项目： 解霸实时播放 - d:\HEROSOFT\Hero3000\MPURLGET.HTM
O9 - 浏览器额外的按钮： 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\WINDOWS\System32\shdocvw.dll
O9 - 浏览器额外的“工具”菜单项： 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\WINDOWS\System32\shdocvw.dll
O9 - 浏览器额外的按钮： 解霸 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - d:\HEROSOFT\Hero3000\MPLAYER.EXE
O9 - 浏览器额外的“工具”菜单项： 解霸 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - d:\HEROSOFT\Hero3000\MPLAYER.EXE
O9 - 浏览器额外的按钮： kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - 浏览器额外的“工具”菜单项： kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O9 - 浏览器额外的按钮： QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - F:\Program Files\Tencent\qq\QQ.EXE
O9 - 浏览器额外的“工具”菜单项： QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - F:\Program Files\Tencent\qq\QQ.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E504F9B-3C6F-4F2B-B6DC-9D0B34AE4780}: NameServer = 202.100.64.68,202.100.64.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{9E504F9B-3C6F-4F2B-B6DC-9D0B34AE4780}: NameServer = 202.100.64.68,202.100.64.66
O17 - HKLM\System\CS2\Services\Tcpip\..\{9E504F9B-3C6F-4F2B-B6DC-9D0B34AE4780}: NameServer = 202.100.64.68,202.100.64.66
O17 - HKLM\System\CS3\Services\Tcpip\..\{9E504F9B-3C6F-4F2B-B6DC-9D0B34AE4780}: NameServer = 202.100.64.68,202.100.64.66
O23 - NT 服务: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - NT 服务: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\Program Files\rising\Rav\Ravmond.exe
O23 - NT 服务: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

【回复“吸血吻1977”的帖子】那天已经告诉你了——把“灰鸽子免疫器”添加的那几个注册表项删除就行了。

版主,我挺菜的,你发的那个我没怎么看懂

rem 添加禁止Windows目录执行程序的限制策略：
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{a29e74d3-68cd-43f4-80ab-022331b49a6b}" /v ItemData /t REG_SZ /d "%SystemRoot%\*.exe" /f>nul 2>nul
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{a29e74d3-68cd-43f4-80ab-022331b49a6b}" /v Description /t REG_SZ /d "" /f>nul 2>nul
这几项,我在注册表里没找见"HKLM\"这个开头的具体是那一个,里边好几个都是这个开头的

rem 添加禁止Windows目录执行程序的限制策略：
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{a29e74d3-68cd-43f4-80ab-022331b49a6b}" /v ItemData /t REG_SZ /d "%SystemRoot%\*.exe" /f>nul 2>nul
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{a29e74d3-68cd-43f4-80ab-022331b49a6b}" /v Description /t REG_SZ /d "" /f>nul 2>nul
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{a29e74d3-68cd-43f4-80ab-022331b49a6b}" /v SaferFlags /t REG_DWORD /d "00000000" /f>nul 2>nul
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{a29e74d3-68cd-43f4-80ab-022331b49a6b}" /v LastModified /t REG_BINARY /d "c086ab8c87e0e502" /f>nul 2>nul
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E515547B-34A9-47E3-991B-FE1C19E5BFF0}Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{9e85b2da-fe36-41ec-9b26-f1acbf7f895d}" /v SaferFlags /t REG_BINARY /d "9091122623e0c501" /f>nul 2>nul
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E515547B-34A9-47E3-991B-FE1C19E5BFF0}Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{9e85b2da-fe36-41ec-9b26-f1acbf7f895d}" /v Description /t REG_SZ /d "" /f>nul 2>nul
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E515547B-34A9-47E3-991B-FE1C19E5BFF0}Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{9e85b2da-fe36-41ec-9b26-f1acbf7f895d}" /v SaferFlags /t REG_DWORD /d "00000000" /f>nul 2>nul
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E515547B-34A9-47E3-991B-FE1C19E5BFF0}Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{9e85b2da-fe36-41ec-9b26-f1acbf7f895d}" /v LastModified /t REG_BINARY /d "c086ab8c87e0e502" /f>nul 2>nul
gpupdate /force>nul
版主,是把这些项目删除?注册表我还真不敢动

【回复“吸血吻1977”的帖子】
你先改一个注册表键值：
展开：HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
找到右栏中的shell，右击它，点击“change”，输入explorer.exe，点“OK”。

HKLM- HKEY_LOCAL_MACHINE

把Add项都删除

【回复“BlackStone”的帖子】
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell不能删。删了，就麻烦了。

引用:

【baohe的贴子】【回复“BlackStone”的帖子】 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell不能删。删了，就麻烦了。 ...........................

我是说把那个什么灰鸽子免疫添加的项删除。