robinsean - 2006-3-6 22:49:00
I recently got infected with the Gray Pigeon (灰鸽子) virus. The machine has Rising's network-edition antivirus installed, and at every boot it reports Backdoor.Gpigeon.uql in the file c:\program files\internet explorer\iexplore.exe. Each time it says the clean-up succeeded, but after a reboot it is there again.
Later I read several of baohe's posts on this forum and scanned with HijackThis 1.99.1, but I could not find the virus file. The log is below; could an expert please take a look and tell me which entry is the Gray Pigeon program and how to kill it? Thanks a lot!!!
HijackThis_815汉化版扫描日志 V1.99.1
保存于 22:16:09, 日期 2006-3-6
操作系统: Windows XP SP2 (WinNT 5.01.2600)
浏览器: Internet Explorer v6.00 SP2 (6.00.2900.2180)
当前运行的进程:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
E:\soft\1\HijackThis1991汉化版\HijackThis1991zww.exe
R3 - 默认的URLSearchHook丢失。用HijackThis修复
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - d:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - IE工具栏增项: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - 启动项HKLM\\Run: [RavTray] C:\Program Files\Rising\Rav\RavTray.exe
O4 - 启动项HKLM\\Run: [RavTimer] C:\Program Files\Rising\Rav\RavTimer.exe
O4 - 启动项HKLM\\Run: [RavMon] C:\Program Files\Rising\Rav\RavMon.exe -system
O4 - 启动项HKLM\\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - 启动项HKLM\\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - 启动项HKLM\\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?SystemRoot%\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
O9 - 浏览器额外的按钮: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - 浏览器额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - 浏览器额外的“工具”菜单项: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1678508D-983F-46E7-8726-F98CF95E825C} (LoisCertCtrl Control) - http://172.31.216.8:7777/CA/LoisCertCtrl.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140083952420
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140085429270
O16 - DPF: {9F96D39A-372E-46FE-AEE7-2A6BFE8F6483} (OStarOCX) - http://172.31.216.8:7777/editcontrol/download/OStarOCX.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - 列举现有的协议: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - NT 服务: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - NT 服务: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - NT 服务: RavService - Unknown owner - C:\Program Files\Rising\Rav\RavService.exe" /service (file missing)
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - NT 服务: VMware Authorizatio - Unknown owner - C:\WINDOWS\winini.exe
robinsean - 2006-3-6 23:00:00
Currently running processes as scanned with HijackThis 1.99.1
Process list saved on 22:58:11, 日期 2006-3-6
操作系统: Windows XP SP2 (WinNT 5.01.2600)
[pid] [full path to filename] [file version] [company name]
700 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
804 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
848 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
860 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
1004 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1120 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1268 C:\PROGRAM FILES\RISING\RAV\Ravmond.exe 17.0.1.58 Beijing Rising Technology Co., Ltd.
1560 C:\PROGRAM FILES\RISING\RAV\RavStub.exe 17.0.0.27 Beijing Rising Technology Co., Ltd.
1616 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1696 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
1848 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE 7.0.9466.0 Microsoft Corporation
1928 C:\Program Files\Rising\Rav\RavService.exe 17.0.0.73 Beijing Rising Technology Co., Ltd.
2004 C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE 17.0.0.6 Beijing Rising Technology Co., Ltd.
288 C:\Program Files\Rising\Rav\RavTray.exe 17.0.0.32 Rising
296 C:\Program Files\Rising\Rav\RavTimer.exe 17.0.0.36 Beijing Rising Technology Co., Ltd.
304 C:\Program Files\Rising\Rav\RavMon.exe 17.0.1.39 Beijing Rising Technology Co., Ltd.
320 C:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.0.3510 RealNetworks, Inc.
332 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe 7.0.7.142 Adobe Systems Inc.
340 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
348 C:\Program Files\Messenger\msmsgs.exe 4.7.0.3001 Microsoft Corporation
2416 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.0.2900.2180 Microsoft Corporation
3552 E:\soft\1\HijackThis1991汉化版\HijackThis1991zww.exe 1.99.0.1 Soeperman Enterprises Ltd.
花落花又开 - 2006-3-7 1:51:00
[Reply to robinsean's post]
This entry is the Pigeon: O23 - NT 服务: VMware Authorizatio - Unknown owner - C:\WINDOWS\winini.exe
How to handle it: Start -> Control Panel -> Administrative Tools -> Services -> find the service from that O23 entry, "VMware Authorizatio" -> Properties -> set the startup type to Disabled.
Show hidden files, then find and delete the following (if present):
C:\WINDOWS\winini.exe
C:\WINDOWS\winini.dll
C:\WINDOWS\wininikey.dll
C:\WINDOWS\winini_hook.dll
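The reply above spots the backdoor by what its O23 line looks like rather than by any signature: the service has no recorded owner, its binary sits directly in C:\WINDOWS instead of system32 or Program Files, and its display name imitates a VMware service although nothing about the path or owner is VMware's. The following script, added here as an example and not part of the thread or of HijackThis, turns those three observations into a small triage pass over the O23 lines of a HijackThis 1.99.1 log. The `triage_log`, `parse_o23` and `assess` names and the two-signal threshold are my own choices; the sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Accept both the English ("O23 - Service:") and the Chinese-localized
# ("O23 - NT 服务:") HijackThis 1.99.1 prefixes.
O23_RE = re.compile(
    r"^O23 - (?:Service|NT 服务): (?P<name>.+?) - (?P<owner>.+?) - (?P<rest>.+)$"
)
# First drive-letter path ending in .exe; trailing arguments and HijackThis
# annotations such as '" /service (file missing)' are left out.
EXE_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A single weak signal (e.g. a printer driver whose display name is not
        # in its file name) is normal; two or more together deserve a look.
        return len(self.reasons) >= 2


def parse_o23(line: str):
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    exe = EXE_RE.search(m["rest"])
    path = exe["path"] if exe else m["rest"]
    return ServiceEntry(m["name"], m["owner"], path)


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach the reasons an entry looks out of place (heuristics, not a verdict)."""
    entry.reasons.clear()
    if entry.owner.lower() == "unknown owner":
        entry.reasons.append("no company/owner recorded")
    parts = PureWindowsPath(entry.path).parts  # ('C:\\', 'WINDOWS', 'winini.exe')
    if len(parts) == 3 and parts[1].lower() == "windows":
        entry.reasons.append("binary sits directly in the Windows directory")
    vendor = entry.name.split()[0].lower()
    if vendor not in entry.path.lower() and vendor not in entry.owner.lower():
        entry.reasons.append(f"display name suggests '{vendor}' but path/owner do not")
    return entry


def triage_log(text: str):
    """Parse every O23 line in a HijackThis log and assess each service."""
    entries = (parse_o23(line) for line in text.splitlines())
    return [assess(e) for e in entries if e is not None]


# Sample input: the O23 section of the log posted earlier in this thread.
SAMPLE_LOG = r"""
O23 - NT 服务: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - NT 服务: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - NT 服务: RavService - Unknown owner - C:\Program Files\Rising\Rav\RavService.exe" /service (file missing)
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - NT 服务: VMware Authorizatio - Unknown owner - C:\WINDOWS\winini.exe
"""

if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        flag = "REVIEW" if entry.suspicious else "ok    "
        print(f"{flag} {entry.name!r:45} {entry.path}")
        for reason in entry.reasons:
            print(f"         - {reason}")
```

Run against the sample, only the "VMware Authorizatio" line collects all three signals and is marked for review; the RavService line with the stray quote and "(file missing)" gets one signal (unknown owner) and is reported but not flagged, which is the behaviour wanted for a legitimately installed but mis-registered product. The checks are deliberately coarse: they point a human at the entry to verify, exactly as the reply in the thread did, and are not a substitute for looking up the binary.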
robinsean - 2006-3-7 8:14:00
Thanks! I found winini.exe and deleted it, but I could not find the other files. After rebooting, Rising no longer reports the virus, so it should count as killed!
Great!
Thanks again!
Looks like I really do need to be careful from now on and not download random little programs. A fall into the pit, a gain in your wit.