Logfile of HijackThis v1.99.1
Scan saved at 17:50:42, on 2006-7-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Rising\Rav\Ravmond.exe
C:\WINDOWS\Explorer.EXE
e:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\system32\spoolsv.exe
e:\program files\rising\rfw\RfwMain.exe
C:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Rising\Rav\RavTask.exe
E:\Program Files\Rising\Rav\Ravmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Rising\Rav\RavStub.exe
E:\Program Files\Rising\Rav\rav.exe
E:\Program Files\Rising\Rav\RsAgent.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
E:\ha_hijackthis_1991\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RavTask] "E:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RfwMain] "E:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [TkBellExe] ; "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &使用迅雷下载 - E:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - E:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - E:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - E:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - E:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - E:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\WINDOWS\system32\shdocvw.dll
O23 - Service: Ati Server (AtiServer) - Unknown owner - C:\WINDOWS\iun6003.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - e:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - E:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - E:\Program Files\Rising\Rav\Ravmond.exe

O23 - Service: Ati Server (AtiServer) - Unknown owner - C:\WINDOWS\iun6003.exe

1.开始-运行输入regedit,打开注册表编辑器，定位到HKEY_LOCAL_MACHINE\ SYSTEM \ CURRENTCONTROLSET \ SERVICES分支，删除左栏中的病毒服务名AtiServer
2.重启系统，在“文件夹选项”的“查看”面板中勾选“显示系统文件”、“显示所有的文件和文件夹”两项，点击“确定”按钮。然后在%windows%下寻找病毒文件名C:\WINDOWS\iun6003.exe,C:\WINDOWS\iun6003.dll,C:\WINDOWS\iun6003_Hook.dll,C:\WINDOWS\iun6003key.dll,能找到的都删除

O23 - Service: Ati Server (AtiServer) - Unknown owner - C:\WINDOWS\iun6003.exe
鸽子..安全模式...打开注册表编辑器，展开：HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
搜索AtiServer删除..
删除
C:\WINDOWS\iun6003.exe