扫描出病毒:Backdoor.Gpigeon.5.dq
但是进程多出一个NetMeeting Remote Manager 的,日志如下:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\Program Files\Rising\Rfw\rfwsrv.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rising\Rfw\RfwMain.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\RISING\RAV\Rav.exe
C:\Program Files\Maxthon\Maxthon.exe
f:\Temp\Rar$EX00.781\HijackThis1991zww.exe

R3 - 默认的URLSearchHook丢失。用HijackThis修复
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\FlashFXP\IEFlash.dll
O3 - IE工具栏增项: CyberArticle Express - {769A6A36-ED24-4376-BC7C-80225BF35698} - C:\Program Files\CyberArticle\CAExp.dll
O4 - 启动项HKLM\\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - 启动项HKLM\\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - 启动项HKLM\\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - 启动项HKLM\\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - 启动项HKLM\\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - 启动项HKLM\\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - 启动项HKLM\\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - 启动项HKLM\\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - 启动项HKLM\\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - 启动项HKLM\\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - 启动项HKLM\\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - 启动项HKLM\\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - 启动项HKLM\\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - IE右键菜单中的新增项目: &使用迅雷下载 - d:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - IE右键菜单中的新增项目: &使用迅雷下载全部链接 - d:\Program Files\Thunder Network\Thunder\getAllurl.htm
O8 - IE右键菜单中的新增项目: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - IE右键菜单中的新增项目: 保存: 完整网页... - c:\program files\cyberarticle\script\save.htm
O8 - IE右键菜单中的新增项目: 保存: 更多保存内容... - c:\program files\cyberarticle\script\saveauto.htm
O8 - IE右键菜单中的新增项目: 保存:选中的部分 - C:\Documents and Settings\bbym\Application Data\CyberArticle\Script\Save_7690328.htm
O8 - IE右键菜单中的新增项目: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - 浏览器额外的按钮: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\WINDOWS\system32\shdocvw.dll
O9 - 浏览器额外的“工具”菜单项: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\WINDOWS\system32\shdocvw.dll
O9 - 浏览器额外的按钮: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - 浏览器额外的“工具”菜单项: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4576/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C845611F-2DF6-4473-A365-8877BA95A282}: NameServer = 61.128.192.68,61.128.128.68
O23 - NT 服务: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - NT 服务: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - NT 服务: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - NT 服务: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - NT 服务: NetMeeting Remote Manager (NmRm) - Unknown owner - C:\Program Files\Internet Explorer\service.exe
O23 - NT 服务: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - C:\Program Files\Rising\Rfw\rfwsrv.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - NT 服务: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe



开机无明显异常，需要打开瑞星主程序扫描才提示发现木马，并清除．重新启动后，问题依然．

怎么没有人回复啊！！很着急啊！！！麻烦大家一下！

【回复“benjaminy”的帖子】
请将C:\Program Files\Internet Explorer\service.exe打包，发到：baohelin@yahoo.com.cn

我在单位，是家里的机器故障了，晚上７：００我会给您邮件．

我是瑞星2005版的用户,并且每天都升级,但是我每次开机时,计算机都告诉我:发现木马,已被删除.并且每次运行瑞星杀毒软件后都能删除很多病毒,即使杀完病毒后立即关机,再次开机依然如此.好象病毒在我的计算机里不停的繁殖,为什么不能永久的杀灭呢?

扫个HJ日志（像楼主那样的）上来看看才知道你中的是什么病，才能告诉你怎么清除！

baohe版主,我已经按照你的要求,打包server.exe并email到你邮箱,等候你的消息.谢谢.