Rising Kaka Security Forum

How do I kill the Backdoor.Gpigeon.shg virus?
上帝88 - 2005-8-4 23:21:00
My computer is infected with Backdoor.Gpigeon.shg!! I think it may be a variant of Gray Pigeon (灰鸽子)!! I cleaned it with a licensed copy of Rising, but why does the virus come back again after a reboot!! It's in the same file too, and there's also a copy kept in memory!! When I scan in Safe Mode, the scan can't find the virus at all!! Why is that!! How am I supposed to kill it? Please answer quickly!! I'm beside myself with worry!!
天天泡泡 - 2005-8-4 23:23:00
Post a HijackThis log first.
超飚风速 - 2005-8-4 23:25:00
Lots of people ask about this; I suggest the moderators post a complete, pinned solution (one that even an idiot could understand).
上帝88 - 2005-8-4 23:26:00
HijackThis log?????????
超飚风速 - 2005-8-4 23:27:00
The HijackThis scanner; I've attached it, download it and use it.

Attachment: 539160200584232745.zip
上帝88 - 2005-8-4 23:28:00
How do I scan to get this kind of log?
天天泡泡 - 2005-8-4 23:28:00
There has long been a solution thread for Gray Pigeon 2005; see these:
http://forum.ikaka.com/topic.asp?board=28&artid=5666824

http://forum.ikaka.com/topic.asp?board=28&artid=6202404
超飚风速 - 2005-8-4 23:29:00
Download it and use it; I posted it in reply #4.
上帝88 - 2005-8-4 23:30:00
Logfile of HijackThis v1.99.1
Scan saved at 23:29:40 泽宇, on 2005-8-4
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\RISING\RAV\Ravmond.exe
D:\RISING\RAV\RavStub.exe
d:\rising\rfw\rfwsrv.exe
C:\WINDOWS\Explorer.EXE
d:\rising\rfw\RfwMain.exe
D:\RISING\RAV\RAVTIMER.EXE
D:\RISING\RAV\RAVMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\RISING\RAV\CCENTER.EXE
C:\WINDOWS\system32\svchost.exe
D:\RISING\RAV\RsAgent.exe
D:\Thunder\Thunder.exe
d:\Thunder\MediaIssue\Issue.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
d:\WinRAR\WinRAR.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX00.719\HijackThis.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v5.dll
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F57} - C:\WINDOWS\system32\ThunderBHO_v07.dll (file missing)
O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\WINDOWS\system32\NaviHelper.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - d:\E-BOOK~1\FLIPVI~1\fplaunch.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - d:\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\qylhelper.dll
O4 - HKLM\..\Run: [RavTimer] D:\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] D:\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &使用迅雷下载 - D:\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - D:\Thunder\getAllurl.htm
O8 - Extra context menu item: 使用影音传送带下载 - D:\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - D:\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 导入当前页到超星阅览器(&A) - D:\SSREADER36\ss_all.htm
O8 - Extra context menu item: 导入选中部分到超星阅览器(&S) - D:\SSREADER36\ss_select.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Tencent\qq\SendMMS.htm
O8 - Extra context menu item: 用比特精灵下载(&B) - D:\BitSpirit\bsurl.htm
O9 - Extra button: 迅雷 - {1FBA04EE-3024-11D2-8F1F-000019796948}} - d:\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 迅雷 - {1FBA04EE-3024-11D2-8F1F-000019796948}} - d:\Thunder\Thunder.exe
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {165D83D3-359C-4783-9BF0-6FA6DC42A3F1} (XDownload Class) - http://tpath.ssreader.com/ssreader/exe/ssdownload.cab
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab
O16 - DPF: {62561858-71D1-11D4-B2EC-00105A8340B5} (VITEGPlayerCtrl Class) - http://www.chinaedu.com/formaluser/longteng/control/VTPlayer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121249388484
O16 - DPF: {F4B47EEA-5D5D-4055-A6B5-ED59CC3C5BB3} (Upgrade Class) - http://update.qyule.com/client.cab
O18 - Protocol: koboo - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - C:\WINDOWS\system32\mbprot.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - d:\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - D:\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\RISING\RAV\Ravmond.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\Yhajsz.exe

超飚风速 - 2005-8-4 23:30:00
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe
That's where the problem is.
超飚风速 - 2005-8-4 23:33:00
Note down the virus's file name, C:\WINDOWS\G_Server.exe. In Start > Run type regedit to open the Registry Editor, and find the folder HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Delete C:\WINDOWS\G_Server.exe and you're done; remember to empty the Recycle Bin. ^-^

The virus's file name changes automatically, so don't follow this too literally; refer to the thread http://forum.ikaka.com/topic.asp?board=28&artid=5666824
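The two HijackThis logs in this thread show the pattern the advice above relies on: the backdoor registers itself as a Windows service (O23 lines), first under its own name (GrayPigeonServer -> C:\WINDOWS\G_Server.exe) and, after that is removed, by hijacking the display name of a built-in service (Task Scheduler (Schedule) -> C:\WINDOWS\system32\Yhajsz.exe). The following is an added example, not code from the thread, from Rising or from HijackThis: it parses O23 lines copied from the posted logs, flags services whose binary does not match what the built-in service should run from, and prints the HKLM\SYSTEM\CurrentControlSet\Services\<name> key a reader would inspect in regedit. The expected-host table and the heuristics are my own assumptions, and the sample lines are taken from the logs above.

```python
"""Triage O23 (service) entries from a HijackThis v1.99 log.

Added example for this thread. The O23 lines in SAMPLE_O23 are copied from
the two logs posted above; EXPECTED_HOST and the scoring rules are assumptions
made for illustration, not a Rising or HijackThis feature.
"""
import re
from dataclasses import dataclass, field

# HijackThis O23 format:
#   O23 - Service: <display name> (<service name>) - <company> - <image path>
# The "(<service name>)" part is absent for some services (see Macromedia below).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+)$"
)

# Assumption: built-in Windows XP services and the host binary they run from.
# "Schedule" (Task Scheduler) is hosted by svchost.exe on XP, never by a
# stand-alone EXE, so Yhajsz.exe under that name is a masquerade.
EXPECTED_HOST = {
    "schedule": "svchost.exe",
    "spooler": "spoolsv.exe",
    "eventlog": "services.exe",
}

# Constructed sample: O23 lines as they appear in the logs in this thread.
SAMPLE_O23 = [
    r"O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe",
    r"O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe",
    r"O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - d:\rising\rfw\rfwsrv.exe",
    r"O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\Yhajsz.exe",
]


@dataclass
class Service:
    display: str
    name: str        # short service name; "" when HijackThis printed none
    owner: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o23(line):
    """Return a Service for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return Service(m["display"], m["name"] or "", m["owner"], m["path"])


def triage(line):
    """Parse one O23 line and attach the reasons (if any) it looks suspicious."""
    svc = parse_o23(line)
    if svc is None:
        return None
    path = svc.path.lower()
    binary = path.rsplit("\\", 1)[-1]

    # 1. Built-in service name bound to the wrong host binary.
    expected = EXPECTED_HOST.get(svc.name.lower())
    if expected and binary != expected:
        svc.reasons.append(
            f"built-in service '{svc.name}' should run from {expected}, not {binary}")

    # 2. Name matches Gray Pigeon's default service/file naming.
    if re.search(r"pigeon|g_server", f"{svc.display} {svc.name} {binary}", re.I):
        svc.reasons.append("name matches Gray Pigeon default service/file name")

    # 3. No version info AND dropped straight into the Windows directory.
    #    "Unknown owner" alone is weak (Macromedia's service has it too), so it
    #    only counts in combination with the location.
    if svc.owner.lower() == "unknown owner" and path.startswith(("c:\\windows\\", "c:\\winnt\\")):
        svc.reasons.append("unversioned binary in the Windows directory")
    return svc


def registry_key(svc):
    """The key to inspect in regedit for this service (ImagePath lives here)."""
    if not svc.name:
        return None
    return r"HKLM\SYSTEM\CurrentControlSet\Services" + "\\" + svc.name


def flagged(lines):
    """All O23 entries in `lines` that collected at least one reason."""
    out = []
    for line in lines:
        svc = triage(line)
        if svc and svc.reasons:
            out.append(svc)
    return out


if __name__ == "__main__":
    for svc in flagged(SAMPLE_O23):
        print(f"[!] {svc.display} -> {svc.path}")
        for r in svc.reasons:
            print(f"    - {r}")
        print(f"    inspect: {registry_key(svc)}")
```

Run against the four sample lines it flags exactly the two entries the replies above single out and leaves the Macromedia and Rising services alone; in practice the service name, not the display name, is what to look up under CurrentControlSet\Services, which is why the script reports that key rather than the display string.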
上帝88 - 2005-8-4 23:33:00
Then what do I do? How do I kill it?
超飚风速 - 2005-8-4 23:38:00
Edit your registry; didn't reply #10 give you the method?
上帝88 - 2005-8-4 23:38:00
Heh!! Thanks!! It may have worked!
超飚风速 - 2005-8-4 23:42:00
Good that it worked. When it happened to me I was just as frantic as you, getting infected with Gray Pigeon of all things!
上帝88 - 2005-8-4 23:57:00
Heh!! But it still isn't fixed!!
上帝88 - 2005-8-4 23:58:00
The one in memory has been deleted!! But Trojan.Rootkit.l still hasn't been removed!
超飚风速 - 2005-8-4 23:59:00
Post another scan and let's have a look.
上帝88 - 2005-8-4 23:59:00
Everyone, please help me!! I need this computer for a competition tomorrow!
上帝88 - 2005-8-5 0:01:00
Logfile of HijackThis v1.99.1
Scan saved at 00:01:06 泽宇, on 2005-8-5
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\RISING\RAV\Ravmond.exe
D:\RISING\RAV\RavStub.exe
d:\rising\rfw\rfwsrv.exe
C:\WINDOWS\Explorer.EXE
d:\rising\rfw\RfwMain.exe
D:\RISING\RAV\RAVTIMER.EXE
D:\RISING\RAV\RAVMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\RISING\RAV\CCENTER.EXE
C:\WINDOWS\system32\svchost.exe
D:\RISING\RAV\RsAgent.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
d:\WinRAR\WinRAR.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX00.969\HijackThis.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v5.dll
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F57} - C:\WINDOWS\system32\ThunderBHO_v07.dll (file missing)
O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\WINDOWS\system32\NaviHelper.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - d:\E-BOOK~1\FLIPVI~1\fplaunch.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - d:\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\qylhelper.dll
O4 - HKLM\..\Run: [RavTimer] D:\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] D:\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &使用迅雷下载 - D:\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - D:\Thunder\getAllurl.htm
O8 - Extra context menu item: 使用影音传送带下载 - D:\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - D:\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: 导入当前页到超星阅览器(&A) - D:\SSREADER36\ss_all.htm
O8 - Extra context menu item: 导入选中部分到超星阅览器(&S) - D:\SSREADER36\ss_select.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Tencent\qq\SendMMS.htm
O8 - Extra context menu item: 用比特精灵下载(&B) - D:\BitSpirit\bsurl.htm
O9 - Extra button: 迅雷 - {1FBA04EE-3024-11D2-8F1F-000019796948}} - d:\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 迅雷 - {1FBA04EE-3024-11D2-8F1F-000019796948}} - d:\Thunder\Thunder.exe
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {165D83D3-359C-4783-9BF0-6FA6DC42A3F1} (XDownload Class) - http://tpath.ssreader.com/ssreader/exe/ssdownload.cab
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab
O16 - DPF: {62561858-71D1-11D4-B2EC-00105A8340B5} (VITEGPlayerCtrl Class) - http://www.chinaedu.com/formaluser/longteng/control/VTPlayer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121249388484
O16 - DPF: {F4B47EEA-5D5D-4055-A6B5-ED59CC3C5BB3} (Upgrade Class) - http://update.qyule.com/client.cab
O18 - Protocol: koboo - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - C:\WINDOWS\system32\mbprot.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - d:\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - D:\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\RISING\RAV\Ravmond.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\Yhajsz.exe

上帝88 - 2005-8-5 0:02:00
How did I manage to catch such a famous, advanced virus?
超飚风速 - 2005-8-5 0:03:00
Use the same method as before to deal with this one and see:
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\Yhajsz.exe
超飚风速 - 2005-8-5 0:04:00
Or scan for viruses in Safe Mode.
上帝88 - 2005-8-5 0:13:00
It may be killed!!
超飚风速 - 2005-8-5 0:15:00
Reboot and check; if it's sorted, go get some sleep.
上帝88 - 2005-8-5 0:20:00
Thanks!! I'm off to bed!! From now on I'm going to be a "black treasure" (黑色宝贝), 黑贝 for short (why does that sound like a dog's name?). Black treasure or white treasure, whichever one can write hacking software is a good treasure, as our great Chairman Mao said! The reason I say 黑贝 and not 黑客 (hacker) is that all the hacking software I write is for killing viruses!! Take Gray Pigeon: I'm going to write a White Pigeon that does nothing but fight it! It's hard to kill!! So am I!! It mutates, and so do I!!
超飚风速 - 2005-8-5 0:34:00
Haha, that's the spirit.