高手帮忙啊，又是灰鸽子，瑞星启动杀了，重启又有了。 bbs.ikaka.com

蚊腿 - 2005-11-8 1:01:00

O23 - Service: exp1orer (Microsoft Explorer) - Unknown owner - E:\WINDOWS\exp1orer.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\Windows\system32\nvsvc32.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - d:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: winngmt (Windows Management Instrumenta) - Unknown owner - E:\Windows\winngmt.exe
O23 - Service: WinHTTP Web Proxy Discove - Unknown owner - E:\WINDOWS\Explore.exe (file missing)
O23 - Service: winser - Unknown owner - E:\Windows\system32\winsersec.exe

黑子805 - 2005-11-8 1:08:00

我的也是这样啊！杀了后重起就又有了！！！

蚊腿 - 2005-11-8 12:30:00

高手帮忙看看分析一下，感谢了！

O23 - Service: exp1orer (Microsoft Explorer) - Unknown owner - E:\WINDOWS\exp1orer.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\Windows\system32\nvsvc32.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - d:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: winngmt (Windows Management Instrumenta) - Unknown owner - E:\Windows\winngmt.exe
O23 - Service: WinHTTP Web Proxy Discove - Unknown owner - E:\WINDOWS\Explore.exe (file missing)
O23 - Service: winser - Unknown owner - E:\Windows\system32\winsersec.exe

神无 - 2005-11-8 12:33:00

【回复“蚊腿”的帖子】O23 - Service: exp1orer (Microsoft Explorer) - Unknown owner - E:\WINDOWS\exp1orer.exe (file missing)
O23 - Service: WinHTTP Web Proxy Discove - Unknown owner - E:\WINDOWS\Explore.exe (file missing)
修复这两项，

神无 - 2005-11-8 12:34:00

引用:

【蚊腿的贴子】高手帮忙看看分析一下，感谢了！

O23 - Service: exp1orer (Microsoft Explorer) - Unknown owner - E:\WINDOWS\exp1orer.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\Windows\system32\nvsvc32.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - d:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: winngmt (Windows Management Instrumenta) - Unknown owner - E:\Windows\winngmt.exe
O23 - Service: WinHTTP Web Proxy Discove - Unknown owner - E:\WINDOWS\Explore.exe (file missing)
O23 - Service: winser - Unknown owner - E:\Windows\system32\winsersec.exe

...........................

O23 - Service: winngmt (Windows Management Instrumenta) - Unknown owner - E:\Windows\winngmt.exe
还有一个鸽子，看看手工查杀的帖子，试试自己手工查杀。

神无 - 2005-11-8 12:37:00

O23 - Service: winser - Unknown owner - E:\Windows\system32\winsersec.exe
这个不知道是不是木马，说不好。

蚊腿 - 2005-11-8 12:39:00

谢谢了，我会试一试。谢谢。

蚊腿 - 2005-11-8 12:52:00

对了，原来还有灰鸽子的，我试着用瑞星及手工清了一下，有病毒记录参考。
？？？怎贴不了图呢？？？

贴个记录吧：

病毒名称处理结果扫描方式路径文件病毒来源

Backdoor.GPigeon.xb 实时监控 E:\WINDOWS KING_HOOK.DLL\本机
Backdoor.GPigeon 清除成功手动扫描 csrss.exe>>E:\Windows\King_HOOk.DLL\本机
Backdoor.GPigeon 清除成功手动扫描 lsass.exe>>E:\Windows\King_HOOk.DLL\本机
Backdoor.GPigeon 清除成功手动扫描 IEXPLORE.EXE>>E:\Windows\King.DLL\本机
Backdoor.GPigeon 清除成功手动扫描 CCENTER.EXE>>E:\Windows\King_HOOk.DLL\本机
Worm.Mail.Fanbot 清除成功手动扫描 Explorer.EXE>>E:\Windows\Explorer.EXE\本机
Backdoor.GPigeon 删除成功手动扫描 E:\WINDOWS King.DLL\本机
Backdoor.GPigeon.xb 删除成功手动扫描 E:\WINDOWS King_HOOk.DLL\本机
Backdoor.GPigeon 删除成功实时监控 E:\Windows King.DLL\本机
Hack.PswCracker 删除成功手动扫描
Backdoor.GPigeon.xb 删除成功实时监控 E:\Windows King_HOOk.DLL\本机
Backdoor.GPigeon 忽略实时监控 E:\WINDOWS King.DLL\本机
Backdoor.GPigeon 忽略实时监控 E:\WINDOWS King.DLL\本机

蚊腿 - 2005-11-9 0:04:00

感谢给予帮助的朋友！
安全模式下--已清除以下项
O23 - Service: exp1orer (Microsoft Explorer) - Unknown owner - E:\WINDOWS\exp1orer.exe (file missing)
O23 - Service: WinHTTP Web Proxy Discove - Unknown owner - E:\WINDOWS\Explore.exe (file missing)
O23 - Service: winser - Unknown owner - E:\Windows\system32\winsersec.exe
修复这两项，删除了关联文件，重启瑞星不再报有木马，但：O23 - Service: winngmt (Windows Management Instrumenta) - Unknown owner - E:\Windows\winngmt.exe清除后重启后又再出现，但winngmt.exe已删除，该项是否木马？？值得探讨。
附清除病毒后扫描日记，
Logfile of HijackThis v1.99.1
Scan saved at 23:55:50, on 2005-11-8
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\Windows\system32\nvsvc32.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - d:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: winngmt (Windows Management Instrumenta) - Unknown owner - E:\Windows\winngmt.exe (file missing)

无尽的时光 - 2005-11-9 0:07:00

今天机器感染的鸽子，RAV杀掉以后，开机又出现。而且按照精华帖里的方式找不到鸽子的文件。本来想重装系统了，后来又试了试，下载了金山的可疑文件扫描工具结果在C:\WINDOWS\ 下扫描出了鸽子的EXE文件，用exescope打开对比*_hook.dll后确定是鸽子，名字是RSVPE.EXE 和 SVCHOST.EXE 大家要注意呀。

瑞星卡卡安全论坛