Rising Kaka Security Forum > Technical Exchange > Anti-virus / Anti-rogueware Forum: ★Urgent help: removing Gray Pigeon (灰鸽子) and its variants★

★Urgent help: removing Gray Pigeon (灰鸽子) and its variants★

Recently Gray Pigeon (灰鸽子) and a variant were found on my machine. Every time the machine boots, the Rising firewall reports that the trojan has been successfully removed, but after every restart the virus is still there. How should I fix this now?
[image attachment, uploaded 2005-9-13 8:41:50]

Last edited 2005-09-13 08:57:23
 

HELP~!~!
Everyone, please help me out...
Thanks in advance...
 

Export a report with HijackThis.
Search the computer for _hook.dll.
 

You need to scan and post a log!!!!
 

[Reply to “宇辰辰风”'s post]
Typical Gray Pigeon 2005~ the attachment in post #10 of 泡泡's thread will sort it out~~
http://forum.ikaka.com/topic.asp?board=28&artid=6979213
 

Below is the report exported with HijackThis. Please help me analyse it, thanks:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\WINDOW~1\Server\nspmon.exe
C:\WINNT\System32\WINDOW~1\Server\nscm.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\iVasion\WinPoET\WrOS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\WINDOW~1\Server\nspm.exe
C:\WINNT\System32\WINDOW~1\Server\nsum.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
c:\program files\rising\rfw\RfwMain.exe
C:\Program Files\rising\Rav\RavMon.exe
C:\WINNT\system32\conime.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe
C:\Documents and Settings\Administrator.WW-EFC4D3400B12\桌面\4842302005817230232\HijackThis1991zww.exe

O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [WinPoET] C:\Program Files\iVasion\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [MS-4011 Memory Patch] F:\wlzy\查杀病毒\震荡波\振荡波工具\振荡波工具\RavSasser.exe -Patch
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [RegNetPass] C:\WINNT\system32\regcsp.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINNT\system32\gemstrmw.exe /r
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: 快捷方式 www.lnk = ?
O4 - Global Startup: 瑞星监控中心.lnk = C:\Program Files\rising\Rav\RavMon.exe
O8 - Extra context menu item: Export to Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Add to QQ custom panel - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ emoticons - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Send this image via QQ MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ Toolbar settings - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {48FE89A0-486C-48DF-9DEC-BED22BDC6057} (XIsOro Control) - http://www.sinago.com/download/OroCheck.cab
O16 - DPF: {62B938C4-4190-4F37-8CF0-A92B0A91CC77} (InfoSecNetSign Class) - https://mybank.icbc.com.cn/icbc/NetSign.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125458864296
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {F381FC65-D92D-4410-B865-E4E9713994E8} (Cytd Encipherment Memory) - http://61.55.138.4/sso/ccitpay.CAB
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\iVasion\WinPoET\WrOS.EXE
O23 - Service: Telnet Acan (系统重要服务) - Unknown owner - C:\WINNT\lsass.exe
 

[Reply to “宇辰辰风”'s post]
O23 - Service: Telnet Acan (系统重要服务) - Unknown owner - C:\WINNT\lsass.exe

The attachment in post #10 of this thread http://forum.ikaka.com/topic.asp?board=28&artid=6979213 will sort it out~~
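The entry singled out in the reply above is suspicious for a reason that generalises beyond this one log: the real lsass.exe lives in %SystemRoot%\System32, so a service whose binary is C:\WINNT\lsass.exe is a core-process name planted one directory up, registered with no recognisable owner. The following is an added example (not code from the thread, from HijackThis or from Rising) that automates that triage over HijackThis-style O4/O23 lines. It assumes a system root of C:\WINNT as in the posted log, and a hand-picked list of core process names; the sample lines are copied from the report above.

```python
"""Triage HijackThis-style O4/O23 lines for a core Windows process name
running from somewhere other than %SystemRoot%\\System32, and for services
with no recognised owner.  Added example; it is not part of HijackThis."""
import re

# Assumption: these names legitimately live only in %SystemRoot%\System32.
CORE_PROCESSES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                  "services.exe", "svchost.exe", "spoolsv.exe"}

# Sample input: lines copied from the report posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: Telnet Acan (系统重要服务) - Unknown owner - C:\WINNT\lsass.exe
"""

# A quoted path (may contain spaces) or a bare drive-letter path up to the next space.
_PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^\s"]+)')


def extract_path(fragment):
    """Return the first Windows path found in a log fragment, or None."""
    m = _PATH_RE.search(fragment)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage_line(line, system_root=r"C:\WINNT"):
    """Return a list of findings for one O4/O23 line; an empty list means nothing odd."""
    findings = []
    if not line.startswith(("O4 ", "O23 ")):
        return findings
    path = extract_path(line)
    if path is None:          # e.g. [bacstray] BacsTray.exe with no full path
        return findings
    directory, _, basename = path.rpartition("\\")
    expected = (system_root + r"\system32").lower()
    if basename.lower() in CORE_PROCESSES and directory.lower() != expected:
        findings.append(f"{basename} runs from {path}, expected it under {expected}")
    if line.startswith("O23") and "Unknown owner" in line:
        findings.append(f"service binary with unknown owner: {path}")
    return findings


def triage_log(text, system_root=r"C:\WINNT"):
    """Map each suspicious line to its findings; clean lines are omitted."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        findings = triage_line(line, system_root)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG).items():
        print(line)
        for f in findings:
            print("   ->", f)
```

"Unknown owner" alone is a weak signal (the PPPoE service above is flagged too and is almost certainly benign), so the check worth acting on is the directory mismatch; confirm it on the box by comparing the two files' sizes and timestamps before deleting anything.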
 

[Reply to “liusi123”'s post]
OK, I'll try it first. Thanks in advance~~~