Rising Kaka Security Forum > Technical Exchange > Anti-virus / Anti-rogue-software Forum: How do I remove Trojan.PSW.Lmir.irg? It even shut down Rising!


How do I remove Trojan.PSW.Lmir.irg? It even shut down Rising!


After I booted up my computer today I found that Kingsoft AntiVirus had been shut down. Rising's free online scan told me I was infected with the Trojan.PSW.Lmir.irg virus. After I installed Rising, Rising couldn't start either; the virus shut it down as well! So frustrating! The virus process is inside services.exe, but that process can't be terminated! Please help me, experts!
Last edited 2005-11-10 22:31:00
 

Save a log with Autoruns and post it here.
To save the log: choose the File -> Save menu item.
When saving the log, make sure the Options -> Hide Microsoft Entries menu item is selected (after setting it, click the Refresh button on the toolbar).

For how to use the tool, see post #14 at http://forum.ikaka.com/topic.asp?board=28&artid=7318038
 

Kill it in Safe Mode.
First use Rising, then Kaspersky, then Norton, then Jiangmin .....
It can definitely be killed.
 

[Reply to BlackStone's post]
HijackThis@Qoo的扫描日志  V1.97.7
Scan saved at 10:59:37, on 2005-11-9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\services.exe
C:\DOCUME~1\dii\LOCALS~1\Temp\Rar$EX02.391\HijackThis.exe

R3 - URLSearchHook:
O2 - BHO: (no name) - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v4.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5EB7CB50-E375-4718-B4C0-9AD12EFA2F84} - C:\WINDOWS\System32\aclayer.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O2 - BHO: (no name) - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SciFinder Scholar Bar - {4e16a8fb-0521-46d1-aa2c-d0fc7abf6af9} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\services.exe
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ddddddd.h
O4 - Startup: gsview32.ini
O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
O4 - Startup: ntuser.ini
O4 - Startup: TmpBakup.Reg
O4 - Startup: tt.dsp
O4 - Startup: tt.dsw
O4 - Startup: tt.h
O4 - Startup: tt.ncb
O4 - Startup: tt.opt
O4 - Startup: tt.plg
O4 - Startup: vgalusr1.vr
O8 - Extra context menu item: &使用暴风下载器下载 - C:\Program Files\Ringz Studio\Storm Downloader\geturl.htm
O8 - Extra context menu item: 使用Kugoo下载 - C:\PROGRA~1\KuGoo2\KugooDownX.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 导出当前页到超星阅览器(&A) - C:\Program Files\SSREADER36\ss_all.htm
O8 - Extra context menu item: 导出选中部分到超星阅览器(&S) - C:\Program Files\SSREADER36\ss_select.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O9 - Extra button: QQ (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [!CNS] 
O12 - Plugin for .cdx: C:\Program Files\Internet Explorer\PLUGINS\Npcdp32.dll
O12 - Plugin for .chm: C:\Program Files\Internet Explorer\PLUGINS\NPCDP32.DLL
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://mallcam.uta.edu/kxhcm10.ocx
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab
O16 - DPF: {C214F4D6-A561-40A6-95CD-42FE193D6B69} (RecordClient Class) - http://eol.nju.edu.cn/soft/EasiComponent.cab
O16 - DPF: {F138084D-84D7-48CD-BEA8-04772457516E} (VqqSpeedDlProxy Class) - http://218.85.138.27/vqqsdl1009.cab

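The log above shows the pattern that makes this infection hard to spot by eye: a second services.exe running from C:\WINDOWS (the real one lives in C:\WINDOWS\system32), registered under both the Run and the legacy RunServices keys under the misspelled name "Torjan Program". The following Python script is an added example, not part of the thread and not HijackThis code; it parses a HijackThis-style log and flags any process or O4 autostart entry whose file name matches a core Windows binary but whose directory is not the expected one. The table of expected directories is an assumption made for Windows XP, and the sample log embedded below is constructed from the lines posted above.

```python
"""Triage a HijackThis-style log: flag processes and autostart entries that
impersonate core Windows binaries from the wrong directory.
Added example; the expected-directory table is an assumption for Windows XP."""
import re
from collections import namedtuple

# Core Windows binaries and the directory each one legitimately runs from
# (lower-case, drive letter dropped). Assumption for this example.
EXPECTED_DIR = {
    "smss.exe": r"\windows\system32",
    "csrss.exe": r"\windows\system32",
    "winlogon.exe": r"\windows\system32",
    "services.exe": r"\windows\system32",
    "lsass.exe": r"\windows\system32",
    "svchost.exe": r"\windows\system32",
    "spoolsv.exe": r"\windows\system32",
    "explorer.exe": r"\windows",
}

Finding = namedtuple("Finding", "kind path reason")

# O4 lines look like: O4 - HKLM\..\Run: [Name] C:\path\to\image.exe -args
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def split_path(path):
    """Return (directory, filename), lower-cased, with the drive letter dropped."""
    p = path.strip().lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    d, _, f = p.rpartition("\\")
    return d, f


def check_image(path):
    """Reason string if the image impersonates a core binary, else None."""
    d, f = split_path(path)
    expected = EXPECTED_DIR.get(f)
    if expected and d != expected:
        return f"{f} should run from {expected}, found in {d or '<none>'}"
    return None


def triage(log_text):
    """Walk the log once and collect findings for processes and O4 entries."""
    findings = []
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            section = "proc"
            continue
        if re.match(r"^[A-Z]\d+ - ", line):   # first R0/O2/O4... line ends the process list
            section = "entry"
        if section == "proc":
            reason = check_image(line)
            if reason:
                findings.append(Finding("process", line, reason))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = re.split(r"\s+-", m.group("cmd"))[0]   # drop switches such as -SYSTEM
            reasons = []
            r = check_image(cmd)
            if r:
                reasons.append(r)
            if "runservices" in m.group("key").lower():
                reasons.append("uses the legacy RunServices key")
            if reasons:
                findings.append(Finding("autostart", line, "; ".join(reasons)))
    return findings


# Constructed sample, assembled from the lines in the posted log.
SAMPLE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\services.exe

O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\services.exe
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.kind}] {f.path}\n    {f.reason}")
```

Run against the sample it reports three findings: the impostor process in C:\WINDOWS and the two "Torjan Program" autostart entries, the second of which is additionally flagged for using RunServices. Everything running from system32 passes, so the output is short enough to act on directly.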
 

[Reply to BlackStone's post]

Deleting the startup items didn't help either! They come back after a reboot!
 

Quote:
[林sir's post] [Reply to BlackStone's post]

Deleting the startup items didn't help either! They come back after a reboot!
...........................


Maybe you didn't delete them completely?
 

[Reply to BlackStone's post]

I deleted the startup items completely! But right after a reboot they were back!
I deleted these two items:
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\services.exe
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\services.exe

The log you asked for:

(entry | description | publisher | image path)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
+ 1 |  |  | File not found: 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ RavMon | RavMon Rising realtime monitor | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rav\ravmon.exe
+ RavTimer | RavTimer | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rav\ravtimer.exe
+ Torjan Program | 222 |  | c:\windows\services.exe

HKLM\System\CurrentControlSet\Services
+ RsCCenter | CCenter | rising | c:\program files\rising\rav\ccenter.exe
+ RsRavMon | RavMon | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rav\ravmond.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ AlcoholShellEx | AXShlEx.dll | Alcohol Soft Development Team | c:\program files\alcohol soft\alcohol 120\axshlex.dll
+ Autoplay for SlideShow |  |  | \
+ Display Panning CPL Extension |  |  | File not found: deskpan.dll
+ HyperTerminal Icon Ext | HyperTerminal Applet Library | Hilgraeve, Inc. | c:\windows\system32\hticons.dll
+ RISING | Rising Shell Ext Module | Beijing Rising Technology Co., Ltd. | c:\windows\system32\ravext.dll
+ Shell extensions for file compression |  |  | \
+ Shell Extensions for RealOne Player | RealPlayer Shell Extensions | RealNetworks, Inc. | c:\program files\media player classic\rpshell.dll
+ WinRAR shell extension |  |  | c:\program files\winrar\rarext.dll
+ 加密上下文菜单 |  |  | \

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ 金山毒霸 |  |  | File not found: C:\KAV6\KAVEXT.DLL

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ PDF Shell Extension | PDF Shell Extension | Adobe Systems, Inc. | c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ AcroIEHlprObj Class | Adobe Acrobat IE Helper Version 7.0 for ActiveX | Adobe Systems Incorporated | c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
+ FlashFXP Helper for Internet Explorer |  | IniCom Networks, Inc. | c:\program files\flashfxp\ieflash.dll
+ IeCatch2 Class | jccatch Module | Amaze Soft | c:\program files\flashget\jccatch.dll
+ ThunderIEHelper Class | xunleibho Module |  | c:\windows\system32\xunleibho_v4.dll

HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ coolbar |  |  | \

HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ FlashGet Bar | FlashGet IE Bar | Amaze Soft | c:\program files\flashget\fgiebar.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions
+ &FlashGet | FlashGet | Amaze Soft | c:\program files\flashget\flashget.exe
+ Yahoo 1G电邮 |  |  | File not found: http://cn.mail.yahoo.com/promo/rd1
+ 清理上网记录 |  |  | File not found: http://assistant.3721.com/clean1.htm?fb=Cns
+ 情景聊天 |  |  | File not found: http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/
+ 上网助手 |  |  | File not found: http://assistant.3721.com/index.htm?fb=Cns
+ 手机短信 |  |  | File not found: http://sms.3721.com/ie/index.htm
+ 腾讯QQ | QQ | TENCENT | c:\program files\tencent\qq\qq.exe
+ 修复浏览器 |  |  | File not found: http://assistant.3721.com/security1.htm?fb=Cns
+ 寻宝乐趣多 |  |  | File not found: http://hot.3721.com/rd/shop_btn.htm
+ 易趣购物 |  |  | File not found: http://click2.ad4all.net/url2/urlmanage/url.asp****5

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ KM Language Monitor | KM language monitor | KYOCERA MITA Corporation | c:\windows\system32\kmpjlmn.dll

 

The source file C:\WINDOWS\services.exe has not been deleted.
End the process, then delete the hidden file services.exe.
 

[Reply to 可怜稻草人's post]
The file can't be deleted! Ugh! Will the system still boot after this file is deleted?
 

Don't hide protected operating system files; use automatic search.
 
Powered by Discuz!NT