Rising Kaka Security Forum > Technical Exchange > Anti-virus / Anti-rogue-software board

[Urgent help] My computer is infected; log attached, could an expert please take a look?

For the past few days Rising has been detecting a virus, Backdoor.Gpigeon.5.ef, found in the file program files\ieplorer.exe. Every time I scan after starting up, it is there again. Please help me!!


HijackThis_zww汉化版扫描日志 V1.99.1
保存于      10:16:55, 日期 2005-12-22
操作系统:  Windows 2000 SP4 (WinNT 5.00.2195)
浏览器:    Internet Explorer v6.00 SP1 (6.00.2800.1106)

当前运行的进程:         
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINNT\system32\svchost.exe
C:\LDClient\LOCALSCH.EXE
C:\WINNT\system32\cba\pds.exe
C:\LDClient\QIPCLNT.EXE
C:\LDClient\tmcsvc.exe
C:\Program Files\Rising\Rav\RavService.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\LDCLIENT\SDISTHK.EXE
C:\LDClient\SOFTMON.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Rising\Rav\RavTimer.exe
C:\Program Files\Rising\Rav\RavTray.exe
C:\Program Files\Rising\Rav\RavMon.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\MyIEGB_PConline\MyIE.exe
C:\Documents and Settings\mym\桌面\新建文件夹\HijackThis1991zww.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe,,C:\LDCLIENT\SDISTHK.EXE,C:\LDClient\SOFTMON.EXE
O1 - Hosts: 60.0.191.4 gx_srv4
O1 - Hosts: 60.0.191.1 gx_srv1
O1 - Hosts: 60.0.191.108 PDS_SRV_GX01
O2 - BHO: DragSearch BHO - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\assist\YDRAGS~1.DLL (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O4 - 启动项HKLM\\Run: [RavTimer] C:\Program Files\Rising\Rav\RavTimer.exe
O4 - 启动项HKLM\\Run: [RavTray] C:\Program Files\Rising\Rav\RavTray.exe
O4 - 启动项HKLM\\Run: [RavMon] C:\Program Files\Rising\Rav\RavMon.exe -system
O4 - 启动项HKLM\\Run: [FinePrint 分配器 v5] C:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - 启动项HKLM\\Run: [IntelAPMClient] C:\LDClient\amclient.exe /apm /s
O4 - 启动项HKLM\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: ISATRAY.lnk = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: 清单扫描.LNK = C:\LDClient\LDISCN32.EXE
O4 - Global Startup: 自定义数据表单.LNK = C:\LDClient\LDCstm32.exe
O4 - Global Startup: 应用程序策略管理.LNK = C:\LDClient\AMCLIENT.EXE
O4 - Global Startup: 任务完成.LNK = C:\LDClient\AMCLIENT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - IE右键菜单中的新增项目: 使用影音传送带下载 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - IE右键菜单中的新增项目: 使用影音传送带下载全部链接 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - IE右键菜单中的新增项目: 使用网际快车下载 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - IE右键菜单中的新增项目: 使用网际快车下载全部链接 - C:\PROGRA~1\FlashGet\jc_all.htm
O14 - IERESET.INF: START_PAGE_URL=about:blank
O14 - IERESET.INF: MS_START_PAGE_URL=about:blank
O15 - 添加的受信任的 IP 地址范围: http://60.0.191.4
O16 - DPF: {0713E8A2-850A-101B-AFC0-4210102A8DA7} (Microsoft TreeView Control, version 5.0 (SP2)) - http://60.0.191.4/TanSun/ocx/COMCTL32.OCX
O16 - DPF: {074106C0-5E71-4151-9CE8-9B024485B58F} (iMsgClient Control) - http://60.0.191.4/TanSun/ocx/iWebClient2000.ocx
O16 - DPF: {3C4F3BE3-47EB-101B-A3C9-08002B2F49FB} (Common Dialog Font Property Page Object) - http://60.0.191.4/TanSun/ocx/COMDLG32.OCX
O16 - DPF: {44F270D1-4F63-4795-9B7E-87C0A413661A} (工程1.UserControl1) - http://60.0.191.4/TanSun/ocx/WebTreeMenuV2.ocx
O16 - DPF: {48E59293-9880-11CF-9754-00AA00C00908} (Microsoft Internet Transfer Control, version 6.0) - http://60.0.191.4/TanSun/ocx/MSINET.OCX
O16 - DPF: {817C90B5-1688-42BE-9044-58422DB088B2} (PortalCom R01) - http://61.172.97.52/PortalAX.cab
O23 - NT 服务: LANDesk(R) Management Agent (CBA8) - LANDesk(R) Development, Ltd - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - NT 服务: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - NT 服务: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\LDClient\LOCALSCH.EXE
O23 - NT 服务: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - NT 服务: Intel QIP Client Service - LANDesk Software Ltd. - C:\LDClient\QIPCLNT.EXE
O23 - NT 服务: Intel Targeted Multicast - LANDesk Software Ltd. - C:\LDClient\tmcsvc.exe
O23 - NT 服务: Logical System Manage (llsserver) - Unknown owner - C:\Program Files\Common Files\llserv.exe
O23 - NT 服务: RavService - Unknown owner - C:\Program Files\Rising\Rav\RavService.exe" /service (file missing)
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe


Last edited 2005-12-22 12:40:26

Fix these:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - NT 服务: Logical System Manage (llsserver) - Unknown owner - C:\Program Files\Common Files\llserv.exe

Delete C:\Program Files\Common Files\llserv.exe

Then search, and search again, for llserv.dll, llserv_hook.dll and llservkey.dll.
Delete those too once you find them.
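The advice above comes down to two steps: pick out the log entries worth fixing (the O6 policy line and the unknown-owner O23 service) and then hunt for the llserv* file family. As an added example, not code from this thread or from HijackThis, here is a small Python triage script that applies those same checks to HijackThis output. The sample lines are copied from the log in the first post; the heuristics (unknown-owner services, the `llserv` name prefix, the O6 policy entry, plus lower-priority review flags for trusted-zone and bare-IP ActiveX entries) are assumptions made for this example, not rules built into HijackThis.

```python
import re
from typing import Dict, List

# Constructed sample input: a handful of lines copied from the HijackThis
# log posted in the first post of this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 60.0.191.4 gx_srv4
O4 - 启动项HKLM\\Run: [RavMon] C:\Program Files\Rising\Rav\RavMon.exe -system
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - 添加的受信任的 IP 地址范围: http://60.0.191.4
O16 - DPF: {817C90B5-1688-42BE-9044-58422DB088B2} (PortalCom R01) - http://61.172.97.52/PortalAX.cab
O23 - NT 服务: Logical System Manage (llsserver) - Unknown owner - C:\Program Files\Common Files\llserv.exe
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
"""

# File-name family named in the thread's cleanup advice (llserv.exe,
# llserv.dll, llserv_hook.dll, llservkey.dll): any binary whose stem
# starts with "llserv". Assumed indicator list for this example.
SUSPECT_STEM_PREFIXES = ("llserv",)

# A Windows path inside a HijackThis line, stopping at the first binary
# extension so trailing arguments such as "-system" are not included.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cab))', re.IGNORECASE)
# A URL that points at a bare IPv4 address instead of a host name.
BARE_IP_URL_RE = re.compile(r'https?://\d{1,3}(?:\.\d{1,3}){3}')


def file_stem(path: str) -> str:
    """Return the lowercase file name without its extension, e.g. 'llserv'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def triage(log_text: str) -> List[Dict[str, str]]:
    """Scan HijackThis lines and return findings as dicts with the keys
    severity ('high' or 'review'), section (e.g. 'O23'), reason and line."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        head = re.match(r'(O\d+|F\d+) - ', line)
        if not head:
            continue  # process list, header lines, blanks
        section = head.group(1)
        path_match = PATH_RE.search(line)
        stem = file_stem(path_match.group(1)) if path_match else ""

        hits = []  # (severity, reason) pairs for this line
        if stem and stem.startswith(SUSPECT_STEM_PREFIXES):
            hits.append(("high", f"file name '{stem}' matches the llserv* family named in the thread"))
        if section == "O23" and "Unknown owner" in line:
            hits.append(("high", "service binary carries no vendor/owner string"))
        if section == "O6":
            hits.append(("high", "Internet Explorer control-panel policy restrictions are present"))
        if section == "O15":
            hits.append(("review", "trusted-zone entry added; confirm it is an intended intranet host"))
        if section == "O16" and BARE_IP_URL_RE.search(line):
            hits.append(("review", "ActiveX control downloaded from a bare IP address"))

        findings.extend(
            {"severity": sev, "section": section, "reason": reason, "line": line}
            for sev, reason in hits
        )
    return findings


if __name__ == "__main__":
    # Print high-severity findings first, then the review items.
    for finding in sorted(triage(SAMPLE_LOG), key=lambda f: f["severity"] != "high"):
        print(f"[{finding['severity']:6}] {finding['section']}: {finding['reason']}")
        print(f"         {finding['line']}")
```

Run against the sample, the only "high" findings are the two lines the reply says to fix; the Rising entries and the LANDesk-style O1 host mappings produce nothing. The O15 and O16 lines are reported as "review" only, because the same 60.0.191.x server appears in the hosts entries and may well be a legitimate intranet host.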

Thanks, I'll give it a try. Do I need to edit the registry?

Of course; you need to delete the registry entries related to Gray Pigeon (灰鸽子).

Do you mean everything that contains the string "llserv"?

Also, what does this mean:
"Fix these:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present"

You can search the registry for llserv.exe.