用瑞星查出来Backdoor.GPigeon病毒显示出来的 　
处理结果    发现日期    扫描方式    路径    文件    病毒来源
清除失败    05-09-29 13:13    实时监控    C:\DOCUME~1\lenovo\LOCALS~1\Temp    mc23E.tmp    本机
请教一下高手怎么杀掉

同病相怜啊朋友。。呵呵。。

同病相怜啊朋友!

自启动项
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\Currentversion\Run
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
SoundMan = SOUNDMAN.EXE
RavTimer = D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
RavMon = D:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
assistse = "C:\Program Files\3721\assistse.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
KernelFaultCheck = %systemroot%\system32\dumprep 0 -k

HKEY_CURRENT_USER Software\Microsoft\Windows\Currentversion\Run
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
shell32.dll = "C:\Program Files\Messenger\msmsgs.exe" /background
C:\WINDOWS\DOWNLO~1\CnsHook.dll= "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder = %SystemRoot%\system32\SHELL32.dll
CDBurn = %SystemRoot%\system32\SHELL32.dll
WebCheck = %SystemRoot%\System32\webcheck.dll
SysTray = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
%SystemRoot%\System32\browseui.dll= Browseui 预加载程序
%SystemRoot%\System32\browseui.dll= 组件类别缓存程序


SYSTEM.INI BOOT SHELL Explorer.exe
SYSTEM.INI BOOT SCRNSAVE.EXE C:\WINDOWS\System32\logon.scr


其他相关项
HKEY_LOCAL_MACHINE Software\Microsoft\internet explorer\search searchassistant ----> http://seek.3721.com/srchasst.htm
HKEY_LOCAL_MACHINE Software\Microsoft\internet explorer\search CustomizeSearch ----> http://seek.3721.com/srchcust.htm
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon DefaultUserName ----> lenovo
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon AltDefaultUserName ----> lenovo
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit ----> C:\WINDOWS\system32\userinit.exe,
HKEY_USERS .Default\Software\Microsoft\Internet Explorer\Main start page ----> http://www.lenovo.com


Hosts
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host



进程列表

[System Process]
System
C:\WINDOWS\System32\Ati2evxx.exe (Made by ATI Technologies Inc.)
C:\WINDOWS\SOUNDMAN.EXE (Made by Realtek Semiconductor Corp.)

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Rising\Rfw\rfwsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Rundll32.exe
D:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
D:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\Program Files\3721\assistse.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Rising\Rfw\RfwMain.exe
D:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
D:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\lenovo\桌面\不常用的文件\RavDetect.exe

进程详细信息


这是瑞星听诊专家提取的扫描报告,请高手看一下,谢谢了

【回复“晓月舞”的帖子】
在安全模式下，清空C:\DOCUME~1\lenovo\LOCALS~1\Temp文件夹。

已经把C:\DOCUME~1\lenovo\LOCALS~1\Temp 文件夹在安全模式下清空了~
但是瑞星在显示杀毒失败以后,我在安全模式下再杀一次就显示没有病毒了~
请教下斑竹~怎么样确定Backdoor.GPigeon病毒已经被清除了呢?
呵呵,是女生,不太懂这个,谢谢baohe版主了~

Temp下不是病毒体,只是运行时的临时文件.这种情况是这个灰鸽子还没有列入病毒库,升级下再查杀看.如果还杀不到,只能手动了,用HijackThis扫描下服务,发上来分析,再确认删除的东西.

引用:

【晓月舞的贴子】已经把C:\DOCUME~1\lenovo\LOCALS~1\Temp 文件夹在安全模式下清空了~ 但是瑞星在显示杀毒失败以后,我在安全模式下再杀一次就显示没有病毒了~ 请教下斑竹~怎么样确定Backdoor.GPigeon病毒已经被清除了呢? 呵呵,是女生,不太懂这个,谢谢baohe版主了~ ...........................

如果瑞星不再报毒，就没事了。

引用:

【baohe的贴子】 如果瑞星不再报毒，就没事了。 ...........................

不要误导人,最新的灰鸽子是这样,会产生运行前临时文件,很快就消失了,所以删除会失败,这个可以查到病毒,病毒体就不一定了,因为灰鸽子变种快,即使是最新版本,也许还是杀不到他.

引用:

【loveme167的贴子】 不要误导人,最新的灰鸽子是这样,会产生运行前临时文件,很快就消失了,所以删除会失败,这个可以查到病毒,病毒体就不一定了,因为灰鸽子变种快,即使是最新版本,也许还是杀不到他. ...........................

呵呵。我今天尽碰到高手了。