Rising Kaka Security Forum, Technical Exchange, Anti-virus / Anti-rogue-software board

[Help] Asking the moderators and experts: infected with Gray Pigeon (Backdoor.Gpigeon) and it can never be fully removed

Every time I boot or reboot, Rising detects several copies of Backdoor.Gpigeon.up (or .spm). The virus keeps re-copying itself automatically, and safe mode doesn't help either. The Rising firewall also keeps detecting the Backdoor.Gpigeon.uz (or .spm / .ssg) trojan.

The HijackThis V1.99.1 scan log is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 0:51:42, on 2005-11-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rfw\rfwsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rising\Rfw\RfwMain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\PROGRA~1\RISING\RAV\RAVMON.EXE
E:\暴风影音5.07\暴风影音文件\Storm Downloader\StormDownloader.exe
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
E:\迅雷\安装文件\Thunder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ADSL拨号王\HNMainUI.exe
E:\HijackThis1.99.1  扫描工具\文件\HijackThis.exe

R3 - URLSearchHook: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v8.dll
O2 - BHO: yPhtb - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yangling.dll
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: QQBrowserHelperObject Class - {54EBD53A-9BC1-480B-966A-843A333CA162} - d:\Program Files\Tencent\QQ\QQIEHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
O2 - BHO: MMSAssist - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O2 - BHO: (no name) - {A9930D97-9CF0-42A0-A10D-4F28836579D5} - E:\kugoo(MP3)\安装文件\KuGoo3\KuGoo3DownXControl.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O3 - Toolbar: 金山快译(&K) - {6C3797D2-3FEF-4cd4-B654-D3AE55B4128C} - E:\金鹕山娇快靱~1\金鹕山娇快靱~1\IEBand.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] rem C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] rem C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] rem C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IMSCMig] rem C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [RavMon] C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM
O4 - HKLM\..\Run: [dla] rem C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MINI_BFYY] E:\暴风影音5.07\暴风影音文件\Storm Downloader\StormDownloader.exe
O4 - HKLM\..\Run: [Thunder] "E:\迅雷\安装文件\ThunderShell.exe" /s
O4 - HKLM\..\Run: [YLive.exe] C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
O4 - HKLM\..\Run: [yassistse] "C:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item:  >> 彩信发送 << - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm
O8 - Extra context menu item: !搜一搜 - res://C:\WINDOWS\downlo~1\CnsMinEx.dll/1003
O8 - Extra context menu item: &使用暴风下载器下载 - E:\暴风影音5.07\暴风影音文件\Storm Downloader\geturl.htm
O8 - Extra context menu item: &使用迅雷下载 - E:\迅雷\安装文件\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - E:\迅雷\安装文件\getAllurl.htm
O8 - Extra context menu item: Google 搜索(&G) - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: 使用KuGoo3下载(&K) - E:\kugoo(MP3)\安装文件\KuGoo3\KuGoo3DownX.htm
O8 - Extra context menu item: 反向链接 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: 用比特精灵下载(&B) - E:\比特精灵\BitSpirit\bsurl.htm
O8 - Extra context menu item: 类似网页 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: 缓存的网页快照 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: 翻译英文字词(&T) - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll/246
O9 - Extra button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - D:\游戏\下载游戏\浩方\浩方对战平台\GameClient.exe (file missing)
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://adtaobao.allyes.com/main/adfclick?db=adtaobao&bid=138,140,18&cid=816,8,1&sid=5042&show=ignore&url=?allyesPara=816 (file missing)
O9 - Extra button: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/?source=Cns (file missing)
O9 - Extra button: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O9 - Extra 'Tools' menuitem: MMSAssist工具条设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\Mmsass~1.dll
O9 - Extra button: 易趣购物 - {DE607145-AC19-425e-865A-5D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing)
O9 - Extra 'Tools' menuitem: 易趣购物 - {DE607145-AC19-425e-865A-5D70ABDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=5 (file missing)
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O11 - Options group: [!CNS]  网络实名
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - Unknown owner - C:\WINDOWS\Server2.0.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - C:\Program Files\Rising\Rfw\rfwsrv.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: Remote Access Sever (Service) - Unknown owner - C:\WINDOWS\svchost.exe

Firewall detection results:
2005-11-18 09:25:45, IEXPLORE.EXE>>C:\Program Files\Internet Explorer\IEXPLORE.EXE ->Backdoor.GPigeon.uz
2005-11-18 00:40:41, IEXPLORE.EXE>>C:\WINDOWS\svchost.DLL ->Backdoor.Gpigeon.ssg
2005-11-18 00:40:38, RavStub.exe>>C:\WINDOWS\svchost_HOOk.DLL ->Backdoor.Gpigeon.spm
2005-11-18 00:40:37, Ravmond.exe>>C:\WINDOWS\svchost_HOOk.DLL ->Backdoor.Gpigeon.spm
2005-11-18 00:40:33, CCENTER.EXE>>C:\WINDOWS\svchost_HOOk.DLL ->Backdoor.Gpigeon.spm
2005-11-18 00:40:31, RAVMON.EXE>>C:\WINDOWS\svchost_HOOk.DLL ->Backdoor.Gpigeon.spm
2005-11-18 00:40:29, RAVTIMER.EXE>>C:\WINDOWS\svchost_HOOk.DLL ->Backdoor.Gpigeon.spm
2005-11-18 00:40:24, Explorer.EXE>>C:\WINDOWS\Explorer.EXE ->Worm.Mail.Fanbot
2005-11-18 00:20:55, CCENTER.EXE>>C:\WINDOWS\svchost_HOOk.DLL ->Backdoor.Gpigeon.spm
2005-11-18 00:20:44, lsass.exe>>C:\WINDOWS\svchost_HOOk.DLL ->Backdoor.Gpigeon.spm
2005-11-18 00:13:17, csrss.exe>>C:\WINDOWS\svchost_HOOk.DLL ->Backdoor.Gpigeon.spm
Last edited 2005-11-18 11:22:28
 

[Reply to 蓝色陨石's post]
Experts, please answer. Thanks.
 

O23 - Service: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - Unknown owner - C:\WINDOWS\Server2.0.exe
O23 - Service: Remote Access Sever (Service) - Unknown owner - C:\WINDOWS\svchost.exe
Two pigeons.
For manual removal, see moderator Baohe's post: Some suggestions on removing "Gray Pigeon 2005"
http://forum.ikaka.com/topic.asp?board=28&artid=6202404

Rising seems to have released a dedicated removal tool; look for it.


 

http://it.rising.com.cn/service/technology/Ravgpk_Download.htm
Try the dedicated removal tool, and read the usage instructions carefully. There is also a manual removal method.
 

O23 - Service: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - Unknown owner - C:\WINDOWS\Server2.0.exe
O23 - Service: Remote Access Sever (Service) - Unknown owner - C:\WINDOWS\svchost.exe
These two are the pigeons.
Reboot into safe mode, empty the IE temporary files folder, open the registry, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and, in the left-hand tree, delete the four service entries Gray_Pigeon_Server2.0 / GrayPigeonServer2.0 / Remote Access Sever / Service. Not all of them will necessarily be there; delete whichever you find, the whole key each time. Show system and hidden files, then search the WINDOWS folder for Server2.0.exe, Server2.0.dll, Server2.0_hook.dll and Server2.0Key.dll, and for svchost.exe, svchost.dll, svchost_hook.dll and svchostKey.dll.
You may not find all eight files; delete all the ones you find. Reboot into normal mode and post another log for us to look at.

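Added example, not code from this thread or from Rising: a small Python triage that applies the reasoning the replies above use to the O23 lines of the HijackThis log. It flags a service whose binary carries a core Windows file name but sits outside system32 (the genuine svchost.exe only lives in C:\WINDOWS\system32), a service with no vendor name running straight from the Windows folder, and a service name matching the Gray Pigeon default. The sample lines are copied from the log in this thread; the C:\WINDOWS drive and folder names are an assumption for this example.

```python
import re

# Constructed sample: O23 lines copied from the HijackThis log in this thread,
# two legitimate services alongside the two the replies point at.
SAMPLE_O23 = r"""
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Gray_Pigeon_Server2.0 (GrayPigeonServer2.0) - Unknown owner - C:\WINDOWS\Server2.0.exe
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - C:\Program Files\Rising\Rfw\rfwsrv.exe
O23 - Service: Remote Access Sever (Service) - Unknown owner - C:\WINDOWS\svchost.exe
"""

# HijackThis O23 layout: "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Core Windows binaries that only ever live in %SystemRoot%\system32.
# A file with one of these names anywhere else is a look-alike.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# Assumed for this example: Windows is installed at C:\WINDOWS (as in the log).
SYSTEM32 = r"c:\windows\system32"
WINDIR = r"c:\windows"


def parse_o23(line):
    """Split one O23 line into name / owner / path, or None if it is not an O23 line."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_service(svc):
    """Return the reasons an O23 entry deserves a closer look (empty list = nothing found)."""
    reasons = []
    directory, _, filename = svc["path"].lower().rpartition("\\")
    if filename in SYSTEM_BINARIES and directory != SYSTEM32:
        reasons.append("system binary name outside system32: " + svc["path"])
    if svc["owner"] == "Unknown owner" and directory == WINDIR:
        reasons.append("no vendor in version info and runs straight from the Windows folder")
    if "pigeon" in svc["name"].lower():
        reasons.append("service name matches the Gray Pigeon default")
    return reasons


def triage_log(text):
    """Map each suspicious service name to its list of reasons."""
    findings = {}
    for line in text.splitlines():
        svc = parse_o23(line)
        if svc:
            reasons = triage_service(svc)
            if reasons:
                findings[svc["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_O23).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

The genuine svchost.exe in C:\WINDOWS\system32, which appears several times in the running-process list, is not a finding; the copy flagged is the one directly under C:\WINDOWS.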
 

I tried Rising's Gray Pigeon removal tool. It didn't work.
Thanks everyone! I don't know how to use the registry yet, so I'll get a friend to delete it following your method. Thanks again!
 