Rising Kaka Security Forum

Rootkit.Vanti.gen: how do I get rid of this virus?
你们网速真慢 - 2006-4-18 23:54:00
It has been bothering me for several days; I have looked in many places and still can't remove it. Rising can't remove it either. Please help me take a look. Your website has a description of this virus.
你们网速真慢 - 2006-4-18 23:57:00
taskmgr.exe is among the running processes.
你们网速真慢 - 2006-4-19 0:01:00
正在运行的进程
[PID: 404][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 468][\??\C:\WINDOWS\system32\csrss.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 492][\??\C:\WINDOWS\system32\winlogon.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
    [C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll]  <Stardock><1, 0, 0, 1>
[PID: 536][C:\WINDOWS\system32\services.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
[PID: 548][C:\WINDOWS\system32\lsass.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
[PID: 692][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
[PID: 756][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
[PID: 792][C:\Program Files\Rising\Rav\CCenter.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
[PID: 812][C:\WINDOWS\System32\svchost.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\System32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
[PID: 852][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
[PID: 960][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
[PID: 972][C:\Program Files\Rising\Rav\Ravmond.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 1, 19>
    [C:\Program Files\Rising\Rav\BWList.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 16>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
    [C:\Program Files\Rising\Rav\CfgDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\Rising\Rav\RsLog.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 18>
    [C:\Program Files\Rising\Rav\HOOKSYS.dll]  <Rising><18, 1, 0, 9>
    [C:\Program Files\Rising\Rav\Scanner.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 28>
    [C:\Program Files\Rising\Rav\libload.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\VirusLib.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\regmon.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 6>
    [C:\Program Files\Rising\Rav\HookWeb.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\MemMon.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 8>
    [C:\Program Files\Rising\Rav\expscan.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\Rising\Rav\mPorts.dll]  <Beijing Rising Technology Co., Ltd.><4, 0, 0, 3>
    [C:\Program Files\Rising\Rav\MailMon.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
    [C:\Program Files\Rising\Rav\SpamEng.dll]  <N/A><18, 0, 0, 6>
    [C:\Program Files\Rising\Rav\engine.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 26>
    [C:\Program Files\Rising\Rav\PostTrt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 9>
    [C:\Program Files\Rising\Rav\UnExe.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 9>
    [C:\Program Files\Rising\Rav\ScanExec.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\ScanEx.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 6>
    [C:\Program Files\Rising\Rav\NvFile.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 7>
    [C:\Program Files\Rising\Rav\ScanMac.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 7>
    [C:\Program Files\Rising\Rav\ScanSct.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
    [C:\Program Files\Rising\Rav\Unpacker.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
    [C:\Program Files\Rising\Rav\RsStore.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
    [C:\Program Files\Rising\Rav\ExtOLE.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
[PID: 1172][C:\WINDOWS\system32\spoolsv.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
[PID: 1284][C:\Program Files\Rising\Rav\RavStub.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
你们网速真慢 - 2006-4-19 0:01:00
[PID: 1488][C:\WINDOWS\Explorer.EXE]  <Microsoft Corporation><6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
    [C:\Program Files\Stardock\Object Desktop\ThemeManager\wbhelp.dll]  <Stardock.Net, Inc><4.01>
    [C:\WINDOWS\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
    [C:\WINDOWS\system32\nvcpl.dll]  <NVIDIA Corporation><6.14.10.7184>
    [C:\WINDOWS\system32\NVRSZHC.DLL]  <NVIDIA Corporation><6.14.10.7184>
    [C:\WINDOWS\system32\nvshell.dll]  <NVIDIA Corporation><6.14.10.10035>
    [D:\FLASHGET\jccatch.dll]  <Amaze Soft><1, 1, 4, 0>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
    [C:\WINDOWS\system32\msdmo.dll]  <N/A><N/A>
    [D:\Tencent\QQ\qdshm.dll]  <><1, 0, 1, 2>
    [d:\WinRAR\rarext.dll]  <N/A><N/A>
[PID: 1684][C:\Program Files\Internet Explorer\IEXPLORE.EXE]  <Microsoft Corporation><6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
[PID: 1700][C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe]  <InstallShield Software Corporation><3, 00, 100, 1161>
[PID: 1800][C:\Program Files\Rising\Rav\RavTask.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 22>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
    [C:\Program Files\Rising\Rav\CfgDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
[PID: 1824][C:\Program Files\Rising\Rav\Ravmon.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 1, 17>
    [C:\Program Files\Rising\Rav\RsGuiLib.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 23>
    [C:\Program Files\Rising\Rav\BWList.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 16>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
    [C:\Program Files\Stardock\Object Desktop\ThemeManager\wbhelp.dll]  <Stardock.Net, Inc><4.01>
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
    [C:\Program Files\Rising\Rav\CfgDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\PngDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
[PID: 1852][D:\SKYNET\FIREWALL\PFW.exe]  <crsky[BCG][FCG]><2.6.1.168>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
    [C:\Program Files\Stardock\Object Desktop\ThemeManager\wbhelp.dll]  <Stardock.Net, Inc><4.01>
    [C:\WINDOWS\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 13>
[PID: 1884][C:\WINDOWS\system32\ctfmon.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
    [C:\Program Files\Stardock\Object Desktop\ThemeManager\wbhelp.dll]  <Stardock.Net, Inc><4.01>
[PID: 1928][D:\FinePixViewer\QuickDCF.exe]  <FUJI PHOTO FILM CO., LTD.><5, 0, 0, 2>
[PID: 176][C:\WINDOWS\system32\nvsvc32.exe]  <NVIDIA Corporation><6.14.10.7184>
    [C:\WINDOWS\system32\NVRSZHC.DLL]  <NVIDIA Corporation><6.14.10.7184>
[PID: 1500][C:\WINDOWS\System32\alg.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
[PID: 1096][C:\Documents and Settings\王亮\My Documents\Huawei\PortalServer\218.2.135.36\PortalClient.exe]  <Huawei Co. Ltd.><1.0.1.9>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
    [C:\Program Files\Stardock\Object Desktop\ThemeManager\wbhelp.dll]  <Stardock.Net, Inc><4.01>
[PID: 464][E:\JxOnline2\SO2Game.exe]  <N/A><N/A>
    [E:\JxOnline2\Engine.dll]  <N/A><N/A>
    [E:\JxOnline2\LuaLibDll.dll]  <N/A><N/A>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
    [C:\Program Files\Stardock\Object Desktop\ThemeManager\wbhelp.dll]  <Stardock.Net, Inc><4.01>
    [E:\JxOnline2\Dump.dll]  <金山软件公司><2005, 5, 16, 4>
    [E:\JxOnline2\Represent3.dll]  <N/A><N/A>
    [E:\JxOnline2\Sound.dll]  <N/A><N/A>
    [C:\Downloads\jxjl1227\jxjl1227\jxdata.DLL]  <><1.0.0.1>
[PID: 3740][C:\WINDOWS\system32\svchost.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
[PID: 2544][C:\Downloads\jxjl1227\jxjl1227\jxjl.exe]  <精灵工作组><1.0.1.3>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
    [C:\Program Files\Stardock\Object Desktop\ThemeManager\wbhelp.dll]  <Stardock.Net, Inc><4.01>
    [C:\Downloads\jxjl1227\jxjl1227\jxdata.DLL]  <><1.0.0.1>
[PID: 2612][E:\JxOnline2\SO2Game.exe]  <N/A><N/A>
    [E:\JxOnline2\Engine.dll]  <N/A><N/A>
    [E:\JxOnline2\LuaLibDll.dll]  <N/A><N/A>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
    [C:\Program Files\Stardock\Object Desktop\ThemeManager\wbhelp.dll]  <Stardock.Net, Inc><4.01>
    [E:\JxOnline2\Dump.dll]  <金山软件公司><2005, 5, 16, 4>
    [E:\JxOnline2\Represent3.dll]  <N/A><N/A>
    [E:\JxOnline2\Sound.dll]  <N/A><N/A>
    [C:\Downloads\jxjl1227\jxjl1227\jxdata.DLL]  <><1.0.0.1>
[PID: 3300][C:\Program Files\Internet Explorer\iexplore.exe]  <Microsoft Corporation><6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\xunleibho_v4.dll]  <><4, 3, 2, 29>
    [C:\Program Files\CoolWebsite\QuickLink.dll]  <Fengcent><1, 0, 0, 2>
    [C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll]  <Yahoo!><2, 0, 3, 1023>
    [D:\Tencent\QQ\QQIEHelper.dll]  <深圳市腾讯计算机系统有限公司><1, 1, 0, 5>
    [D:\FLASHGET\jccatch.dll]  <Amaze Soft><1, 1, 4, 0>
    [c:\program files\google\googletoolbar2.dll]  <Google Inc.><3, 0, 131, 0>
    [C:\Program Files\Rising\Rav\RavScrCh.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 3>
    [C:\WINDOWS\system32\Flash.ocx]  <Macromedia, Inc.><7,0,19,0>
[PID: 1320][C:\Downloads\sreng2\SREng.exe]  <Smallfrogs Studio><2.0.12.350>
你们网速真慢 - 2006-4-19 0:03:00
Please help me take a look, thanks.
轩辕小聪 - 2006-4-19 0:38:00
Where is the first part of the log (all four items under Smart Scan should be checked)? Also, state clearly the virus file name and its exact path.
Also, judging from the log, I personally think the behaviour of Stardock.Net, Inc's C:\WINDOWS\system32\wbsys.dll is extremely bad. If that is what is being reported as a virus, I wouldn't be the least bit surprised: when a non-operating-system file can inject itself even into C:\WINDOWS\system32\winlogon.exe, what else is it incapable of doing?
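An added example (not from this thread or from any tool mentioned in it) that turns the observation above into a repeatable check: it parses an SREng-style process listing like the one posted earlier and flags every module whose company field is not Microsoft that sits inside a core system process. The sample lines are copied from that listing; the CRITICAL and TRUSTED sets are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the SREng layout posted above ([PID: n][image]  <Company><Version>,
# loaded modules indented under their process); the lines are taken from that listing.
SAMPLE_LOG = r"""
[PID: 492][\??\C:\WINDOWS\system32\winlogon.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
    [C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll]  <Stardock><1, 0, 0, 1>
[PID: 548][C:\WINDOWS\system32\lsass.exe]  <Microsoft Corporation><5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\wbsys.dll]  <Stardock.Net, Inc><4, 0, 0, 0>
[PID: 1488][C:\WINDOWS\Explorer.EXE]  <Microsoft Corporation><6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)>
    [C:\WINDOWS\system32\nvcpl.dll]  <NVIDIA Corporation><6.14.10.7184>
"""

# One pattern for both line kinds; the PID group is present only on process lines.
LINE_RE = re.compile(r"^\s*(?:\[PID:\s*(\d+)\])?\[([^\]]+)\]\s+<([^>]*)><([^>]*)>\s*$")
# Assumed set of core system processes a third-party DLL should normally never be loaded into.
CRITICAL = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# The company name comes from the file's version resource, which any file can set:
# matching it is a triage heuristic, not an authenticity check (verify the file separately).
TRUSTED = {"microsoft corporation"}

def parse_listing(text):
    """Return [{pid, image, modules: [(path, company)]}] from an SREng-style listing."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # blank lines and headers
        pid, path, company, _version = m.groups()
        if pid is not None:                # a process line opens a new record
            procs.append({"pid": int(pid), "image": path.rsplit("\\", 1)[-1].lower(), "modules": []})
        elif procs:                        # an indented module line belongs to the last process
            procs[-1]["modules"].append((path, company))
    return procs

def flag_foreign_modules(procs):
    """Non-trusted modules inside critical processes, as (pid, image, module path, company)."""
    return [(p["pid"], p["image"], path, company)
            for p in procs if p["image"] in CRITICAL
            for path, company in p["modules"] if company.strip().lower() not in TRUSTED]

def module_spread(procs):
    """Distinct processes each non-trusted DLL is loaded in: a module present in nearly
    every process is the injected-everywhere pattern wbsys.dll shows in the listing."""
    spread = defaultdict(set)
    for p in procs:
        for path, company in p["modules"]:
            if company.strip().lower() not in TRUSTED:
                spread[path.rsplit("\\", 1)[-1].lower()].add(p["pid"])
    return {name: len(pids) for name, pids in spread.items()}
```

On the sample, winlogon.exe and lsass.exe each yield a finding and wbsys.dll shows a spread of 2, while nvcpl.dll in Explorer.EXE is not flagged because Explorer is not in the critical set.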
你们网速真慢 - 2006-4-19 22:00:00
So what should I do?
天天泡泡 - 2006-4-19 23:42:00
The file C:\WINDOWS\system32\wbsys.dll is indeed very suspicious. It looks like it comes from C:\Program Files\Stardock\. I suggest you run a scan with Autoruns and post the log; remember to hide Microsoft processes.
轩辕小聪 - 2006-4-20 0:27:00
【Supplement to 天天泡泡's post】
Autoruns can be downloaded from post #11 at http://forum.ikaka.com/topic.asp?board=28&artid=6979213. "Hide Microsoft processes" (sigh, many newcomers don't understand what this means and end up posting the whole list) means selecting Options - Hide Microsoft Entries.
你们网速真慢 - 2006-4-20 18:36:00
Process | PID | CPU | Description | Company Name
System Idle Process | 0 | 93.85 | |
Interrupts | n/a | | Hardware Interrupts |
DPCs | n/a | 1.54 | Deferred Procedure Calls |
System | 4 | | |
  SMSS.EXE | 404 | | Windows NT Session Manager | Microsoft Corporation
  CSRSS.EXE | 468 | | Client Server Runtime Process | Microsoft Corporation
  WINLOGON.EXE | 492 | | Windows NT Logon Application | Microsoft Corporation
    SERVICES.EXE | 536 | | Services and Controller app | Microsoft Corporation
    SVCHOST.EXE | 692 | | Generic Host Process for Win32 Services | Microsoft Corporation
    SVCHOST.EXE | 756 | | Generic Host Process for Win32 Services | Microsoft Corporation
    CCenter.exe | 792 | | CCenter | Beijing Rising Technology Co., Ltd.
    SVCHOST.EXE | 812 | | Generic Host Process for Win32 Services | Microsoft Corporation
    SVCHOST.EXE | 852 | | Generic Host Process for Win32 Services | Microsoft Corporation
    SVCHOST.EXE | 912 | | Generic Host Process for Win32 Services | Microsoft Corporation
    RavMonD.exe | 940 | | RavMond | Beijing Rising Technology Co., Ltd.
      RavStub.exe | 1280 | | Rising RavStub | Beijing Rising Technology Co., Ltd.
    SPOOLSV.EXE | 1172 | | Spooler SubSystem App | Microsoft Corporation
    alg.exe | 1412 | | Application Layer Gateway Service | Microsoft Corporation
    LSASS.EXE | 548 | | LSA Shell (Export Version) | Microsoft Corporation
    taskmgr.exe | 1944 | | Windows TaskManager | Microsoft Corporation
EXPLORER.EXE | 1484 | | Windows Explorer | Microsoft Corporation
ISSCH.EXE | 1688 | | InstallShield Update Service Scheduler | InstallShield Software Corporation
PFW.exe | 1776 | | 天网防火墙个人版 | crsky[BCG][FCG]
CTFMON.EXE | 1808 | | CTF Loader | Microsoft Corporation
QuickDCF.exe | 1852 | | Exif Launcher | FUJI PHOTO FILM CO., LTD.
BitComet.exe | 1632 | 3.08 | BitComet - a BitTorrent Client | www.BitComet.com
RavMon.exe | 732 | | RavMon | Beijing Rising Technology Co., Ltd.
IEXPLORE.EXE | 616 | | Internet Explorer | Microsoft Corporation
procexp.exe | 1960 | 1.54 | Sysinternals Process Explorer | Sysinternals
IEXPLORE.EXE | 1684 | | Internet Explorer | Microsoft Corporation
PortalClient.exe | 1676 | | iTellin AAA PortalClient | Huawei Co. Ltd.

你们网速真慢 - 2006-4-20 18:42:00
taskmgr.exe | 1944 | Windows TaskManager | Microsoft Corporation: this one is the most suspicious, and I can't close it.
轩辕小聪 - 2006-4-20 19:08:00
??? What on earth is that stuff in post #9??
As for post #10, I'm stunned: taskmgr.exe is Task Manager itself. You are trying to use Task Manager to end the Task Manager process; how could that possibly succeed?!!!
你们网速真慢 - 2006-4-21 18:38:00
I'm asking precisely because I don't understand!
轩辕小聪 - 2006-4-21 18:55:00
Sigh. First do what posts #7 and #8 said and export an Autoruns log, then we'll see. For how to use Autoruns, see http://forum.ikaka.com/topic.asp?board=28&artid=7318038