瑞星卡卡安全论坛

刚才用新版的SREng2.0扫描系统时在“启动项目”里面的“服务”栏的“驱动程序”中发现两个可疑的驱动（标为蓝色）：

1.服务名:New0/New0；

  映象文件路径:c:\winnt\system32\New.sys

2.服务名:TrojanFindDriverNT/TrojanFindDriverNT；
 
  映象文件路径:c:\winnt\system32\NtDriver.sys

NtDriver.sys文件用搜索根本找不到，而New.sys虽然能搜索到，可是用瑞星查毒时，全部监控被关闭（图标变成了红色折起的雨伞），这两个文件是不是木马？该如何清除？


附件: 6971752006612185857.bmp

如图:

附件: 6971752006612190031.JPG

如图:

附件: 6971752006612190155.JPG

2006-06-12,18:35:21

System Repair Engineer 2.0.21.505 (2.0 RC 2)
Smallfrogs (http://www.KZTechs.com)

Windows 2000 Professional Service Pack 4 (Build 2195)
- 管理权限用户 - 完整功能

以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <Super Rabbit IEPro><C:\Program Files\Super Rabbit\MagicSet\SRIECLI.EXE /LOAD>  [Super Rabbit Soft]
    <internat.exe><Internat.exe>  [Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <Super Rabbit Desktop Set><C:\Program Files\Super Rabbit\MagicSet\DS.EXE /Load>  [Super Rabbit Software]
    <SystemTray><systray.exe>  [Microsoft Corporation]
    <IMSCMig><; C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload>  [Microsoft Corporation]
    <Synchronization Manager><mobsync.exe /logon>  [Microsoft Corporation]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <RfwMain><"C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><EXPLORER.EXE>  [Microsoft Corporation]
    <Userinit><C:\WINNT\system32\userinit.exe,>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  []

==================================
启动文件夹
[NaturalColorLoad]
  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\NaturalColorLoad.lnk><H>
[NaturalColorLoad]
  <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\NaturalColorLoad.lnk><H>

==================================

一定是

【回复“sheep001”的帖子】
服务
[Adobe LM Service / Adobe LM Service]
  <><N/A>
[Logical Disk Manager Administrative Service / dmadmin]
  <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[Macromedia Licensing Service / Macromedia Licensing Service]
  <><N/A>
[ASUS Driver Helper Service / NVSvc]
  <C:\WINNT\system32\nvsvc32.exe><NVIDIA Corporation>
[Office Source Engine / ose]
  <><N/A>
[Rising Proxy  Service / RfwProxySrv]
  <c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService]
  <c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>

==================================
浏览器加载项
[超级兔子上网精灵]
  {7369D35A-5B70-4A5B-B789-B25FE09B4AF3} <C:\PROGRA~1\SUPERR~1\MAGICSET\haokanbar.dll, Xiang Feng Technology>
[@msdxmLC.dll,-1@2052,电台(&R)]
  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>
[卡卡上网安全助手]
  {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\WINNT\system32\kakatool.dll, Beijing Rising Technology Co., Ltd.>
[超级兔子上网精灵]
  {43869BB3-22FD-4F15-9B46-238106BA2F4E} <C:\PROGRA~1\SUPERR~1\MAGICSET\haokanbar.dll, Xiang Feng Technology>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINNT\system32\wuweb.dll, Microsoft Corporation>
[趋势科技在线扫毒程序]
  {74D05D43-3236-11D4-BDCD-00C04F9A3B61} <C:\WINNT\DOWNLO~1\xscan53.ocx, Trend Micro Inc.>
[KSHScan Control]
  {ACFE8232-03C5-4AEC-AF5E-42B806724096} <C:\WINNT\system32\kingsoft\ONLINE~1\KSHScan.ocx, kingsoft>
[MsnMessengerSetupDownloadControl Class]
  {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} <C:\WINNT\Downloaded Program Files\MsnMessengerSetupDownloader.ocx, Microsoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\system32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>
[Ravonline]
  {DA984A6D-508E-11D6-AA49-0050FF3C628D} <C:\WINNT\Downloaded Program Files\RsOnline.dll, Beijing Rising Tech. Co., Ltd.>
[Rising Web Scan Object]
  {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} <C:\WINNT\Downloaded Program Files\OL2005.dll, Beijing Rising Technology Co., Ltd.>
[使用网际快车下载]
  <C:\Program Files\FlashGet\jc_link.htm, N/A>
[使用网际快车下载全部链接]
  <C:\Program Files\FlashGet\jc_all.htm, N/A>
[添加到QQ自定义面板]
  <C:\Program Files\Tencent\qq\AddPanel.htm, N/A>
[添加到QQ表情]
  <C:\Program Files\Tencent\qq\AddEmotion.htm, N/A>

==================================

正在运行的进程
[PID: 132][\SystemRoot\System32\smss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 160][\??\C:\WINNT\system32\csrss.exe]  <Microsoft Corporation><5.00.2195.6601>
[PID: 180][\??\C:\WINNT\system32\winlogon.exe]  <Microsoft Corporation><5.00.2195.6997>
[PID: 208][C:\WINNT\system32\services.exe]  <Microsoft Corporation><5.00.2195.7035>
    [C:\WINNT\system32\dmserver.dll]  <VERITAS Software Corp.><2195.6605.297.3>
[PID: 220][C:\WINNT\system32\lsass.exe]  <Microsoft Corporation><5.00.2195.7011>
[PID: 360][C:\WINNT\system32\svchost.exe]  <Microsoft Corporation><5.00.2134.1>
[PID: 400][C:\WINNT\System32\WBEM\WinMgmt.exe]  <Microsoft Corporation><1.50.1085.0100>
[PID: 248][C:\WINNT\Explorer.EXE]  <Microsoft Corporation><5.00.3700.6690>
    [C:\Program Files\WinRAR\rarext.dll]  <N/A><N/A>
    [C:\WINNT\system32\RavExt.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 19>
    [C:\Herosoft\Hero Video Convert\VCvtShell.dll]  <N/A><N/A>
    [C:\Herosoft\Hero Video Convert\VCvtS936.dll]  <N/A><N/A>
    [C:\Program Files\Common Files\Adobe\Shell\AIIcon.dll]  <Adobe Systems Incorporated><11.0>
    [C:\Program Files\Common Files\Microsoft Shared\Web Folders\2052\nsextint.dll]  <N/A><N/A>
[PID: 488][C:\Program Files\Rising\Rav\RavMon.exe]  <Beijing Rising Technology Co., Ltd.><18, 0, 1, 19>
    [C:\Program Files\Rising\Rav\RsGuiLib.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 24>
    [C:\Program Files\Rising\Rav\BWList.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 18>
    [C:\Program Files\Rising\Rav\RSAPPMGR.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 2>
    [C:\Program Files\Rising\Rav\CfgDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 10>
    [C:\Program Files\Rising\Rav\RSCOMMON.DLL]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 4>
    [C:\Program Files\Rising\Rav\RsCommX.dll]  <rising><18, 0, 0, 1>
    [C:\Program Files\Rising\Rav\PngDll.dll]  <Beijing Rising Technology Co., Ltd.><18, 0, 0, 5>
[PID: 556][E:\SREng2\SREng.exe]  <Smallfrogs Studio><2.0.21.505>

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINNT\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者

顶起~版主在吗？？

c:\winnt\system32\New.sys是个Rootkit，用SREng删除那项，重启后删除这个文件。

至于另一个，楼主是否装过TroyanFindInfo这个软件？

小聪老大您老可进来了~感动中~

TroyanFindInfo是啥子？我貌似没装过的说~

路径c:\winnt\system32\NtDriver.sys的文件根本用搜索找不到

c:\winnt\system32\New.sys文件需要在安全模式下删除吗？

顶~

【回复“轩辕小聪”的帖子】

c:\winnt\system32\New.sys不能用SREng删除，只能屏蔽掉，硬盘里的New.sys文件已经删了，这样应该就没问题了吗？

现在还有一个问题就是每次启动时瑞星的图标总是灰色的，要手动把所有监控打开小雨伞才会变绿，这是咋回事？

参考http://forum.ikaka.com/topic.asp?board=28&artid=7866296修复一下瑞星的注册表项。

【回复“轩辕小聪”的帖子】

我用SREng把New0/New0；和TrojanFindDriverNT/TrojanFindDriverNT两项服务全屏蔽掉了，这样系统会不会出问题？