Author: herbertccc (饅頭)
Board: AntiVirus
Title: [Infected] Suspected computer virus infection
Time: Sun Dec 7 16:16:46 2008
1. Problem description:
Please describe the infection you encountered below, in as much detail as possible (screenshots may be attached):
I recently lent my computer to someone who plugged a USB flash drive into it. Today, after plugging in my own portable hard drive, I found that all of its folders had been hidden, and every original folder name now had an extension (.exe) appended. After testing, the folders can still be opened, but two extra "folders" have appeared, RECYCLER.exe and System Volume Information.exe. I suspect an infection, but the NOD32 antivirus scan did not detect anything. Could the experts on this board please help me figure out what is wrong??
Please >"<
2. Scan report:
Please run a full system scan with antivirus software first, then upload the scan results to the pinned storage space
NOD32 did not detect any viruses
4. Report links:
Please paste the scan report (log) below (all of the above are required)
EFix491:
[CODE]
EFIX 4.91 - Administrator 2008-12-07 16:08:13.90 - NTFS
Microsoft Windows XP [版本 5.1.2600] - Service Pack 3
執行位置: C:\Documents and Settings\Administrator\桌面
=======================================================
EFix刪除的檔案列表:
h:\autorun.inf.exe
=======================================================
EFix刪除的登錄值列表:
沒有刪除任何登錄值.
=======================================================
EFix刪除的檔案備份位置列表:
h:\AUTORUN.INF.exe => C:\NEFix\backup\files\h\AUTORUN.INF.exe
=======================================================
AUTORUN.INF:
<資料夾> C:\AUTORUN.INF
<資料夾> E:\AUTORUN.INF
<資料夾> D:\AUTORUN.INF
<資料夾> H:\AUTORUN.INF
=======================================================
各磁碟根目錄含有隱藏和系統屬性的檔案 :
--sh--r 1,508,819 2008-12-07 07:58:11 H:\Notepad.exe
=======================================================
Created 2008-11 -- 2008-12 Files:
2008-11-08 . 2008-11-13 03:29 d--hs---- C:\Config.Msi
2008-11-02 . 2008-11-02 11:38 d-------- C:\WINDOWS\Logs
2008-12-06 . 2008-12-06 19:43 d--h----- C:\WINDOWS\SYSTEM32\B61538
2008-12-06 . 2008-12-07 15:30 d--h----- C:\WINDOWS\SYSTEM32\7C07C1
2008-12-06 . 2008-12-07 15:30 d--h----- C:\WINDOWS\SYSTEM32\F498C7
2008-11-17 . 2008-11-17 13:20 d-------- C:\Program Files\pdf995
2008-11-23 . 2008-11-23 13:26 --ah----- 268 C:\sqmdata02.sqm
2008-11-08 . 2008-11-08 09:28 --ah----- 268 C:\sqmdata01.sqm
2008-12-03 . 2008-12-03 14:05 --a------ 194 C:\WINDOWS\SYSTEM32\imon1.dat
2008-11-17 . 1999-09-10 19:06 --a------ 45056 C:\WINDOWS\SYSTEM32\wnaspi32.dll
2008-11-17 . 2008-11-17 23:50 --a------ 203776 C:\WINDOWS\SYSTEM32\clrviddc.dll
2008-11-17 . 2008-11-17 14:00 --a------ 51716 C:\WINDOWS\SYSTEM32\pdf995mon.dll
2008-11-17 . 2008-11-17 14:00 --a------ 249856 C:\WINDOWS\SYSTEM32\pdfmona.dll
2008-11-02 . 2008-05-30 14:11 --a------ 467984 C:\WINDOWS\SYSTEM32\d3dx10_38.dll
2008-11-02 . 2008-05-30 14:11 --a------ 1491992 C:\WINDOWS\SYSTEM32\D3DCompiler_38.dll
2008-11-02 . 2008-05-30 14:11 --a------ 3850760 C:\WINDOWS\SYSTEM32\D3DX9_38.dll
2008-11-02 . 2007-07-19 18:14 --a------ 444776 C:\WINDOWS\SYSTEM32\d3dx10_35.dll
2008-11-02 . 2007-07-19 18:14 --a------ 1358192 C:\WINDOWS\SYSTEM32\D3DCompiler_35.dll
2008-11-17 . 1999-09-10 19:06 --a------ 25244 C:\WINDOWS\SYSTEM32\DRIVERS\aspi32.sys
=======================================================
執行中的程序:
C:\Program Files\Green Software\工作列管理大師-Visual Tooltip v2.2 繁體綠化版\VisualToolTip.exe <Christian Salmon>
C:\Program Files\Green Software\讓XP擁有比Vista更炫的3D視窗特效-WinFlip v0.50 繁體綠色版\WinFlip.exe <N/A>
C:\Program Files\Drive Space Indicator\DrvSpace.exe <N/A>
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe <Sun Microsystems, Inc.>
C:\WINDOWS\RTHDCPL.EXE <Realtek Semiconductor Corp.>
C:\WINDOWS\SOUNDMAN.EXE <Realtek Semiconductor Corp.>
C:\Program Files\Eset\nod32kui.exe <Eset>
C:\WINDOWS\system32\oodtray.exe <O&O Software GmbH>
C:\Program Files\Folder Lockbox\flockbox.exe <FSPro Labs>
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe <Ulead Systems, Inc.>
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe <Microsoft Corporation>
C:\Program Files\Unlocker\UnlockerAssistant.exe <N/A>
C:\Program Files\Common Files\Real\Update_OB\realsched.exe <RealNetworks, Inc.>
C:\Program Files\Green Software\記憶體優化軟體-FreeRAM XP Pro v1.40 中文免安裝版\FreeRAM XP Pro.exe <YourWare Solutions (TM)>
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe <Microsoft Corporation>
C:\Program Files\DAEMON Tools Lite\daemon.exe <DT Soft Ltd>
C:\Program Files\ATnotes\ATnotes.exe <Thomas Ascher>
C:\WINDOWS\system32\F498C7\BFC516.EXE <N/A>
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe <Autodesk>
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe <N/A>
C:\Program Files\Eset\nod32krn.exe <Eset>
C:\WINDOWS\system32\nvsvc32.exe <NVIDIA Corporation>
C:\WINDOWS\system32\oodag.exe <O&O Software GmbH>
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe <Rocket Division Software>
C:\Program Files\KKman\KKMAN.exe <N/A>
C:\WINDOWS\system32\wbem\wmiprvse.exe <Microsoft Corporation>
C:\WINDOWS\system32\cmd.exe <Microsoft Corporation>
C:\NEFix\nircmd.efix <NirSoft>
C:\WINDOWS\system32\cmd.exe <Microsoft Corporation>
C:\WINDOWS\explorer.exe <Microsoft Corporation>
系統執行程序中沒有檔案資訊的動態連結檔:
C:\WINDOWS\SYSTEM32\LSASS.EXE
=> C:\Program Files\Eset\pr_imon.dll 2008-10-09 09:01 39992
=> C:\Program Files\NetLimiter\nl_lsp.dll 2004-03-31 23:24 81920
=> C:\WINDOWS\system32\nl_msgc.dll 2004-03-31 04:47 65536
C:\WINDOWS\EXPLORER.EXE
=> C:\Program Files\Unlocker\UnlockerHook.dll 2008-05-02 12:15 4608
=> C:\Program Files\Green Software\讓XP擁有比Vista更炫的3D視窗特效-WinFlip v0.50 繁體綠色版\WFHook.dll 2008-05-02 21:52 45056
=======================================================
HOSTS:
Hosts Path: C:\WINDOWS\System32\drivers\etc\hosts
登錄值列表 *** 注意 : 部分正常值不會顯示 ***
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"APPINIT_DLLS"=wbsys.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-15 20:00 15360]
"FreeRAM XP"="C:\Program Files\Green Software\記憶體優化軟體-FreeRAM XP Pro v1.40 中文免安裝版\FreeRAM XP Pro.exe" [2003-11-03 08:42 1353728]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:35 5724184]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-14 21:18 482760]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 23:58 217544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Visual Tooltip"="C:\Program Files\Green Software\工作列管理大師-Visual Tooltip v2.2 繁體綠化版\VisualToolTip.exe" [2007-04-25 09:45 956928]
"WinFlip"="C:\Program Files\Green Software\讓XP擁有比Vista更炫的3D視窗特效-WinFlip v0.50 繁體綠色版\WinFlip.exe" [2008-05-21 17:22 483328]
"DriveSpace"="C:\Program Files\Drive Space Indicator\DrvSpace.exe" [2008-07-20 07:24 395716]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RTHDCPL"=RTHDCPL.EXE [2008-07-23 16:51 16804864 C:\WINDOWS\RTHDCPL.EXE]
"SoundMan"=SOUNDMAN.EXE [2008-06-18 18:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"=ALCWZRD.EXE [2008-06-19 16:42 2808832 C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"=ALCMTR.EXE [2008-06-19 16:20 57344 C:\WINDOWS\ALCMTR.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"nwiz"=nwiz.exe [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-10-09 09:01 949376]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2008-09-04 06:01 2524416]
"flockbox"="C:\Program Files\Folder Lockbox\flockbox.exe" [2007-02-18 15:28 1069424]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 11:43 90112]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 12:15 15872]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 01:04 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-11-17 23:48 185872]
"BFC516"="C:\WINDOWS\system32\F498C7\BFC516.EXE" [2008-12-07 15:30 1508819]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-15 20:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" => 2006-10-18 21:47 133632 C:\WINDOWS\system32\WPDShServiceObj.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
. 2006-10-22 23:08 62080 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
. 2008-11-17 23:48 304736 C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
. 2007-08-24 07:01 2212224 C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
"DllName"="C:\Program Files\Green Software\WindowBlinds\WBSrv.dll" 2008-08-27 20:24 210168 C:\Program Files\Green Software\WindowBlinds\wbsrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
[HKEY_CURRENT_USER\control panel\desktop]
"SCRNSAVE.EXE"="C:\WINDOWS\Install.scr"
MD5: 51a410b26d822f0a8003f29bc7d6f73a 2008-04-15 20:00 1680384 C:\WINDOWS\explorer.exe
MD5: f7a2245d8bd832d1e7a01c26d5e6efd0 2008-04-15 20:00 978432 C:\WINDOWS\VIPv3\backup\explorer.exe
MD5: 613d7c29c9e3e2375971da7e42e4e330 2008-04-15 20:00 25088 C:\WINDOWS\system32\userinit.exe
MD5: 613d7c29c9e3e2375971da7e42e4e330 2008-04-15 20:00 25088 C:\WINDOWS\system32\dllcache\userinit.exe
MD5: 82fe81c7f30172a315ad70327b868436 2008-04-15 20:00 108544 C:\WINDOWS\system32\services.exe
MD5: 82fe81c7f30172a315ad70327b868436 2008-04-15 20:00 108544 C:\WINDOWS\system32\dllcache\services.exe
沒有數位簽章的系統檔案
MD5: 51a410b26d822f0a8003f29bc7d6f73a 2008-04-15 20:00 1680384 C:\WINDOWS\EXPLORER.EXE <Microsoft Corporation>
MD5: a9bdfbf69934912dd847632b2995a191 2008-06-20 19:51 361600 C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS <Microsoft Corporation>
C:\Documents and Settings\Administrator\「開始」功能表\程式集\啟動\
ATnotes.lnk - C:\Program Files\ATnotes\ATnotes.exe [2003-03-03 10:46:32 1015808]
Windows Sidebar.lnk - C:\Program Files\Windows Sidebar\sidebar.exe [2008-07-06 04:34:30 1228800]
﹛﹛﹛.lnk - C:\WINDOWS\system32\F498C7\BFC516.EXE [2008-12-07 15:30:43 1508819]
服務 \ 驅動 列表:
顯示方式 : 啟動狀態 服務名稱;顯示名稱;檔案名稱
啟動狀態 : S0 = Boot Start S1 = System Start S2 = Auto Start S3 = Manual Start S4 = Disable S9 = Unknow
S0 amdagp8p;AMD NB AGP Bus Filter;"C:\WINDOWS\SYSTEM32\DRIVERS\amdagp8p.sys" [2006-02-26 23:02 27648]
S2 AMON;AMON;"C:\WINDOWS\system32\drivers\amon.sys" [2008-10-09 09:01 512096]
S0 dontgo;Promise Removable Disk Control Driver;"C:\WINDOWS\SYSTEM32\DRIVERS\DontGo.sys" [2004-06-29 20:25 7680]
S3 GarenaPEngine;GarenaPEngine;"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GPE3F04.tmp" [2008-11-19 00:54 4992]
S0 hptpro;hptpro;"C:\WINDOWS\SYSTEM32\DRIVERS\hptpro.sys" [2002-12-10 11:54 9809]
S0 MPRIFL;MPRIFL;"C:\WINDOWS\SYSTEM32\DRIVERS\MPRIFL.SYS" [2007-02-18 13:39 17264]
S3 napagent;Network Access Protection Agent;"C:\WINDOWS\System32\qagentrt.dll" [2008-04-15 20:00 282112]
S0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);"C:\WINDOWS\SYSTEM32\drivers\sfdrv01a.sys" [2006-07-05 20:46 63352]
S0 tmagp;Transmeta TM 8000 AGP Filter Driver;"C:\WINDOWS\SYSTEM32\DRIVERS\tmagp.sys" [2004-10-18 17:12 27648]
S0 ULiAGP;ULi AGP Controller Bus Filter Driver;"C:\WINDOWS\SYSTEM32\DRIVERS\ULiAGP.sys" [2005-03-29 00:12 33408]
S0 uliagpkx;ULi AGP Bus Filter Driver;"C:\WINDOWS\SYSTEM32\DRIVERS\agpkx.sys" [2006-02-26 23:03 45056]
S3 vmx_svga;vmx_svga;"C:\WINDOWS\SYSTEM32\DRIVERS\vmx_svga.sys" [2008-05-07 00:24 63536]
S0 xfilt;VIA SATA IDE Hot-plug Driver;"C:\WINDOWS\SYSTEM32\DRIVERS\xfilt.sys" [2006-10-19 00:39 17920]
可能被修改數值的系統 服務 \ 驅動 數值 (參考用) :
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework;"C:\WINDOWS\System32\WUDFSvc.dll" [2006-09-28 18:56 55808]
S4 HidServ;Human Interface Device Access;"C:\WINDOWS\C:\WINDOWS\System32\svchost.exe -k netsvcs" [X]
S0 perc2hib;perc2hib;"C:\WINDOWS\SYSTEM32\DRIVERS\perc2hib.sys" [2001-08-17 14:07 5504]
=======================================================
WINSOCK FILE LIST:
010 : c:\program files\netlimiter\nl_lsp.dll --a------ 2004-03-31 23:24 81920
010 : c:\windows\system32\imon.dll --a------ 2008-10-09 09:01 298104
=======================================================
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
SCANNING HIDDEN FILES ...
SCANNING HIDDEN PROCESSES ...
SCANNING HIDDEN AUTOSTART ENTRIES ...
.
=======================================================
4.91 2008-11-16 18:34:09.718 C:\NEFIX\BACKUP\LOG1.TXT
4.91 2008-12-06 19:46:04.375 C:\NEFIX\BACKUP\LOG2.TXT
=======================================================
磁碟空間 C: - 23,408,640,000 位元組可用
磁碟空間 E: - 45,283,233,792 位元組可用
磁碟空間 D: - 23,346,864,128 位元組可用
磁碟空間 H: - 187,600,519,168 位元組可用
掃描結束時間: 2008-12-07 16:09:19.01
[/CODE]
--
※ Posted from: PTT (ptt.cc)
◆ From: 122.121.96.101
※ Edited: herbertccc from: 122.121.96.101 (12/07 17:06)
※ Edited: herbertccc from: 122.121.96.101 (12/07 17:07)
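The symptoms in the post (every folder hidden, a same-named .exe next to each one, RECYCLER.exe and System Volume Information.exe in the drive root, a hidden+system Notepad.exe whose byte size equals the BFC516.EXE autorun entry) are the classic indicators of a USB "folder companion" worm. The following triage helper is an added example written for this page; it is not code from the original post or from EFix. It models a drive-root listing, flags folder/companion-.exe pairs, well-known bogus root file names, hidden+system files, and executables that share a single byte size (worm copies are usually one binary dropped under many names). The Entry model, the sample listing and the indicator set are this example's own assumptions; the constructed sample mirrors the post's symptoms but is not a real capture.

```python
"""Triage helper for the 'hidden folder + same-name .exe' USB worm pattern.

Added example, not part of the original PTT post or of EFix. Everything
below (Entry model, indicator names, sample listing) is an assumption made
for illustration; run it against a real drive root to get a real listing.
"""
import os
import sys
from collections import defaultdict
from dataclasses import dataclass

# Win32 attribute bits as exposed through os.stat(...).st_file_attributes on Windows.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04

# File names that never legitimately exist as *files* in a removable-drive root
# (RECYCLER and System Volume Information are folders, never executables).
KNOWN_BAD_ROOT_FILES = {
    "recycler.exe",
    "system volume information.exe",
    "autorun.inf",       # some vendor disks carry one, but on a data disk it needs a look
    "autorun.inf.exe",
}


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    size: int = 0
    hidden: bool = False
    system: bool = False


def analyze(entries):
    """Return {category: sorted file names} for the indicators found in one listing."""
    dirs = {e.name.lower() for e in entries if e.is_dir}
    companion, bad_names, hidden_sys = [], [], []
    for e in entries:
        if e.is_dir:
            continue
        low = e.name.lower()
        stem, ext = os.path.splitext(low)
        # Folder 'X' (now hidden) sitting next to a new 'X.exe' is the core symptom.
        if ext == ".exe" and stem in dirs:
            companion.append(e.name)
        if low in KNOWN_BAD_ROOT_FILES:
            bad_names.append(e.name)
        # Hidden+system *files* in a data-drive root are worth inspecting.
        if e.hidden and e.system:
            hidden_sys.append(e.name)
    return {
        "companion_exe": sorted(companion),
        "known_bad_names": sorted(bad_names),
        "hidden_system_files": sorted(hidden_sys),
    }


def same_size_executables(entries, minimum=2):
    """Group .exe files by byte size; a size shared by >= `minimum` files is suspicious."""
    by_size = defaultdict(list)
    for e in entries:
        if not e.is_dir and e.name.lower().endswith(".exe"):
            by_size[e.size].append(e.name)
    return {size: sorted(names) for size, names in by_size.items() if len(names) >= minimum}


def read_listing(path):
    """Build Entry objects from a real directory (attribute bits only exist on Windows)."""
    out = []
    for d in os.scandir(path):
        st = d.stat(follow_symlinks=False)
        attrs = getattr(st, "st_file_attributes", 0) if sys.platform == "win32" else 0
        out.append(Entry(d.name, d.is_dir(follow_symlinks=False), st.st_size,
                         bool(attrs & FILE_ATTRIBUTE_HIDDEN), bool(attrs & FILE_ATTRIBUTE_SYSTEM)))
    return out


# Constructed listing modelled on the symptoms in the post (not a real capture).
SAMPLE_ROOT = [
    Entry("Photos", True, hidden=True),
    Entry("Photos.exe", False, size=1508819),
    Entry("Work", True, hidden=True),
    Entry("Work.exe", False, size=1508819),
    Entry("RECYCLER", True, hidden=True, system=True),
    Entry("RECYCLER.exe", False, size=1508819),
    Entry("System Volume Information", True, hidden=True, system=True),
    Entry("System Volume Information.exe", False, size=1508819),
    Entry("autorun.inf", False, size=120, hidden=True, system=True),
    Entry("Notepad.exe", False, size=1508819, hidden=True, system=True),
    Entry("Tools", True),              # ordinary folder, no companion
    Entry("notes.txt", False, size=42),
]

if __name__ == "__main__":
    # Usage: python triage.py [drive-root]; without an argument the sample listing is used.
    listing = read_listing(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ROOT
    for category, names in analyze(listing).items():
        print(f"{category}: {names}")
    for size, names in same_size_executables(listing).items():
        print(f"{len(names)} executables share size {size}: {names}")
```

The size grouping is the cheapest cross-check a responder has when the scanner reports nothing: in the log above, H:\Notepad.exe and the BFC516.EXE Run entry are both 1,508,819 bytes, which is what you would expect when one dropper copies itself under different names. Treat every flag as a lead to confirm (hash the files, compare against the clean copies in dllcache or from install media), not as a verdict.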
Push saysth: Same here, I don't know what to do... the scan never finishes...>"< 12/07 19:20
→ saysth: And those two file names show up on every drive... 12/07 19:21
Push bestpika: Try scanning with a different online scanner. 12/07 19:23
Push s109612044: Notepad.exe.......... 12/07 19:52
→ s109612044: "BFC516"="C:\WINDOWS\system32\F498C7\BFC516.EXE" 12/07 19:53
→ s109612044: The files above look like they have a problem... 12/07 19:54
Push s109612044: The first one refers to the copy on the removable drive... the one on the hard disk is Notepad... 12/07 19:57
→ herbertccc: Is there any way to fix this?? 12/07 20:49
Push junorn: Run EFix version 4.95... it seems quite a few people are still in the habit of using the old version? 12/07 20:54
→ herbertccc: After running it, even Windows Sidebar got deleted = =" 12/09 00:21