Nikola
(Anagba)
14 March 2007 12:27
#1
Hello, my problem started the moment I installed TweakMaster. Here is Panda's message:
Podejrzana operacja 24/02/07 18:39:37 Zablokowany Aplikacja: D:\TWEAKMASTER\TWMASTER.EXE
Operación: Modifications of Windows HOSTS file allow malware to redirect your web request (Ex: http://www.google.com) to malware sites.
If you receive an alert, some application is trying to modify the host file.
Some legal applications need to modify it, but most of the time it's a malware action.
I uninstalled that program.
Since then WWDC has been displaying the message: "Your system seems to be infected by a virus, your SVCHOST virtual memory usage 53928Ko is beyond usual values. It is strongly advised to check your system with an AntiVirus up to date and an AntiTrojans". I should add that this number varies, e.g. 57008Ko, 57360Ko.
I scanned the computer with Ad-aware and Spybot and it came back clean. Yesterday "someone" took control of Panda, because even on the admin account I had no access to the program's settings. I uninstalled and reinstalled Panda.
An entry appeared in the Event Viewer that was not there before:
> Typ zdarzenia: Informacje
> Źródło zdarzenia: UPHClean
> Kategoria zdarzenia: Brak
> Identyfikator zdarzenia: 1401
> Data: 2007-03-14
> Godzina: 11:23:14
> Użytkownik: X\X
> Komputer: X
> Opis:
> The following handles in user profile hive X\X
> (S-1-5-21-2000478354-1450960922-725345543-1004) have been remapped because
> they were preventing the profile from unloading successfully:
> svchos.exe (804)
> HKCU (0x35c)
I don't know how to interpret this. I'm attaching the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 13:09:04, on 2007-03-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
c:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
D:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE
c:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
D:\ hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM…\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 7809439921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 2469207906
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe

Please help.
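As an added triage example (not part of the thread and not from either poster): a small Python parser that splits a HijackThis report into its section entries and pulls out what a reviewer looks at first (entries per section, targets that no longer exist on disk, and the Winlogon Notify DLLs). The sample input is a handful of entries constructed from the log above, not the complete report.

```python
import re
from collections import Counter

# Constructed sample: a few entries copied from the HijackThis log posted
# above, not the complete report.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
"""

# Every HijackThis finding starts with a section code (R0..R3, O1..O24),
# a spaced hyphen, then the entry body; header and process lines do not.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section code, body) pairs; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def triage(entries):
    """Summarise what a reviewer checks first: entries per section, entries
    whose target file is gone, and every Winlogon Notify DLL (O20 hooks are
    loaded by winlogon at logon, so each one should map to a known vendor)."""
    counts = Counter(code for code, _ in entries)
    missing = [body for _, body in entries if "(file missing)" in body]
    notify_dlls = [body.rsplit(" - ", 1)[-1] for code, body in entries if code == "O20"]
    return {"counts": counts, "missing": missing, "winlogon_notify": notify_dlls}


if __name__ == "__main__":
    report = triage(parse_hjt(SAMPLE_LOG))
    for key, value in report.items():
        print(key, value)
```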
adam9870
(adam9870)
14 March 2007 14:29
#2
The log is clean.
Boot the Recovery Console from the CD and enter the following commands:
Nikola
(Anagba)
14 March 2007 14:59
#3
Many thanks for the help