Logfile of HijackThis v1.99.1 Scan saved at 15:01:27, on 28.5.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Eset\nod32kui.exe C:\Program Files\NetLimiter\NetLimiter.exe C:\Program Files\MessengerPlus! 3\MsgPlus.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\AGEIA Technologies\TrayIcon.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Palm\Hotsync.exe C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\r_server.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\xxxxxxxxxxxxxx\Työpöytä\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe O4 - Global Startup: LUMIX Simple Viewer.lnk = ? O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133719386500 O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{78FBA75F-337A-45A5-BE1E-6D807C2D769F}: NameServer = 80.248.96.130,80.248.97.30 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing) O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Sunday, May 28, 2006 2:49:12 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.78.0 Kaspersky Anti-Virus database last update: 28/05/2006 Kaspersky Anti-Virus database records: 196820 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ F:\ Scan Statistics: Total number of scanned objects: 102833 Number of viruses found: 12 Number of infected objects: 33 Number of suspicious objects: 0 Duration of the scan process: 00:55:29 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\xxxxxxxxxxxxxx\Local Settings\Temporary Internet Files\Content.IE5\EXVC5WJ6\wlzip32[1].exe Infected: Trojan-Downloader.Win32.Tiny.bw skipped C:\Documents and Settings\xxxxxxxxxxxxxx\Local Settings\Temporary Internet Files\Content.IE5\GZZZACD9\wizp32[1].exe Infected: Trojan-Downloader.Win32.IstBar.ff skipped C:\Program Files\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped C:\Program Files\Radmin\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped C:\Program Files\Radmin\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped C:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped C:\Program Files\Save\ACM.dll Infected: not-a-virus:AdWare.Win32.SaveNow.cb skipped C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe NSIS: infected - 2 skipped C:\System Volume Information\_restore{C0EC103F-9E1E-4114-8DD2-4FA8D99ED082}\RP568\A0089558.tlb Infected: Trojan-Downloader.Win32.Zlob.obfuscated skipped C:\System Volume Information\_restore{C0EC103F-9E1E-4114-8DD2-4FA8D99ED082}\RP568\A0089567.exe Infected: Trojan-Downloader.Win32.Zlob.pn skipped C:\System Volume Information\_restore{C0EC103F-9E1E-4114-8DD2-4FA8D99ED082}\RP568\A0089568.exe Infected: Trojan-Downloader.Win32.Zlob.obfuscated skipped C:\System Volume Information\_restore{C0EC103F-9E1E-4114-8DD2-4FA8D99ED082}\RP568\A0089569.dll Infected: not-virus:Hoax.Win32.Renos.dd skipped C:\System Volume Information\_restore{C0EC103F-9E1E-4114-8DD2-4FA8D99ED082}\RP568\A0089571.exe Infected: Trojan-Downloader.Win32.Zlob.pw skipped C:\System Volume Information\_restore{C0EC103F-9E1E-4114-8DD2-4FA8D99ED082}\RP568\A0089572.tlb Infected: Trojan-Downloader.Win32.Zlob.obfuscated skipped C:\WINDOWS\system32\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped C:\WINDOWS\system32\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped C:\WINDOWS\system32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped C:\WINDOWS\system32\winmmt32.dll Infected: Trojan.Win32.Agent.qt skipped D:\installit\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped D:\installit\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped D:\installit\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped D:\installit\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped D:\installit\RADMIN21.EXE Gentee: infected - 4 skipped D:\installit\RADMIN21.rar/RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped D:\installit\RADMIN21.rar/RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped D:\installit\RADMIN21.rar/RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped D:\installit\RADMIN21.rar/RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped D:\installit\RADMIN21.rar/RADMIN21.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped D:\installit\RADMIN21.rar RAR: infected - 5 skipped Scan process completed. Kauhia määrä viruksii koneella minkähän takii ei toi nod32 huomaa mitää noista... ihan puhasta näyttää...
Ei ne ole kaikki viruksia, siinä on esim Radmin sekä mIRC. Fiksaa tämä vielä: O20 - Winlogon Notify: winmmt32 - winmmt32.dll (file missing) Muuten loki näyttää puhtaalta vai onko vielä jotain ongelmia? Tyhjennä vielä järjestelmän palautus: Käynnistä -> Suorita -> Ohjauspaneeli -> Järjestelmä -> Järjestelmän palauttaminen -> laita rasti ruutuun "Poista järjestelmän palauttaminen käytöstä" -> ok ja käynnistä tietokoneesi uudelleen Sen jälkeen tyhjennä IE:n väliaikaistiedostot
