poller.exe virus/trojan + HiJackThis program

Thread in the Viruses and malware section. Thread started by uskis on 11.09.2005.

  1. uskis (Regular member; joined 11.09.2005; 130 posts; 1 thanks; 28 points)
    When Windows starts, F-Secure complains and shows the message "virus poller.exe detected, do you want to remove it". No matter how many times you accept the removal, the same poller.exe keeps appearing there again.
    I've read here that it can be removed with the HiJackThis program or the like, but nothing should be done before someone who knows about it reads the log the program produces.
    So now I most humbly ask that someone read through my log and tell me what I need to remove so I can get rid of the problem.
    If anything else turns up, tell me that too.

    Logfile of HijackThis v1.99.1
    Scan saved at 17:23:27, on 11.9.2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\PROGRA~1\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\Opera\Opera.exe
    C:\HijackThis.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [Nero DriveSpeed] C:\DOCUME~1\Marko\LOCALS~1\Temp\ARCD9\DRIVES~1.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [kheykn] C:\WINDOWS\system32\yayuva.exe r
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://213.250.97.74/program/SonySncRz25View.cab
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://player.virtools.com/downloads/player/Install3.0/Installer.exe
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {D6E2C70F-C694-4FDB-9283-459FC77FEFE0} (Softers.efOrderX) - https://www.efoto.fi/efOrderX.CAB
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\GHOSTS~2.EXE
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
     
  3. -kemisti- (Active member; joined 06.06.2005; 6,305 posts; 0 thanks; 96 points)
    That one's pretty hard to remove, but let's try :(


    Get ewido from here -> http://www.ewido.net/en/download

    update ewido, but don't scan yet

    download CleanUp from here -> http://www.stevengould.org/software/cleanup/download.html
    install it, we'll use it later

    Get nailfix from here -> http://www.noidea.us/easyfile/file.php?download=20050515010747824
    Extract it to the desktop

    download APT from here -> http://www.diamondcs.com.au/index.php?page=apt
    extract the zip into its own folder on the desktop
    open that folder and double-click apt.exe
    in the apt window, look for C:\WINDOWS\system32\yayuva.exe

    Show hidden files, instructions -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    In Explorer, go to the folder C:\Windows\system32
    and find C:\WINDOWS\system32\yayuva.exe
    don't do anything to it yet, but leave the folder open so you can find it quickly and easily in a moment

    go back to APT and select C:\WINDOWS\system32\yayuva.exe
    click the KILL 3 button

    then immediately delete that file C:\WINDOWS\system32\==>yayuva.exe<==

    Boot the computer into Safe Mode (F8 during startup)

    Run nailfix (i.e. double-click nailfix.cmd)

    Scan with ewido
    Let it remove what it finds
    Save the report

    Go to Start menu -> Run -> type services.msc -> OK -> find System Startup Service (SvcProc) in the list -> double-click it -> set the startup type to "Disabled"

    Open hijackthis, click do a system scan only, tick these entries and click fix checked:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [kheykn] C:\WINDOWS\system32\yayuva.exe r
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


    run cleanup

    * click the Options button
    * move the slider to Custom CleanUp!
    * tick the following boxes
      o Delete Cookies
      o Empty Recycle Bins
      o Delete Prefetch files
      o Cleanup! All Users

    * click OK
    * then click the CleanUp button. It takes a while, let it do its thing
    * when it asks to restart, answer No
    * close CleanUp

    Reboot the computer and post a new hijackthis log and that ewido report.

    Last edited: 11.09.2005
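The triage the helper did by hand above (spotting the Shell= hijack, the unknown Run entry and the orphaned service in the HijackThis log), as an added Python example that is not part of the thread or of HijackThis itself: it parses the Fx/Oxx entry format and applies those checks. The sample log is constructed from the thread's own lines, and the Temp/system32 heuristic for Run entries is this example's assumption, not a HijackThis rule.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the lines the helper singled out in this thread's first
# HijackThis log, plus two benign F-Secure entries for contrast.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [kheykn] C:\WINDOWS\system32\yayuva.exe r
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\DOCUME~1\Marko\LOCALS~1\Temp\ARCD9\DRIVES~1.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

# "Oxx - rest" / "Fx - rest" entry lines; the header and process list do not match.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<text>.+)$")
SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(?P<value>.+)$", re.I)
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

@dataclass
class HjtEntry:
    section: str  # e.g. "F2", "O4", "O23"
    text: str     # everything after "O4 - "

def parse_hjt_log(log: str) -> list[HjtEntry]:
    """Return the Fx/Oxx entries of a HijackThis log, skipping header and process list."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group("section"), m.group("text")))
    return entries

def first_executable(cmd: str) -> str:
    """Extract the program path from a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def triage(log: str) -> list[tuple[str, str, str]]:
    """Apply the three checks the helper applied by hand; return (section, text, reason)."""
    findings = []
    for e in parse_hjt_log(log):
        reason = None
        if e.section == "F2":
            m = SHELL_RE.match(e.text)
            # A healthy system.ini Shell= is exactly Explorer.exe; anything appended is a hijack.
            if m and m.group("value").strip().lower() != "explorer.exe":
                reason = "Shell= starts an extra program besides Explorer.exe (shell hijack)"
        elif e.section == "O4":
            m = RUN_RE.match(e.text)
            if m:
                exe = first_executable(m.group("cmd")).lower()
                # Heuristic (this example's assumption): autoruns living in Temp or
                # system32 under an unfamiliar name deserve a look before being trusted.
                if "\\temp\\" in exe or "\\system32\\" in exe:
                    reason = "autorun launched from Temp or system32: verify the publisher"
        if reason is None and e.text.endswith("(file missing)"):
            # HijackThis appends this when the hooked file is gone: an orphaned
            # service or protocol handler left behind after a cleanup.
            reason = "entry points to a file that no longer exists (orphaned hook or service)"
        if reason:
            findings.append((e.section, e.text, reason))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the five entries a reviewer would ask the poster to fix; the two F-Secure lines pass.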
  4. uskis (Regular member; joined 11.09.2005; 130 posts; 1 thanks; 28 points)
    That yuyuwa.exe wasn't there anymore, but I carried on anyway.
    How do the logs look?

    HiJackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 20:41:15, on 11.9.2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\PROGRA~1\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure\Anti-Virus\fsrw.exe
    C:\Program Files\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\Opera\Opera.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [Nero DriveSpeed] C:\DOCUME~1\Marko\LOCALS~1\Temp\ARCD9\DRIVES~1.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://213.250.97.74/program/SonySncRz25View.cab
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://player.virtools.com/downloads/player/Install3.0/Installer.exe
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {D6E2C70F-C694-4FDB-9283-459FC77FEFE0} (Softers.efOrderX) - https://www.efoto.fi/efOrderX.CAB
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\GHOSTS~2.EXE
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

    And the ewido report:
    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 20:24:35, 11.9.2005
    + Report-Checksum: ECB6982C

    + Scan result:

    HKLM\SYSTEM\ControlSet002\Control\SPPInfo\PPSE1iDesc -> Dialer.Generic : Cleaned with backup
    HKU\S-1-5-21-1645522239-1614895754-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
    C:\Documents and Settings\Marko\Cookies\marko@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
    C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\03RNU0DH\RDGFR1735[1].0XE -> Dialer.Generic : Cleaned with backup
    C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\0TK1Y3WX\RDGFR1735[1].0XE -> Dialer.Generic : Cleaned with backup
    C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\AVUFQZGB\DRPMON[1].0LL -> Adware.BetterInternet : Cleaned with backup
    C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\AVUFQZGB\POLLER[1].0XE -> Adware.BetterInternet : Cleaned with backup
    C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\SRQ905G3\DEVILTEEN[1].0XE -> Dialer.Generic : Cleaned with backup
    C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\SRQ905G3\PROMPT[1].0TM -> TrojanDownloader.IstBar.j : Cleaned with backup
    C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\SRQ905G3\SVCPROC[1].0XE -> Adware.BetterInternet : Cleaned with backup
    C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\WTYZGHUV\POLLER[1].0XE -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\afpqgivtayp.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\iifdwsn.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\POLLER.1XE -> Trojan.Agent.ay : Cleaned with backup


    ::Report End
     
  5. -kemisti- (Active member; joined 06.06.2005; 6,305 posts; 0 thanks; 96 points)
    Poller seems to be gone, or is F-Secure still complaining?
    That line can also be removed with hijackthis:

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

     
  6. Tepsu9 (Active member; joined 11.10.2004; 2,214 posts; 130 thanks; 93 points)
    Poller.exe is Aurora Spyware/Trojan/Backdoor.
    Poller.exe spreads via loadcash.biz or crackz.ws.
    Related files:
    Bolger.dll, Poller.exe, Poller.exe, Poller.exe, uacupg.exe, Nail.exe, DrPMon.dll, thnall1ac.html.
    Nail.exe generates "exe" files in the System32 folder with random names.
    Go to Windows Safe Mode.
    Kill the Poller.exe process and remove Poller.exe from Windows startup.
    Kill Poller's other components.
     
  7. uskis (Regular member; joined 11.09.2005; 130 posts; 1 thanks; 28 points)
    F-Secure no longer complains about poller.exe, and I removed the entry you mentioned.
    Many thanks to kemisti for solving the problem. :)

    Tepsu9: None of the other files you mentioned were found either. Thanks anyway
     
  8. heikki71 (Regular member; joined 07.05.2005; 658 posts; 0 thanks; 26 points)
    As you can see, there are a lot of viruses in the Temporary Internet Files folder. In IE under Tools, Internet Options, Advanced you can tick "Empty Temporary Internet Files folder when browser is closed"; that way you automatically get rid of those viruses before they activate.
     
  9. Tepsu9 (Active member; joined 11.10.2004; 2,214 posts; 130 thanks; 93 points)
    Tracks Eraser Pro is also a proven program with plenty of configuration options for removing all kinds of clutter.
     
  10. -kemisti- (Active member; joined 06.06.2005; 6,305 posts; 0 thanks; 96 points)
    @Tepsu9: Your instructions wouldn't have helped, since uskis's machine had the epolvy trojan in addition to poller. For poller alone they probably would have helped (actually ewido+nailfix in Safe Mode would have been enough for poller).
     
