Kun windows käynnistyy niin F-Secure älähtää ja tulee viesti virus poller.exe havaittu haluatko poistaa. Vaikka poistamisen hyväksyy miten monta kertaa niin sama poller.exe ilmestyy sinne edelleen. Olen täältä lukenut, että HiJackThis ohjelmalla sen sais pois tms, mutta mitään ei saa tehdä ennen kuin joku siitä tietävä lukee ohjelman tuottaman lokin. Nyt sitten mitä nöyrimmin pyydän, että joku lukee mun lokini läpi ja kertto mitä mun pitää poistaa että saan ongelman poistettua. Jos jotain muutakin löytyy niin kertokaa sekin. Logfile of HijackThis v1.99.1 Scan saved at 17:23:27, on 11.9.2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.exe C:\Program Files\Norton Ghost\GhostStartTrayApp.exe C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe C:\Program Files\F-Secure\Common\FSM32.EXE C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe C:\Program Files\F-Secure\BackWeb\7681197\Program\F-Secure Automatic Update.exe C:\Program Files\F-Secure\Common\FSMA32.EXE C:\Program Files\F-Secure\Anti-Virus\fssm32.exe C:\PROGRA~1\NORTON~1\GHOSTS~2.EXE C:\Program Files\F-Secure\Common\FSMB32.EXE C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\F-Secure\Common\FCH32.EXE C:\Program Files\F-Secure\Common\FAMEH32.EXE C:\Program Files\F-Secure\Anti-Virus\fsqh.exe C:\Program Files\F-Secure\Anti-Virus\fsrw.exe C:\Program Files\F-Secure\Anti-Virus\fsav32.exe C:\Program Files\F-Secure\Common\FNRB32.EXE C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe C:\Program Files\F-Secure\Common\FIH32.EXE C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe C:\Program Files\F-Secure\FSGUI\fsguidll.exe C:\Program Files\Opera\Opera.exe C:\HijackThis.exe F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [Nero DriveSpeed] C:\DOCUME~1\Marko\LOCALS~1\Temp\ARCD9\DRIVES~1.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [kheykn] C:\WINDOWS\system32\yayuva.exe r O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://213.250.97.74/program/SonySncRz25View.cab O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://player.virtools.com/downloads/player/Install3.0/Installer.exe O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx O16 - DPF: {D6E2C70F-C694-4FDB-9283-459FC77FEFE0} (Softers.efOrderX) - https://www.efoto.fi/efOrderX.CAB O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\GHOSTS~2.EXE O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Toi on aika hankala poistettava, mutta yritetään Hae ewido täältä -> http://www.ewido.net/en/download päivitä ewido, mut älä skannaa vielä imuroi CleanUp täältä -> http://www.stevengould.org/software/cleanup/download.html asenna se, käytetään sitä myöhemmin Hae nailfix täältä -> http://www.noidea.us/easyfile/file.php?download=20050515010747824 Pura se työpöydälle imuroi APT täältä -> http://www.diamondcs.com.au/index.php?page=apt pura zippi omaan kansioonsa työpöydälle avaa se kansio ja tuplaklikkaa apt.exe:ä apt: ikkunassa eti C:\WINDOWS\system32\yayuva.exe Laita piilotiedostot näkyviin, ohje -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html Mene resurssienhallinnassa hakemistoon C:\Windows\system32 ja eti C:\WINDOWS\system32\yayuva.exe älä tee sille vielä mitään mutta jätä kansio auki et kohta löydät sen helposti ja nopeasti mee takas APT:hen ja valitse C:\WINDOWS\system32\yayuva.exe klikkaa nappia KILL 3 sitten heti poista tuo tiedosto C:\WINDOWS\system32\==>yayuva.exe<== Käynnistä kone vikasietotilaan (F8 käynnistyksen yhteydessä) Aja nailfix (eli tuplaklikkaa sitä nailfix.cmd:ia) Skannaa ewidolla Anna poistaa, mitä löytyy Tallenna raportti Mene käynnistä-valikko -> suorita -> kirjoita services.msc -> ok -> etsi listalta System Startup Service (SvcProc) -> tuplaklikkaa sitä -> valitse käynnistymistavaksi "Ei käytössä" Avaa hijackthis, klikkaa do a system scan only, laita rasti näiden kohdalle ja klikkaa fix checked: F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe O4 - HKLM\..\Run: [kheykn] C:\WINDOWS\system32\yayuva.exe r O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing) aja cleanup * paina nappia Options * siirrä nuoli kohtaan Custom CleanUp! * laita rastit seuraaviin kohtiin o Delete Cookies o Empty Recycle Bins o Delete Prefetch files o Cleanup! All Users * klikkaa OK * sitten klikkaa CleanUp-nappia. kestää jonkin aikaa, anna sen tehdä hommansa * kun se kysyy uudelleenkäynnistystä vastaa No * sulje CleanUp Käynnistä kone uudestaan ja laita uusi hijackthis-loki ja se ewidon raportti.
Sitä yuyuwa.exe ei sieltä enää löytyny, mutta jatkoin kuitenkin eteenpäin. Miltä lokit näyttää? HiJackThis loki: Logfile of HijackThis v1.99.1 Scan saved at 20:41:15, on 11.9.2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\ewido\security suite\ewidoguard.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe C:\Program Files\F-Secure\Common\FSMA32.EXE C:\Program Files\F-Secure\Anti-Virus\fssm32.exe C:\Program Files\F-Secure\Common\FSMB32.EXE C:\PROGRA~1\NORTON~1\GHOSTS~2.EXE C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe C:\Program Files\F-Secure\Common\FCH32.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\F-Secure\Common\FAMEH32.EXE C:\Program Files\F-Secure\Anti-Virus\fsqh.exe C:\Program Files\F-Secure\Anti-Virus\fsrw.exe C:\Program Files\Norton Ghost\GhostStartTrayApp.exe C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe C:\Program Files\F-Secure\Common\FNRB32.EXE C:\Program Files\F-Secure\Common\FSM32.EXE C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\F-Secure\Anti-Virus\fsav32.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\F-Secure\Common\FIH32.EXE C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\F-Secure\FSGUI\fsguidll.exe C:\Program Files\Opera\Opera.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [Nero DriveSpeed] C:\DOCUME~1\Marko\LOCALS~1\Temp\ARCD9\DRIVES~1.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} (Sony SNC-RZ25 Control) - http://213.250.97.74/program/SonySncRz25View.cab O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://player.virtools.com/downloads/player/Install3.0/Installer.exe O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx O16 - DPF: {D6E2C70F-C694-4FDB-9283-459FC77FEFE0} (Softers.efOrderX) - https://www.efoto.fi/efOrderX.CAB O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\GHOSTS~2.EXE O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe Ja Ewidon raportti: --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 20:24:35, 11.9.2005 + Report-Checksum: ECB6982C + Scan result: HKLM\SYSTEM\ControlSet002\Control\SPPInfo\PPSE1iDesc -> Dialer.Generic : Cleaned with backup HKU\S-1-5-21-1645522239-1614895754-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup C:\Documents and Settings\Marko\Cookies\marko@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\03RNU0DH\RDGFR1735[1].0XE -> Dialer.Generic : Cleaned with backup C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\0TK1Y3WX\RDGFR1735[1].0XE -> Dialer.Generic : Cleaned with backup C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\AVUFQZGB\DRPMON[1].0LL -> Adware.BetterInternet : Cleaned with backup C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\AVUFQZGB\POLLER[1].0XE -> Adware.BetterInternet : Cleaned with backup C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\SRQ905G3\DEVILTEEN[1].0XE -> Dialer.Generic : Cleaned with backup C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\SRQ905G3\PROMPT[1].0TM -> TrojanDownloader.IstBar.j : Cleaned with backup C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\SRQ905G3\SVCPROC[1].0XE -> Adware.BetterInternet : Cleaned with backup C:\Documents and Settings\Marko\Local Settings\Temporary Internet Files\Content.IE5\WTYZGHUV\POLLER[1].0XE -> Adware.BetterInternet : Cleaned with backup C:\WINDOWS\afpqgivtayp.exe -> Adware.BetterInternet : Cleaned with backup C:\WINDOWS\iifdwsn.exe -> Adware.BetterInternet : Cleaned with backup C:\WINDOWS\system32\POLLER.1XE -> Trojan.Agent.ay : Cleaned with backup ::Report End
Poller näyttäis olevan lähtenyt vai valittaako vielä F-secure? Tuon rivin voi vielä poistaa hijackthisillä: O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
Poller.exe is Aurora Spyware/Trojan/Backdoor. Poller.exe spreads via loadcash.biz or of crackz.ws. Related files: Bolger.dll, Poller.exe, Poller.exe, Poller.exe, uacupg.exe, Nail.exe, DrPMon.dll, thnall1ac.html. Nail.exe generates "exe" files in the System32 folder with random names. Go to the Windows Safe mode. Kill the process Poller.exe and remove Poller.exe from Windows startup. Kill other Poller's components
F-secure ei valita enää poller:exe :stä ja poistin tuon kohdan minkä mainitsit. Suuret kiitoksia kemistille ongelman ratkaisemisesta. Tepsu9: Ei löytynyt muitakaan mainitsemiasi tiedostoja. Kiitos kuitenkin
niin kuin näkyy, väliaikaisessa internet-kansiossa on paljon viruksia. IE:n työkalut, internet-asetukset ja lisäasetukset voi rastittaa kohdan "tyhjennä väliaikaiset internet kansiot selaimen sulkemisen jälkeen", näin automaattisesti noista viruksista pääsee eroon ennen kuin ne aktivoituu.
Traks Eraser Pro on kanssa hyväksi todettu ohjelma missä on ihan kiitettävästi säätömahdollisuuksia kaikenlaisen ylimääräisen poistamiseen.
@Tepsu9: Toi sun ohje ei olis auttanut, kun uskiksen koneessa oli epolvy-troijalainen pollerin lisäksi. Pelkkään polleriin tuo olisi kyllä varmaan auttanut (itse asiassa toi ewido+nailfix vikasietotilassa olisi riittänyt polleriin).