At least Poller.exe and Snail.exe (apparently the same family?) are running wild, so help would be appreciated. Thanks. HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:11:44, on 20.5.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\FSecure\backweb\4476822\Program\SERVIC~1.EXE
C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Ewido\security suite\ewidoguard.exe
C:\FSecure\Anti-Virus\fsgk32st.exe
C:\WINDOWS\Explorer.exe
C:\FSecure\Anti-Virus\FSGK32.EXE
C:\FSecure\backweb\4476822\program\fsbwsys.exe
C:\FSecure\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\FSecure\Common\FSMA32.EXE
C:\FSecure\Common\FSMB32.EXE
C:\FSecure\Common\FCH32.EXE
C:\FSecure\Anti-Virus\fsav32.exe
C:\FSecure\Common\FAMEH32.EXE
C:\FSecure\backweb\4476822\Program\BackWeb-4476822.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\FSecure\Common\FSM32.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Daemon Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Winamp 5.03\Winamp\winampa.exe
C:\FSecure\DFW\Program\fsdfwd.exe
C:\Documents and Settings\All Users\Tiedostot\Adobe\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\DOCUME~1\JYRKIR~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tuomas\Työpöytä\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O1 - Hosts: 213.159.117.217 www.0190-dialer.com
O1 - Hosts: 213.159.117.217 www.22469.com
O1 - Hosts: 213.159.117.217 www.3wisp.com
O1 - Hosts: 213.159.117.217 www.adult-cinema.org
O1 - Hosts: 213.159.117.217 www.adultfreehosting.com
O1 - Hosts: 213.159.117.217 www.adulthosting.com
O1 - Hosts: 213.159.117.217 www.adultlinks1.com
O1 - Hosts: 213.159.117.217 www.adultmegamovies.com
O1 - Hosts: 213.159.117.217 www.adultsexmovie.net
O1 - Hosts: 213.159.117.217 www.adultwall.com
O1 - Hosts: 213.159.117.217 www.afro-sex.com
O1 - Hosts: 213.159.117.217 www.agreathost.net
O1 - Hosts: 213.159.117.217 www.alehina.com
O1 - Hosts: 213.159.117.217 www.allnichestgp.com
O1 - Hosts: 213.159.117.217 www.allowednet.com
O1 - Hosts: 213.159.117.217 www.amateurlips.com
O1 - Hosts: 213.159.117.217 www.amateurnudephoto.com
O1 - Hosts: 213.159.117.217 www.amateursgonebad.com
O1 - Hosts: 213.159.117.217 www.ambersamateurhardcore.com
O1 - Hosts: 213.159.117.217 www.anyamateur.com
O1 - Hosts: 213.159.117.217 www.apornhost.com
O1 - Hosts: 213.159.117.217 www.findmodels.com
O1 - Hosts: 213.159.117.217 www.asianscum.com
O1 - Hosts: 213.159.117.217 www.awethumbs.com
O1 - Hosts: 213.159.117.217 www.badassxxx.com
O1 - Hosts: 213.159.117.217 www.badbimbo.com
O1 - Hosts: 213.159.117.217 www.beautifulbondage.com
O1 - Hosts: 213.159.117.217 www.bestpornhost.com
O1 - Hosts: 213.159.117.217 www.biggestdickinporn.net
O1 - Hosts: 213.159.117.217 www1.3wisp.com
O1 - Hosts: 213.159.117.217 www1.kinghost.com
O1 - Hosts: 213.159.117.217 www1.ndhosting.com
O1 - Hosts: 213.159.117.217 www1.sexls.com
O1 - Hosts: 213.159.117.217 www1.smutserver.com
O1 - Hosts: 213.159.117.217 www1.toptgphost.com
O1 - Hosts: 213.159.117.217 www1.xfreehosting.com
O1 - Hosts: 213.159.117.217 www10.kinghost.com
O1 - Hosts: 213.159.117.217 www10.smutserver.com
O1 - Hosts: 213.159.117.217 www11.kinghost.com
O1 - Hosts: 213.159.117.217 www11.smutserver.com
O1 - Hosts: 213.159.117.217 www12.kinghost.com
O1 - Hosts: 213.159.117.217 www12.smutserver.com
O1 - Hosts: 213.159.117.217 www13.smutserver.com
O1 - Hosts: 213.159.117.217 www14.smutserver.com
O1 - Hosts: 213.159.117.217 www15.smutserver.com
O1 - Hosts: 213.159.117.217 www16.smutserver.com
O1 - Hosts: 213.159.117.217 www17.smutserver.com
O1 - Hosts: 213.159.117.217 www18.smutserver.com
O1 - Hosts: 213.159.117.217 www19.smutserver.com
O1 - Hosts: 213.159.117.217 www2.3wisp.com
O1 - Hosts: 213.159.117.217 www2.kinghost.com
O1 - Hosts: 213.159.117.217 www2.ndhosting.com
O1 - Hosts: 213.159.117.217 www2.smutserver.com
O1 - Hosts: 213.159.117.217 www2.toptgphost.com
O1 - Hosts: 213.159.117.217 www2.xfreehosting.com
O1 - Hosts: 213.159.117.217 www2.zpornstars.com
O1 - Hosts: 213.159.117.217 www20.smutserver.com
O1 - Hosts: 213.159.117.217 www21.smutserver.com
O1 - Hosts: 213.159.117.217 www22.smutserver.com
O1 - Hosts: 213.159.117.217 www23.smutserver.com
O1 - Hosts: 213.159.117.217 www24.smutserver.com
O1 - Hosts: 213.159.117.217 www25.smutserver.com
O1 - Hosts: 213.159.117.217 www26.smutserver.com
O1 - Hosts: 213.159.117.217 www27.smutserver.com
O1 - Hosts: 213.159.117.217 www28.smutserver.com
O1 - Hosts: 213.159.117.217 www29.smutserver.com
O1 - Hosts: 213.159.117.217 www3.kinghost.com
O1 - Hosts: 213.159.117.217 www3.ndhosting.com
O1 - Hosts: 213.159.117.217 www3.smutserver.com
O1 - Hosts: 213.159.117.217 www3.xfreehosting.com
O1 - Hosts: 213.159.117.217 www3.zpornstars.com
O1 - Hosts: 213.159.117.217 www30.smutserver.com
O1 - Hosts: 213.159.117.217 www31.smutserver.com
O1 - Hosts: 213.159.117.217 www32.smutserver.com
O1 - Hosts: 213.159.117.217 www4.kinghost.com
O1 - Hosts: 213.159.117.217 www4.smutserver.com
O1 - Hosts: 213.159.117.217 www4.xfreehosting.com
O1 - Hosts: 213.159.117.217 www4.zpornstars.com
O1 - Hosts: 213.159.117.217 www5.kinghost.com
O1 - Hosts: 213.159.117.217 www5.smutserver.com
O1 - Hosts: 213.159.117.217 www6.kinghost.com
O1 - Hosts: 213.159.117.217 www6.smutserver.com
O1 - Hosts: 213.159.117.217 www7.kinghost.com
O1 - Hosts: 213.159.117.217 www7.smutserver.com
O1 - Hosts: 213.159.117.217 www8.kinghost.com
O1 - Hosts: 213.159.117.217 www8.smutserver.com
O1 - Hosts: 213.159.117.217 www9.kinghost.com
O1 - Hosts: 213.159.117.217 www9.smutserver.com
O1 - Hosts: 213.159.117.217 www.bigmovies.com
O1 - Hosts: 213.159.117.217 www.bigpornvideos.com
O1 - Hosts: 213.159.117.217 www.big-xxx-movies.com
O1 - Hosts: 213.159.117.217 www.samplehosting.com
O1 - Hosts: 213.159.117.217 www.blinghosting.com
O1 - Hosts: 213.159.117.217 www.blitz-hosting.com
O1 - Hosts: 213.159.117.217 www.boyanxxx.com
O1 - Hosts: 213.159.117.217 www.bustyx.com
O1 - Hosts: 213.159.117.217 www.cleanadulthost.com
O1 - Hosts: 213.159.117.217 www.cleanpornhost.com
O1 - Hosts: 213.159.117.217 www.cyberxxxhost.com
O1 - Hosts: 213.159.117.217 www.dialcom.com
O1 - Hosts: 213.159.117.217 www.eldererotica.tv
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\All Users\Tiedostot\Adobe\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\FSecure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\FSecure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Winamp 5.03\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Update Completion 0] "C:\WINDOWS\System32\QuickTime\QuickTimeUpdateHelper.exe" -uninstallwithapps -destfullpath "C:\DOCUMENTS AND SETTINGS\TUOMAS\OMAT TIEDOSTOT\TUOMAS\MUUT OHJELMAT\QuickTimeUpdater.exe" -sourcefullpath "C:\DOCUMENTS AND SETTINGS\TUOMAS\OMAT TIEDOSTOT\TUOMAS\MUUT OHJELMAT\TempUpdater.exe" -atboottime "QuickTime Update Completion 0"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Documents and Settings\All Users\Tiedostot\Adobe\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Kalenterin muistutukset.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093163066640
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: F-Secure Internet Security (BackWeb Client - 4476822) - Unknown owner - C:\FSecure\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Ewido\security suite\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\FSecure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Authentication Agent (FSAA) - Unknown owner - C:\FSecure\Common\FSAA.EXE (file missing)
O23 - Service: fsbwsys - F-Secure Corp. - C:\FSecure\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Distributed Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\FSecure\DFW\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\FSecure\Common\FSMA32.EXE
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\FSecure\fswsclds.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Move HjT into its own folder, to C:\HjT\HijackThis.exe. Get this tool and run it: http://www.mypctuneup.com/evaluate.php

Tick these in HjT, close the browser and all other windows, and click Fix:

All of the > O1 - Hosts: 213.159.117.217 lines
O4 - Startup: PowerReg Scheduler V3.exe

Reboot the machine. Did it help? What about that MessengerPlus?? I'd recommend removing it, though no Messenger pests show up there.
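Added example, not code from the thread or from HijackThis: the advice above ("fix all the O1 lines pointing at 213.159.117.217, and the Startup-folder item") is exactly the kind of triage a script can do over a pasted HJT log. The Python below parses O1, O4 startup-folder and O23 lines in the layout the logs in this thread use (the regexes are mine, not an official HJT grammar), groups hosts-file redirections by target IP so that one non-loopback address claiming many names stands out as a hijack, and flags services with no publisher or a missing binary. The threshold MIN_HOSTS_FOR_HIJACK and the loopback line in the sample are assumptions; the other sample lines are an excerpt of the two logs posted here.

```python
r"""Triage a HijackThis 1.99 log: group O1 hosts-file redirections by target
IP, and list O4 startup-folder items and O23 services that lack a publisher
or point at a missing file.  Added example; the line patterns follow the
layout of the logs posted in this thread, not an official HJT grammar."""
import re
from collections import defaultdict

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}   # where ad-blocking hosts files point
MIN_HOSTS_FOR_HIJACK = 3                      # assumption: tunable threshold

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_FOLDER_RE = re.compile(r"^O4 - (Startup|Global Startup|User Startup):\s*(.*)$")
O23_PREFIX = "O23 - Service: "


def parse_hjt(log_text):
    """Return (hosts, startup_items, services) pulled out of the log text."""
    hosts, startup, services = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2)))          # (ip, hostname)
            continue
        m = O4_FOLDER_RE.match(line)
        if m:
            startup.append((m.group(1), m.group(2)))        # (folder, item)
            continue
        if line.startswith(O23_PREFIX):
            # Split from the right: service display names may contain " - ".
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
            if len(parts) == 3:
                services.append(tuple(parts))               # (name, owner, path)
    return hosts, startup, services


def triage(log_text):
    """Return (severity, message) findings, highest severity first."""
    hosts, startup, services = parse_hjt(log_text)
    findings = []

    by_ip = defaultdict(list)
    for ip, name in hosts:
        by_ip[ip].append(name)
    for ip, names in by_ip.items():
        if ip in LOOPBACK:
            continue                      # sinkholing to loopback is benign
        if len(names) >= MIN_HOSTS_FOR_HIJACK:
            findings.append(("high", f"hosts hijack: {len(names)} names -> {ip} (e.g. {names[0]})"))
        else:
            findings.append(("medium", f"hosts entry to non-loopback {ip}: {', '.join(names)}"))

    for folder, item in startup:
        findings.append(("medium", f"{folder} folder item: {item}"))

    for name, owner, path in services:
        if "(file missing)" in path:
            findings.append(("low", f"service '{name}': file missing: {path}"))
        elif owner == "Unknown owner":
            findings.append(("low", f"service '{name}': no publisher: {path}"))

    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: rank[f[0]])   # stable: input order within a level
    return findings


# Excerpt of the logs in this thread, plus one constructed loopback line.
SAMPLE_LOG = r"""
O1 - Hosts: 213.159.117.217 www.0190-dialer.com
O1 - Hosts: 213.159.117.217 www.22469.com
O1 - Hosts: 213.159.117.217 www.3wisp.com
O1 - Hosts: 213.159.117.217 www1.kinghost.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O23 - Service: F-Secure Internet Security (BackWeb Client - 4476822) - Unknown owner - C:\FSecure\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - Unknown owner - C:\FSecure\Common\FSAA.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Paste a whole log into triage() and the hosts-file block collapses to one line naming the IP and the number of names it captured, which is what you want to see before deciding to fix the lot in one go. The 0.0.0.0 and 127.0.0.1 exclusion is deliberate: hosts files from ad-blocking lists look like hijacks by count alone.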
Logfile of HijackThis v1.99.1
Scan saved at 20:07:36, on 20.5.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\FSecure\backweb\4476822\Program\SERVIC~1.EXE
C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Ewido\security suite\ewidoguard.exe
C:\FSecure\Anti-Virus\fsgk32st.exe
C:\FSecure\backweb\4476822\program\fsbwsys.exe
C:\FSecure\Anti-Virus\FSGK32.EXE
C:\FSecure\Anti-Virus\fssm32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\FSecure\Common\FSMA32.EXE
C:\FSecure\Common\FSMB32.EXE
C:\FSecure\Common\FCH32.EXE
C:\FSecure\Anti-Virus\fsav32.exe
C:\FSecure\Common\FAMEH32.EXE
C:\FSecure\backweb\4476822\Program\BackWeb-4476822.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\FSecure\DFW\Program\fsdfwd.exe
C:\FSecure\Common\FSM32.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Daemon Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Winamp 5.03\Winamp\winampa.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\JYRKIR~1\MOZILL~1\FIREFOX.EXE
C:\HjT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\All Users\Tiedostot\Adobe\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] c:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\FSecure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\FSecure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Winamp 5.03\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Update Completion 0] "C:\WINDOWS\System32\QuickTime\QuickTimeUpdateHelper.exe" -uninstallwithapps -destfullpath "C:\DOCUMENTS AND SETTINGS\TUOMAS\OMAT TIEDOSTOT\TUOMAS\MUUT OHJELMAT\QuickTimeUpdater.exe" -sourcefullpath "C:\DOCUMENTS AND SETTINGS\TUOMAS\OMAT TIEDOSTOT\TUOMAS\MUUT OHJELMAT\TempUpdater.exe" -atboottime "QuickTime Update Completion 0"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Documents and Settings\All Users\Tiedostot\Adobe\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Kalenterin muistutukset.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093163066640
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: F-Secure Internet Security (BackWeb Client - 4476822) - Unknown owner - C:\FSecure\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Ewido\security suite\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\FSecure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Authentication Agent (FSAA) - Unknown owner - C:\FSecure\Common\FSAA.EXE (file missing)
O23 - Service: fsbwsys - F-Secure Corp. - C:\FSecure\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Distributed Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\FSecure\DFW\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\FSecure\Common\FSMA32.EXE
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\FSecure\fswsclds.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

So that is what the new log looks like.

Ad-Aware still finds "aurora" spyware. The Auroras turn up in the registry, but when you try to remove them they come straight back. Snail.exe is no longer in the Windows folder. There are still problems, though: right at startup an F-Secure warning appears saying that Documents.exe is trying to get online. The machine also had Buddy.exe (apparently the same family as Poller), which goes by some fkjdsjfdlsk.exe-style name. Heavier weapons are probably needed? P.S. The machine runs really slowly :/
Also fix this one with HjT:
O1 - Hosts: 64.91.255.87 www.dcsresearch.com

Empty these folders (the lower two in every user account):
C:\Temp
C:\Windows\Prefetch
C:\Documents and Settings\User name\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\User name\Local Settings\Temp

Get eScan, read the instructions, update it and clean with it, then post the findings list from the bottom box here: http://koti.mbnet.fi/pattaya1/escanmwav.htm
File C:\WINDOWS\gbyxkfr.exe tagged as not-a-virus:AdWare.BetterInternet.c. No Action Taken.
File C:\WINDOWS\ovmbkzvorl.exe tagged as not-a-virus:AdWare.BetterInternet. No Action Taken.
File C:\WINDOWS\vupti.exe tagged as not-a-virus:Porn-Dialer.Win32.Generic. No Action Taken.
File C:\Documents and Settings\Tuomas\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-143f3441.zip infected by "Trojan-Downloader.Java.OpenStream.t" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Qoole\Qoole99v099.exe tagged as not-a-virus:Tool.WinCap.Reboot. No Action Taken.
File C:\Documents and Settings\Tuomas\Omat tiedostot\Tavara\Apps\Worldcraft\wc16shar.exe tagged as not-a-virus:Tool.WinCap.Reboot. No Action Taken.
File C:\Program Files\Java\jdk1.5.0_01\demo\applets\BarChart\BarChart.class tagged as not-a-virus:Garbage.Java.Chart. No Action Taken.
File C:\Program Files\Java\jdk1.5.0_01\demo\plugin\applets\BarChart\BarChart.class tagged as not-a-virus:Garbage.Java.Chart. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\gsda.dll tagged as not-a-virus:RiskWare.Downloader.SpyGame. No Action Taken.
File C:\WINDOWS\gbyxkfr.exe tagged as not-a-virus:AdWare.BetterInternet.c. No Action Taken.
File C:\WINDOWS\ovmbkzvorl.exe tagged as not-a-virus:AdWare.BetterInternet. No Action Taken.
File C:\WINDOWS\vupti.exe tagged as not-a-virus:Porn-Dialer.Win32.Generic. No Action Taken.

That is what eScan found. Now they need to be removed; how? I emptied the folders you suggested, except that the folder C:\Documents and Settings\Tuomas\Local Settings\Temp refused to be emptied and complains: "Cannot delete IadHide4.dll: Access is denied. Make sure the disk is not full..." Some pest in there too? F-Secure still reports every 5-30 min that Documents.exe is trying to get online. F-Secure claims the file is in the C:\Windows\ folder, but it isn't there.
Did you try emptying that Temp folder in Safe Mode? And these, at least, I would be deleting from my own machine without much hesitation:

File C:\WINDOWS\gbyxkfr.exe tagged as not-a-virus:AdWare.BetterInternet.c. No Action Taken.
File C:\WINDOWS\ovmbkzvorl.exe tagged as not-a-virus:AdWare.BetterInternet. No Action Taken.
File C:\WINDOWS\vupti.exe tagged as not-a-virus:Porn-Dialer.Win32.Generic. No Action Taken.
File C:\WINDOWS\gbyxkfr.exe tagged as not-a-virus:AdWare.BetterInternet.c. No Action Taken.
File C:\WINDOWS\ovmbkzvorl.exe tagged as not-a-virus:AdWare.BetterInternet. No Action Taken.
File C:\WINDOWS\vupti.exe tagged as not-a-virus:Porn-Dialer.Win32.Generic. No Action Taken.
Of course, in Safe Mode it went away. How do I delete those safely? Just Shift + Delete?
They're gone. A file named Documents.exe is still trying to get online; it still needs to be removed. F-Secure says it is in the C:\WINDOWS folder, but there is no such file there.
Terribly sorry, I can't resist a dig... but if you would take this as a small piece of advice: do clear the browser history, temp files and cookies before taking that HJT log, so that all the porn-site addresses don't shine so conspicuously in those logs :-D
Apparently so. Once I really started scanning with different programs, pests named gsda.dll and conime.exe, among others, turned up. I managed to delete them in Safe Mode. If someone could still help with that documents.exe, as it is still a nuisance.
Try Trend Micro's online scanner. (http://fi.trendmicro-europe.com/consumer/products/housecall_launch.php)
Turn on showing hidden files; maybe that documents.exe will turn up then: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

IadHide4.dll = F-Secure's BackWeb.

Remove BetterInternet from Add/Remove Programs.
Trend Micro found nothing. I went through those temp folders thoroughly and found the old familiar ones: nail.exe, poller.exe, drpmon.dll and aurora.exe. Hidden folders and files were already switched on. Hmm, what on earth could that Documents.exe be? Hardly a benign program. If there are any more tips for removing it, let's hear them. The machine seems to be clean apart from that Documents.exe. Thanks to everyone who replied in the thread, and especially to Toymaatti and V-kosi.
Get KillBox: http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Open it and tick the Delete on Reboot box. Copy this line > C:\WINDOWS\Documents.exe < into the field > Full Path of File to Delete <. Click the red button with the X and answer Yes. The machine reboots; is it gone now?
KillBox throws up an error window after the Yes button is pressed, and the machine does not reboot. The error window says: "PendingfileRenameOperations Registry Data has been Removed by External Process."