[mash]

Tekib selline fail otse C kettale.
Sai vahetatud op. süs. (Win XP Pro), aga endiselt jamab.
Mis asi see üldse on ja kuidas sellest vabaneda ?
Googlest midagi tarka ei leidnud aga otsin edasi.


Sisaldab see fail sellist infot:


<SCRIPT language="javascript" src="http://lads.yousendit.com/mirror/YSImirrortracking.js"></SCRIPT>

<center>
<html> <script src="/__utm.js" type="text/javascript"></script> <head> <meta
http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>YouSendIt: The Leader in File Delivery.</title>

<link href="site.css" rel="STYLESHEET" type="text/css">

<script LANGUAGE="JavaScript">
<!-- Begin
image1 = new Image();
image1.src = "images/b_services1.jpg";
image2 = new Image();
image2.src = "images/b_solutions1.jpg";
image3 = new Image();
image3.src = "images/b_support1.jpg";
image4 = new Image();
image4.src = "images/b_company1.jpg";
// End -->
</script>

<script type="text/javascript">
var randnum = Math.random();
var inum = 11;
// Change this number to the number of images you are using.
var rand1 = Math.round(randnum * (inum-1)) + 1;
images = new Array
images[1] = "images/top1.jpg"
images[2] = "images/top2.jpg"
images[3] = "images/top3.jpg"
images[4] = "images/top4.jpg"
images[5] = "images/top5.jpg"
images[6] = "images/top6.jpg"
images[7] = "images/top7.jpg"
images[8] = "images/top8.jpg"
images[9] = "images/top9.jpg"
images[10] = "images/top10.jpg"
images[11] = "images/top11.jpg"
// Ensure you have an array item for every image you are using.
var image = images[rand1]
</script>

</head>


<BODY bgcolor="#ffffff" id="body1" scroll="yes">


<table cellpadding="0" cellspacing="0" width="728" bgcolor="#ffffff" border="0">
<tr>
<td>
<table cellpadding="0" cellspacing="0" width="728" bgcolor="#ffffff" border="0">
<tr>
<td rowspan="32" align="top" width="210"><a href="http://www.yousendit.com"><img src="images/ysi_logo_frontpage.jpg" border="0"></a></td>
<td width="518" colspan="2">
<script language="javascript">
<!--
document.write('<img src="'+image+'">')
-->
</script>
</td>
</tr>
<tr>
<td class="smallGrey" align="right">Delivering over 43,973,865,717,760 bytes per day | <strong>What are you sending?</strong></td>
<td><img src="images/dot.gif" width="8" height="8"></td>
</tr>
</table>
</td>
</tr>
<tr><td height="7"></td></tr> <!-- space between "transferring" and blue nav bar -->
</table>
<table cellpadding="0" cellspacing="0" width="728" bgcolor="#ffffff" border="0">
<tr>
<td width="728" height="19" bgcolor="#3366cc" align="right" class="content"><a class="white" href="community.aspx"> &nbsp;&nbsp; YSI Community &nbsp;&nbsp;</a><a class="white" href="solutions.aspx">|&nbsp;&nbsp; Business Solutions &nbsp;&nbsp;</a><a class="white" href="advertise.aspx">|&nbsp;&nbsp; Advertise &nbsp; &nbsp;</a></td>
</tr>
<tr>
<td colspan="2" height="3"></td> <!-- space between blue nav bar and content of page -->
</tr>
</table>

<span class="content"><font size="-2" align="left">A D V E R T I S E M E N T - Clicking this advertisement will not affect download.</font></span><br>
<iframe src="dart/expired 728x90.aspx" width="728" height="90" marginwidth="0" marginheight="0" frameborder="0" scrolling="no"></iframe>


<table cellpadding="0" cellspacing="0" width="728" height="300" bgcolor="#ffffff" border="0">
<tr>
<td class="content" align="left" width="167">
<table width="100%" height="100%" cellpadding="0" cellspacing="0" border="0">
<tr>
<td width="20"></td>
<td width="*" align="left" valign="top">
<a href="howdoesitwork.aspx" class="currentpage"><br><br><br>
<img src="images/arrow_sm.jpg" border="0">How does it work?</a><br>
<a href="whyyousendit.aspx" class="currentpage">
<img src="images/arrow_sm.jpg" border="0">Why YouSendIt?</a><br>
<a href="abuse.aspx" class="currentpage">
<img src="images/arrow_sm.jpg" border="0">Report Abuse</a><br>
<a href="community.aspx" class="currentpage">
<img src="images/arrow_sm.jpg" border="0">Get Involved!</a><br><br>
</td>
<!-- <td width="10" background="images/greenLine10.gif"><img src="images/dot.gif" width="10"></td> -->
</tr>
</table>
</td>
<td class="content" width="561" valign="top"><br>
<table cellpadding="0" cellspacing="0" height="250" border="0">
<tr>
<td width="10" background="images/greenLine10.gif"><img src="images/dot.gif" width="10"></td>
<td width="205" class="content_bigger" valign="top">
<font class="subtitle">Your file has expired.</font><br><br>
Unfortunately, your file has expired. A link is valid
for 7 days or a limited number of downloads, whichever occurs first.<br><br>
Once the link expires, the file is deleted and
cannot be recovered.
</td>
<td width="10"></td>
<td width="336" valign="top">


<center>
<font size="-2">ADVERTISEMENT - Clicking will not affect download.</font><br>
<iframe src="dart/expired 300x250.aspx" width="300" height="250" marginwidth="0" marginheight="0" frameborder="0" scrolling="no"></iframe>

</center>
</td>
</tr>
</table>
</td>
</tr>
</table>
<br>

<span class="content"><font size="-2" align="left">A D V E R T I S E M E N T - Clicking this advertisement will not affect download.</font></span><br>
<!-- Begin BidClix Code -->
<script language="javascript" type="text/javascript">
<!--
document.write('<s'+'cript src="http://ads.bidclix.com/code/64469/?cb='+
(new Function
("var d=new Date();var u=Date.UTC(d.getUTCFul"
+"lYear(),d.getUTCMonth(),d.getUTCDay(),d.get"
+"UTCHours(),d.getUTCMinutes(),d.getUTCSecond"
+"s(),d.getUTCMilliseconds());return u+'-'+Ma"
+"th.random();"
))()
+'"><'+'/script>');
// -->
</script>
<noscript>
<iframe src="http://ads.bidclix.com/serve-page/?id=64469" width="740" height="125" scrolling="no" frameBorder="0">
<a href="http://ads.bidclix.com/serve-link/?id=64469" target="_blank"><img src="http://ads.bidclix.com/serve-image/?id=64469" width="740" height="125" border="0" alt="" /></a>
</iframe>
</noscript>
<!-- End BidClix Code -->

<table cellpadding="2" cellspacing="0" width="728" bgcolor="#ffffff" border="0">
<tr align="center">
<td colspan="2" align="center">

<hr noshade color="#CCCCCC" size="1">

</td>
</tr>
<tr height="19">
<td class="smallGreen" align="left"><strong>YouSendIt</strong> &copy 2005</td>
<td width="555" bgcolor="#7FC31C" align="right" class="content">&nbsp;&nbsp;&nbsp;<a class="white" href="privacy.aspx">Privacy Policy &nbsp;&nbsp;|&nbsp;&nbsp;</a> <a class="white" href="tos.aspx">Terms of Service &nbsp;&nbsp;|&nbsp;&nbsp;</a> <a class="white" href="dmca.aspx">DMCA Policy</a> <a href="company.aspx" class="white">&nbsp;&nbsp;|&nbsp;&nbsp; Company &nbsp;&nbsp;</a><a href="support.aspx" class="white">|&nbsp;&nbsp; Support &nbsp;&nbsp; </a></td>
</tr>
</table>
<!-- BEGIN DART -->
<script language="Javascript">
<!--
var axel = Math.random() + "";
var ord = axel * 1000000000000000000;
//-->
</script>



<SCRIPT LANGUAGE="JavaScript">
document.write('<SCRIPT LANGUAGE="JavaScript1.1" SRC="https://ad.doubleclick.net/adj/expired.yousendit.tmus;tile=1;sz=1x1;sect=;ord=' + ord + '?" ><\/SCRIPT>');
</SCRIPT>
<SCRIPT>
if ((!document.images && navigator.userAgent.indexOf("Mozilla/2.") >= 0) || navigator.userAgent.indexOf("WebTV")>= 0) {
document.write('<A HREF="https://ad.doubleclick.net/jump/expired.yousendit.tmus;tile=1;sz=1x1;sect=;ord=' + ord + '?" TARGET="_blank">');
document.write('<IMG SRC="https://ad.doubleclick.net/ad/expired.yousendit.tmus;tile=1;sz=1x1;sect=;ord=' + ord + '?" WIDTH="1" HEIGHT="1" BORDER="0" ALT=""></A>');
}
</SCRIPT>
<NOSCRIPT>
<A HREF="https://ad.doubleclick.net/jump/expired.yousendit.tmus;tile=1;sz=1x1;sect=;ord=123456789?" TARGET="_blank">
<IMG SRC="https://ad.doubleclick.net/ad/expired.yousendit.tmus;tile=1;sz=1x1;sect=;ord=123456789?" WIDTH="1" HEIGHT="1" BORDER="0" ALT=""></A>
</NOSCRIPT>

<!-- END DART -->



<iframe src="http://a.as-us.falkag.net/dat/dlv/aslframe.html?dat=133636&kid=0&xl=0&yl=0&mod=111" width="1" height="1" scrolling="no" frameBorder="0"></iframe>

</body>
</html>

[T6nnn]

kas see asi tekib alati ise uuesti kui sa selle maha kustutad? ja kas ta segab sind mingit moodi? minu meelest kui ei sega las olla, c kettal on ikka alati igast asju

[mash]

Jah tekib uuesti kui maha tappa. Kui aus olla siis ei sega, aga mulle lihtsalt ei meeldi sellised kahtlased asjad arvutis ja mul nagu pole siiani c kettal olnud asju mida ma pole sinna ise tekitanud või millest ma teadlik poleks.

[Ho Ho]

soovitan sul masin pahalasetõrjega üle lasta. Tundub et miski vidinas mis sul installitud genereerib toda html faili.

[mash]

Nod32 ei ütle midagi, ad-aware samuti mitte. Otseselt ta mingi pahalane nagu polegi vist, seega ei leia need programmid ka midagi.
Oskad äkki midagi paremat soovitada millega arvuti üle käia ?

Niipalju olen veel targemaks saanud, et see sfx.exe on seotud ntvdm.exe-ga (Windows 16-bit Virtual Machine)

[Ho Ho]

Proovi hijack this'i ka.

Ehk sa jooksutad ise mingit programmi mis tolle faili ise genereerib? Võibolla midagi mis oli/on seotud aadressiga http://www.yousendit.com ?

[raul141]

ja mõnd online virus scan kah pole paha

ot ja see vastus pole

http://www.techsupportforum.com/archive/index.php/t-351.html

[mash]

[raul141]

mash, loll küssa .aga sa ikka möllad safe modes?ja kabla tagant ikka ära

[mash]

Ei ole safe mode.
Safe modes on põhjust siis asja jooksutada kui ma olen probleemi üles leidnud ja kustutanud ja see tuleb uuesti tagasi.
Otsin praegu probleemi algallikat. Kuna c ketas sai puhtaks lastud, siis peab see põhjus olema mõne teise ketta peal, seda üritangi hetkel üles leida.
Või peaks kuidagi teisiti lähenema ?

[Ho Ho]

[Elof]

Endal oli ühe kurja loomaga tegu mõni aeg tagasi, mis mis juhusliku nimega faili genereeris ning mida ad-aware ja hijackthisiga polnud võimalik eemaldada.
Oli väga osavalt explorerisse integreeritud ja käitus rootkiti moodi.
Ainuke, millega selle õige nime ning tänu nimele ka eemaldamise proge leidsin, oli Spy Sweeper - http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/Spy-Sweeper.shtml
Kahjuks eemaldab see programm ise küll *vara vaid siis kui osta tasuline vers.

[mash]

Spy Sweeper andis sellise vastuse:
Items Found: 0
Traces Found : 0
Traces Ignored: 0
Traces Quarantined: 0
Traces Removed Since Installation: 0

Avastasin veel, et kui seda sfx.exe-t mitte sulgeda siis mingi aja pärast jooksutab ta ennast kenasti käima.

[Betamax]

[mash]

See link juba oli ülevalpool. Ma ei tea kui fake see asi on, aga mulle lihtsalt põhimõtteliselt ei meeldi, kui mingid imelikud asjad arvutis istuvad.
Nende õpetustega pole paraku XP puhul midagi teha.

[vecna]

Aga äkki IceSword näitab midagi. http://www.xfocus.net/tools/200509/1085.html

[raul141]

mash, see meenutab minu kunagist kogemust midagist sellega

https://foorum.hinnavaatlus.ee/viewtopic.php?t=176595&highlight=

ei tea kas nüüd lahendus,läbi msn-i see sis tuli
vaata jah registrit ja find-iga leiad midagist vast

[mash]

Sain kurjamist jagu lõpuks.
Tegu oli siis Backdoor.Heplane nimelise asjaga.
Asja leidis üles Norton Antivirus 2006 ja registrist kustutasin ka ühe kirje ära.
Abi sain: http://www.techsupportforum.com/windows-xp/83022-spyware-c-sfx-exe.html ja http://securityresponse.symantec.com/avcenter/venc/data/backdoor.heplane.html