virus - kernels8.exe

IP: *.autocom.pl 18.05.06, 20:30
It blocked my Task Manager, and a red circle appeared in the taskbar with the message "Windows Security Center has detected spyware/adware infection". On top of that it locked my desktop and I can't change the wallpaper. I think I got rid of the virus, but the desktop is still locked. How do I unlock it??? Please help!
    • barracuda7110 Re: virus - kernels8.exe 18.05.06, 21:12
      Paste a HijackThis log.
      • Guest: abc Re: virus - kernels8.exe IP: *.autocom.pl 18.05.06, 23:59
        Sorry, but I don't know what hijackthis is.
        • Guest: abc log - please check IP: *.autocom.pl 19.05.06, 00:50
          Now I know what hijackthis is :)

          Please check the log:

          Logfile of HijackThis v1.99.1
          Scan saved at 00:37:09, on 2006-05-19
          Platform: Windows XP (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 (6.00.2600.0000)

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\SYSTEM32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\WINDOWS\Explorer.EXE
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
          C:\Program Files\QuickTime\qttask.exe
          C:\WINDOWS\System32\RUNDLL32.EXE
          C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
          C:\Program Files\Common Files\Real\Update_OB\realsched.exe
          C:\WINDOWS\System32\ctfmon.exe
          C:\WINDOWS\system32\GStartUp.exe
          C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
          C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
          C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
          C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
          C:\WINDOWS\System32\nvsvc32.exe
          C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\fxssvc.exe
          D:\PATEFKA\programik-sprawdzacz\HijackThis.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.pl/
          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
          F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
          O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
          O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
          O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
          O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
          O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
          O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
          O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
          O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
          O4 - Global Startup: hpoddt01.exe.lnk = ?
          O4 - Global Startup: hp psc 1000 series.lnk = ?
          O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
          O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
          O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
          O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
          O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
          O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
          O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
          O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
          O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
          O14 - IERESET.INF: START_PAGE_URL=www.sur5.net
          O15 - Trusted Zone: *.iframedollars.biz
          O15 - Trusted Zone: *.iframedollars.biz (HKLM)
          O15 - Trusted IP range: 213.159.117.202
          O16 - DPF: BSK Online - ssl.bsk.com.pl/component/BSKOnl.cab
          O16 - DPF: ING Bank Online - ssl.bsk.com.pl/bskonlreg/component/INGOnl.cab
          O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
          O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
          O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
          O16 - DPF: {11111111-1111-1111-1111-611111193457} - file://c:\wx.cab
          O16 - DPF: {11111111-1111-1111-1111-611111193458} - file://c:\wx.cab
          O16 - DPF: {2DF91772-19DC-47AE-B52F-B8E2FE545625} (Spd2 Class) - www.lemontv.pl/lmctrls.cab
          O16 - DPF: {37A49D66-2735-4BB9-8503-82BA5E2333D0} (MailCfg Control) - www.poczta.wp.pl/autoryzacja/mailcfg.ocx
          O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (GINBOARDS Class) - 67.15.101.3/g_bin/pl/boards_2_0_0_19.cab
          O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - tools.ebayimg.com/eps/activex/EPUWALControl_v1-0-3-18.cab
          O16 - DPF: {5F874A6F-8B34-433D-BA4B-47AC91C0567F} (MailCfg Control) - poczta.wp.pl/autoryzacja/mailcfg2.ocx
          O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122498292718
          O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - www.pandasoftware.com/activescan/as5/asinst.cab
          O16 - DPF: {A6916797-7ABD-4F07-93AE-098B6F543129} (CO2Player Class) - www.lemontv.pl/lmctrlp.cab
          O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - www.mks.com.pl/skaner/SkanerOnline.cab
          O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
          O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
          O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
          O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
          O23 - Service: StartUp Service (GStartUp) - G DATA Software Sp. z o.o. - C:\WINDOWS\system32\GStartUp.exe
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
          O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
          O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

          • Guest: k Re: log - please check IP: *.warszawa.sdi.tpnet.pl 19.05.06, 01:49
            Close the ports in wwdc, and don't use IE; install Opera or FF instead.

            In hjt remove:
            O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe <- delete the file from disk.
            O15 - Trusted Zone: *.iframedollars.biz
            O15 - Trusted Zone: *.iframedollars.biz (HKLM)
            O15 - Trusted IP range: 213.159.117.202
            O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
            O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
            O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
            O16 - DPF: {11111111-1111-1111-1111-611111193457} - file://c:\wx.cab
            O16 - DPF: {11111111-1111-1111-1111-611111193458} - file://c:\wx.cab
            O16 - DPF: {2DF91772-19DC-47AE-B52F-B8E2FE545625} (Spd2 Class) - www.lemontv.pl/lmctrls.cab

            Also scan the system with ewido.

            If you have questions, read the FAQ.
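            The advice above (remove the O4 loader, the O15 Trusted Zone entries and the file:// O16 entries) can be turned into a first-pass triage of a HijackThis log. This is an added example, not code from the thread or from HijackThis; the three heuristics (any O15 entry, O16 entries sourced from file://, O4 items running directly from the Windows directory) are assumptions of this example, and the sample lines are constructed from the posted log. It does not catch everything listed above (the lemontv.pl entry, for instance), so it narrows the review rather than replacing it.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on a handful of
# lines from the log posted in the thread (not the whole log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
"""

# Every HijackThis entry starts with a section code (R0, F2, O4, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# An executable sitting directly in the Windows directory (not System32 or Program Files).
WINDIR_EXE_RE = re.compile(r"[a-z]:\\windows\\[^\\]+\.exe", re.IGNORECASE)


def parse_entry(line):
    """Split one log line into (section code, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def flag_entry(code, body):
    """Heuristic reason to review the entry, or None (heuristics are this example's own)."""
    if code == "O15":
        # Trusted Zone / Trusted IP additions lower IE security for that host.
        return "Trusted Zone or Trusted IP range addition"
    if code == "O16" and " - file://" in body:
        # A Downloaded Program File (ActiveX) whose source is a local path.
        return "ActiveX (DPF) component loaded from a local file:// path"
    if code == "O4" and WINDIR_EXE_RE.search(body):
        # Startup items normally live in System32 or Program Files.
        return "startup item running directly from the Windows directory"
    return None


def triage(log_text):
    """Return [(code, body, reason)] for every entry that trips a heuristic."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and (reason := flag_entry(*entry)):
            hits.append((entry[0], entry[1], reason))
    return hits


if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"{code}: {body}\n    -> {reason}")
```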
    • Guest: k Re: virus - kernels8.exe IP: *.warszawa.sdi.tpnet.pl 18.05.06, 23:09
      Here is a removal guide:
      www.searchengines.pl/phpbb203/index.php?s=&showtopic=31936&view=findpost&p=294996

      Only once you've done all of that, paste the hjt log.