unknown process

Status
Not open for further replies.

sujeet2555

In the zone
I have the ZoneAlarm Pro firewall. Recently, while I was surfing the internet, ZoneAlarm alerted me that a process "kernel32.exe wants to access 66.197.161.149"; I denied it. Task Manager also shows it running. The ZoneAlarm report is here:


.........................................................................................................
Whois Report from Zone Labs

Details about 66.197.161.149, the IP address of the computer that caused the alert you received from ZoneAlarm Pro, are provided in the Whois report below. The information in the Whois report comes from the Regional Internet Registry (RIR) for the region where 66.197.161.149 is located: ARIN, RIPE, LACNIC or APNIC. The name of the RIR appears in the Whois report.

The Whois report includes the name, address and contact information for the Internet Service Provider (ISP) that administers the block of IP addresses that contains 66.197.161.149. The report probably does not list the administrator of the specific computer at IP address 66.197.161.149.

You should not assume that individuals listed in this report are responsible for the alert you received on your computer.

Whois Information

Network Operations Center Inc. HOSTNOC-2BLK (NET-66-197-128-0-1)
66.197.128.0 - 66.197.255.255
imagelinkusa.net IMAGELIN797 (NET-66-197-161-100-1)
66.197.161.100 - 66.197.161.199

# ARIN WHOIS database, last updated 2005-02-26 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


OrgName: imagelinkusa.net
OrgID: IMAGEL-4
Address: PO Box 10856
City: Rockvile
StateProv: MD
PostalCode: 20851
Country: US

NetRange: 66.197.161.100 - 66.197.161.199
CIDR: 66.197.161.100/30, 66.197.161.104/29, 66.197.161.112/28, 66.197.161.128/26, 66.197.161.192/29
NetName: IMAGELIN797
NetHandle: NET-66-197-161-100-1
Parent: NET-66-197-128-0-1
NetType: Reassigned
Comment:
RegDate: 2002-02-21
Updated: 2002-02-21

TechHandle: DJ566-ARIN
TechName: Jackson, Dave
TechPhone: +1-301-212-9863
TechEmail: webmaster@imagelinkusa.net

OrgTechHandle: DJ566-ARIN
OrgTechName: Jackson, Dave
OrgTechPhone: +1-301-212-9863
OrgTechEmail: webmaster@imagelinkusa.net

# ARIN WHOIS database, last updated 2005-02-26 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


..........................................................................................................


I don't understand whether this is something good or whether something mischievous is happening. When I stopped kernel32, the system hung; no programs worked, nor would the system shut down. When I wanted to open Task Manager, it displayed "task manager has been disabled by your administrator". When I rebooted the computer it displayed a blue screen saying "a critical process has been exited". kernel32 also adds itself to startup; I removed it from startup using msconfig, but it starts on its own at start-up. Please help :roll:

The process running is kernels32.exe, not kernel32.exe. The HijackThis log file is:
Logfile of HijackThis v1.99.1
Scan saved at 1:01:44 PM, on 7/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\kernels32.exe
C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program\Tweakz\Tweakz.exe
C:\Program Files\Serials3k\Serials3k.exe
C:\Program Files\Logitech\MouseWare\System\Em_exec.exe
E:\Program Files\SlyDiman\SlyControl2\SlyCtrl2.exe
F:\Program Files\Cheatbook Database 2005\base2005.exe
C:\Documents and Settings\sujeet\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = *red.clientapps.yahoo.com/customize/ycomp/defaults/sb/**www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = *red.clientapps.yahoo.com/customize/ycomp/defaults/su/**www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - F:\Program Files\DAP\DAPBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PixGrabber Helper - {0FD387DF-5E13-4EAB-BB19-A1F4C2D0B325} - f:\Program Files\PixGrabber Free\PxGIEPlugins.dll
O2 - BHO: CookieHlprObj Class - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - f:\PROGRA~2\TRWinCNO\POPUPK~1\TRBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6291957C-8CE9-4c90-BEFF-12D9E68CFF30} - f:\Program Files\LostGoggles\LGoggles.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - F:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: &Indiatimes Toolbar - {8755877D-4952-441a-8AAB-841D479F07FE} - F:\PROGRA~2\INDIAT~1\ComBar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
O3 - Toolbar: Pictures - {8E929F51-5914-11D6-971F-0050FC3F9161} - f:\Program Files\Pictures Toolbar\IEBand.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: PixGrabber Links Bar - {4A360645-F363-416A-A7A3-54E4804F90ED} - f:\PROGRA~2\PIXGRA~1\PxGIEGUI.dll
O3 - Toolbar: PixGrabber Bar - {9377C91E-EB13-4AF4-9B45-42BE835BB548} - f:\PROGRA~2\PIXGRA~1\PxGIEGUI.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - Startup: Webshots.lnk = F:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Samsung Internet Keyboard.lnk = C:\Program Files\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
O8 - Extra context menu item: &Download with &DAP - F:\PROGRA~2\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://F:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://F:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - F:\PROGRA~2\DAP\dapextie2.htm
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: GuruNet... - file:f:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - f:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - f:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - F:\PROGRA~2\DAP\DAP.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\PROGRA~2\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - F:\PROGRA~2\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - *downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - *us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - *www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - *community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - *ccon.futuremark.com/global/msc34.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC7FA299-F505-4203-9824-CC3093703092}: NameServer = 61.1.96.69 61.1.96.71
O20 - Winlogon Notify: WB - F:\PROGRA~2\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - f:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


But another problem arose: my Google toolbar is showing only

 
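The HijackThis log above is where the answer actually sits: the same odd filename is wired into the system.ini Shell= line (F2) and into two Run keys (O4), which is why it comes back after being removed from msconfig. The script below is an added example for this thread, not something from HijackThis, ZoneAlarm or Symantec: it parses HijackThis persistence lines and flags any launched module whose name imitates a core Windows file (kernel32.exe or kernels32.exe standing in for the legitimate kernel32.dll). The sample lines are constructed from the log in the post, and the list of legitimate module names and the one-edit threshold are assumptions chosen for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Core Windows modules and the extension each legitimately carries (assumed list).
# kernel32 is a DLL, so a kernel32.exe or kernels32.exe in System32 is not it.
LEGIT_MODULES = {"kernel32": ".dll", "ntdll": ".dll", "user32": ".dll",
                 "explorer": ".exe", "svchost": ".exe", "winlogon": ".exe"}

# HijackThis sections that describe an auto-start (persistence) location.
PERSISTENCE_SECTIONS = {"F2", "O4", "O20", "O21", "O23"}

LINE_RE = re.compile(r"^(?P<sec>[FOR]\d+) - (?P<desc>.*)$")
# Drive-letter paths ending in .exe/.dll (lazy, so 'NvCpl.dll,NvStartup' stops at .dll).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s,;]+?\.(?:exe|dll)", re.IGNORECASE)

# Constructed sample: persistence lines copied from the HijackThis log in the post.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

@dataclass
class Finding:
    section: str   # HijackThis section id, e.g. O4 (Run keys) or F2 (Shell= line)
    path: str      # module the auto-start entry launches
    reason: str    # why the name is suspicious

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-letter lookalikes such as kernels32 vs kernel32."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(path: str) -> Optional[str]:
    """Explain why a module name imitates a core Windows file, or None if it does not."""
    name = path.rsplit("\\", 1)[-1].lower()
    stem, _, ext = name.rpartition(".")
    for legit, legit_ext in LEGIT_MODULES.items():
        d = levenshtein(stem, legit)
        if d == 0 and "." + ext != legit_ext:
            return f"{name} reuses the name of {legit}{legit_ext} with a different extension"
        if d == 1:
            return f"{name} is one edit away from {legit}{legit_ext}"
    return None

def triage(log: str) -> List[Finding]:
    """Flag persistence entries whose launched module imitates a core Windows file."""
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("sec") not in PERSISTENCE_SECTIONS:
            continue
        for path in PATH_RE.findall(m.group("desc")):
            reason = lookalike_reason(path)
            if reason:
                findings.append(Finding(m.group("sec"), path, reason))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.path}: {f.reason}")
```

On the sample it reports the three kernels32.exe entries (F2 Shell=, HKLM Run, HKLM RunServices) and leaves NvCpl.dll, vbsys2.dll and vsmon.exe alone; each flagged section tells you which auto-start location to clean.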

anandk

Distinguished Member
kernel32.exe is a virus. It is a Floodnet/Tendulf virus which attempts to send e-mails to everyone using Outlook aliases. Please do not confuse the virus/trojan file, Kernel32.exe, with the legitimate Windows file, kernel32.dll.

Run your anti-virus in safe mode or schedule a boot-time Avast scan.

Also visit *www.auditmypc.com/process/kernel32.asp

Have fun! :lol:
 

saROMan

QA Juggler
Kernel32 - kernel32.exe - Process Information

Process File: kernel32 or kernel32.exe
Process Name: Floodnet virus

Description:
kernel32.exe is a Floodnet virus and attempts to send e-mails to everyone using Outlook aliases. This program is a registered security risk and should be removed immediately. Note! kernel32.dll is the most important Microsoft Windows Kernel. Functionality addressing most of windows functions are linked to this kernel DLL in some way.

Author: na
Part Of: Floodnet virus

System Process: No
Background Process: No
Uses Network: Yes
Hardware Related: No
Common Errors: N/A
Memory Usage: N/A ( Free Up Memory )

Security Risk (0-5): 4
Spyware: No
Adware: No
Virus: Yes
Trojan: Yes

Here is info from Symantec:

When Trojan.PSW.Gip runs, it does the following:

Copies itself as %System%\Kernel32.exe.

NOTES:
%System% is a variable. The Trojan locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Do not confuse the Trojan file, Kernel32.exe, with the legitimate Windows file, Kernel32.dll.


Adds the values:

Welcome = %System%\kernel32.exe

to the registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs each time you start Windows.

Adds the values:

Config = %System%\kernel32.exe

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs each time you start Windows.

Adds the value:

Sevice = %System%\kernel32.exe

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

so that it runs as a service under Windows 95/98/Me, and it is not displayed in the Windows 95/98/Me "Close Program" dialog box.

Sends email messages to the hacker with the following information:
Computer system information
RAS Dialup information
Cached login names and passwords
Login names and passwords for Internet access
ICQ information including your Unique Identification Number (UIN) and password


Downloads a file from a specified Web site.

Adds the value:

Welcome = TMP15F.EXE

to the Registry auto-run key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

so that the file runs the next time you start Windows.

Adds or deletes the values:

File1
File2
File3
Count
Date
LastError
Ver

to or from the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

These instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Reverse the changes that the Trojan made to the registry, and then restart the computer.
Update the virus definitions.
Run a full system scan and delete all the files detected as Trojan.PSW.Gip.

For specific details on each of these steps, read the following instructions.

1. Reversing the changes that the Trojan made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

Welcome = %System%\kernel32.exe

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

Config = %System%\kernel32.exe

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

NOTE: This key does not exist on all the systems.

In the right pane, delete the value:

Sevice = %System%\kernel32.exe

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

In the right pane, delete the value:

Welcome = TMP15F.EXE

Navigate to the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows

In the right pane, delete the values:

File1
File2
File3
Count
Date
LastError
Ver

Exit the Registry Editor.

Restart the computer.

Update your antivirus and then run a full scan. Also download CounterSpy, update it and scan your PC.
 