
pws.hooker.trojan NEED HELP!!

Discussion in 'Virus & Other Malware Removal' started by charity, Jan 18, 2003.

  1. charity

    charity Thread Starter

    Joined:
    Jan 18, 2003
    Messages:
    12
    ok, so upon booting up last night, norton told me that i had 2 viruses on my computer. the first one was the Sobig.A virus. it couldn't be cleaned or quarantined. the other virus that i had was the PWS.Hooker.Trojan virus. the hooker couldn't be cleaned, but it was quarantined. not sure what good that does, but it doesn't satisfy me. each time i turn the computer on i get a box telling me about these viruses.

    so i called up Dell where i got my computer (dimension 8200 with windows XP) and they helped me get rid of the Sobig one from downloading the FixSobig from the Symantec site. so that worked. then they had me download the BugBear Fix from the same site. that didn't work. after running that one, it said that it didn't find that virus on my computer. HOWEVER, the damn hooker is still there. upon rebooting, norton tells me that it is.

    so i went to the site and tried to follow the instructions for getting rid of it. however, nothing happened when i went into RUN, entered regedit and then went through the whole HKEY_LOCAL_MACHINE . . . . blah blah blah and on down to RunOnce. but there was nothing in the right pane except some default mumbo jumbo. on the message board 2 other users had the same problem. i tried sincerely to make heads or tails of what the person was telling them to do, but i am a computer dummy. i admit it. but i really want to get this thing off of my computer. dell is no help at all and my head hurts from trying to talk on the phone about it and getting put on hold and getting transferred and then not being able to understand what the person is saying because i only understand english . . . you get the picture.

    any help that i could get would be so wonderful right now. this is just the cherry on top of my crappy week.

    thanks
    charity
     
  2. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    When infected files are quarantined, they're effectively rendered harmless.

    Launch the Quarantine console, highlight everything in it, and hit 'remove'. The files will be deleted.

    Next, please do this:

    Go to http://www.spywareinfo.com/downloads.php#startup , and download 'Startuplist'.

    Unzip, doubleclick it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > select all, copy it and post the contents here.
     
  3. charity

    charity Thread Starter

    Joined:
    Jan 18, 2003
    Messages:
    12
    ok, you said to launch the "quarantine console". i don't know what that is. sorry. i know exactly NO computer lingo. i feel like a big goof. but if you could explain. thanks.

    charity
     
  4. charity

    charity Thread Starter

    Joined:
    Jan 18, 2003
    Messages:
    12
    ok, i went into norton and brought up the virus log. the files that were shown as quarantined (the hooker stuff) . . . well, i just deleted them. there were 2.

    then i downloaded the thing you told me to and here it is. i guess you can make heads or tails of it.

    thanks man!!

    charity

    StartupList report, 1/19/2003, 4:14:09 AM
    StartupList version: 1.51
    Started from : C:\Documents and Settings\charity\Local Settings\Temp\Temporary Directory 3 for startuplist.zip\StartupList.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\mptask.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\charity\Local Settings\Temp\Temporary Directory 3 for startuplist.zip\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Digital Line Detect.lnk = ?
    Microsoft Works Calendar Reminders.lnk = ?

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    diagent = "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    UpdReg = C:\WINDOWS\UpdReg.EXE
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    WindowsMGM = C:\WINDOWS\winmgm32.exe

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [ZingBatchAXDwnl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\batchdwnl.dll
    CODEBASE = http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802

    [PWMediaSendControl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\PWActiveXImgCtl.dll
    CODEBASE = http://216.249.24.141/code/PWActiveXImgCtl.CAB

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------
    End of report, 4,736 bytes
    Report generated in 0.281 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  5. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    You still have the startup item for the Sobig worm enabled.

    Go to Start > Run > Msconfig, and uncheck WindowsMGM on the Startup tab.

    Click OK, reboot, and see whether C:\WINDOWS\winmgm32.exe is still there.

    It might well be gone, but if it isn't, delete it.

    I'd also run an online scan at Panda Active Scan , just to be sure.

    Cheers,
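
As an added example (not from this thread, nor from StartupList or HijackThis themselves), here is a small Python triage that parses the "Autorun entries from Registry" blocks of a StartupList report and the O4 lines of a HijackThis log, and flags what TonyKlein spotted above: a Run value launching an executable straight from the Windows root, plus the two file names named in this thread. The KNOWN_BAD table, the sample lines, the regexes and the Windows-root heuristic are assumptions of this example; legitimate vendor tools (UpdReg here) also live in the root, so REVIEW hits still need a human look.

```python
import re

# Names identified in this thread: the Sobig worm's Run entry/file and the DLL Norton
# flagged as PWS.Hooker (lower-case basenames). The sample lines below are excerpted from
# the StartupList and HijackThis logs posted in the thread: constructed test input, not a live scan.
KNOWN_BAD = {"winmgm32.exe": "Sobig.A (WindowsMGM Run entry)", "sysmgmt32.dll": "PWS.Hooker.Trojan"}
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UpdReg = C:\WINDOWS\UpdReg.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
WindowsMGM = C:\WINDOWS\winmgm32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"""
HIVE_RE = re.compile(r"^HK(LM|CU)\\")                 # StartupList section header naming the Run key
HJT_O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUPLIST_RE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<cmd>.+)$")

def exe_path(cmd):
    """Executable from a Run command: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]

def parse_entries(text):
    """Return (run_key, name, command) for every autorun entry in either log format."""
    entries, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        hjt = HJT_O4_RE.match(line)
        if HIVE_RE.match(line):
            key = line                       # following 'name = cmd' lines belong to this key
        elif hjt:
            entries.append((hjt["key"], hjt["name"], hjt["cmd"]))
        elif key and not re.match(r"^[A-Z]\d+ - ", line):   # skip other HijackThis sections
            if m := STARTUPLIST_RE.match(line):
                entries.append((key, m["name"], m["cmd"]))
    return entries

def triage(entries, windir=r"C:\WINDOWS"):
    """Flag known-bad basenames, and anything launched straight from the Windows root."""
    findings = []
    for _key, name, cmd in entries:
        path = exe_path(cmd)
        base = path.rsplit("\\", 1)[-1].lower()
        if base in KNOWN_BAD:
            findings.append((name, path, "KNOWN: " + KNOWN_BAD[base]))
        elif path.lower().startswith(windir.lower() + "\\") and "\\" not in path[len(windir) + 1:]:
            findings.append((name, path, "REVIEW: runs from the Windows root"))
    return findings
```

Running `triage(parse_entries(SAMPLE_LOG))` marks WindowsMGM as KNOWN and UpdReg as REVIEW; the RUNDLL32 entry carries no path and is left alone, which is a limit of this heuristic.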
     
  6. charity

    charity Thread Starter

    Joined:
    Jan 18, 2003
    Messages:
    12
    ok, i went to the startup tab in there. BUT i didn't see WINDOWSMGM. i saw the winmgm32 in there but not WINDOWSMGM.

    charity
     
  7. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    That's the one. You'll want to uncheck it.
     
  8. charity

    charity Thread Starter

    Joined:
    Jan 18, 2003
    Messages:
    12
    ok, i unchecked it. hit OK, and it asked me if i wanted to restart. i did. when the computer came back on it put up a systems utility notice or something like that. i had changed the way windows started and it was . . . .well, i don't know what it was doing. i went to see if C:\WINDOWS\winmgm.32.exe was still there. it was there, but it wasn't checked. so i restarted the computer again, got the same damn notice when i started. hope that's ok.

    before i did any of this, though. i did a virus scan. there is still one hooker that it quarantined. so i deleted it (i think). and just now when i started the computer for a second time, i got a norton notification that there was a hooker in c:\windows\system32\sysmgmt32.dll
    i hadn't gotten any sobig warnings or notifications since i did the sobigfix thing yesterday.

    what the hell is going on?

    does this have anything to do with windows XP having some kind of SYSTEM RESTORE. when i was getting rid of the sobig virus i had to turn it off to do the scan.

    i am going to restart the computer. that system utility thing makes me nervous.

    charity
     
  9. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
  10. charity

    charity Thread Starter

    Joined:
    Jan 18, 2003
    Messages:
    12
    ok, so how exactly do i remove that winmgm32.exe? will it hurt anything when i remove it?

    and what about the hooker? is it in the winmgm32.exe also?

    charity
     
  11. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Winmgm32.exe is the Sobig worm file itself, so deleting it can only be good for your computer.

    So I suggest you do just that.

    The trojan is another file: sysmgmt32.dll in your Windows\System32 directory.

    Would you please do this:

    Go to http://www.spywareinfo.com/downloads.php#det , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please show us its contents.

    It will help us pinpoint that "hooker" trojan and its startup entry, and make it easier to remove.
     
  12. charity

    charity Thread Starter

    Joined:
    Jan 18, 2003
    Messages:
    12
    here's the results of the hijack scan

    Logfile of HijackThis v1.91.2
    Scan saved at 5:05:57 PM, on 1/19/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://entertainment.yahoo.com/entnews/main/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    thanks so much for all your help on this. you are a saint.

    charity
     
  13. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    No prob! :)

    No sign of trojan startups in your log, which is good, but that doesn't say anything about the presence of the files themselves.

    So find both winmgm32.exe and sysmgmt32.dll and delete them, if you haven't done that already.
     
  14. charity

    charity Thread Starter

    Joined:
    Jan 18, 2003
    Messages:
    12
    i am having trouble finding both of them. i found the winmgm32.exe in the run Msconfig start tab, but i can't seem to delete it from there. i right click on it and nothing happens. i just don't know HOW to delete them.

    charity
     
  15. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    No, that's not what I mean. The unchecked entries in the Msconfig/Startup list are harmless, and moreover they're not the files themselves.

    What I mean is, look for the presence of C:\WINDOWS\winmgm32.exe by opening Windows Explorer, and navigating to your C:\windows directory, or by doing a Find Files for winmgm32.exe.

    If you find that file, delete it.

    Same for c:\windows\system32\sysmgmt32.dll

    If they're not there any more, your antivirus may have taken care of them already, and in that case I can only wish you happy surfing! :)
     
Short URL to this thread: https://techguy.org/113992