pws.hooker.trojan NEED HELP!!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

charity

Thread Starter
Joined
Jan 18, 2003
Messages
12
ok, so upon booting up last night, norton told me that i had 2 viruses on my computer. the first one was the Sobig.A virus. it couldn't be cleaned or quarantined. the other virus that i had was the PWS.Hooker.Trojan virus. the hooker couldn't be cleaned, but it was quarantined. not sure what good that does, but it doesn't satisfy me. each time i turn the computer on i get a box telling me about these viruses.

so i called up Dell where i got my computer (dimension 8200 with windows XP) and they helped me get rid of the Sobig one from downloading the FixSobig from the Symantec site. so that worked. then they had me download the BugBear Fix from the same site. that didn't work. after running that one, it said that it didn't find that virus on my computer. HOWEVER, the damn hooker is still there. upon rebooting, norton tells me that it is.

so i went to the site and tried to follow the instructions for getting rid of it. however, nothing happened when i went into RUN, entered regedit and then went through the whole HKEY_LOCAL_MACHINE . . . . blah blah blah and on down to RunOnce. but there was nothing in the right pane except some default mumbo jumbo. on the message board 2 other users had the same problem. i tried sincerely to make heads or tails of what the person was telling them to do, but i am a computer dummy. i admit it. but i really want to get this thing off of my computer. dell is no help at all and my head hurts from trying to talk on the phone about it and getting put on hold and getting transferred and then not being able to understand what the person is saying because i only understand english . . . you get the picture.

any help that i could get would be so wonderful right now. this is just the cherry on top of my crappy week.

thanks
charity
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
When infected files are quarantined, they're effectively rendered harmless.

Launch the Quarantine console, highlight everything in it, and hit 'remove'. The files will be deleted.

Next, please do this:

Go to http://www.spywareinfo.com/downloads.php#startup, and download 'Startuplist'.

Unzip, doubleclick it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

Go to Edit > select all, copy it and post the contents here.
 

charity

Thread Starter
Joined
Jan 18, 2003
Messages
12
ok, you said to launch the "quarantine console". i don't know what that is. sorry. i know exactly NO computer lingo. i feel like a big goof. but if you could explain. thanks.

charity
 

charity

Thread Starter
Joined
Jan 18, 2003
Messages
12
ok, i went into norton and brought up the virus log. the files that were showed as quarantined (the hooker stuff) . . . well, i just deleted them. there were 2.

then i downloaded the thing you told me to and here it is. i guess you can make heads or tails of it.

thanks man!!

charity
StartupList report, 1/19/2003, 4:14:09 AM
StartupList version: 1.51
Started from : C:\Documents and Settings\charity\Local Settings\Temp\Temporary Directory 3 for startuplist.zip\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\mptask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\charity\Local Settings\Temp\Temporary Directory 3 for startuplist.zip\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Digital Line Detect.lnk = ?
Microsoft Works Calendar Reminders.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
diagent = "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
UpdReg = C:\WINDOWS\UpdReg.EXE
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
WindowsMGM = C:\WINDOWS\winmgm32.exe

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[ZingBatchAXDwnl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\batchdwnl.dll
CODEBASE = http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802

[PWMediaSendControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PWActiveXImgCtl.dll
CODEBASE = http://216.249.24.141/code/PWActiveXImgCtl.CAB

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------
End of report, 4,736 bytes
Report generated in 0.281 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
You still have the startup item for the Sobig worm enabled.

Go to Start > Run > Msconfig, and uncheck WindowsMGM on the Startup tab.

Click OK, reboot, and see whether C:\WINDOWS\winmgm32.exe is still there.

It might well be gone, but if it isn't, delete it.

I'd also run an online scan at Panda Active Scan, just to be sure.

Cheers,
 

charity

Thread Starter
Joined
Jan 18, 2003
Messages
12
ok, i went to the startup tab in there. BUT i didn't see WINDOWSMGM. i saw the winmgm32 in there but not WINDOWSMGM.

charity
 

charity

Thread Starter
Joined
Jan 18, 2003
Messages
12
ok, i unchecked it. hit OK, and it asked me if i wanted to restart. i did. when the computer came back on it put up a systems utility notice or something like that. i had changed the way windows started and it was . . . .well, i don't know what it was doing. i went to see if C:\WINDOWS\winmgm.32.exe was still there. it was there, but it wasn't checked. so i restarted the computer again, got the same damn notice when i started. hope that's ok.

before i did any of this, though. i did a virus scan. there is still one hooker that it quarantined. so i deleted it (i think). and just now when i started the computer for a second time, i got a norton notification that there was a hooker in c:\windows\system32\sysmgmt32.dll
i hadn't gotten any sobig warnings or notifications since i did the sobigfix thing yesterday.

what the hell is going on?

does this have anything to do with windows XP having some kind of SYSTEM RESTORE. when i was getting rid of the sobig virus i had to turn it off to do the scan.

i am going to restart the computer. that system utility thing makes me nervous.

charity
 

charity

Thread Starter
Joined
Jan 18, 2003
Messages
12
ok, so how exactly do i remove that winmgm32.exe? will it hurt anything when i remove it?

and what about the hooker? is it in the winmgm32.exe also?

charity
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Winmgm32.exe is the Sobig worm file itself, so deleting it can only be good for your computer.

So I suggest you do just that.

The trojan is another file: sysmgmt32.dll in your Windows\System32 directory.

Would you please do this:

Go to http://www.spywareinfo.com/downloads.php#det, and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

It will help us pinpoint that "hooker" trojan and its startup entry, and make it easier to remove.
 

charity

Thread Starter
Joined
Jan 18, 2003
Messages
12
here's the results of the hijack scan

Logfile of HijackThis v1.91.2
Scan saved at 5:05:57 PM, on 1/19/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://entertainment.yahoo.com/entnews/main/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

thanks so much for all your help on this. you are a saint.

charity
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
No prob! :)

No sign of trojan startups in your log, which is good, but that doesn't say anything about the presence of the files themselves.

So find both winmgm32.exe and sysmgmt32.dll and delete them, if you haven't done that already.
 
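Two of TonyKlein's points above can be checked mechanically against the posted logs: an auto-start entry whose program sits directly in the Windows root (the WindowsMGM entry pointing at C:\WINDOWS\winmgm32.exe in the StartupList report) stands out from vendor software that lives under Program Files or System32, and an entry vanishing from a later HijackThis log says nothing about whether the file is still on disk. The script below is an added example, not a tool from the thread or from the StartupList/HijackThis authors; it parses the registry Run sections of a StartupList report and the O4 lines of a HijackThis log into one structure, flags entries for review with that Windows-root heuristic, and diffs entry names between the two logs. The sample logs are constructed in the layout of the ones posted in the thread.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class AutorunEntry:
    """One auto-start item: where it is registered, its value name, and its command line."""
    source: str
    name: str
    command: str


# Constructed sample in the layout of the StartupList report posted in the thread
# (registry Run-key sections only; the values mirror the ones in the posted log).
STARTUPLIST_SAMPLE = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
UpdReg = C:\WINDOWS\UpdReg.EXE
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
WindowsMGM = C:\WINDOWS\winmgm32.exe

--------------------------------------------------
"""

# Constructed sample in the layout of the HijackThis O4 lines posted later in the
# thread, i.e. after WindowsMGM had been unchecked in Msconfig.
HIJACKTHIS_SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

_SL_VALUE = re.compile(r"^(.+?) = (.*)$")
_HJT_REG = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")
_HJT_FOLDER = re.compile(r"^O4 - (Global Startup|Startup): (.+?) = (.*)$")
_QUOTED = re.compile(r'^"([^"]+)"')
# Unquoted command lines may contain spaces in the path, so cut at the first
# executable extension followed by whitespace or end of line.
_UNQUOTED = re.compile(r"^(.*?\.(?:exe|com|dll|scr|pif|bat|cmd))(?:\s|$)", re.IGNORECASE)


def parse_startuplist(text: str) -> List[AutorunEntry]:
    """Collect 'name = command' values from each 'Autorun entries from Registry' section."""
    entries, key = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if line == "Autorun entries from Registry:":
            key = next(l for l in lines if l.strip()).strip()  # key path follows the header
        elif line.startswith("----"):
            key = None  # section separator ends the current key
        elif key and (m := _SL_VALUE.match(line)):
            entries.append(AutorunEntry(key, m.group(1), m.group(2)))
    return entries


def parse_hijackthis(text: str) -> List[AutorunEntry]:
    """Collect O4 registry and startup-folder lines from a HijackThis log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := _HJT_REG.match(line):
            entries.append(AutorunEntry(m.group(1), m.group(2), m.group(3)))
        elif m := _HJT_FOLDER.match(line):
            entries.append(AutorunEntry(m.group(1), m.group(2), m.group(3)))
    return entries


def executable_path(command: str) -> str:
    """Return the program a command line launches, honouring quotes and unquoted paths with spaces."""
    if m := _QUOTED.match(command):
        return m.group(1)
    if m := _UNQUOTED.match(command):
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def in_windows_root(path: str) -> bool:
    r"""True when the file sits directly in the Windows directory, e.g. C:\WINDOWS\winmgm32.exe."""
    return re.fullmatch(r"[a-z]:\\win(dows|nt)", ntpath.dirname(path).lower()) is not None


def entries_to_review(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Triage heuristic, not a verdict: vendor software normally lives under Program Files
    or System32, so a Run entry pointing straight into the Windows root deserves a look."""
    return [e for e in entries if in_windows_root(executable_path(e.command))]


def names_no_longer_listed(before: List[AutorunEntry], after: List[AutorunEntry]) -> Set[str]:
    """Entry names present in an earlier log but absent from a later one. A missing entry
    only means the auto-start hook is gone; the file itself may still be on disk."""
    return {e.name for e in before} - {e.name for e in after}


if __name__ == "__main__":
    sl = parse_startuplist(STARTUPLIST_SAMPLE)
    hjt = parse_hijackthis(HIJACKTHIS_SAMPLE)
    for e in entries_to_review(sl):
        print(f"review: {e.source} [{e.name}] -> {executable_path(e.command)}")
    print("no longer listed in the later log:", names_no_longer_listed(sl, hjt))
```

Run against the samples, the review list contains both UpdReg and WindowsMGM: the heuristic is deliberately broad and only says "look at this", which is why the entry that matters still has to be confirmed by checking whether the file is present, exactly as the advice above says.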

charity

Thread Starter
Joined
Jan 18, 2003
Messages
12
i am having trouble finding both of them. i found the winmgm32.exe in the run Msconfig start tab, but i can't seem to delete it from there. i right click on it and nothing happens. i just don't know HOW to delete them.

charity
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
No, that's not what I mean. The unchecked entries in the Msconfig/Startup list are harmless, and moreover they're not the files themselves.

What I mean is, look for the presence of C:\WINDOWS\winmgm32.exe by opening Windows Explorer, and navigating to your C:\windows directory, or by doing a Find Files for winmgm32.exe.

If you find that file, delete it.

Same for c:\windows\system32\sysmgmt32.dll

If they're not there any more, your antivirus may have taken care of them already, and in that case I can only wish you happy surfing! :)
 