PWS.hooker.trojan

  VoG II 22:33 11 May 2004
Locked

Big help needed here please folks.

Laptop with Windows XP and NIS 2004.

Keeps coming up with Virus alert. It says it cannot delete (or do anything with) the file which is C:\windows\system32\luqgflg.dll

I have tried the instructions at click here but whenever I restart and connect to the net it comes back. The error message will not go away. The mentioned registry entry is not present.

Deleted it in safe mode, then went into msconfig and deleted the suspicious program fcmyhf.exe

Restarted - all OK. Thought I had won there. Connect to net and the Norton warnings come back. Plus Norton is constantly checking outgoing e-mails so I'm worried that this is broadcasting whatever it is.

This is not my machine but I've got to fix it.

As ever, all help much appreciated.

  maz2 22:57 11 May 2004

It must be bad if you can't get rid of it. I know when I tried to get rid of Blaster I couldn't until I had installed all the Windows updates; it didn't work with downloading just the one patch relating to it. Also, you could try running Trend Micro HouseCall; I have great faith in them since Norton let me down. Still, I could be just talking a load of rubbish. Anyway, it's just a few suggestions, which you have most probably tried anyway.

  powerless 23:06 11 May 2004

Do a HJT.

  VoG II 23:19 11 May 2004

OK, hang on.............

  VoG II 23:47 11 May 2004

Logfile of HijackThis v1.97.7
Scan saved at 23:38:38, on 11/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\pctspk.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\System32\fcmyhf.exe

C:\Program Files\3M\PSNLite\PsnLite.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\PROGRA~1\3M\PSNLite\PSNGive.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Aimee Jackson\Local Settings\Temp\Temporary Directory 1 for hjt.zip\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll


O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

  VoG II 23:47 11 May 2004

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll


O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll



O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe


O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe

O4 - HKLM\..\Run: [fcmyhf] C:\WINDOWS\System32\fcmyhf.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\Clean KMD\blueyonder IST\bin\matcli.exe

O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html


O9 - Extra button: Research (HKLM)


O9 - Extra button: Real.com (HKLM)


O9 - Extra button: TakeThatMP3 (HKLM)


O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=click here
O16 - DPF: Yahoo! Dice - click here
O16 - DPF: Yahoo! Pool 2 - click here
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - click here
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - click here
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - click here
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - click here
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - click here

  VoG II 23:48 11 May 2004

I think I've spotted it but help please.

  hugh-265156 23:55 11 May 2004

Don't shout at me, but you did disable System Restore before scanning, yeah?

  hugh-265156 23:57 11 May 2004

Have you tried click here? Maybe worth a shot.

  Dan the Confused 00:02 12 May 2004

Think the suspicious prog is back

  powerless 00:04 12 May 2004

C:\Documents and Settings\Aimee Jackson\Local Settings\Temp\Temporary Directory 1 for hjt.zip\HijackThis.exe

Run HJT from a folder of its own. So backups can be restored...

Unless my eyes are going, the log seems clean.

Trojans etc.

This thread is now locked and can not be replied to.
