pws.hooker.trojan

More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 

I was running Adaware with the latest updates, and got a Norton Antivirus
Pop up that it had found
C:\windows\system32\apihookdll.dll pws.hooker.trojan

I could not repair the file with NAV and could not close the popup unless I
used task manager.

I did a google and found out this is a keylogger.
Did a full scan with NAV it found the virus and could not repair it but
quarantined it.


The Symantec site had this info for removal:

Click Start, and then click Run. (The Run dialog box appears.)

1. Type regedit, then click OK. (The Registry Editor opens.)
2. Navigate to the key:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
3. In the right pane, delete the following value:
   "kernel32"="C:\%System%\kern32.exe"
4. Click Registry, and click Exit.

I could not find that file.



Ran a full trojan scan with The Cleaner and it did not find anything.

Am I now rid of the problem since it was quarantined by NAV, or do I need
to take some further steps?

Bob

This is the first virus or trojan I had found in about 3 years.
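
A read-only PowerShell check for the autorun value and the files named in the post above, added here as an example; it is not part of the original thread or of Symantec's instructions. It also lists the Run key and the per-user hives, which goes beyond the quoted steps, and it assumes that `%System%` in the quoted value stands for the Windows System folder.

```powershell
# Added example (not from the thread): read-only check for the autorun value
# and files named in the post. Nothing is modified or deleted.
$valueName  = 'kernel32'       # value name from the quoted removal steps
$targetLeaf = 'kern32.exe'     # file name from the quoted removal steps
$flaggedDll = 'C:\windows\system32\apihookdll.dll'   # path from the NAV alert

# HKLM RunOnce is the key the quoted steps name. Run and the per-user (HKCU)
# keys are included on the assumption that they are worth reviewing as well.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

$entries = foreach ($keyPath in $keys) {
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }
    $key = Get-Item -LiteralPath $keyPath
    foreach ($name in $key.GetValueNames()) {
        # Read the raw data so %variables% in the command line stay visible.
        $data = [string]$key.GetValue($name, '', $noExpand)
        [pscustomobject]@{
            Key     = $keyPath
            Name    = $name
            Data    = $data
            Flagged = ($name -eq $valueName) -or ($data -like "*$targetLeaf*")
        }
    }
}

# Show every autorun value, flagged ones first, so unknown entries get reviewed too.
$entries | Sort-Object -Property Flagged -Descending |
    Format-Table -AutoSize -Wrap | Out-String

# Check whether the files themselves are still on disk.
# Assumption: kern32.exe would sit in the Windows System folder.
$systemDir = [Environment]::GetFolderPath('System')
foreach ($path in @($flaggedDll, (Join-Path $systemDir $targetLeaf))) {
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path -Force
        '{0} present, {1} bytes, modified {2:yyyy-MM-dd HH:mm}' -f `
            $path, $file.Length, $file.LastWriteTime
    } else {
        "$path not found"
    }
}

if (-not ($entries | Where-Object Flagged)) {
    'No autorun value matching the names from the post.'
}
```

Windows removes RunOnce values when it processes them at logon, so an empty RunOnce key does not by itself show that the value was never written. A file that the antivirus has quarantined will also be reported as not found at its original path.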


More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 

here is trend micro's instruction on how to repair it with the additional
comment on how to avoid it in the future (update windows with the security
patch to close the door on what this thing tries to exploit)...
http://www.trendmicro.com/vinfo/vi [...] _BUGBEAR.A

"Leanin' Cedar" <Nospam@nospam.org> wrote in message
news:a1Iyd.11332$yK.8265@newsread3.news.atl.earthlink.net...
>I was running Adaware with the latest updates, and got a Norton Antivirus
>Pop up that it had found
> C:\windows\system32\apihookdll.dll pws.hooker.trojan
>
> I could not repair the file with NAV and could not close the popup unless
> I used task manager.
>
> I did a google and found out this is a keylogger.
> Did a full scan with NAV it found the virus and could not repair it but
> quarantined it.
>
>
> The symantec site had this info for removal
>
> Click Start, and then click Run. (The Run dialog box appears.)
> 1.. Type regedit
>
> Then click OK. (The Registry Editor opens.)
>
>
> 2.. Navigate to the key:
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
>
>
> 3.. In the right pane, delete the following value:
>
> "kernel32"="C:\%System%\kern32.exe"
>
>
> 4.. Click Registry, and click Exit.
> 5..
> I could not find that file.
>
>
>
> Ran a full trojan scan with The Cleaner and it did not find anything.
>
> Am I now rid of the problem since it was quarantined by NAV, or do I need
> to take some further steps?
>
> Bob
>
> This is the first virus or trojan I had found in about 3 years.
>

More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 

> I was running Adaware with the latest updates, and got a Norton Antivirus
> Pop up that it had found
> C:\windows\system32\apihookdll.dll pws.hooker.trojan

ftp://ftp.kaspersky.com/utils/

clrav.com

One shot program, has 4 possible outcomes - nothing found, found and
cleaned, found & cleaned but needs a reboot and re-run to complete, and
program error.

Covers all the major showstoppers from the last few years

--
Please add "[newsgroup]" in the subject of any personal replies via email
--- My new email address has "ngspamtrap" & @btinternet.com in it ;-) ---

More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 

Thanks for the link. I had all of the current MS patches for XPhome SP2.
Does this get on a PC by simply opening an email (not an attachment)? The
grandkids are coming tomorrow and they know not to open attachments when they
check their email. And I never open an attachment or a suspicious email.

Bob
"Christopher Muto" <muto@worldnet.att.net> wrote in message
news:wLUyd.19158$Ff3.12354@trndny04...
> here is trend micro's instruction on how to repair it with the additional
> comment on how to avoid it in the future (update windows with the security
> patch to close the door on what this thing tries to exploit)...
> http://www.trendmicro.com/vinfo/vi [...] _BUGBEAR.A
>
> "Leanin' Cedar" <Nospam@nospam.org> wrote in message
> news:a1Iyd.11332$yK.8265@newsread3.news.atl.earthlink.net...
>>I was running Adaware with the latest updates, and got a Norton Antivirus
>>Pop up that it had found
>> C:\windows\system32\apihookdll.dll pws.hooker.trojan
>>
>> I could not repair the file with NAV and could not close the popup unless
>> I used task manager.
>>
>> I did a google and found out this is a keylogger.
>> Did a full scan with NAV it found the virus and could not repair it but
>> quarantined it.
>>
>>
>> The symantec site had this info for removal
>>
>> Click Start, and then click Run. (The Run dialog box appears.)
>> 1.. Type regedit
>>
>> Then click OK. (The Registry Editor opens.)
>>
>>
>> 2.. Navigate to the key:
>>
>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
>>
>>
>> 3.. In the right pane, delete the following value:
>>
>> "kernel32"="C:\%System%\kern32.exe"
>>
>>
>> 4.. Click Registry, and click Exit.
>> 5..
>> I could not find that file.
>>
>>
>>
>> Ran a full trojan scan with The Cleaner and it did not find anything.
>>
>> Am I now rid of the problem since it was quarantined by NAV, or do I
>> need to take some further steps?
>>
>> Bob
>>
>> This is the first virus or trojan I had found in about 3 years.
>>
>
>

More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 

Thanks for the link.
Ran it and nothing found.

Bob
"Colin Wilson" <void@btinternet.com> wrote in message
news:MPG.1c36313c4995484a98abe2@news.individual.net...
>> I was running Adaware with the latest updates, and got a Norton Antivirus
>> Pop up that it had found
>> C:\windows\system32\apihookdll.dll pws.hooker.trojan
>
> ftp://ftp.kaspersky.com/utils/
>
> clrav.com
>
> One shot program, has 4 possible outcomes - nothing found, found and
> cleaned, found & cleaned but needs a reboot and re-run to complete, and
> program error.
>
> Covers all the major showstoppers from the last few years
>
> --
> Please add "[newsgroup]" in the subject of any personal replies via email
> --- My new email address has "ngspamtrap" & @btinternet.com in it ;-) ---

More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 

you would have had to run (click) on the attachment. you probably were not
infected. symantec/nav advertises when they find something and bothers/confuses
the user... all so that they can promote their name. the end result of
which was wasting your time with something that the program automatically
dealt with (stopping it before it became a problem). other vendors' software
(mcafee, ca, etc) do not do this unless it is something that requires user
intervention. just another reason to dislike symantec/nav.

"Leanin' Cedar" <Nospam@nospam.org> wrote in message
news:pOXyd.12156$Z47.8078@newsread2.news.atl.earthlink.net...
> Thanks for the link. I had all of the current MS patches for XPhome SP2.
> Does this get on a PC by simply opening an email (not an attachment)? The
> grandkids are coming tomorrow and they know not to open attachments when
> they check their email. And I never open an attachment or a suspicious
> email.
>
> Bob
> "Christopher Muto" <muto@worldnet.att.net> wrote in message
> news:wLUyd.19158$Ff3.12354@trndny04...
>> here is trend micro's instruction on how to repair it with the additional
>> comment on how to avoid it in the future (update windows with the
>> security patch to close the door on what this thing tries to exploit)...
>> http://www.trendmicro.com/vinfo/vi [...] _BUGBEAR.A
>>
>> "Leanin' Cedar" <Nospam@nospam.org> wrote in message
>> news:a1Iyd.11332$yK.8265@newsread3.news.atl.earthlink.net...
>>>I was running Adaware with the latest updates, and got a Norton Antivirus
>>>Pop up that it had found
>>> C:\windows\system32\apihookdll.dll pws.hooker.trojan
>>>
>>> I could not repair the file with NAV and could not close the popup
>>> unless I used task manager.
>>>
>>> I did a google and found out this is a keylogger.
>>> Did a full scan with NAV it found the virus and could not repair it but
>>> quarantined it.
>>>
>>>
>>> The symantec site had this info for removal
>>>
>>> Click Start, and then click Run. (The Run dialog box appears.)
>>> 1.. Type regedit
>>>
>>> Then click OK. (The Registry Editor opens.)
>>>
>>>
>>> 2.. Navigate to the key:
>>>
>>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
>>>
>>>
>>> 3.. In the right pane, delete the following value:
>>>
>>> "kernel32"="C:\%System%\kern32.exe"
>>>
>>>
>>> 4.. Click Registry, and click Exit.
>>> 5..
>>> I could not find that file.
>>>
>>>
>>>
>>> Ran a full trojan scan with The Cleaner and it did not find anything.
>>>
>>> Am I now rid of the problem since it was quarantined by NAV, or do I
>>> need to take some further steps?
>>>
>>> Bob
>>>
>>> This is the first virus or trojan I had found in about 3 years.
>>>
>>
>>
>
>

More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 

thanks:
I ran all of the mentioned scans and nothing was found. Like I said I never
open attachments. I think I am done with NAV.

Bob
"Christopher Muto" <muto@worldnet.att.net> wrote in message
news:nBZyd.9461$vF5.4068@trndny07...
> you would have had to run (click) on the attachment. you probably were
> not infected. symantec/nav advertises when they find something and
> bothers/confuses the user... all so that they can promote their name. the
> end result of which was wasting your time with something that the program
> automatically dealt with (stopping it before it became a problem). other
> vendors' software (mcafee, ca, etc) do not do this unless it is something
> that requires user intervention. just another reason to dislike
> symantec/nav.

More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 

> Thanks for the link.
> Ran it and nothing found.

I'd seriously consider NAV being wrong on this one then :-}

--
Please add "[newsgroup]" in the subject of any personal replies via email
--- My new email address has "ngspamtrap" & @btinternet.com in it ;-) ---

More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 


Christopher Muto wrote:
> you would have had to run (click) on the attachment. you probably were not
> infected. symantec/nav advertises when they find something and bothers/confuses
> the user... all so that they can promote their name. the end result of
> which was wasting your time with something that the program automatically
> dealt with (stopping it before it became a problem). other vendors' software
> (mcafee, ca, etc) do not do this unless it is something that requires user
> intervention. just another reason to dislike symantec/nav.

You know, if he went through the actual clean process and found the
entries it is a good bet that he had it. I've been using NAV for years
now and have never had a single problem with it telling me I had
something that I didn't have. As far as McAfee goes... Well, you can
use that if you want to of course, but I wouldn't recommend it as it's
bloated beyond belief and is made by a dishonest company who has no idea
what technical support means.

More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 


Leanin' Cedar wrote:
> thanks:
> I ran all of the mentioned scans and nothing was found. Like I said I never
> open attachments. I think I am done with NAV.

You don't always have to open attachments to get infected. There are
many other ways to be infected by a virus. Do you use a firewall? Does
anyone ever click on ads from web sites?

Hell, I was infected myself with various trojans and keyloggers because
NetBIOS was open and my ISP wasn't blocking. Someone else on my subnet
at the ISP was scanning/infecting systems.

If you really want security, use linux. Or better yet, get a mac.

More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 

I run a firewall; webroot spysweeper is always active: Spybot Search and
Destroy is always active: my email is checked with NAV: and I do not click
on any ads on websites: and the preview pane is off for my email. I check my
email with telnet on the server before I download anything. I have a feeling
it might have been a site the grandkids went to. Just in case I always run
all of the security software and do a Ghost Image before they get here. All
unneeded services are turned off also.

Bob

"Cyclops" <david.hagar@gmail.com> wrote in message
news:iTDzd.3391$2_4.2133@okepread06...
>
> Leanin' Cedar wrote:
>> thanks:
>> I ran all of the mentioned scans and nothing was found. Like I said I
>> never open attachments. I think I am done with NAV.
>
> You don't always have to open attachments to get infected. There are
> many other ways to be infected by a virus. Do you use a firewall? Does
> anyone ever click on ads from web sites?
>
> Hell, I was infected myself with various trojans and keyloggers because
> NetBIOS was open and my ISP wasn't blocking. Someone else on my subnet
> at the ISP was scanning/infecting systems.
>
> If you really want security, use linux. Or better yet, get a mac.

More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 

my experience with the software and support from symantec vs mcafee is the
complete opposite of yours.
trend micro is the current best of the lot in terms of effectiveness and
efficiency... symantec is at the bottom of my list in large part because of
their subscription renewal service which i consider to be horribly
misleading. they happily take people's money to renew their old software
subscriptions without adequately warning them that the subscription renewal
of old software leaves them wide open to the current big threats of trojans
and spyware... many people come to me to solve their trojan/spyware problems
telling me that they renewed their norton antivirus subscription and keep it
up to date and wonder why their computer is infected...

"Cyclops" <david.hagar@gmail.com> wrote in message
news:QQDzd.3390$2_4.446@okepread06...
>
> Christopher Muto wrote:
>> you would have had to run (click) on the attachment. you probably were
>> not infected. symantec/nav advertises when they find something and
>> bothers/confuses the user... all so that they can promote their name. the
>> end result of which was wasting your time with something that the program
>> automatically dealt with (stopping it before it became a problem). other
>> vendors' software (mcafee, ca, etc) do not do this unless it is something
>> that requires user intervention. just another reason to dislike
>> symantec/nav.
>
> You know, if he went through the actual clean process and found the
> entries it is a good bet that he had it. I've been using NAV for years
> now and have never had a single problem with it telling me I had
> something that I didn't have. As far as McAfee goes... Well, you can
> use that if you want to of course, but I wouldn't recommend it as it's
> bloated beyond belief and is made by a dishonest company who has no idea
> what technical support means.

More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 

Leanin Cedar,
I pretty much follow your procedure as well. But what is: " check my
email with telnet on the server"?
I use Outlook with the preview panes off, how would I employ telnet?
Paul

"Leanin' Cedar" <Nospam@nospam.org> wrote in message
news:UG1Ad.14253$Z47.3313@newsread2.news.atl.earthlink.net...
>I run a firewall; webroot spysweeper is always active: Spybot Search and
>Destroy is always active: my email is checked with NAV: and I do not click
>on any ads on websites: and the preview pane is off for my email. I check
>my email with telnet on the server before I download anything. I have a
>feeling it might have been a site the grandkids went to. Just in case I
>always run all of the security software and do a Ghost Image before they
>get here. All unneeded services are turned off also.
>
> Bob
>
> "Cyclops" <david.hagar@gmail.com> wrote in message
> news:iTDzd.3391$2_4.2133@okepread06...
>>
>> Leanin' Cedar wrote:
>>> thanks:
>>> I ran all of the mentioned scans and nothing was found. Like I said I
>>> never open attachments. I think I am done with NAV.
>>
>> You don't always have to open attachments to get infected. There are
>> many other ways to be infected by a virus. Do you use a firewall? Does
>> anyone ever click on ads from web sites?
>>
>> Hell, I was infected myself with various trojans and keyloggers because
>> NetBIOS was open and my ISP wasn't blocking. Someone else on my subnet
>> at the ISP was scanning/infecting systems.
>>
>> If you really want security, use linux. Or better yet, get a mac.
>
>

More Information

Archived from groups: alt.sys.pc-clone.dell (More info?)

 


Christopher Muto wrote:
> my experience with the software and support from symantec vs mcafee is the
> complete opposite of yours.
> trend micro is the current best of the lot in terms of effectiveness and
> efficiency... symantec is at the bottom of my list in large part because of
> their subscription renewal service which i consider to be horribly
> misleading. they happily take people's money to renew their old software
> subscriptions without adequately warning them that the subscription renewal
> of old software leaves them wide open to the current big threats of trojans
> and spyware... many people come to me to solve their trojan/spyware problems
> telling me that they renewed their norton antivirus subscription and keep it
> up to date and wonder why their computer is infected...

That is a real shame as I've never had the kinds of issues that you
state, though every couple of years I upgrade my software. I run pretty
much only two things that constantly run to keep my system clean...
Norton Personal Firewall