W32.HLLW.Gaobot.gen


  • This topic is locked
12 replies to this topic

#1 Ansh

Ansh

    Member

  • Full Member
  • 45 posts

Posted 24 July 2004 - 11:08 AM

My Norton Antivirus 2004 reported the presence of a W32.HLLW.Gaobot.gen in C:\WINDOWS\system32\winhlpp32.exe. It cannot be removed even using the Symantec Fix tool for it. Please advise me what to do. My system is at high risk!!
The HijackThis log is:
Logfile of HijackThis v1.97.7
Scan saved at 3:44:53 PM, on 7/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
F:\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mdm.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.121
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:3128
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn....v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8165.8778009259
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C402D619-52C3-4257-967D-28E296AAB0AE} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3in.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 Ansh

Ansh

    Member

  • Full Member
  • 45 posts

Posted 24 July 2004 - 02:01 PM

Please help me out

#3 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 24 July 2004 - 02:12 PM

The file does not appear in your log. Have you tried to delete it?
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#4 KinG

KinG

    Hmm...It's always raining...

  • Full Member
  • 85 posts

Posted 24 July 2004 - 02:21 PM

Are you sure Norton's tool did not work? Usually Norton/Symantec have decent removal tools. Try scanning with Norton after you have used the tool. People in the same boat link. Also try to download another anti-virus program like Avast! or AVG, but if you do not want to keep it on your computer, make sure you uninstall it completely, including registry keys, etc. Try Total Uninstall for that and keep it on when installing and uninstalling.

#5 Ansh

Ansh

    Member

  • Full Member
  • 45 posts

Posted 24 July 2004 - 04:04 PM

Hi King, I used the Norton tool; the first time it said that removal was successful, however, when I ran the full system scan again, the antivirus reported the same virus again. Running the same tool again showed that no Gaobot virus was found, but Auto-Protect still gives the warning that the files are infected with the above virus, and delete failed and access denied. I really have no clue.
I attempted manual removal too as given on the Symantec web site. However, I didn't find any file as mentioned above as virus.
I had disabled System Restore so that the virus may not come up again. But it also failed. The MS Windows patch as recommended by Symantec also failed to download.
PLEASE HELP ME

#6 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 24 July 2004 - 04:30 PM

Where is the file that is being reported as infected now? It is certainly not running or it would show in your log.

I suspect that you have an infected system restore archive.
Try this: Right-click on the My Computer icon, and select Properties. Then select the System Restore tab. Put a check mark in the box "Turn off System Restore", and click OK.

Reboot.
That will delete all the old System Restore points and associated files.

Repeat the above process, only this time remove the check mark.

Then set a new System Restore point by going to Start > Help & Support > Undo changes using System Restore. Choose the option to set a restore point, and follow the prompts.

#7 Ansh

Ansh

    Member

  • Full Member
  • 45 posts

Posted 24 July 2004 - 04:51 PM

Hi Dave,
I had fixed the virus with Symantec's fix tool only after turning off System Restore. I don't know if it will help now, however, I am trying to do it. I am adding the NAV log for you to see that the virus still persists.
Category: Threat alerts
Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
7/24/2004 9:23:18 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/24/2004 9:23:18 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/24/2004 9:18:23 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/24/2004 9:18:23 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/24/2004 8:51:46 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/24/2004 8:51:46 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/24/2004 8:50:53 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/24/2004 8:50:53 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/24/2004 8:49:49 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/24/2004 8:49:49 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/24/2004 8:36:42 PM,Virus scanner,Download.Adware,Delete failed,File,N/A,N/A,200407220006,10.0.1.13,pau,PAU-1R4CD7CVRLW,",Threat category: AdwareSource: crack.exe,Description: The compressed file crack.exe within F:\Acrobat_PDF_Writer_v3.0.zip is a Adware threat."
7/23/2004 11:56:04 PM,Virus scanner,W32.HLLW.Gaobot.gen,Quarantined,File,N/A,N/A,200407220006,10.0.1.13,pau,PAU-1R4CD7CVRLW,",Threat category: VirusSource: C:\WINDOWS\system32\winhlpp32.exe,Description: The file C:\WINDOWS\system32\winhlpp32.exe is infected with the W32.HLLW.Gaobot.gen virus."
7/23/2004 5:31:44 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/23/2004 5:31:44 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/23/2004 5:31:44 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/23/2004 5:31:44 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/23/2004 3:38:58 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/23/2004 3:38:58 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/23/2004 3:29:00 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/23/2004 3:29:00 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/23/2004 9:55:47 AM,Virus scanner,W32.HLLW.Gaobot.gen,Quarantined,File,N/A,N/A,200407190048,10.0.1.13,pau,PAU-1R4CD7CVRLW,",Threat category: VirusSource: C:\WINDOWS\system32\smls.exe,Description: The file C:\WINDOWS\system32\smls.exe is infected with the W32.HLLW.Gaobot.gen virus."
7/23/2004 9:07:20 AM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/23/2004 9:07:20 AM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/22/2004 10:29:36 AM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/22/2004 10:29:36 AM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/22/2004 10:23:27 AM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/22/2004 10:23:27 AM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/22/2004 10:23:27 AM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/22/2004 10:23:27 AM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/21/2004 9:58:31 AM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/21/2004 9:58:31 AM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/21/2004 9:58:25 AM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/21/2004 9:58:25 AM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407190048,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/15/2004 4:30:24 PM,Auto-Protect,W32.HLLW.Pesin,Automatically deleted,File,N/A,N/A,200407070008,10.0.1.13,pau,PAU-1R4CD7CVRLW,Source: A:\Activities04.exe

Edited by Ansh, 24 July 2004 - 04:58 PM.
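As an added example (not code from the thread), a small Python script that does the cross-check dave38 makes by eye: it parses the NAV threat-alert export above, counts failed actions per reported file, and flags whether that file appears in the HijackThis "Running processes" list. The sample rows are copied from the logs in this thread; a file that Auto-Protect keeps failing on but that never shows up among running processes is worth examining on disk rather than in memory.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample: header plus six rows copied from the NAV export in this thread.
NAV_LOG = r"""Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
7/24/2004 9:23:18 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/24/2004 9:23:18 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/24/2004 9:18:23 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Access denied,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/24/2004 9:18:23 PM,Auto-Protect,W32.HLLW.Gaobot.gen,Repair failed,File,N/A,N/A,200407220006,10.0.1.13,SYSTEM,PAU-1R4CD7CVRLW,Source: C:\WINDOWS\system32\winhlpp32.exe
7/23/2004 11:56:04 PM,Virus scanner,W32.HLLW.Gaobot.gen,Quarantined,File,N/A,N/A,200407220006,10.0.1.13,pau,PAU-1R4CD7CVRLW,",Threat category: VirusSource: C:\WINDOWS\system32\winhlpp32.exe,Description: The file C:\WINDOWS\system32\winhlpp32.exe is infected with the W32.HLLW.Gaobot.gen virus."
7/23/2004 9:55:47 AM,Virus scanner,W32.HLLW.Gaobot.gen,Quarantined,File,N/A,N/A,200407190048,10.0.1.13,pau,PAU-1R4CD7CVRLW,",Threat category: VirusSource: C:\WINDOWS\system32\smls.exe,Description: The file C:\WINDOWS\system32\smls.exe is infected with the W32.HLLW.Gaobot.gen virus."
"""

# Constructed sample: a few entries from the HijackThis "Running processes" section.
HJT_PROCESSES = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
F:\HijackThis.exe
"""

# The Details column carries "Source: <drive>:\path"; in quarantine rows it is glued
# to the category ("VirusSource: ...") and followed by a comma, so stop at the comma.
SOURCE_RE = re.compile(r'Source:\s*([A-Za-z]:\\[^,"]+)')
FAILED_ACTIONS = ("Repair failed", "Access denied", "Delete failed")


def parse_nav_log(text):
    """Return {threat: {lowercased path: Counter(action taken)}} from a NAV CSV export."""
    events = defaultdict(lambda: defaultdict(Counter))
    for row in csv.DictReader(io.StringIO(text)):
        match = SOURCE_RE.search(row["Details"])
        if match:  # rows without a full path (e.g. files inside archives) are skipped
            events[row["Threat Name"]][match.group(1).strip().lower()][row["Action Taken"]] += 1
    return events


def running_processes(hjt_text):
    """Set of lowercased image paths listed by HijackThis."""
    return {line.strip().lower() for line in hjt_text.splitlines() if line.strip()}


def triage(nav_text, hjt_text):
    """One record per reported file, worst offenders (most failed actions) first."""
    procs = running_processes(hjt_text)
    report = []
    for threat, paths in parse_nav_log(nav_text).items():
        for path, actions in paths.items():
            report.append({"threat": threat, "path": path,
                           "events": sum(actions.values()),
                           "failed": sum(actions[a] for a in FAILED_ACTIONS),
                           "running": path in procs})
    return sorted(report, key=lambda r: -r["failed"])
```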


#8 Ansh

Ansh

    Member

  • Full Member
  • 45 posts

Posted 24 July 2004 - 04:54 PM

Hi Dave
I had done earlier as suggested by you to disable System Restore before running the Symantec tool. But it had not worked that time and the virus reappeared in the NAV Threat Alert. I am not sure whether it will work this time.
NAV is showing the virus location as the same as I previously told you:
C:\WINDOWS\system32\winhlpp32.exe.
I need your help.

#9 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 24 July 2004 - 05:32 PM

Well, all I can suggest is that you find and delete that file. It is not running, so it will not be "locked".

Try this:

Go to Start > Run, and type "cmd" (without the quotes) in the box, then click OK.
In the DOS box, type the following commands, hitting Enter after each line.

cd\
cd windows\system32
del winhlpp32.exe
exit


#10 Ansh

Ansh

    Member

  • Full Member
  • 45 posts

Posted 24 July 2004 - 05:44 PM

Hmmm...........it says no such file found. I wish to add that for the last 4 hours I have not got any threat warning from my Auto-Protect since I configured the firewall and turned it on.
WHAT COULD BE THE REASON FOR THIS??

#11 Ansh

Ansh

    Member

  • Full Member
  • 45 posts

Posted 24 July 2004 - 05:48 PM

I am going to run a full system scan and will show you the report if the virus still remains.

#12 Ansh

Ansh

    Member

  • Full Member
  • 45 posts

Posted 24 July 2004 - 06:10 PM

Yep..............NAV reported no virus. I suppose the virus is on the LAN and is infecting the systems. Am I safe as long as I am behind the firewall??
Anyway, thanks Dave for your kind help!!!!!!!!!!

#13 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 25 July 2004 - 03:54 AM

It's possible that there is a virus on the network. The best move would be to check every other computer, but I know that may not be possible.
As long as your A/V is running and updated, you should be OK behind a firewall.

Glad to help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.