tedselke


system infected with W32.HLLW.Heffer worm

I have a dual-boot system with WinXP and Win 98 as my two operating systems. After noticing that my system was starting to freeze up and I was no longer able to burn CDs with Nero (the problem occurring in both operating systems), I scanned for viruses, etc. first with Norton, then with XSoftSpy, which revealed that my system had been infected with 3 things: Troj/AnaFTP-01, Marketscore(Netsetter), and W32.HLLW.Heffer. XSoftSpy seems to have deleted the first two, as I am unable to find any trace of them in my system (a subsequent scan with XSoftSpy no longer detected them as well). This scan did show that W32.HLLW.Heffer was still in my system (even though the software claimed to have deleted it). I'm wondering how I can cleanse my system of this worm, and would also like to know if this could be the reason that my CD burning software is no longer functioning properly.
sunray_2003

have you already checked this
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.heffer.html

In which OS does the scanner report the virus?

Do these

When you scan for viruses, do all of the below in both Normal mode and Safe mode.

a) Update your virus definitions in your Anti-virus and run it.

b) Download Stinger from here : http://vil.nai.com/vil/stinger/  and run it.

c) Use this Online virus scanner also : http://housecall.trendmicro.com/ 

Remove temporary internet files, folders and cookies
How to Delete the Contents of the Temporary Internet Files Folder
http://support.microsoft.com/default.aspx?scid=kb;en-us;260897

Also remove windows Temp files going to

1) Start --> run --> type in: %systemroot%/temp
2) Start --> run --> type in: %temp%

Disable system restore if you are working on XP side.

Start --> run --> Type in "msconfig" and press "Enter"
goto Startup tab
Disable all the applications there except Anti-virus. Reboot the machine and check if the error occurs.
If not, then enable one at a time in the same startup tab and find the application that might cause this
at startup


CD burning may not be anything to do with this but you never know.

First make sure there is no worm and then we can work on CD burning software.

Have you already tried to reinstall Nero and check if it would work ?

Log in to the Windows XP side, try to use the inbuilt CD writing software in XP and see if you can write CDs. That would prove that your CD writer is working fine.
tedselke

ASKER

Thanks for the suggestions. The scanner (xoftspy) found the virus in XP. I downloaded Stinger and Housecall, neither found any trace of the worm or other virus. I removed all temp files. I did re-install Nero previously, but haven't done it again since xoftspy found (and supposedly deleted) the worm again. I want to try to burn a CD using XP's inbuilt software, but I can't figure out how.
SheharyaarSaahil
Hello tedselke =)

If the cd burning problem is with both the systems, then it's hard to say that it's because of the virus, I think the reason is either the Nero itself, or the cd drive :-?
To verify it, plzz install another burning software like Roxio and then try with that to check if it's still freezing the system :-?
And to use XP Built-in cd burning, plzz read here,

How do I use Windows XP's CD burning feature?
http://www.winnetmag.com/Article/ArticleID/20680/20680.html
Is this what you have as a scanner: http://www.paretologic.com/

Are you sure it checks for viruses, or only spyware-related ones?

Also scan for spyware and check if you come up clean

***

PLEASE GET THE SPYWARE REMOVAL TOOLS FROM THE BELOW WEBSITE. THAT PAQ IS CREATED SO THAT ALL THE TOOLS ARE NOT GUMMED UP IN THIS THREAD.

Some of the experts here have helped in compiling all the important spyware tools and they are listed in this thread
https://www.experts-exchange.com/questions/20975384/Standard-response-material-re-Spyware-Adware-BHOs-and-other-Malware.html

My recommendation would be to start with Spybot, Ad-aware, CWShredder. After installing them, first update them and then run them.

After running all the above tools and the others given in that thread, download and run HijackThis.
Download HijackThis from here: http://www.softpedia.com/public/cat/10/17/10-17-69.shtml
Get the log from HijackThis, save it, and paste it here to analyze it:
http://hijackthis.de/index.php?langselect=english
The analyser site is used so that you do not gum up the thread with the entire log.

Check this tutorial as well: http://aumha.org/a/hjttutor.php

Remove the bad ones that the site reports. If it says unknown process, then use a search engine to check if those are bad ones. If bad, remove them; if you still cannot find them, then post those files alone here.
*****

SR
Sunray_2003;

Thanks a lot for the help. I can now burn CDs in XP, hopefully I can rid 98 of the last traces and be able to burn there. Before closing out the question and awarding you all of the points (which I intend to do), I wanted to post the results of hijack this and see if there are any entries you think I should delete. I'll award you the points as soon as you let me know. Thanks again!



Logfile of HijackThis v1.98.2
Scan saved at 1:22:04 PM, on 11/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\SYSTEM32\GEARSEC.EXE
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\wdfmgr.exe
E:\WINDOWS\System32\WFXSVC.EXE
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\PROGRA~1\WinFax\WFXMOD32.EXE
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
E:\Program Files\ATI Multimedia\main\launchpd.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\MSI\Core Center\CoreCenter.exe
E:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Psych\Runner.EXE
E:\PROGRA~1\Canon\SCANGE~1\SGTBox.exe
E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarExe00.m00\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (E:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\hqcqhxu5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (E:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\hqcqhxu5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ATI Launchpad] "E:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Runner.LNK = E:\Program Files\Psych\Runner.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CoreCenter.lnk = E:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Corel Registration.lnk = E:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - E:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B3804F2-E3E8-4572-B01D-F1B3B4ADF936}: NameServer = 205.171.3.65 205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B3804F2-E3E8-4572-B01D-F1B3B4ADF936}: NameServer = 205.171.3.65 205.171.2.65

Here is the hijack this log for 98:

Logfile of HijackThis v1.98.2
Scan saved at 1:45:33 PM, on 11/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ECHOCON.EXE
C:\WINDOWS\SYSTEM\ECHOCON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Echo Jump Start] EchoStrt.Exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
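As an added illustration of the log-review step sunray_2003 describes (run HijackThis, then look up anything unknown before deleting it), here is a small Python triage script for the HijackThis log format posted above. It is not code from this thread, from HijackThis or from the analyser site; the sample log is a trimmed copy of the XP log posted above, and the section codes it keys on (O2/O3, O4, O16, O17), the "Temp" path heuristic and the finding labels are my own choices. It only produces review prompts, never verdicts: in this very log the process running from Temp is HijackThis itself and the unnamed BHO is Spybot's SDHelper.dll, both expected, and the O17 NameServer entries are listed so the owner can confirm they are the ISP's DNS servers.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the Windows XP HijackThis v1.98.2 log
# posted in the thread, kept as a raw string so the backslashes survive.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 1:22:04 PM, on 11/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarExe00.m00\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B3804F2-E3E8-4572-B01D-F1B3B4ADF936}: NameServer = 205.171.3.65 205.171.2.65
"""

# A coded entry looks like "O4 - HKLM\..\Run: [...] path"; the letter/number
# prefix is the HijackThis section code (assumption: N, O, R and F sections).
ENTRY_RE = re.compile(r"^(?P<code>[NORF]\d+)\s+-\s+(?P<body>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)   # a "...\Temp\..." path component
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_log(text):
    """Split a HijackThis log into its process list and its coded entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # a blank line closes the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group("code"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def summarize(entries):
    """Count entries per section code, e.g. {'O2': 2, 'O4': 2, ...}."""
    return dict(Counter(code for code, _ in entries))


def triage(processes, entries):
    """Return (label, detail) pairs worth looking up, in log order.

    These are review prompts, not verdicts: in the sample the process in Temp
    is HijackThis itself and the unnamed BHO is Spybot's SDHelper.dll.
    """
    findings = []
    for proc in processes:
        if TEMP_RE.search(proc):
            findings.append(("process-from-temp", proc))
    for code, body in entries:
        if code in ("O2", "O3") and "(no name)" in body:
            findings.append(("unnamed-bho-or-toolbar", body))
        elif code == "O4" and TEMP_RE.search(body):
            findings.append(("autostart-from-temp", body))
        elif code == "O16":
            findings.append(("activex-download", body))
        elif code == "O17":
            # Collect the configured DNS servers so they can be checked against the ISP's.
            findings.append(("dns-servers", " ".join(IPV4_RE.findall(body))))
    return findings


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print(f"{len(procs)} processes, entries by section: {summarize(ents)}")
    for label, detail in triage(procs, ents):
        print(f"[{label}] {detail}")
```

To use it on a real log, replace SAMPLE_LOG with the saved log text; the output is a short list of items to research, which is exactly what keeps the full log out of the thread.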

ASKER CERTIFIED SOLUTION
sunray_2003