system infected with W32.HLLW.Heffer worm

I have a dual-boot system with WinXP and Win 98 as my two operating systems. After noticing that my system was starting to freeze up and I was no longer able to burn CDs with Nero (the problem occurring in both operating systems), I scanned for viruses, etc. first with Norton, then with XSoftSpy, which revealed that my system had been infected with 3 things: Troj/AnaFTP-01, Marketscore(Netsetter), and W32.HLLW.Heffer. XSoftSpy seems to have deleted the first two, as I am unable to find any trace of them in my system (a subsequent scan with XSoftSpy no longer detected them as well). This scan did show that W32.HLLW.Heffer was still in my system (even though the software claimed to have deleted it). I'm wondering how I can cleanse my system of this worm, and would also like to know if this could be the reason that my CD burning software is no longer functioning properly.
tedselke Asked:
sunray_2003 Commented:
Have you already checked this?
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.heffer.html

In which OS does the scanner report the virus?

Do these:

When you scan for viruses, do all of the below in both Normal mode and Safe mode.

a) Update your virus definitions in your Anti-virus and run it.

b) Download Stinger from here: http://vil.nai.com/vil/stinger/ and run it.

c) Use this online virus scanner also: http://housecall.trendmicro.com/

Remove temporary internet files, folders and cookies
How to Delete the Contents of the Temporary Internet Files Folder
http://support.microsoft.com/default.aspx?scid=kb;en-us;260897

Also remove Windows Temp files by going to:

1) Start --> Run --> type in: %systemroot%/temp
2) Start --> Run --> type in: %temp%

Disable System Restore if you are working on the XP side.

Start --> Run --> type in "msconfig" and press "Enter".
Go to the Startup tab.
Disable all the applications there except Anti-virus. Reboot the machine and check if the error occurs.
If not, then enable one at a time in the same Startup tab and find the application that might cause this at startup.
sunray_2003 Commented:
CD burning may not have anything to do with this, but you never know.

First make sure there is no worm and then we can work on the CD burning software.

Have you already tried reinstalling Nero and checking if it works?

Log in to the Windows XP side and try to use the inbuilt CD writing software in XP to see if you can write CDs. That would prove that your CD writer is working fine.
tedselke Author Commented:
Thanks for the suggestions. The scanner (xoftspy) found the virus in XP. I downloaded Stinger and Housecall; neither found any trace of the worm or other virus. I removed all temp files. I did re-install Nero previously, but haven't done it again since xoftspy found (and supposedly deleted) the worm again. I want to try to burn a CD using XP's inbuilt software, but I can't figure out how.
SheharyaarSaahil Commented:
Hello tedselke =)

If the CD burning problem is with both the systems, then it's hard to say that it's because of the virus; I think the reason is either Nero itself, or the CD drive :-?
To verify it, please install another burning software like Roxio and then try with that to check if it still freezes the system :-?
And to use XP's built-in CD burning, please read here:

How do I use Windows XP's CD burning feature?
http://www.winnetmag.com/Article/ArticleID/20680/20680.html
sunray_2003 Commented:
Is this what you have as your scanner: http://www.paretologic.com/ ?

Are you sure it checks for viruses, or only spyware?

Also scan for spyware and check if you come up clean.

***

PLEASE GET THE SPYWARE REMOVAL TOOLS FROM THE BELOW WEBSITE. THAT PAQ IS CREATED SO THAT ALL THE TOOLS ARE NOT GUMMED UP IN THIS THREAD.

Some of the experts here have helped in compiling all the important spyware tools and they are listed in this thread
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html

My recommendation would be to start with Spybot, Ad-Aware and CWShredder. After installing them, first update them and then run them.

Once you have run all the above tools and the others given in that thread, download and run HijackThis.
Download HijackThis from here: http://www.softpedia.com/public/cat/10/17/10-17-69.shtml
Get the log from HijackThis, save the log and paste it here to analyze it:
http://hijackthis.de/index.php?langselect=english
The analyser site is used so that you do not gum up the thread with the entire log.

Check this tutorial as well: http://aumha.org/a/hjttutor.php

Remove the bad ones that the site reports. If it says unknown process, then use a search engine to check if those are bad ones. If bad, remove them; if you still cannot find out, then post those files alone here.
*****

SR
tedselke Author Commented:
Sunray_2003;

Thanks a lot for the help. I can now burn CDs in XP, hopefully I can rid 98 of the last traces and be able to burn there. Before closing out the question and awarding you all of the points (which I intend to do), I wanted to post the results of hijack this and see if there are any entries you think I should delete. I'll award you the points as soon as you let me know. Thanks again!



Logfile of HijackThis v1.98.2
Scan saved at 1:22:04 PM, on 11/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\SYSTEM32\GEARSEC.EXE
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\wdfmgr.exe
E:\WINDOWS\System32\WFXSVC.EXE
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\PROGRA~1\WinFax\WFXMOD32.EXE
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
E:\Program Files\ATI Multimedia\main\launchpd.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\MSI\Core Center\CoreCenter.exe
E:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Psych\Runner.EXE
E:\PROGRA~1\Canon\SCANGE~1\SGTBox.exe
E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarExe00.m00\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (E:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\hqcqhxu5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (E:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\hqcqhxu5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ATI Launchpad] "E:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Runner.LNK = E:\Program Files\Psych\Runner.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CoreCenter.lnk = E:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Corel Registration.lnk = E:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - E:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B3804F2-E3E8-4572-B01D-F1B3B4ADF936}: NameServer = 205.171.3.65 205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B3804F2-E3E8-4572-B01D-F1B3B4ADF936}: NameServer = 205.171.3.65 205.171.2.65

tedselke Author Commented:
Here is the hijack this log for 98:

Logfile of HijackThis v1.98.2
Scan saved at 1:45:33 PM, on 11/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ECHOCON.EXE
C:\WINDOWS\SYSTEM\ECHOCON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Echo Jump Start] EchoStrt.Exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

sunray_2003 Commented:
Have you already checked the HijackThis analyzer website and the tutorial? That should tell you the bad ones in your log.
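An offline first pass over the two logs above, added here as an example that is not from the thread, from HijackThis or from the analyzer site. It does mechanically what sunray_2003's msconfig startup-isolation steps and the "let the analyzer tell you the bad ones" advice do by hand: group every O4 autostart entry by where its executable lives, and pull out the items worth checking regardless of name (an unnamed BHO in O2, downloaded ActiveX controls in O16, the DNS servers in O17). The sample lines are copied from the posted XP and 98 logs, except the `update.exe` entry under Temp, which is constructed so the temp-location bucket is exercised. The bucket names and the directory lists are this example's own choices, not anything HijackThis defines.

```python
"""Offline triage of HijackThis 1.98 O-lines.

Groups every O4 autostart entry by where its executable lives and
collects the items worth checking regardless of their name: unnamed
BHOs (O2), downloaded ActiveX controls (O16) and DNS servers (O17).
"""
import re
from collections import defaultdict

# Directories where autostart entries normally live. Anything under Temp
# (or a user's Local Settings) is bucketed first, before these are checked.
STANDARD_DIRS = ("\\program files\\", "\\progra~1\\", "\\windows\\", "\\winnt\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\locals~1\\", "\\local settings\\")

# First program path in an O4 command, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|com|scr|pif|bat|dll|ocx))"?', re.I)

SAMPLE_LOG = [
    # Lines copied from the two logs posted in the thread:
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe",
    r'O4 - HKCU\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0',
    r"O4 - Startup: Runner.LNK = E:\Program Files\Psych\Runner.EXE",
    r"O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{0B3804F2-E3E8-4572-B01D-F1B3B4ADF936}: NameServer = 205.171.3.65 205.171.2.65",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{0B3804F2-E3E8-4572-B01D-F1B3B4ADF936}: NameServer = 205.171.3.65 205.171.2.65",
    # Constructed entry (not from the thread) so the temp-location bucket is exercised:
    r"O4 - HKLM\..\Run: [Update] E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\update.exe",
]


def executable_of(command):
    """Program path from an O4 command string, or '' if none is found."""
    m = EXE_RE.match(command.strip())
    return m.group("exe") if m else ""


def classify_path(path):
    """Bucket an autostart executable by location."""
    p = path.lower()
    if not p:
        return "unparsed"
    if "\\" not in p and ":" not in p:
        return "bare-name"             # found via the search path: check which copy loads
    if any(t in p for t in TEMP_MARKERS):
        return "temp-location"         # legitimate software rarely autostarts from Temp
    if any(d in p for d in STANDARD_DIRS):
        return "standard-location"
    return "nonstandard-location"     # not wrong as such, but look at it


def parse_o4(body):
    """Split an O4 body into (location, entry name, command)."""
    location, _, rest = body.partition(": ")
    m = re.match(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", rest)
    if m:                                 # registry Run/RunServices style
        return location, m.group("name"), m.group("cmd")
    name, _, cmd = rest.partition(" = ")  # Startup-folder style
    return location, name, cmd


def triage(lines):
    """Return {bucket: [entries]} for the O-lines of a HijackThis log."""
    findings = defaultdict(list)
    for line in lines:
        m = re.match(r"^(O\d+) - (.*)$", line.strip())
        if not m:
            continue                      # header, process list, blank line
        kind, body = m.groups()
        if kind == "O4":
            location, name, cmd = parse_o4(body)
            exe = executable_of(cmd)
            findings[classify_path(exe)].append((location, name, exe))
        elif kind == "O2" and body.startswith("BHO: (no name)"):
            findings["unnamed-bho"].append(body.rsplit(" - ", 1)[-1])
        elif kind == "O16":
            findings["activex-download"].append(body.rsplit(" - ", 1)[-1])
        elif kind == "O17":
            for ip in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", body):
                if ip not in findings["dns-server"]:   # CCS and CS1 repeat the same servers
                    findings["dns-server"].append(ip)
    return dict(findings)


if __name__ == "__main__":
    for bucket, entries in sorted(triage(SAMPLE_LOG).items()):
        print(bucket)
        for entry in entries:
            print("   ", entry)
```

Two of the buckets matter even when every name looks familiar. `[SystemTray] SysTray.Exe` in the 98 log names no directory, so Windows locates it through the search path; confirm that the copy which actually loads is the one in C:\WINDOWS\SYSTEM and not a same-named file placed earlier in the path. For the O17 entries, compare the two addresses with the DNS servers your ISP gave you; a changed NameServer is how a DNS-changer redirects every lookup the machine makes, and it survives reinstalling any single program.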