Solved

system infected with W32.HLLW.Heffer worm

Posted on 2004-11-15
Last Modified: 2009-07-29
I have a dual-boot system with WinXP and Win 98 as my two operating systems. After noticing that my system was starting to freeze up and I was no longer able to burn CDs with Nero (the problem occurring in both operating systems), I scanned for viruses, etc. first with Norton, then with XSoftSpy, which revealed that my system had been infected with 3 things: Troj/AnaFTP-01, Marketscore(Netsetter), and W32.HLLW.Heffer. XSoftSpy seems to have deleted the first two, as I am unable to find any trace of them in my system (a subsequent scan with XSoftSpy no longer detected them as well). This scan did show that W32.HLLW.Heffer was still in my system (even though the software claimed to have deleted it). I'm wondering how I can cleanse my system of this worm, and would also like to know if this could be the reason that my CD burning software is no longer functioning properly.
Question by:tedselke
8 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12586239
Have you already checked this:
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.heffer.html

In which OS does the scanner report the virus?

Do these

When you scan for viruses, do all of the below in both Normal mode and Safe mode.

a) Update your virus definitions in your Anti-virus and run it.

b) Download Stinger from here : http://vil.nai.com/vil/stinger/  and run it.

c) Use this Online virus scanner also : http://housecall.trendmicro.com/ 

Remove temporary internet files, folders and cookies
How to Delete the Contents of the Temporary Internet Files Folder
http://support.microsoft.com/default.aspx?scid=kb;en-us;260897

Also remove windows Temp files going to

1) Start --> Run --> type in: %systemroot%/temp
2) Start --> Run --> type in: %temp%

Disable system restore if you are working on XP side.

Start --> Run --> type in "msconfig" and press "Enter"
Go to the Startup tab
Disable all the applications there except the anti-virus. Reboot the machine and check if the error occurs.
If not, then enable one at a time in the same Startup tab and find the application that might cause this at startup.


0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12586264
CD burning may not have anything to do with this, but you never know.

First make sure there is no worm and then we can work on CD burning software.

Have you already tried reinstalling Nero and checking if it would work?

Log in to the Windows XP side, try to use the inbuilt CD writing software in XP and see if you can write CDs. That would prove that your CD writer is working fine.
0
 

Author Comment

by:tedselke
ID: 12588814
Thanks for the suggestions. The scanner (xoftspy) found the virus in XP. I downloaded Stinger and Housecall; neither found any trace of the worm or other virus. I removed all temp files. I did re-install Nero previously, but haven't done it again since xoftspy found (and supposedly deleted) the worm again. I want to try to burn a CD using XP's inbuilt software, but I can't figure out how.
0

 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12591410
Hello tedselke =)

If the CD burning problem is with both the systems, then it's hard to say that it's because of the virus; I think the reason is either Nero itself, or the CD drive :-?
To verify it, plzz install another burning software like Roxio and then try with that to check if it is still freezing the system :-?
And to use XP's built-in CD burning, plzz read here,

How do I use Windows XP's CD burning feature?
http://www.winnetmag.com/Article/ArticleID/20680/20680.html
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12603362
Is this what you have as a scanner: http://www.paretologic.com/

Are you sure it checks for viruses or only spyware-related items?

Also scan for spyware and check if you come up clean.

***

PLEASE GET THE SPYWARE REMOVAL TOOLS FROM THE BELOW WEBSITE. THAT PAQ IS CREATED SO THAT ALL THE TOOLS ARE NOT GUMMED UP IN THIS THREAD.

Some of the experts here have helped in compiling all the important spyware tools and they are listed in this thread
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html

My recommendation would be to start with Spybot, Ad-Aware, CWShredder. After installing them, first update them and then run them.

Once you have run all the above tools and the others given in that thread, download and run HijackThis.
Download HijackThis from here: http://www.softpedia.com/public/cat/10/17/10-17-69.shtml.
Get the log from HijackThis, save the log and paste it here
http://hijackthis.de/index.php?langselect=english to analyze it.
The analyser site is used so that you do not gum up the thread with the entire log.

Check this tutorial as well: http://aumha.org/a/hjttutor.php

Remove the bad ones that the site reports. If it says unknown process, then use a search engine to check if those are bad ones. If bad, remove them; if you still cannot find out, then post those files alone here.
*****

SR
0
 

Author Comment

by:tedselke
ID: 12617313
Sunray_2003;

Thanks a lot for the help. I can now burn CDs in XP; hopefully I can rid 98 of the last traces and be able to burn there. Before closing out the question and awarding you all of the points (which I intend to do), I wanted to post the results of HijackThis and see if there are any entries you think I should delete. I'll award you the points as soon as you let me know. Thanks again!



Logfile of HijackThis v1.98.2
Scan saved at 1:22:04 PM, on 11/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\SYSTEM32\GEARSEC.EXE
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\wdfmgr.exe
E:\WINDOWS\System32\WFXSVC.EXE
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\PROGRA~1\WinFax\WFXMOD32.EXE
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
E:\Program Files\ATI Multimedia\main\launchpd.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\MSI\Core Center\CoreCenter.exe
E:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Psych\Runner.EXE
E:\PROGRA~1\Canon\SCANGE~1\SGTBox.exe
E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarExe00.m00\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (E:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\hqcqhxu5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (E:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\hqcqhxu5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] E:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ATI Launchpad] "E:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Runner.LNK = E:\Program Files\Psych\Runner.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CoreCenter.lnk = E:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Corel Registration.lnk = E:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - E:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B3804F2-E3E8-4572-B01D-F1B3B4ADF936}: NameServer = 205.171.3.65 205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B3804F2-E3E8-4572-B01D-F1B3B4ADF936}: NameServer = 205.171.3.65 205.171.2.65

0
 

Author Comment

by:tedselke
ID: 12617583
Here is the HijackThis log for 98:

Logfile of HijackThis v1.98.2
Scan saved at 1:45:33 PM, on 11/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ECHOCON.EXE
C:\WINDOWS\SYSTEM\ECHOCON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Echo Jump Start] EchoStrt.Exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

0
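The two HijackThis logs posted above are plain text in a fixed "Oxx - ..." line format, and the expert's advice is to review each O-line rather than paste the whole log. As an added example (not from this thread or the HijackThis project), here is a small Python triage script that parses that format and applies two checks a reviewer would otherwise do by hand: O4 autostart entries whose image is a bare file name rather than an absolute path, and O17 NameServer entries that differ from the resolvers the owner expects. The sample log lines and the expected_dns set are constructed for the example.

```python
import re

# Constructed excerpt in the HijackThis v1.98.2 line format seen in this thread
# (a handful of representative lines, not either poster's full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
E:\WINDOWS\system32\svchost.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Global Startup: CoreCenter.lnk = E:\Program Files\MSI\Core Center\CoreCenter.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B3804F2-E3E8-4572-B01D-F1B3B4ADF936}: NameServer = 205.171.3.65 205.171.2.65
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")              # "O4 - body"
RUN_RE = re.compile(r"^(?P<loc>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?P<loc>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Either a quoted image path, or everything up to the first executable extension.
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|ocx|scr|com))', re.IGNORECASE)

def parse_entries(text):
    """Return [(section, body)] for every 'Oxx - ...' style line in the log."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def image_path(cmd):
    """Executable part of an O4 command line, with arguments stripped."""
    m = IMAGE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()

def triage(text, expected_dns):
    """Flag O4 images without an absolute path (Windows locates them via the search
    path, so the reviewer must find which file actually runs) and O17 resolvers
    that are not in the owner's expected set (a classic hijack indicator)."""
    findings = []
    for section, body in parse_entries(text):
        if section == "O4":
            m = RUN_RE.match(body) or STARTUP_RE.match(body)
            if not m:
                continue
            img = image_path(m.group("cmd"))
            if not re.match(r"^[A-Za-z]:\\", img):
                findings.append(("O4 no absolute path", m.group("name"), img))
        elif section == "O17" and "NameServer" in body:
            servers = set(body.split("=", 1)[1].split())
            for ip in sorted(servers - expected_dns):
                findings.append(("O17 unexpected resolver", ip, body.split(":")[0]))
    return findings
```

A bare-name O4 hit such as SysTray.Exe is only a prompt to locate the file and confirm it is the expected system binary, not a verdict on its own.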
 
LVL 49

Accepted Solution

by:sunray_2003 (earned 2000 total points)
ID: 12617597
Have you already checked the HijackThis analyzer website and the tutorial? That should tell you the bad ones in your log.
0