Very Hard To remove virus (HijackThis)
Hey all, I got the virus, one of the Gaobot variants, and it totally messed up my system. It deleted the "Search" option in the Start Menu, I couldn't get to the Symantec page after that, I couldn't get onto the internet at all... and so on.
I reinstalled Windows XP Pro on my system, updated my Norton AntiVirus, did a full scan but nothing came up. After some time I got a message from the antivirus that it found the virus W32.HLLW.Gaobot.AO and deleted it. Again I did a full scan, but it didn't find anything; the antivirus keeps finding this virus in the file winhlpp32.exe and deletes it every half an hour or so. I tried Ad-Aware, Spybot, and a couple more programs like that, but nothing. I also tried the Symantec removal tool, and manual removal... NOTHING! It keeps adding web pages to "hosts" and I keep removing them. My system became so slow... What should I do?
Edit:
I rescanned my computer with Kaspersky antivirus and found a lot of "Backdoor" crap and deleted them, but the first powerful virus is still in my system. I can't work on my system because everything is 100 times slower than it used to be before the virus.
Maybe some files were deleted by the virus and that's why it's so slow?..
Here is the new log.
Logfile of HijackThis v1.97.7
Scan saved at 05:10:22, on 30/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\new\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &רדיו - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL332.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...5152893519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
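The two symptoms in the post, an autorun entry that keeps coming back and a hosts file that keeps growing, are both things a defender can check mechanically from a HijackThis log and a copy of the hosts file. The script below is an added example written for this thread, not something from the poster or from HijackThis: it parses the O4 (Run key) lines in the log format shown above, flags entries that launch a bare file name instead of a full path or whose file name is one edit away from a legitimate Windows binary (the winhlpp32.exe versus winhlp32.exe pattern), and lists hosts-file lines that pin any name other than localhost to a loopback address. The KNOWN_SYSTEM_EXES list, the sample O4 lines and the sample hosts lines are constructed for the example; the last O4 line and the two hosts redirects are invented to mirror the symptoms described, not copied from the poster's log.

```python
# Added triage helpers for a HijackThis log and a hosts file (example code, not from the thread).
import re
from dataclasses import dataclass, field

# HijackThis O4 line, e.g.  O4 - HKLM\..\Run: [Smapp] C:\Program Files\...\Smtray.exe
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Legitimate Windows binary names that malware file names are often modelled on.
# Constructed starting list for the look-alike check; extend it for your own baseline.
KNOWN_SYSTEM_EXES = {'winhlp32.exe', 'svchost.exe', 'lsass.exe', 'services.exe',
                     'winlogon.exe', 'explorer.exe', 'ctfmon.exe', 'spoolsv.exe'}

def edit_distance(a, b):
    """Plain Levenshtein distance (a transposition counts as 2, so it is not caught)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(basename):
    """Legitimate name this file name imitates (distance exactly 1), or None."""
    low = basename.lower()
    if low in KNOWN_SYSTEM_EXES:
        return None
    return next((real for real in KNOWN_SYSTEM_EXES if edit_distance(low, real) == 1), None)

def target_of(cmd):
    """Executable a Run value launches: the quoted path or the first token;
    for rundll32.exe the DLL it is told to load."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], '')
    else:
        parts = cmd.split(None, 1)
        exe, rest = parts[0], (parts[1] if len(parts) > 1 else '')
    if exe.lower().rsplit('\\', 1)[-1] == 'rundll32.exe' and rest:
        exe = rest.split(',', 1)[0].strip().strip('"')
    return exe

@dataclass
class Autorun:
    name: str
    exe: str
    reasons: list = field(default_factory=list)

def triage_autoruns(log_text):
    """Every O4 entry in the log, each with the reasons it deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = target_of(m['cmd'])
        entry = Autorun(m['name'], exe)
        if not re.match(r'^[A-Za-z]:\\', exe):
            entry.reasons.append('no absolute path: binary is resolved through the search path')
        real = lookalike_of(exe.rsplit('\\', 1)[-1])
        if real:
            entry.reasons.append(f'file name imitates {real}')
        findings.append(entry)
    return findings

def unexpected_hosts_entries(hosts_text):
    """Hosts lines that pin any name other than localhost to a loopback or null
    address; on a stock XP hosts file the only such line is 127.0.0.1 localhost."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in ('127.0.0.1', '0.0.0.0', '::1'):
            others = [n for n in names if n.lower() != 'localhost']
            if others:
                hits.append((addr, others))
    return hits

# Constructed samples: the last O4 line and the two hosts redirects are invented
# to mirror the symptoms in the post, they are not taken from the poster's log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [Windows Help] winhlpp32.exe
"""
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.symantec.com        # constructed redirect
127.0.0.1       windowsupdate.microsoft.com
"""

if __name__ == '__main__':
    for a in triage_autoruns(SAMPLE_LOG):
        print(('FLAG ' if a.reasons else 'ok   ') + f'[{a.name}] {a.exe} ' + '; '.join(a.reasons))
    for addr, names in unexpected_hosts_entries(SAMPLE_HOSTS):
        print(f'FLAG hosts: {addr} -> {", ".join(names)}')
```

Run it on the sample and only the invented `[Windows Help] winhlpp32.exe` entry and the two vendor redirects are flagged; the NvCplDaemon line passes because the rundll32 case is resolved to the DLL it loads rather than to the bare `RUNDLL32.EXE` token. The look-alike check is deliberately narrow (one insertion, deletion or substitution), so it will not catch swapped letters, and a bare file name in a Run value is a hint worth checking rather than proof of infection; the point is to make the reappearing entry visible on each rescan instead of relying on the scanner to notice it every half hour.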
Comments
The word "bot" in the name is a strong clue that this thing is renewed from the web. Your box is getting reinfected by part of the Gaobot package that you need the dedicated Gaobot removal tool to remove. TECHNICALLY, you can run the dedicated fixer in SAFE MODE, without networking, from a write-protected floppy. This is the preferred way to kill/remove something that uses trojans in a package to renew, or uses bots on the web to renew. It isolates the box from the web during removal.
John D.
Make sure to disable your System Restore before doing this work, then create a new restore point afterwards.
Dexter...