Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Not open for further replies.
1 - 16 of 16 Posts

· Registered
80 Posts
Discussion Starter · #1 ·
Ok, I now have the W32/Gaobot.worm.gen.d virus on my computer doing the very same thing as the last virus I had yesterday (refer to for further details). That was the W32/Polybot.gen!irc virus. But this virus (Gaobot one) is in the same exact location as the previous one: C:\Documents and Settings\All Users\Documents\ folder. The program for this virus is called hallowelt.exe. I don't understand where this is come from, I never open/download anything I don't recognize. I also have McAfee VirusScan (the autoscan keeps recognizing the virus, deleting it and popping right back up saying the same thing)...... Please help me out if you can........

· Registered
80 Posts
Discussion Starter · #2 ·

Can sum1 please help me out?

Here's my HJT logfile just in case...

Logfile of HijackThis v1.97.7
Scan saved at 7:11:24 PM, on 3/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dave\Desktop\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =;ams-server*
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Support (HKCU)
O9 - Extra button: Help (HKCU)
O16 - DPF: Yahoo! Euchre -
O16 - DPF: Yahoo! Poker -
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {46EB676D-8C0B-4C15-8E61-5770B172DE2F} (ThemeCreator Control) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} ( Operating System Class) -,0,0,76/
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) -
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -,0,0,16/
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

· Registered
826 Posts

· Registered
80 Posts
Discussion Starter · #6 ·
Right off the bat it said, "HouseCall has found and cleaned a malware.BKDR_IRCFLOOD.X" But it said something similar to that when I scanned with HouseCall for the previous virus I couldn't get rid of the other day....

· Registered
80 Posts
Discussion Starter · #11 ·
Ok, I followed all the instructions.... I didn't find any of the files in my registry, nor did I find anything when I did the virus scan. I also checked my host files, and they were all clean. This is the same thing that happened with the previous virus. It just sorta went away after I did all that work with no proof that my computer was infected........ Any ideas???

· Registered
826 Posts

· Registered
80 Posts
Discussion Starter · #13 ·
I did that. I started my computer in safe mode, ran regedit and found nothing in my registry. I then proceeded to do a virus scan which found nothing as well. I know I should have found the hallowelt.exe program, as should I have found the soundman.exe file last time around for the last virus. So, I dunno what's goin' on.... I'm sure in the next day or so I'll get another virus similar to these two and the same thing will happen.....

· Registered
80 Posts
Discussion Starter · #14 ·
Ok, this is really weird.... My autoprotect thing just popped up again saying:

A Virus Has Been Detected and Cleaned!

The file C:\Documents and Settings\All Users\Documents\hallowelt.exe was infected by the W32/Gaobot.worm.gen.d virus and has been deleted to complete the Clean process.

That is word for word what it said. I then proceed to click "Continue what I was doing". It asks me if I'd like all my files to be scanned. I click yes and do a full scan of all my files. And nothing is found, yet the same message keeps popping up saying the virus has been detected and cleaned.........

What is going on here?????

· Registered
826 Posts
The file is still there, and cant be deleted because its running.

see my instructions in post #12

Your directory is
C:\Documents and Settings\All Users\Documents\
and file name is hallowelt.exe

Make sure that you have enabled view hidden/system files (link in post#12) so that the file can be viewed if hidden.

· Registered
80 Posts
Discussion Starter · #16 ·
I did all that. The only thing I did that may have been wrong was to start my computer in "safe mode with networking". I only did that so I could go to the symantec website to see which registry files to delete and the rest of the removal process. But I don't understand how my autodetect virusscan can detect the virus, but the full out virus scan cannot find it. And if it does still exist on my computer (which obviously it does) then why aren't any of the registry files here and how come it didn't mess with my host files?

P.S. I PMed you..... Check that....
1 - 16 of 16 Posts
Not open for further replies.