Computing.Net > Forums > Security and Virus > Can't get rid of Gaobot!Help Please


Can't get rid of Gaobot!Help Please


Name: Chris Gray
Date: November 8, 2003 at 02:26:44 Pacific
OS: Windows XP Home
CPU/Ram: 1.3GHz 256MB
Comment:

Hi! I recently posted my problem with 'Gaobot' virus. Someone kindly directed me to the Symantec website for a fix. However, my problem is still not solved - I tried the following:
1. Switched off System restore
2. Updated latest Microsoft patches
3. Installed Norton anti-virus
4. Ran 'Live Update'
But here is where the problems start. I can't activate Norton or perform a scan - the system won't allow it! The Norton window is always closed as soon as I open it. Somehow the worm seems to try to stop me from removing it! Also, I tried to open the Registry, but this is also automatically closed after a few seconds. What's going on?!!
I ran a Symantec online virus scan, and found the following:
Infected files:
C:\WINDOWS\System32\scvhost.exe
C:\WINDOWS\System32\winhlpp.32.exe
both infected with W32.HLLW.Gaobot.AO
When I look at the Task Manager, I see that I have an 'scvhost.exe' process - shouldn't this be 'svchost.exe' (c and v are the wrong way round!)?
Please please please let me know if anyone can suggest a solution.
Thanks!
Chris




Response Number 1
Name: Tom41
Date: November 8, 2003 at 04:06:46 Pacific
Reply:

Let's have a look. Download 'Hijack This!'. Unzip, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.
HijackThis!



Response Number 2
Name: Chris Gray
Date: November 8, 2003 at 05:39:24 Pacific
Reply:

Thanks for the response. Here's the log:

Logfile of HijackThis v1.97.3
Scan saved at 14:37:56, on 08/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\scvhost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\My Documents\General\HIJACK\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://mmjb.musicmatch.com/mmjb/process.cgi?REQUEST=HOME&MMJB_KEY=&MMUID={FA8E9449-87AF-475A-AA47-659FDEF7FDC4}&grant=1&VERSION=7.50.3102HP_NBU&OEM=HP_NBU&OOEM=HP_NBU&LANG=ENU&LANG=ENU&Grant=1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /IMEName
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://qau8l.hpwis.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37929.3504861111
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/SysQuery.cab

Hope you have some ideas!
Chris


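An added check, not part of the thread and not HijackThis or Symantec code: a small Python script that reads the "Running processes:" section of a log like the one above and flags two things a practitioner looks for first, a process name one edit away from a core Windows binary (scvhost.exe versus svchost.exe, a transposition) and a core binary name running from a directory it should not be in. The table of expected directories is an assumption based on a Windows XP layout with %SystemRoot% = C:\WINDOWS, and the sample log is the excerpt from this thread plus one constructed line (a svchost.exe in a Temp folder) added to exercise the second check.

```python
"""Flag look-alike and misplaced system-process names in a HijackThis log.

Added example for this thread; the expected-directory table below is an
assumption for a Windows XP-era install, not something the log states.
"""
import ntpath

SYSTEM_ROOT = r"c:\windows"          # assumption: %SystemRoot% as in the posted log
SYSTEM32 = SYSTEM_ROOT + r"\system32"

# Core Windows images and the directory each is expected to run from (lower-case).
KNOWN_IMAGES = {
    "smss.exe": SYSTEM32,
    "csrss.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32,
    "taskmgr.exe": SYSTEM32,
    "explorer.exe": SYSTEM_ROOT,
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters each cost 1, so 'scvhost' vs 'svchost' is distance 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]


def parse_running_processes(log_text: str) -> list:
    """Return the image paths listed under 'Running processes:' (section ends at a blank line)."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not stripped:
                break
            paths.append(stripped)
    return paths


def check_process(path: str) -> "str | None":
    """Return a finding for a suspicious image path, or None if it looks normal."""
    directory, name = ntpath.split(path)
    directory, name = directory.lower(), name.lower()
    if name in KNOWN_IMAGES:
        if directory != KNOWN_IMAGES[name]:
            return f"{path}: known system image name running from an unexpected directory"
        return None
    for known in KNOWN_IMAGES:
        if osa_distance(name, known) == 1:
            return f"{path}: name is one edit away from {known} (look-alike)"
    return None


def find_suspicious(log_text: str) -> list:
    """Run check_process over every running-process line and keep the findings."""
    return [f for f in (check_process(p) for p in parse_running_processes(log_text)) if f]


# Sample input: the running-process list from the thread, plus one constructed
# line (the Temp\svchost.exe) that is NOT in the original log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.3

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\scvhost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris\Local Settings\Temp\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
"""

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

The name check is deliberately narrow (distance exactly 1 against a short list of core binaries) to keep false positives down; a genuine svchost.exe in System32 passes, and the two hits on the sample are the transposed scvhost.exe and the constructed Temp copy. The path check matters because Task Manager on XP shows only the image name, so a real-looking name in the wrong folder is invisible there.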

Response Number 3
Name: smithdk
Date: November 8, 2003 at 10:13:16 Pacific
Reply:

Have you tried to close out C:\WINDOWS\System32\scvhost.exe and then run Norton?

Another possibility is that scvhost.exe is associated with executables. To fix that go here:

http://home.earthlink.net/~rmbox/Reticulated/4IE_Only/

and run the exefix



Response Number 4
Name: Tom41
Date: November 8, 2003 at 12:55:44 Pacific
Reply:

Open the task manager and end process on C:\WINDOWS\System32\scvhost.exe.

Delete C:\WINDOWS\System32\scvhost.exe.

Run an online virus scan here and delete any files listed as infected.

RAV



Response Number 5
Name: Chris Gray
Date: November 9, 2003 at 04:01:09 Pacific
Reply:

Problem solved! Here's how:
1. Turn off system restore
2. Cut and paste infected "scvhost.exe" to another directory (at this stage it wouldn't give me permission to delete it!)
3. End process 'scvhost.exe' in task manager (couldn't do this before I moved the file)
4. Delete scvhost.exe file (couldn't delete until the process had been killed).
5. Now I was able to run Norton, run 'live update', run microsoft update and look in the register. However, I found no further infected files and no strange entries in the register.
6. Reset machine, reactivate system restore, rejoice at having my CPU free again!

The order of events in moving files, ending processes etc seems to be important.

I'd like to thank those who responded to my request for help - really appreciate it guys.

Chris






Response Number 6
Name: ReinaJenae
Date: November 11, 2003 at 05:10:05 Pacific
Reply:

Okay, I think I have the same problem. Yesterday, I discovered it when I came home. However, since it was so late in the evening, I decided to check it out this morning. Big mistake! My network connections are gone, Norton won't start, and I disabled my XP's system restart. The computer, because of the NT authority system, keeps counting down and restarting every 60 seconds after it is completely loaded. So I can't go online via my Verizon DSL to get help, and the virus scan can't be authorized to do anything! Someone help me PLEASE. This is a new computer (3 weeks old) with tons of memory and I can't afford for it to mess up.










