my fiance and i have been trying to remove this worm from my computer we have tried everything i was wondering if anyone else had any experience with this worm and if they have gotten rid of it and is so how did you do it b/c we cannot figure it out what they tell us to do on symnatec does not work

Michelle, Warning! W32.HLLW.Hai can be tricky to remove. W32.HLLW.Hai is a worm written in C++. This worm spreads its infection in a manner that is very similar to worms such as W32.HLLW.Bymer and W32.HLLW.Qaz. It spreads by finding computers that share the \Windows folder with full access set to "Everyone." If such a share is found, the worm copies itself to the share and modifies the Win.ini file so that the worm is executed when the computer is restarted. This worm cannot spread to computers that do not have the NetBIOS protocol installed. Type: Worm Virus Definitions: August 10, 2001 Technical description: W32.HLLW.Hai is a worm that spreads over a network. It spreads by looking for computers 1) on which the NetBIOS protocol is installed, and 2) that share the \Windows folder with full access for "Everyone." The worm does this by spawning a new thread that looks for computers with open Windows shares. When it finds such a computer, the worm copies itself into the \Windows folder. It also modifies the Win.ini file so that the next time the computer is started, the worm will be executed. The name that this worm uses is chosen at random. All of the samples of this worm that SARC has received have been encrypted with a known Portable Executable (PE) file-encryption program. Removal instructions: 1. Run LiveUpdate to make sure that you have the most recent virus definitions. 2. Start Norton AntiVirus (NAV), and run a full system scan. Be sure that NAV is configured to scan all files. 3. Delete all files that are detected as W32.HLLW.Hai. 4. Click Start, and click Run. 5. Type the following, and then click OK. edit c:\windows\win.ini The MS-DOS Editor opens. NOTE: If Windows is installed in a different location, make the appropriate path substitution. 6. In the [windows] section of the file, look for the line that begins with run= 7. If the line exists, and if there is text to the right of the = sign, examine the text carefully. If you are not absolutely sure that the text refers to a program that you are familiar with, and that you want to run when the computer starts, delete the text. 8. Click File, and then click Exit. Click Yes when prompted to save changes. Additional information: Prevention It is never a good idea to share the entire hard drive or the \Windows folder with full access for "Everyone." By having a share like this, anyone on the Internet who knows your IP address will have full access to any files within that share. If you need to have shares on your computer, it is highly recommended that you protect them with a password. For more information on configuring shares please see the Knowledge Base article, How to configure shared Windows folders for maximum network protection. What are Portable Executable (PE) files? PE files are files that are portable across all Microsoft 32-bit operating systems. You can execute the same PE-formatted file on any version of Windows 95, 98, Me, NT, and 2000. Therefore, all PE files are executable, but not all executable files are portable. A good example of a Portable Executable is a screen saver (.scr) file. If this don't work, then download a porgram called swat-it from: http://lockdowncorp.com/bots/downloadswatit.html Tank863

You should disable the netbois binding from TCP/IP also to prevent nsey parkers loooking at your shares.

well thank you tank863 and hmmmm i tried swatit and that did not find anything what happens is all of sudden norton says that it has found a virus and its like 186 files that end up being quarentined and so then i do another scan on my computer and it doesn't find a thing and also when i go to the win.ini i do not see a thing about run= even when i first found out that i had the worm so i am open for suggestions on how to get rid of this my fiance has already reformatted my drives and then the next day norton said i had a virus and i did not install anything thank you again for the help my fiance said to tell you that my ops is xp and i am running norton,bitdefender and tds3 also with bitdefender is murphy v2.0 and only norton and murphy has picked up the virus

Michelle, You reformatted your harddrives and still had a virus the next day... I never heard of that, but lets think on this one a bit. Not to suggest anything, but are you using a legit version of windows xp? If not, the virus/worm may be attached to it. Having said that you are running all of those good AV programs, I am stumpped as to why you still have the virus.. but, ther are still things that can be done. When Norton quarantines the virus, do you delete it? When using XP, you are automatically secured with the system restore feature. What is probably happening is the virus is in your system restore folder. I need you to disable the system restore feature. Then run the antivirus program. Make sure everything is clean. Make sure your AV program is up to date. To disable the system restore feature, do the following: Right click on the My computer icon ---> go to properties.... ---> click on the system restore tab ---> click on the turn off system restore for all drives check box and click okay. Then run the AV and clean your system. Keep me advised as to your progress. Tank863

well thank you again tank863 i did what you suggested and when i ran nav again it found 77 more viruses and my fiance deleted them and so far nothing has happened if anything happens again i will post another message sorry took so long to reply but im only on this computer on the weekends but thank you from the bottom of my heart and computer i appreciate it very much