How to clean files from W32.HLLW.Niklas

[Joe Piscapo]

Is it possible? Every now and then norton downloads new definitions and it
asks if it should try cleaning the infected files with the new definitions
but it always fails. I really want to get W32.HLLW.Niklas off these files.
They are important and are in quarantine. Is there anyway of doing it?

 

[The Prophecy]

Is it possible? Every now and then norton downloads new definitions
and it asks if it should try cleaning the infected files with the new
definitions but it always fails. I really want to get
W32.HLLW.Niklas off these files. They are important and are in
quarantine. Is there anyway of doing it?

If the new definitions can't clean the files then they are most likely
uncleanable. Sorry, you're SOL on this one.

 

[Tom R]

Is it possible? Every now and then norton downloads new definitions and it
asks if it should try cleaning the infected files with the new definitions
but it always fails. I really want to get W32.HLLW.Niklas off these files.
They are important and are in quarantine. Is there anyway of doing it?

I would try at least one of these
free online virus scan programs,

RAV
http://www.ravantivirus.com/scan/

Panda:
http://www.pandasoftware.com/activescan/

BitDefender
http://www.bitdefender.com/scan/license.php

HTH,
Tom

 

[NonDisputandum.com]

Is it possible? Every now and then norton downloads new definitions and it
asks if it should try cleaning the infected files with the new definitions
but it always fails. I really want to get W32.HLLW.Niklas off these files.
They are important and are in quarantine. Is there anyway of doing it?

YEs,.. perhaps some other soft
http://www.nondisputandum.com/html/antivirus___firewall.html


--
www.nondisputandum.com

Protect, clean, tools, office, webbuilding
newsfeeds, entertainment, searching
+ the internet addiction test!

 

[FromTheRafters]

Is it possible?

Probably not.

Every now and then norton downloads new definitions and it
asks if it should try cleaning the infected files with the new definitions
but it always fails.

This one confuses me because HLLW if I'm not mistaken stands for
High Level Language Worm - and if it is a worm file (as opposed to
a virally infected file) there is nothing to clean as it is all malware. The
descriptions I have read indicate that you should delete files detected
as W32.HLLW.Niklas, which is in keeping with the worm assumption.

I really want to get W32.HLLW.Niklas off these files.
They are important and are in quarantine. Is there anyway of doing it?

Are these file important, or do you just believe that they are important
because you assume that they are infected (otherwise legitimate) program
files that you wanted from your p2p application's offerings?

I'm not trying to accuse you of stupidity - I am just trying to figure out
what this thing really is from the confusing descriptions I have found.
Symantec calls it a worm, and yet mentions that it prepends itself to
executable program files (which seems like virus function to me).

....no wonder there is so much confusion as to what these terms mean.

 

[Joe Piscapo]

Important files like the registry and msconfig are infected. I am wondering
how I can still install stuff (doesn't windows xp need the registry when
installing?)
I used to get that dialog saying to insert the xp disk to replace the
corrupt files but I couldn't find my cd so I just kept clicking cancel. Now
I found the cd but I don't get that dialog anymore

 

[FromTheRafters]

Important files like the registry and msconfig are infected. I am wondering
how I can still install stuff (doesn't windows xp need the registry when
installing?)

The registry files are not infectable, as they are data files. Are you
referring to Regedit, the registry editor? Have you scanned those
suspect files with another AV program to help eliminate the false
positive alert possibilities?

I am not familiar enough with XP to help you to extract replacement
files from your installation CD, but it appears that you should do this.
On that CD is a program called the "recovery console" which should
allow you to do this.

I used to get that dialog saying to insert the xp disk to replace the
corrupt files but I couldn't find my cd so I just kept clicking cancel. Now
I found the cd but I don't get that dialog anymore

Sorry I can't help you, hopefully someone else reading this can. (

 

[FromTheRafters]

I am not familiar enough with XP to help you to extract replacement
files from your installation CD, but it appears that you should do this.

I just stumbled across this - it may help.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001123112044539

 

[mzlindyone]

Important files like the registry and msconfig are infected. I am wondering
how I can still install stuff (doesn't windows xp need the registry when
installing?)

Joe, I think you're making this more complicated than it is. Try this
description http://www.sophos.com/virusinfo/analyses/w32lausa.html

The registry is not infected. There is an entry that needs to be
removed, but this is not infection of the registry itself. The same
goes for MSCONFIG - it is merely reading the registry.

I used to get that dialog saying to insert the xp disk to replace the
corrupt files but I couldn't find my cd so I just kept clicking cancel. Now
I found the cd but I don't get that dialog anymore

This was probably because of the niklaus.exe running. The way it's
set up, niklaus.exe is technically a "corrupt system file", however
it's not one you want to replace. It appears Norton is using the term
"appended" rather than "infected" because while these altered files
are _copies_ of system files, they are then only dropped in file
sharing folders, not put in use by the system.

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.niklas.html

If you have used Start > Run > MSCONFIG to disable the entry referring
to niklaus.exe, and deleted all files identified by Norton as infected
- which should be the niklaus.exe, and files in WINNT\Temp\Binary32\,
and anything in file sharing folders - then you are clean of
W32.HLLW.Niklas. Checking with another AV like
http://housecall.trendmicro.com/ wouldn't be a bad idea, and if Norton
isn't running when you start your computer anymore, it may need to be
reinstalled.


Carol

 

[FromTheRafters]

The way it's set up, niklaus.exe is technically a "corrupt system file",
however it's not one you want to replace. It appears Norton is using
the term "appended" rather than "infected" because while these altered
files are _copies_ of system files, they are then only dropped in file
sharing folders, not put in use by the system.

Thanks for the explanation, Carol. So it appears that Norton was using
terminology that focuses on the "trojanization" of the executable rather
than the "infection" (and I only use the term infection when denoting an
infectious modification, not just any modification. I do realize that I am
probably alone in this). When the otherwise legitimate file is executed,
it does result in another iteration if the worm, so I would say that it does
qualify as a viral aspect of the program.

Still - the recommended treatment is that for worm not virus, so I can't
blame them for stating it the way they did (though I wish that they had
been clearer).

Thanks again.

 

[mzlindyone]

Thanks for the explanation, Carol. So it appears that Norton was using
terminology that focuses on the "trojanization" of the executable rather
than the "infection" (and I only use the term infection when denoting an
infectious modification, not just any modification. I do realize that I am
probably alone in this).

I'd have to agree but it's not very practical in use. I tried using
"infested" when referring to non-viral trojans or worms, but it
confused too many people so I went back to "infected". Those people
don't know what infected means either, but they think they do.
Fighting a terminology battle against the antivirus companies for the
minds of the users is just not my chosen war. If it's yours, go for
it.

When the otherwise legitimate file is executed,
it does result in another iteration if the worm, so I would say that it does
qualify as a viral aspect of the program.

In this particular case, since the new file is not being set up to run
in place of the system file, isn't the system file there merely as
distraction material to hopefully obscure the worm body? So who is
infecting whom here?

Yes, I'm being facetious. Sort of.

Still - the recommended treatment is that for worm not virus, so I can't
blame them for stating it the way they did (though I wish that they had
been clearer).

I've noticed this recently with a few other worms. At first I
thought, "Now what the heck is THAT supposed to mean?" But reading
closely for what's happening to these "appended" files in the end
result provided the explanation well enough. I guess we shouldn't
complain too much, since they don't have to make their descriptions
available to the public at all.

You may have noticed that Sophos doesn't bother mentioning this
unimportant "appending" feature of the worm - that way they don't have
to name it either way, I suppose. <G>


Carol

 

[Joe Piscapo]

Wait so it doesn't respawn the virus, then what do those "infected" files
do?
I don't want to replace all the files I think I'm just gonna install windows
overtop of this old windows that should fix everything up eh?

 

[FromTheRafters]

Fighting a terminology battle against the antivirus companies for the
minds of the users is just not my chosen war. If it's yours, go for
it.

Nah, they wouldn't listen to me anyway. Besides, when the curious use AV
websites to investigate exactly what the differences are - they end up so
confused that they come here asking for clarification. Then it is interesting to
observe how everyone seems to know the "correct" answer - and yet they
are greeted with examples that don't fit the definitions that have been laid out.

The AV community has reasons for the classifications that they use, but
they *do* seem to be logically inaccurate.

In this particular case, since the new file is not being set up to run
in place of the system file,

Viruses don't need to ensure that the program that they "infect" is
ever executed - only that *if* the program is asked to be executed
the virus will be executed as a result

isn't the system file there merely as distraction material to hopefully
obscure the worm body?

Perhaps, or it is good enough packaging for a trojan, or it is just acting
like a hermit crab (hey - nice can...aluminum siding...). It is funny that
both appending and prepending is mentioned in Symantec's description.
It prepends itself to host executables, and if the particular instance is
running from an "infected" executable, the program detects that the
(host?) executable is appended to the worms executable image and
will detach and execute that detached executable.

....sounds very viruslike to me indeed.

I don't know how a legitimate msconfig or regedit would get infected
though.

So who is infecting whom here?

It apparently "infects" exefiles in download directories, shared ones, and
some other directories too (like the desktop).

Yes, I'm being facetious. Sort of.

It does make you wonder.

I've noticed this recently with a few other worms. At first I
thought, "Now what the heck is THAT supposed to mean?" But reading
closely for what's happening to these "appended" files in the end
result provided the explanation well enough. I guess we shouldn't
complain too much, since they don't have to make their descriptions
available to the public at all.

True, but I do wish that they wouldn't treat these as mutually exclusive
entities, and at the same time say such and such is infected by the

"Backdoor Trojan Worm Virus" or something similar.

You may have noticed that Sophos doesn't bother mentioning this
unimportant "appending" feature of the worm - that way they don't have
to name it either way, I suppose. <G>

They don't make it at all clear that previously legitimate programs on the
local machine (such as msconfig.exe) could have been modified.

....if this is indeed the case (which is what I understand in the Symantec
write-up).

 

[FromTheRafters]

Wait so it doesn't respawn the virus, then what do those "infected" files
do?

The way that *I* read the description - they do.

....but many here have said that I read too much into things.

I don't want to replace all the files

???

You only mentioned msconfig, and made vague reference to the registry. I
would say that *where* these files are would be a good indication as to
*what* these files are. I would do as suggested (delete all files detected
as "Niklas", and replace any that were actually needed by you from CD.)

I think I'm just gonna install windows
overtop of this old windows that should fix everything up eh?

It *should*, but pulling a couple of files from CD is no biggie either.