How to clean files from W32.HLLW.Niklas

  • Thread starter Thread starter Joe Piscapo
  • Start date Start date
J

Joe Piscapo

Is it possible? Every now and then norton downloads new definitions and it
asks if it should try cleaning the infected files with the new definitions
but it always fails. I really want to get W32.HLLW.Niklas off these files.
They are important and are in quarantine. Is there anyway of doing it?
 
Joe said:
Is it possible? Every now and then norton downloads new definitions
and it asks if it should try cleaning the infected files with the new
definitions but it always fails. I really want to get
W32.HLLW.Niklas off these files. They are important and are in
quarantine. Is there anyway of doing it?
Click to expand...

If the new definitions can't clean the files then they are most likely
uncleanable. Sorry, you're SOL on this one.
 
Joe Piscapo said:
Is it possible? Every now and then norton downloads new definitions and it
asks if it should try cleaning the infected files with the new definitions
but it always fails. I really want to get W32.HLLW.Niklas off these files.
They are important and are in quarantine. Is there anyway of doing it?
Click to expand...

I would try at least one of these
free online virus scan programs,

RAV
http://www.ravantivirus.com/scan/

Panda:
http://www.pandasoftware.com/activescan/

BitDefender
http://www.bitdefender.com/scan/license.php

HTH,
Tom
 
Is it possible? Every now and then norton downloads new definitions and it
asks if it should try cleaning the infected files with the new definitions
but it always fails. I really want to get W32.HLLW.Niklas off these files.
They are important and are in quarantine. Is there anyway of doing it?
Click to expand...
YEs,.. perhaps some other soft
http://www.nondisputandum.com/html/antivirus___firewall.html


--
www.nondisputandum.com

Protect, clean, tools, office, webbuilding
newsfeeds, entertainment, searching
+ the internet addiction test!
 
Joe Piscapo said:
Is it possible?
Click to expand...

Probably not.
Every now and then norton downloads new definitions and it
asks if it should try cleaning the infected files with the new definitions
but it always fails.
Click to expand...

This one confuses me because HLLW if I'm not mistaken stands for
High Level Language Worm - and if it is a worm file (as opposed to
a virally infected file) there is nothing to clean as it is all malware. The
descriptions I have read indicate that you should delete files detected
as W32.HLLW.Niklas, which is in keeping with the worm assumption.
I really want to get W32.HLLW.Niklas off these files.
They are important and are in quarantine. Is there anyway of doing it?
Click to expand...

Are these file important, or do you just believe that they are important
because you assume that they are infected (otherwise legitimate) program
files that you wanted from your p2p application's offerings?

I'm not trying to accuse you of stupidity - I am just trying to figure out
what this thing really is from the confusing descriptions I have found.
Symantec calls it a worm, and yet mentions that it prepends itself to
executable program files (which seems like virus function to me).

....no wonder there is so much confusion as to what these terms mean.
 
Important files like the registry and msconfig are infected. I am wondering
how I can still install stuff (doesn't windows xp need the registry when
installing?)
I used to get that dialog saying to insert the xp disk to replace the
corrupt files but I couldn't find my cd so I just kept clicking cancel. Now
I found the cd but I don't get that dialog anymore :(
 
Joe Piscapo said:
Important files like the registry and msconfig are infected. I am wondering
how I can still install stuff (doesn't windows xp need the registry when
installing?)
Click to expand...

The registry files are not infectable, as they are data files. Are you
referring to Regedit, the registry editor? Have you scanned those
suspect files with another AV program to help eliminate the false
positive alert possibilities?

I am not familiar enough with XP to help you to extract replacement
files from your installation CD, but it appears that you should do this.
On that CD is a program called the "recovery console" which should
allow you to do this.
I used to get that dialog saying to insert the xp disk to replace the
corrupt files but I couldn't find my cd so I just kept clicking cancel. Now
I found the cd but I don't get that dialog anymore :(
Click to expand...

Sorry I can't help you, hopefully someone else reading this can. :o(
 
Important files like the registry and msconfig are infected. I am wondering
how I can still install stuff (doesn't windows xp need the registry when
installing?)
Click to expand...


Joe, I think you're making this more complicated than it is. Try this
description http://www.sophos.com/virusinfo/analyses/w32lausa.html

The registry is not infected. There is an entry that needs to be
removed, but this is not infection of the registry itself. The same
goes for MSCONFIG - it is merely reading the registry.
I used to get that dialog saying to insert the xp disk to replace the
corrupt files but I couldn't find my cd so I just kept clicking cancel. Now
I found the cd but I don't get that dialog anymore :(
Click to expand...

This was probably because of the niklaus.exe running. The way it's
set up, niklaus.exe is technically a "corrupt system file", however
it's not one you want to replace. It appears Norton is using the term
"appended" rather than "infected" because while these altered files
are _copies_ of system files, they are then only dropped in file
sharing folders, not put in use by the system.

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.niklas.html

If you have used Start > Run > MSCONFIG to disable the entry referring
to niklaus.exe, and deleted all files identified by Norton as infected
- which should be the niklaus.exe, and files in WINNT\Temp\Binary32\,
and anything in file sharing folders - then you are clean of
W32.HLLW.Niklas. Checking with another AV like
http://housecall.trendmicro.com/ wouldn't be a bad idea, and if Norton
isn't running when you start your computer anymore, it may need to be
reinstalled.


Carol
 
The way it's set up, niklaus.exe is technically a "corrupt system file",
however it's not one you want to replace. It appears Norton is using
the term "appended" rather than "infected" because while these altered
files are _copies_ of system files, they are then only dropped in file
sharing folders, not put in use by the system.
Click to expand...

Thanks for the explanation, Carol. So it appears that Norton was using
terminology that focuses on the "trojanization" of the executable rather
than the "infection" (and I only use the term infection when denoting an
infectious modification, not just any modification. I do realize that I am
probably alone in this). When the otherwise legitimate file is executed,
it does result in another iteration if the worm, so I would say that it does
qualify as a viral aspect of the program.

Still - the recommended treatment is that for worm not virus, so I can't
blame them for stating it the way they did (though I wish that they had
been clearer).

Thanks again.
 
Thanks for the explanation, Carol. So it appears that Norton was using
terminology that focuses on the "trojanization" of the executable rather
than the "infection" (and I only use the term infection when denoting an
infectious modification, not just any modification. I do realize that I am
probably alone in this).
Click to expand...

I'd have to agree but it's not very practical in use. I tried using
"infested" when referring to non-viral trojans or worms, but it
confused too many people so I went back to "infected". Those people
don't know what infected means either, but they think they do.
Fighting a terminology battle against the antivirus companies for the
minds of the users is just not my chosen war. If it's yours, go for
it.
When the otherwise legitimate file is executed,
it does result in another iteration if the worm, so I would say that it does
qualify as a viral aspect of the program.
Click to expand...

In this particular case, since the new file is not being set up to run
in place of the system file, isn't the system file there merely as
distraction material to hopefully obscure the worm body? So who is
infecting whom here?

Yes, I'm being facetious. Sort of.
Still - the recommended treatment is that for worm not virus, so I can't
blame them for stating it the way they did (though I wish that they had
been clearer).
Click to expand...

I've noticed this recently with a few other worms. At first I
thought, "Now what the heck is THAT supposed to mean?" But reading
closely for what's happening to these "appended" files in the end
result provided the explanation well enough. I guess we shouldn't
complain too much, since they don't have to make their descriptions
available to the public at all.

You may have noticed that Sophos doesn't bother mentioning this
unimportant "appending" feature of the worm - that way they don't have
to name it either way, I suppose. <G>


Carol
 
Wait so it doesn't respawn the virus, then what do those "infected" files
do?
I don't want to replace all the files I think I'm just gonna install windows
overtop of this old windows that should fix everything up eh?
 
Fighting a terminology battle against the antivirus companies for the
minds of the users is just not my chosen war. If it's yours, go for
it.
Click to expand...

Nah, they wouldn't listen to me anyway. Besides, when the curious use AV
websites to investigate exactly what the differences are - they end up so
confused that they come here asking for clarification. Then it is interesting to
observe how everyone seems to know the "correct" answer - and yet they
are greeted with examples that don't fit the definitions that have been laid out.

The AV community has reasons for the classifications that they use, but
they *do* seem to be logically inaccurate.
In this particular case, since the new file is not being set up to run
in place of the system file,
Click to expand...

Viruses don't need to ensure that the program that they "infect" is
ever executed - only that *if* the program is asked to be executed
the virus will be executed as a result
isn't the system file there merely as distraction material to hopefully
obscure the worm body?
Click to expand...

Perhaps, or it is good enough packaging for a trojan, or it is just acting
like a hermit crab (hey - nice can...aluminum siding...). It is funny that
both appending and prepending is mentioned in Symantec's description.
It prepends itself to host executables, and if the particular instance is
running from an "infected" executable, the program detects that the
(host?) executable is appended to the worms executable image and
will detach and execute that detached executable.

....sounds very viruslike to me indeed.

I don't know how a legitimate msconfig or regedit would get infected
though.
So who is infecting whom here?
Click to expand...

It apparently "infects" exefiles in download directories, shared ones, and
some other directories too (like the desktop).
Yes, I'm being facetious. Sort of.
Click to expand...

It does make you wonder.
I've noticed this recently with a few other worms. At first I
thought, "Now what the heck is THAT supposed to mean?" But reading
closely for what's happening to these "appended" files in the end
result provided the explanation well enough. I guess we shouldn't
complain too much, since they don't have to make their descriptions
available to the public at all.
Click to expand...

True, but I do wish that they wouldn't treat these as mutually exclusive
entities, and at the same time say such and such is infected by the

"Backdoor Trojan Worm Virus" or something similar.
You may have noticed that Sophos doesn't bother mentioning this
unimportant "appending" feature of the worm - that way they don't have
to name it either way, I suppose. <G>
Click to expand...

They don't make it at all clear that previously legitimate programs on the
local machine (such as msconfig.exe) could have been modified.

....if this is indeed the case (which is what I understand in the Symantec
write-up).
 
Joe Piscapo said:
Wait so it doesn't respawn the virus, then what do those "infected" files
do?
Click to expand...

The way that *I* read the description - they do.

....but many here have said that I read too much into things.
I don't want to replace all the files
Click to expand...

???

You only mentioned msconfig, and made vague reference to the registry. I
would say that *where* these files are would be a good indication as to
*what* these files are. I would do as suggested (delete all files detected
as "Niklas", and replace any that were actually needed by you from CD.)
I think I'm just gonna install windows
overtop of this old windows that should fix everything up eh?
Click to expand...

It *should*, but pulling a couple of files from CD is no biggie either.
 
Back
Top