Do you wonder where that long list of processes in your task manager comes from? Are all those programs running there really needed, or are they a virus, adware, or spyware recording all your keystrokes and then sending your passwords to a remote server? Read the articles below and learn about some of those processes.



bla.exe / Scvhost.exe trojan horse keeps coming back!

Question:

I cannot get rid of this trojan horse bla.exe. I first found it after I kept getting error messages from WinAmp ('Illegal Operation' on drive C:) even though I was not running WinAmp and I have WinAmp installed on drive E:.

I started the computer in safe mode, twice, and removed both of them and they just keep coming back.

Answer:

bla.exe belongs to the W32.HLLW.Gaobot worm. This worm attempts to spread to network shares with weak passwords. W32.HLLW.Gaobot also provides a hacker with access to the infected computer through IRC. It uses the DCOM RPC vulnerability (TCP port 135, Windows XP) and the RPC Locator vulnerability (TCP port 445).

There is also a UPX-compressed version of this worm; the compressed version is classified as W32.HLLW.Gaobot.AE.
It affects computers with Windows NT, Windows 2000 and Windows XP.

Besides running as bla.exe, it may also arrive on your computer as Scvhost.exe, WincfgM32.exe or Winhlpp32.exe.

To remove this trojan horse, you need to follow these steps:
  1. Disable System Restore (Windows XP only)
  2. Restart the computer in Safe mode or VGA mode.
  3. Run an updated virus scanner and run a full system scan and delete all the files detected as W32.HLLW.Gaobot.
  4. Delete the value that was added to the registry under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    There delete "Config Loader"="scvhost.exe"
    and in
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    delete "Config Loader"="scvhost.exe"
  5. Now boot again in normal mode.


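The registry clean-up in step 4 and the process check behind it can be scripted so that you can verify, after each reboot, whether the worm has re-added itself. The PowerShell script below is an added example, not part of the original answer; it only knows the file names (bla, scvhost, WincfgM32, Winhlpp32) and the "Config Loader" value under the Run and RunServices keys that the answer names, so a variant using a different value name or file name will not be reported. The -Remove switch and the report-only default are choices made here for the example. Run it from an elevated PowerShell prompt, preferably while in Safe mode as the answer recommends, because a still-running copy of the worm will simply write the value back.

```powershell
# Check for, and optionally remove, the W32.HLLW.Gaobot autostart entries
# described in the answer above. Added example; not from the original page.
[CmdletBinding()]
param(
    # Report only by default; pass -Remove to actually delete the registry values.
    [switch]$Remove
)

# Process names (without .exe) the answer lists for this worm.
# Note: the legitimate Windows service host is svchost.exe and lives in
# %SystemRoot%\System32; the worm's "scvhost" is a look-alike name.
$WormNames = @('bla', 'scvhost', 'WincfgM32', 'Winhlpp32')

# Autostart keys the answer says the worm writes to. RunServices is not
# present on every Windows version, so its absence is handled below.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
$ValueName = 'Config Loader'   # value name from the answer; assumed to be exact

# 1. Are any of the worm's file names currently running?
$suspicious = Get-Process | Where-Object { $WormNames -contains $_.ProcessName }
foreach ($p in $suspicious) {
    $path = $null
    try { $path = $p.Path } catch { }   # Path can be inaccessible for some processes
    Write-Output ("Running: {0} (PID {1}) {2}" -f $p.ProcessName, $p.Id, $path)
}
if (-not $suspicious) {
    Write-Output "No running process matches the known worm file names."
}

# 2. Inspect (and optionally delete) the "Config Loader" autostart value.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) {
        Write-Output "Key not present: $key"
        continue
    }
    $props = Get-ItemProperty -Path $key
    $entry = $props.PSObject.Properties[$ValueName]
    if ($null -eq $entry) {
        Write-Output "Clean: $key has no '$ValueName' value"
        continue
    }
    Write-Output ("Found: {0}\{1} = {2}" -f $key, $ValueName, $entry.Value)
    if ($Remove) {
        Remove-ItemProperty -Path $key -Name $ValueName
        Write-Output "Removed '$ValueName' from $key"
    }
}
```

Run the script once without -Remove to see what it finds, then with -Remove after the antivirus scan in step 3 has deleted the files. Because the question reports the worm coming back, run it again after the reboot in step 5: if "Found:" reappears, a copy of the worm is still present and the scan in step 3 needs to be repeated.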
Generated 16:02:23 on Jan 19, 2017