File Types (33)
Internet Explorer (6)
bla.exe / Scvhost.exe trojan horse keeps coming back!
9 comments. Current rating: (4 votes). Leave comments and/ or rate it.
Question:I cannot get rid of this trojan horse bla.exe. I first found it after I kept getting error messages from WinAmp ('Illegal Operation' on drive C:) even though I was not running WinAmp and I have WinAmp installed on drive E:.
I started the computer in safe mode, twice, and removed both of them and they just keep coming back.
Answer:bla.exe belongs to the W32.HLLW.Gaobot worm. This worm attempts to spread to network shares with weak passwords. W32.HLLW.Gaobot also provides a hacker access to the infected computer through IRC. It uses the DCOM RPC vulnerability (tcp port 135, Windows XP) and the RPC locator vulnerability (tcp port 445).
There is a upx compressed version of this worm, the compressed version is classified as W32.HLLW.Gaobot.AE
It affects computers with Windows NT, Windows 2000 and Windows XP.
Besides running as bla.exe, it may also arrive on your computer as Scvhost.exe, WincfgM32.exe or Winhlpp32.exe.
To remove this trojan horse, you need to follow these steps: