View Full Version : Bollocks. I've been hit by the love.scr virus


zulu9812
Dec 30, 2002, 07:24 AM
I'm in urgent need of help here. Right, I stupidly downloaded an attachment from an email and it turned out to be a virus (I really should've known). It went through 2 virus scans from separate programs as well as an auto-protect, but it still got through. Now, I'm running Windows 2000 SP3 and the virus created 3 .exes in C:\WINNT\System32 - nav32_loader.exe, tcpsvs32.exe and WinServices.exe. The icons for each of these files are a blue love heart.

nav32_loader.exe shut down Norton Antivirus 2002 and is preventing it from loading again.

tcpsvs32.exe keeps trying to access the internet but has so far been blocked by my firewall (Zone Alarm Pro).

Both these files can be deleted, but are immediately spawned again by WinServices.exe. WinServices.exe cannot be deleted. I went into Properties and set all permissions to Deny and deselected the "Allow inheritable permissions from parent to propagate to this object". I still couldn't delete it, but I hoped that this would stop it spawning those two other files. However, once I'd done that, any file with a .exe extension wasn't allowed to run (something to do with not being able to locate the file or the correct library). So I gave the permissons back and ticked that box. And lo and behold the other two files spawned again.

As you can see, I'm in somewhat of a pickle and would really appreciate some help.

ainwood
Dec 30, 2002, 07:43 AM
Zulu: See here. (https://www.europe.f-secure.com/v-descs/yaha_j.shtml).


Apparently you need to delete all those files, and apply a registry fix (linked from the above, but the link is here. (ftp://ftp.europe.f-secure.com/anti-virus/tools/yaha_fix.reg))


Good luck ! :)

zulu9812
Dec 30, 2002, 08:25 AM
Wow! Thank you! Just one problem, that last file (WinServices.exe) cannot be deleted - it's in use, apparently. Do I apply the registry fix and then that will allow me to delete that last file?

ainwood
Dec 30, 2002, 08:36 AM
To be honest, I'm not completely sure....

What you could try is to apply the reg fix, then reboot.

When you get the boot screen, push f8 and try booting in safe mode.

Hopefully the reg fix will prevent the file from loading in the first place, but safe mode will make doubly sure. You should then be able to delete it. :)

zulu9812
Dec 30, 2002, 09:30 AM
OK, I booted in safe mode and tried deleting the files. This time, tcpsvs32.exe AND WinServices.exe were in use and couldn't be deleted. So I applied the registry fix and rebooted in safe mode again. No change. So I restarted in normal mode, and it was only the WinServices.exe that was in use. But the virus is still there.

ainwood
Dec 30, 2002, 09:46 AM
OK - you can try the following, since you're in Win 2000. (although 'tis a bit riskier....)

Hit CTRL-ALT-DELETE.
Choose "Task Manager".

This should then bring up a list of programs running. It's likely that WinServices.EXE won't be on it.

Hit the "Processes" tab. The winservices.exe should be on that list at least....

If it is, select it and hit "end process". If this is successful, you should then be able to delete the file.

Not guaranteeing anything though.....

zulu9812
Dec 30, 2002, 09:52 AM
The Task Manager screen appears and then vanishes. Damn, this is a sneaky virus...

ainwood
Dec 30, 2002, 09:58 AM
Bloody heck :eek:


I've never tried it, but can you reboot, hit f8 and get some form of command prompt? If so, you might be able to use the old dos-style commands to delete those files from the command line.

ainwood
Dec 30, 2002, 10:01 AM
Here are some more detailed instructions (if you have Norton AntiVirus):

link here. (http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.j@mm.html)

zulu9812
Dec 30, 2002, 10:26 AM
I actually found that, there's just one problem. When navigating in regedit to HKEY_LOCAL_MACHINE\Software\Classes\exefile there is no DefaultIcon, no Shell, no Command. All I get by expanding .exe is PersistentHandler.

ainwood
Dec 30, 2002, 11:39 AM
Then sorry, can't help :(

Maybe those registry entries were removed by installing that regfix thingy?

zulu9812
Dec 30, 2002, 02:25 PM
Just to let you know, I fixed the problem. I installed new antivirus software - AVG 6.0. Then when I rebooted I couldn't open any .exe file, probably because the virus was using them to piggyback its way into operation and the antivirus software was preventing that. Unfortunately, that meant AVG6 couldn't run either! I only managed to get Windows Explorer to run by using the command line. However, I was able to use AVG to scan for viruses by Start > Search > Viruses (a new feature put in by AVG6) which then 'healed' the viruses. I then applied that registry fix and now everything is back to normal. So thanks for your help! :)

gonzo_for_civ
Dec 31, 2002, 01:54 AM
I would've suggested booting to command prompt only and using DOS commands to get those files.

That does sound like a bad virus but good job in getting rid of it! :)

ainwood
Dec 31, 2002, 02:55 AM
@ Zulu: Good to hear :)

@Gonzo: Can you boot to a Command Prompt in Win 2000? :confused:

zulu9812
Dec 31, 2002, 04:16 AM
Originally posted by ainwood
@Gonzo: Can you boot to a Command Prompt in Win 2000? :confused:

Yes, but if you do the command prompt is all you have (i.e. no GUI)

ainwood
Dec 31, 2002, 04:38 AM
Originally posted by zulu9812
Yes, but if you do the command prompt is all you have (i.e. no GUI)

OK. :)

If you boot to the command prompt, then none of the main Windows driver files are loaded. I don't know if you've ever used DOS commands before, but if you had booted to the command prompt, then those files you wanted to delete would not have been in use (they won't load until Windows loads) and you can therefore easily delete them. E.g.:

del C:\WINNT\System32\nav32_loader.exe


:)

zulu9812
Dec 31, 2002, 02:38 PM
Cool, all that hassle with the virus has got me interested in using the command prompt - handy, innit? :)

gonzo_for_civ
Dec 31, 2002, 02:50 PM
Just search around for DOS commands. The old DOS commands that require the old DOS exes to run don't work anymore for the most part, e.g. UNFORMAT and such. But they are, for the most part, simple and IDEAL for getting rid of infected files.

A few attrib commands and the old del command will have most viruses cooked by bedtime :)

Not to mention searching for something in DOS is easier than Windows, to search a directory just use

DIR searchterm

and to search your whole computer just use

DIR searchterm /s

Not to mention wildcards are allowed :)

ainwood
Jan 01, 2003, 04:55 AM
To add to gonzo's post....

I don't think that the DIR command finds "hidden" files, which is what virus files often set themselves to be ( :hmm: - now the reason for hiding the files is starting to become clear). I'm not sure if DEL works on hidden files, but I'm pretty sure it doesn't...

Normally, I set my windows explorer options to show all files, so I don't notice hidden ones. If there's a hidden file you want to delete, find it in windows explorer. From the DOS / command prompt, you can unhide it by the following:

ATTRIB -h path_name_of_file

Then delete with:
DEL path_name_of_file

Hence Gonzo mentioning the attrib function :)

I think that if you change the virus to be unhidden in windows, the virus changes itself back again. :(

Be sure not to delete the "wrong" file with the DEL function - the windows recycle bin doesn't work with the dos prompt (at least I don't think it does...:)
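Putting gonzo's DIR / ATTRIB / DEL advice and ainwood's hidden-file caveat together, here is an added example batch script (not something posted in this thread, and not part of any vendor's removal tool) that checks for the three files zulu9812 named, shows them even when they carry the hidden attribute, clears the attributes so DEL will act on them, and then confirms each one is gone. It assumes the files sit under %SystemRoot%\System32 (C:\WINNT\System32 on that Windows 2000 box) and that it is run from a command prompt where the files are not in use, i.e. after booting to the command prompt as discussed above; the file list and messages are the script's own, not taken from a virus description.

```batch
@echo off
rem Added example, not from the thread: find, unhide and delete the three
rem files zulu9812 reported. Run from a command prompt where the files are
rem not in use (e.g. after booting to the command prompt), and only after
rem confirming these really are the infected files on the machine.
setlocal
set TARGETS=nav32_loader.exe tcpsvs32.exe WinServices.exe
set SYS=%SystemRoot%\System32

rem 1. A plain DIR skips hidden files; DIR /A lists them regardless of
rem    attributes, so this shows whether each file is actually present.
echo Checking for infected files in %SYS% ...
for %%F in (%TARGETS%) do (
    if exist "%SYS%\%%F" (
        dir /a "%SYS%\%%F" | find /i "%%F"
    ) else (
        echo   %%F not present
    )
)

rem 2. DEL reports "Could Not Find" on a hidden file, so clear the
rem    hidden, system and read-only attributes first (this is the
rem    ATTRIB -h step from the thread, with -s and -r added for safety).
for %%F in (%TARGETS%) do (
    if exist "%SYS%\%%F" attrib -h -s -r "%SYS%\%%F"
)

rem 3. Delete, then verify. DEL from the command prompt bypasses the
rem    Recycle Bin, so the exact file names above matter.
for %%F in (%TARGETS%) do (
    if exist "%SYS%\%%F" (
        del /f "%SYS%\%%F"
        if exist "%SYS%\%%F" (
            echo   FAILED: %%F is still there - it is probably in use.
            echo           Boot to the command prompt and run this again.
        ) else (
            echo   removed %%F
        )
    )
)
endlocal
```

The "still there" branch is the case zulu9812 hit with WinServices.exe: a running process holds the file open, so DEL fails even with the attributes cleared. Booting to the command prompt (or safe mode with command prompt) means the file was never loaded, and the same script then succeeds. As ainwood notes, a malware component can re-set the hidden attribute or respawn deleted files while it is running, which is another reason to run this only when it is not.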

GenghisK
Jan 01, 2003, 07:56 AM
Aaah, I got that screensaver on my Hotmail from an unknown person. Hop deleted it without thinking of seeing it. I never trust those things.

Shabbaman
Jan 02, 2003, 06:40 AM
That virus sucks. I get it from different people (who I don't even know most of the time), but I always recognize it as such (don't open attachments most of the time anyway). Well, today I opened my mailbox after a week's absence, and bammo! 75 screensaver emails from the same unknown dude...

Crap...

zulu9812
Jan 03, 2003, 06:40 AM
I don't suppose ainwood or gonzo would be kind enough to put together a stickied FAQ on the command prompt?