Jump to content
TSM Forums
Sign in to follow this  
Guest redbaron51

Problems with my computer

Recommended Posts

Guest redbaron51

There is a major problem in my computer.

 

Almost anything in my computer will not function properly.

 

Anything that I try to open reads as follows:

 

It reads

 

Windows can not find (insert type of program)

 

This program is needed for opening files of type of 'Application'

 

What the hell is going on?

Share this post


Link to post
Share on other sites
Guest I'm That Damn Zzzzz

http://support.microsoft.com/default.aspx?...b;en-us;q250931

You Are Unable to Start a Program with an .exe File Extension

The information in this article applies to:Microsoft Windows 98

Microsoft Windows 98 Second Edition

Microsoft Windows 95

Microsoft Windows NT Server 4.0

Microsoft Windows NT Workstation 4.0

Microsoft Windows Millennium Edition

 

 

This article was previously published under Q250931

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base: 256986 Description of the Microsoft Windows Registry

 

SYMPTOMS

When you attempt to start a program that has a .exe file extension, the program may not start, and you may receive one of the following error messages:

Windows cannot find FILES32.VXD. This program is needed for opening files of type "Application".

Path to program is not a valid Windows NT application

Your desktop may appear to be blank. Also, the problem appears many times on reboot. Even after an anti-virus program has indicated it has cleaned the virus, the registry entry listed later in this article is still in the registry.

CAUSE

This issue may be caused by the Pretty Park virus. The Pretty Park virus creates the Files32.vxd file, and then copies the Files32.vxd file to the Windows\System folder of your computer. Also, the Pretty Park virus modifies a registry key that causes the Files32.vxd file to run when you attempt to run any program that has a .exe file extension.

NOTE:Microsoft does not offer software for computer virus detection or removal. Microsoft recommends that you obtain current anti-virus software from a vendor commercially involved in virus detection and removal. For a list of suppliers (vendors) of anti-virus software, please see the following article in the Microsoft Knowledge Base: 49500 List of Anti-Virus Software Vendors

 

RESOLUTION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this issue, perform the following steps:

NOTE: When you run the Regedit.exe file, you may experience the symptoms described earlier in this article. To work around this issue, rename the Regedit.exe file to Regedit.com, and then follow the instructions listed later in this article. After you are finished, rename the Regedit.com file back to Regedit.exe. Use Registry Editor to view and then modify the following registry key:HKEY_LOCAL_MACHINE\Software\Classes\Exefile\Shell\Open\Command

 

Double-click the following registry string value:

In Windows NT:<NO NAME>: REG_SZ: "files32.vxd" "%1" %*

In Windows 95/98: (Default)"files32.vxd" "%1" %*

 

In the String box, remove Files32.vxd from the string. The correct string for this value is: "%1" %*

NOTE: HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command may also contact the same string value and must also be modified to remove Files32.vxd from the string. When removing the Files32.vxd from the string, if a space is included, you may receive the message windows cannot find .exe when trying to run an .exe file. Verify that there are no extra spaces in the string after removing Files32.vxd.

 

Click OK, and then quit Registry Editor.

Click Start, point to Find, and then click Files or Folders.

In the Named box, type files32.vxd, and then click Find Now

In the Name box, right-click the Files32.vxd file, and then click Delete.

 

NOTE: The Files32.vxd file is not a Windows file and does not reside on the Windows media.

MORE INFORMATION

For additional information about the Files32.vxd file and the Pretty Park virus, view the following Symantec Web site: http://www.symantec.com/avcenter/venc/data...ypark.worm.html

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

NOTE: Microsoft does not provide software that can detect or remove computer viruses. If you suspect or confirm that your computer is infected with a virus, obtain current antivirus software. For a list of antivirus software manufacturers, click the following article number to see the article in the Microsoft Knowledge Base:49500 List of Antivirus Software Vendors

 

Last Reviewed:

8/6/2002

Share this post


Link to post
Share on other sites
Guest I'm That Damn Zzzzz

http://www.symantec.com/avcenter/venc/data...ypark.worm.html

 

PrettyPark.Worm

 

This worm program behaves similarly to Happy99 Worm. It was originally spread by email. When the attached program file, PrettyPark.exe, is executed, it may display the 3D pipe screen saver.

Once the worm program is executed, it tries to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book.

It also tries to connect to an IRC server and join a specific IRC channel. The worm sends information to IRC every 30 seconds to keep itself connected, and to retrieve any commands from the IRC channel.

 

 

Also Known As: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV, W32/Pretty.worm.unp

Type: Worm

Infection Length: 37,376 bytes

 

Virus Definitions (Intelligent Updater) *

 

June 04, 1999

 

*

 

Intelligent Updater virus definitions are released daily, but require manual download and installation.

Click here to download manually.

 

**

 

LiveUpdate virus definitions are usually released every Wednesday.

Click here for instructions on using LiveUpdate.

 

Wild:

Number of infections: 0 - 49

Number of sites: 3 - 9

Geographical distribution: High

Threat containment: Moderate

Removal: Easy

 

Threat Metrics

 

Wild:

Low

 

Damage:

Low

 

Distribution:

High

 

 

 

Damage

Payload: Dial-up Passwords, System Information, ICQ Information Compromises security settings: Allows remote receipt, creation, deletion, and execution of files

 

 

 

Distribution

Subject of email: C:\CoolProgs\Pretty Park.exe

Name of attachment: PrettyPark.EXE

Size of attachment: 37,376 bytes

Target of infection: Windows Registry

 

 

PrettyPark.Worm is a worm that performs similarly to Happy99.Worm. This worm was originally spread through a mass emailing. The program file attached to these email is named PrettyPark.exe. When PrettyPark.exe is executed, it may display the Windows 3D Pipes screen saver. It also does the following:

It creates a file named Files32.vxd in the \Windows\System folder .

It modifies the (Default) value from "%1" %* to FILES32.VXD "%1" %* in the following registry key:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

 

It tries to email itself, every 30 minutes, to addresses in your Internet address book.

It tries to connect to an IRC server and join a specific IRC channel. If it is successful, the worm sends information to this IRC channel every 30 seconds to keep itself connected and to retrieve any commands. By using IRC, the author or distributor of the worm can access information on your system including:Computer name

Product name

Product identifier

Product key

Registered owner

Registered organization

System root path

Version number

ICQ identification numbers

ICQ nicknames

Your email address

Dial-Up networking user name and passwords

 

In addition, being connected to IRC opens a security hole in which your computer can potentially be used to receive and execute files.

 

 

 

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

 

 

Automatic removal instructions

The easiest way to remove this worm is to use the Fix PrettyPark.Worm tool.

Manual removal instructions

To remove this worm, please follow the instructions in each section. We strongly recommend that you read and understand the entire procedure before proceeding.

PrettyPark.Worm comprises two files: PrettyPark.exe and Files32.vxd. It also adds a registry key that loads PrettyPark.exe whenever an executable program is launched. To remove this worm, you must first change the Windows registry so it will not run the virus program; then you must delete the PrettyPark.exe file.

NOTE: The procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a computer consultant.

If you cannot start Windows

If you cannot start Windows 95/98/2000 at all, then you must start Windows in Safe Mode. Once Windows is in Safe Mode:

If you cannot run program files, proceed to the next section.

If you can run program files, skip to the section titled Edit the registry.

 

Follow these steps to start Windows 95/98/2000 in Safe Mode:

NOTE: In Safe Mode, Windows uses default settings: VGA monitor, no network, Microsoft mouse driver, and the minimum device drivers required to start Windows. You will not have access to CD-ROM drives, printers, or other devices.

Windows 95:1. Exit all programs.

2. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.

3. Click Shut Down, and then click OK.

4. Click Yes to confirm the shutdown.

5. Turn off the computer (if necessary) and wait 30 seconds.

NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.

6. Turn on the power.

7. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.

8. Select Safe Mode and press Enter. Windows starts in Safe Mode.

 

Windows 98:1. Click Start, and click Run.

2. Type msconfig and click OK. The System Configuration Utility dialog box appears.

3. Click Advanced on the General tab.

4. Check Enable Startup Menu, click OK, and then click OK again.

5. Exit all programs.

6. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.

7. Click Shut Down, and then click OK.

8. Click Yes to confirm the shutdown.

9. Turn off the computer and wait 30 seconds.

NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.

10. Turn on the computer and wait for the Windows 98 Startup menu.

11. Select Safe Mode, and then press Enter. Windows will start in Safe Mode.

NOTE: (Optional) When you have completed all of the procedures in this document, you can disable the Startup Menu, if desired. To do so, return to this section and then follow these steps:1. Click Start, and click Run.

2. Type msconfig and click OK. The System Configuration Utility dialog box appears.

3. Click Advanced on the General tab.

4. Uncheck Enable Startup Menu, click OK, and then click OK again.

5. Restart the computer.

 

 

 

Windows 2000:1. Exit all programs.

2. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.

3. Click Shut Down, and then click OK.

4. Click Yes to confirm the shutdown.

5. Turn off the computer and wait 30 seconds.

NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.

6. Turn on the computer.

7. As the computer restarts, you will see a continuous line along the bottom of the screen that looks similar to |||||||||||||||||||||||||||||. Beneath this line you will see the text, "For trouble-shooting and advanced startup options for Windows 2000, press F8." Immediately press F8.

8. Select Safe Mode, and then press Enter. Windows will start in Safe Mode.

 

 

If you cannot run program files

If you cannot run program files because you have already deleted the Files32.vxd file, then follow the procedure for the version of Windows that you are running. Otherwise, go on to the next section.Windows 95/98

1. Click Start, point to Programs, and click MS-DOS Prompt.

2. Type copy regedit.exe regedit.com and then press Enter.

3. Type start regedit.com and then press Enter.

4. Proceed to the Edit the registry section.

NOTE: The Registry Editor will open in front of the DOS window. After you have finished editing the registry, and have closed the Registry Editor, close the DOS window.

 

Windows NT/2000

1. Click Start, point to Find, and click Files or Folders.

2. Make sure that "Look in" indicates the drive on which Windows is installed.

3. Type regedit.exe in the Named box, and click Find Now.

4. Right-click the Regedit.exe file in the results pane, and click Copy.

5. Close the Find dialog box.

6. Right-click the Windows desktop, point to New, and click Folder. Type a name for the folder, such as RegFix, and then press Enter.

7. Double-click the folder you just created to open it, click the Edit menu, and click Paste. This will place a copy of Regedit.exe in the folder.

8. Click the View menu, and click Options. The Options dialog box appears.

9. Click the View tab, and make sure that "Hide file extensions for known file types" is not checked. Click OK.

10. Right-click the copy of the Regedit.exe file, and click Rename.

11. Change Regedit.exe to Regedit.com, and then press Enter. Click Yes to confirm the change.

12. Double-click the Regedit.com file to start the Registry Editor, and then proceed to the Edit the registry section.

 

 

NOTE: After PrettyPark.Worm has been successfully removed, you may delete the Regedit.com file.

Edit the registry

CAUTION: We strongly recommend that you back up the Windows registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a computer technician for more information.

If you are confident that you can complete the following steps without error, then please proceed with caution, keeping in mind all warnings you have read.1. Start the Registry Editor if necessary:If you have performed the procedure in the previous section, the Registry Editor is already open. Skip to step 4.

If it was not necessary to perform the procedures in the previous section, go on to step 2.

 

2. Click Start, and click Run. The Run dialog box appears.

3. Type regedit and click OK. The Registry Editor opens.

4. Navigate to and open the following key:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

Important Warning!

The \Classes subkey contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with a .exe extension from running. Make sure you browse all the way along this path until you reach the \command subkey.

Do not modify the HKEY_LOCAL_MACHINE\Software\Classes\.exe key.

Do modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey that is shown in the following figure.

<<=== NOTE: This is the key that you need to modify.

5. Double-click the (Default) value in the right pane.

6. Delete the current value data, and then type "%1" %* (quote-percent-one-quote-space-percent-asterisk).

NOTE: The Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this:

""%1" %*"

Make sure you completely delete all value data in the command key before typing the correct data. If a space is left accidentally at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." If this happens to you, start over at the beginning of this document, making sure to completely remove the current value data.

7. Close the Registry Editor, and perform a full system scan with Norton AntiVirus to completely remove all traces of the PrettyPark.Worm program files.

8. Restart the computer.

 

To delete the PrettyPark.Worm program files1. Click Start, point to Find, and click Files or Folders.

2. Make sure that "Look in" is pointing your hard drive, or all drives if this is an option.

3. Type files32.vxd in the Named box, and then click Find Now.

4. Delete any copies that appear.

5. Make sure that "Look in" is pointing your hard drive, or all drives if this is an option.

6. Type pretty*.exe in the Named box, and then click Find Now.

7. Delete any copies that appear.

NOTE: If Norton AntiVirus is installed and running on this computer, you may be alerted that the files are infected when you complete the previous steps. If that happens, choose Delete and ignore any subsequent Windows messages that say that the file cannot be deleted. (This is Windows alerting you that it cannot find the specified file. It cannot find the file because it has already been deleted by Norton AntiVirus.)

8. Delete the file PrettyPark.exe.

9. Restart the computer.

Share this post


Link to post
Share on other sites
Guest redbaron51

Still not working properly.

 

I changed the registry, but Norton can't find the two viruses

Share this post


Link to post
Share on other sites
Guest I'm That Damn Zzzzz

http://www.symantec.com/avcenter/venc/data...32.navidad.html

 

W32.Navidad

 

W32.Navidad is a mass-mailing worm program. Using MAPI, the worm replies to all inbox messages that contain a single attachment. This worm is able to distribute itself through any MAPI-compliant email client, including Microsoft Outlook. However, email messages that are infected with this worm can be received by any email client. The worm utilizes the existing email subject line and body and attaches itself as Navidad.exe. Due to the bugs in the code, when the worm is executed, it causes your system to be unusable.

Click here to download a tool to repair W32.Navidad damage.

Symantec has also created an interactive tutorial to help you get rid of this worm.

 

Also Known As: I-Worm.Navidad.a [AVP], W32/Navidad.gen@M [McAfee], Win32.Navidad [CA], W32/Navidad [sophos], WORM_NAVIDAD.A [Trend]

Type: Worm

Infection Length: 32,768 bytes

Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

Systems Not Affected: Windows 3.x, Macintosh, UNIX, Linux

 

Virus Definitions (Intelligent Updater) *

 

November 06, 2000

 

 

Virus Definitions (LiveUpdate™) **

 

November 06, 2000

 

 

*

 

Intelligent Updater virus definitions are released daily, but require manual download and installation.

Click here to download manually.

 

**

 

LiveUpdate virus definitions are usually released every Wednesday.

Click here for instructions on using LiveUpdate.

 

Wild:

Number of infections: More than 1000

Number of sites: More than 10

Geographical distribution: High

Threat containment: Moderate

Removal: Difficult

 

 

Threat Metrics

 

Wild:

Low

 

Damage:

High

 

Distribution:

Medium

Damage

Payload: Causes system instability: Improperly changes registry keys

Distribution

Subject of email: Uses existing subject lines

Name of attachment: NAVIDAD.EXE

Size of attachment: 32,768 bytes

 

NOTE: If you are running Windows 95 or Windows 98, it is assumed that Windows is located in C:\Windows. If you are running Windows NT or Windows 2000, it is assumed that Windows is located in C:\Winnt. If Windows is installed in a different directory, make the appropriate substitutions.

This is how the worm works:

 

1. When executed, the worm displays a dialog box with the cryptic letters

UI

and the title

Error

2. If you are running Windows 95 or Windows 98, the worm adds the following registry key:

HKEY_USERS\.DEFAULT\Software\Navidad

If you are running Windows NT or Windows 2000, the worm adds the following registry key:

HKEY_CURRENT_USER\Software\Navidad

This key was supposed to be used to see if the computer was already infected. However, due to bugs in the code, the registry key is not used.

3. If you are running Windows 95 or Windows 98, the worm adds the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

with the value

Win32BaseServiceMOD=\Windows\System\Winsvrc.exe

If you are running Windows NT or Windows 2000, the worm adds the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

with the value

Win32BaseServiceMOD=\Winnt\System32\Winsvrc.exe

4. The worm copies itself into the Windows system folder as Winsvrc.vxd. Due to the difference in file name, the virus does not execute properly at startup. After the file has been copied, the worm modifies two additional registry keys. If you are running Windows 95 or Windows 98, the worm changes

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command

HKEY_CLASSES_ROOT\exefile\shell\open\command

to equal

\Windows\System\winsvrc.exe "%1" %*"

If you are running Windows NT or Windows 2000, the worm changes

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command

HKEY_CLASSES_ROOT\exefile\shell\open\command

to equal

\Winnt\System32\winsvrc.exe "%1" %*"

Due to the mistake in the file name, the system is unusable. Whenever an .exe file is executed, the Windows prompts you for the location of Winsvrc.exe. The net result is that no program files can be launched. This may cause system instability and you may have difficulty restarting the system.

5. Next, the worm begins the email routine. The worm uses MAPI to send mail and works with any MAPI-compliant email client, including Microsoft Outlook. The worm checks for all messages in your Inbox and replies to those messages that have one attachment. The reply consists of the same subject line and body, but contains the worm attached as NAVIDAD.EXE.

6. Finally, the worm places a blue eye icon in the system tray of the taskbar. When the mouse pointer is over the icon, the worm displays a yellow dialog box that states

Lo estamos mirando... (In English: We are watching it...)

When you click the icon, a dialog box with a button appears. The button contains the following text:

Nunca presionar este boton (In English: Never press this button)

If you click the button, an error box with the title

Feliz Navidad (In English: Merry Christmas)

displays the message

Lamentablemente cayo en la tentacion y perdio su computadora (In English: Unfortunately you've fallen to temptation and have lost your computer)

If you close the dialog box by clicking the X instead of clicking the button, the following message appears:

buena eleccion (In English: Good selection)

and exits. Despite the warning of losing the computer, no further changes are made to the system.

 

 

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

 

 

The Symantec AntiVirus Research Center (SARC) has developed a tool to help you repair the damage done by the worm. The W32.Navidad Fix Tool, and instructions on how to use it, are available here.

If you prefer to remove the worm without using the tool, or if the tool does not work on your computer, then follow the instructions in each section in the order shown. We strongly recommend that you read and understand the entire procedure before proceeding.

To remove this worm, you must do the following:

Copy Regedit.exe to Regedit.com (in some cases).

Edit the registry, and remove keys and changes made by the worm.

Set Windows to show all files.

Delete files placed on the computer by the worm.

Run a full system scan.

 

To copy Regedit.exe to Regedit.com:

If you cannot start program files, or if you see the message "Windows cannot find winsvrc.exe," then you'll need to copy Regedit.exe to Regedit.com.1. Do one of the following, depending on which operating system you have installed:Windows 95/98. Click Start, point to Programs, and then click MS-DOS Prompt.

Windows Me. Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.

Windows 2000.A. Click Start, and click Run.

B. Click Browse, and then browse to the \Winnt\System32 folder.

C. Double-click the Command.com file, and then click OK.

D. Type cd \winnt and then press Enter.

 

 

2. Type copy regedit.exe regedit.com and then press Enter.

3. Type start regedit.com and then press Enter.

4. Proceed to the section "To edit the registry and remove keys and changes made by the worm."

NOTE: This will open the Registry Editor in front of the DOS window. After you finish editing the registry and have closed the Registry Editor, close the DOS window as well.

To edit the registry and remove keys and changes made by the worm:

Follow these steps to undo the changes made to the Windows registry:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document. For more information about how to back up the registry, please read the document How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a computer technician for more information.

1. Start the Registry Editor if necessary:If you have performed the procedure in the previous section, the Registry Editor is already open. Skip to step 4.

If it was not necessary to perform the procedures in the previous section, go on to step 2.

 

2. Click Start, and click Run. The Run dialog box appears.

3. Type regedit and then click OK. The Registry Editor opens.

NOTE: If you see an error message or the Registry Editor does not open, go back to and follow the instructions in the previous section.

4. Navigate to and delete the following keys:

NOTE: It is likely that you will find only one.

HKEY_CURRENT_USER\Software\Navidad

HKEY_CURRENT_USER\Software\Emanuel

5. Navigate to and select the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

6. In the right pane, look for and select any of the following values that exist:

Win32BaseServiceMOD         C:\Windows\System\winsvrc.exe

Win32BaseServiceMOD         C:\Windows\System\wintask.exe

NOTE: Some other variants of this have been seen, such as win b service. If in doubt, delete it. Removing items from the \Run key does not actually delete files from the hard disk--it only prevents them from being run when the computer starts.

7. Press Delete, and then click Yes to confirm.

8. Navigate to and select the following key:

HKEY_CLASSES_ROOT\exefile\shell\open\command

CAUTION: The HKEY_CLASSES_ROOT key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure you browse all the way along this path until you reach the \command subkey.

Do not modify the HKEY_CLASSES_ROOT\.exe key.

Do modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey that is shown in the following figure:

<<=== NOTE: This is the key that you need to modify.

9. Double-click the (Default) value in the right pane.

10. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

NOTE: The Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*"

11. Make sure you completely delete all value data in the command key prior to typing the correct data. If a space is left accidentally at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." or "Cannot locate C:\ <path and file name>." If this happens to you, start over at the beginning of this document, making sure to completely remove the current value data.

12. Restart the computer.

To set Windows to show all files:

You need to do this to make sure that you can find the files installed by W32.Navidad.1. Start Windows Explorer.

2. Click the View menu (Windows 95/98) or the Tools menu (Windows Me), and then click Options or Folder Options.

3. Click the View tab, and uncheck "Hide file extensions for known file types."

4. Click Show all files, and click OK.

To delete the files left by the worm:

To delete the files installed by W32.Navidad, follow these steps:1. Click Start, point to Find or Search, and then click Files or Folders.

2. Make sure that "Look in" is set to (C:) and that Include subfolders is checked.

3. In the "Named" or "Search for..." box, type--or copy and paste--the following:

navidad*.exe

4. Click Find Now or Search Now.

5. Delete any copies that you find.

6. Delete the text navidad*.exe from the "Named" or "Search for..." box.

7. In the "Named" or "Search for..." box, type--or copy and paste--the following:

winsvrc.* winsvic.* wintask.* emanuel*.exe

8. Click Find Now or Search Now.

9. Delete any files named Winsvrc.exe, Winsvrc.vxd, Winsvic.vxd, Wintask.exe, Wintask.vxd, or Emanuel.exe that you find.

NOTE: If Norton AntiVirus is installed and running on this computer, you may be alerted that the files are infected when you complete the previous steps. If that happens, choose Delete, and ignore any subsequent Windows messages saying that the file cannot be deleted. (This is Windows alerting you that it cannot find the specified file. It cannot find the file because it has already been deleted by Norton AntiVirus.)

10. Close the Find or Search window.

11. Right-click the Recycle Bin icon on the Windows desktop, and click Empty Recycle Bin.

The link to the removal tool: http://www.sarc.com/avcenter/venc/data/w32...avidad.fix.html

Share this post


Link to post
Share on other sites
Guest redbaron51

It shows that I have no virus on my computer.

 

I remember having one virus before, and deleting the sucker might have fucked my hardrive massivly then.

Share this post


Link to post
Share on other sites
Guest I'm That Damn Zzzzz

I found exe-fix but have no idea if it works.

 

The readme.txt from that site:

 

Reticulated's "Only-IE" Section

(For those that do not have an unzip program)

--------------------------------------------

Please use your Internet Explorer browser to download the files.

(Many Netscape browsers have difficulty downloading com files)

 

File descriptions

-----------------

Rx-Pack for Windows 95/98 - Freeware by rmbox

The "Only-IE" Rx Trojan Assitance Pack contains:

EXEfix08 - 43.3 KB

This program will restore the standard "EXE" information

into a SubSeven type Trojan altered Windows Registry.

(Use this program before any of the others)

StartUp Log - 44.6 KB

This little program will show you all the programs that start in

the many usual places when you start Windows.

(a very useful tool to help spot trojans)

Edit-WI - 39.0 KB

This program lists the usual infected lines in the win.ini file

in a generated text file and opens the win.ini in an Editor.

The text provides helpful assistance.

 

Edit-SI - 39.0 KB

This program lists the usual infected line in the system.ini file

in a generated text and opens the system.ini for Editing.

The text provides helpful assistance.

ReadMe.txt - 2.60 KB

This ReadMe file.

Notes

-----

 

The download files are used to help correct a system that has

been compromised by a Back Door Type Trojan.

Trojans will allow an unscrupulous person on the Internet

with the control part of the trojan, access to your computer.

Once they have access, they can do anything on your computer

that you can plus many things that you would not want done.

When the current Anti-Virus software packages spot a trojan,

they useually delete or quarantine it.

This can create a system paralysis that will not allow any of

the programs with an "EXE" extension to work.

The EXEfix08 will end this paralysis and allow the programs to

operate normally.

The next step in the trojan removal is to edit it from your

System Files and Registry.

I have included two programs to assist in doing this, but the

best way is to install and or use a good StartUp Editor.

Windows 98 users can use MSCONFIG.EXE.

Windows 95 users can get a very good StartUp Editor at:

  http://www.blds.canterbury.ac.nz/pcmag/StartupCop.htm

 

None of these freeware programs will make any unknown changes

or leave any unknown files on your computer.

I expect all of these programs with the exception of StartUp Log

to become obsolete when the large Anti-Virus companies finally

get around to providing a comprehensive fix.

                                            ~ rmbox  5/29/2000

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×