Topic: Virus help, ANYONE!!! (Read 269 times)
brain_cramps
Virus help, ANYONE!!!
« on: Mar 3rd, 2003, 1:36pm »
Has anyone out there run into the "W32/Yaha-L" virus? Besides changing your 'home-page', it runs 'whenever you launch a file with an EXE extension'. This makes it especially tough to remove 'bad' registry entries using 'regedit'. I have been able to locate the files that it installs, but am unable to delete them until their references are removed from the registry. Kind of a 'catch-22'. Help and thanks in advance, grant
brain_cramps
Re: Virus help, ANYONE!!!
« Reply #1 on: Mar 3rd, 2003, 1:40pm »
Note: I've already tried to run regedit in 'safe mode' and same problem. It starts, runs for about a second, and quits. Somebody should shoot the bastards that think up shit like this!!!
Kirk (CH.com Alumnus)
Re: Virus help, ANYONE!!!
« Reply #2 on: Mar 3rd, 2003, 1:42pm »
Try RegClean 4.1a. http://www.cnet.com has it in their Windows download section. It's free and might do the trick. Other than that, running FreeBSD or Linux is the best I can suggest. ;D
brain_cramps
Re: Virus help, ANYONE!!!
« Reply #3 on: Mar 3rd, 2003, 1:48pm »
on Mar 3rd, 2003, 1:42pm, Kirk wrote: Other than that, running FreeBSD or Linux is the best I can suggest.

ROTFLMAO - It's my parents' system. I kind of think Linux might be a little over their heads. Downloading RegClean and going to give it a shot. Thanks Kirk and I'll let you know, grant
brain_cramps
Re: Virus help, ANYONE!!!
« Reply #4 on: Mar 3rd, 2003, 2:06pm »
Well Kirk, no such luck. ??? Attached is a link describing it: http://www.sophos.com/virusinfo/analyses/w32yahal.html

<< Once executed, W32/Yaha-L stays resident in memory as a process which is not visible in the task list. The worm takes active measures against anti-virus software including:
- automatically resetting the registry modifications if they are changed
- actively terminating a range of anti-virus, firewall and internet service programs
- actively terminating REGEDIT >>

Pretty creative, huh?
Kirk (CH.com Alumnus)
Re: Virus help, ANYONE!!!
« Reply #5 on: Mar 3rd, 2003, 2:15pm »
Found another for you. http://onlinepcfix.com/virushelp/antivirus.htm They have a standalone remover for all the Yaha(Lentin) worms there. Just put the Redmond splash screen and theme on Linux and don't tell your parents. hehehehehe ;D
BruceD (CH.com Alumnus)
Re: Virus help, ANYONE!!!
« Reply #6 on: Mar 3rd, 2003, 2:16pm »
I just looked and Symantec has a program to remove it. I don't know if you've tried that yet, but it may be of use. They've got some step-by-step instructions too. http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.l@mm.html Hope this helps, BruceD
Kirk (CH.com Alumnus)
Re: Virus help, ANYONE!!!
« Reply #7 on: Mar 3rd, 2003, 2:23pm »
Just another script kiddie. Nothing really creative about it. Although the DDoS attack against a Pakistani government site is almost cute.. If the remover doesn't work let me know. We're all pulling for ya over here. Who needs another headache.
brain_cramps
Re: Virus help, ANYONE!!!
« Reply #8 on: Mar 3rd, 2003, 2:25pm »
Thx everybody. Already tried the 'onlinepcfix.com' link and the 'securityresponse.symantec.com' link. 'onlinepcfix.com' wants $ and I guess that will probably be the next step. 'sophos.com' gives a bunch of instructions that they obviously never tested, since they admit that REGEDIT won't run but they still want you to remove registry entries. Frozen and frustrated! grant
BruceD (CH.com Alumnus)
Re: Virus help, ANYONE!!!
« Reply #10 on: Mar 3rd, 2003, 2:33pm »
Try renaming the regedt32.exe to regedt32.com and give that a go.
brain_cramps
Re: Virus help, ANYONE!!!
« Reply #11 on: Mar 3rd, 2003, 4:42pm »
Thanks Kirk, BruceD, Ueli and Randy

on Mar 3rd, 2003, 2:23pm, Kirk wrote: Although the DDoS attack against a Pakistani government site is almost cute..

That's about the only CUTE thing I found. If anyone gets this little steaming nugget of shit virus, beware of the following:
- OnlinePCFix.com has incomplete/incorrect instructions.
- Sophos.com also has incomplete/incorrect instructions.
- Symantec has incomplete/incorrect instructions, but has a downloadable fix that is FREE and WORKS!

After copying REGEDIT.EXE to REG.COM, I still had problems. If you go and make the 'required' registry changes, when you go back in, the changes have already been overwritten with the incorrect changes. The 3 sites said there would only be 3 infected files to be deleted and 3 registry entries to be changed. There were 15 files to be deleted. Thanks and it's Miller time, Grant
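Added example (not part of the thread, not any vendor's tool): the two symptoms the posters describe, "runs whenever you launch a file with an EXE extension" and "copy REGEDIT.EXE to REG.COM gets you into the registry", fit the classic interposition on the `.exe` file association, where `HKEY_CLASSES_ROOT\exefile\shell\open\command` is changed from the stock `"%1" %*` to `<worm> "%1" %*`, while the `comfile` association is left alone. That mapping to the `exefile` key is my assumption, not something the thread states. The script below parses a `.reg` export (the sample export and the path `WORM_PLACEHOLDER.exe` are constructed), resolves a filename the way the shell does (extension, ProgID, `shell\open\command`) and flags any launcher sitting in front of `exefile` or `comfile`. It does not address the other half of the problem in the thread, the hidden process that rewrites the keys back; that process has to be stopped before any registry repair sticks.

```python
"""Check a Windows .reg export for a hijacked .exe / .com file association.

Added example, not from the thread. The sample export below is constructed;
WORM_PLACEHOLDER.exe is a stand-in path, not a real Yaha-L filename.
"""
import re
from typing import Dict, Tuple

# Constructed sample export, as `regedit /e` might produce on an infected box.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\.com]
@="comfile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\WORM_PLACEHOLDER.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

# Stock open command for exefile and comfile on a clean install.
EXPECTED_OPEN_COMMAND = '"%1" %*'


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a version 5.00 .reg export into {key_path: {value_name: data}}.

    Only quoted REG_SZ values are unescaped; other value types are kept raw,
    which is enough for the file-association keys examined here.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg string escaping: \\ -> \ and \" -> "
            data = re.sub(r'\\(["\\])', r'\1', data[1:-1])
        keys[current][name] = data
    return keys


def open_command_for(keys: Dict[str, Dict[str, str]], filename: str) -> Tuple[str, str]:
    """Resolve filename -> extension -> ProgID -> shell\\open\\command.

    This mirrors what the shell does on launch, so it shows why REGEDIT.EXE
    goes through the hijacked exefile command while REG.COM does not.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower()
    progid = keys.get("HKEY_CLASSES_ROOT\\" + ext, {}).get("(Default)", "")
    cmd_key = "HKEY_CLASSES_ROOT\\" + progid + "\\shell\\open\\command"
    return progid, keys.get(cmd_key, {}).get("(Default)", "")


def hijacked_progids(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Return {progid: command} for exefile/comfile whose open command is not
    the stock value, i.e. something is interposed on every program launch."""
    bad: Dict[str, str] = {}
    for progid in ("exefile", "comfile"):
        cmd_key = "HKEY_CLASSES_ROOT\\" + progid + "\\shell\\open\\command"
        cmd = keys.get(cmd_key, {}).get("(Default)")
        if cmd is not None and cmd != EXPECTED_OPEN_COMMAND:
            bad[progid] = cmd
    return bad


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for name in ("REGEDIT.EXE", "REG.COM"):
        progid, cmd = open_command_for(parsed, name)
        print(f"{name:12} -> {progid:8} -> {cmd}")
    for progid, cmd in hijacked_progids(parsed).items():
        print(f"HIJACKED: {progid}\\shell\\open\\command = {cmd}")
```

Run against a real export (`regedit /e out.reg HKEY_CLASSES_ROOT`, launched from a renamed `.com` copy if `.exe` launches are intercepted), a non-empty result from `hijacked_progids` is the key to restore to `"%1" %*` once the resident process is gone; if the value reverts on its own, the process is still running and the repair is premature.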