
Thread: Norton Antivirus...

  1. #11
    Senior Member
    Join Date
    Feb 2002
    Posts
    253
    TemplarNight mentioned Yaha.k. Here is the Symantec write-up on it:

    [url]http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.k@mm.html[/url]

    Wonder which virus hit MetalMaggot?

  2. #12
    Senior Member
    Join Date
    Sep 2001
    Posts
    110
    hi

    i recently cleaned up a pc that had a variant of yaha, called yerh$. at first i had been unable to get into the registry: the regedit screen would pop up for a sec or two, then disappear (how very odd), even in safe mode. as this was my main way of removing startup programs from windows, i was pretty much stuffed. i was about to give up and backup, wipe and reinstall the box (which i didn't really want to do as it wasn't one of mine). luckily i found out what worm this was by a dump file that yerh$ hides on the desktop, and read up on it from the trendmicro and symantec sites. anyways, if you can't access regedit because it does the same thing, then copy regedit.exe to regedit.com and run regedit.com; that will allow you in to remove the entries from startup (look for WinServices and TCPSRV32 or something like that). hope this helps anyone else who gets it.

    regards,
    mark.

    Originally posted here by MetalMaggot
    Hello everybody, i'm new around here.

    Last month i scanned my computer for virii, and i found: mnsvcp.dll
    But i can't delete the file! When i click on it and press DEL it says something like this: Can't delete mnsvcp.dll because it might be in use or something like that. So when i start my computer it says: virus found. Does anybody know how to get the thing off my hard disk?

    Thanks a lot

    MetalMaggot
    hi

    i got a bit carried away with the yerh$ stuff.

    the places to check where it is loaded up would be (some of these had already been mentioned):
    1. registry (try HKLM\software\microsoft\windows\currentversion\run or runservices)
    2. windows' win.ini (run= should normally be blank), system.ini (shell= should normally be explorer.exe or litestep.exe if you're a litestep user)
    3. autoexec.bat (not really done anymore)

    hope this helps.

    regards,
    mark.
    'hi, welcome to *****. if you would like to speak to an operator, please hang up now.'
    * click *
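
The win.ini and system.ini checks listed in the post above can be run offline against copies of the two files. This is an added example, not part of the original thread: the sample file contents and the name sample.exe are constructed, and load= is the sibling key of run= in the same section, which the post does not mention.

```python
import configparser

# Values the post calls normal for system.ini shell=
EXPECTED_SHELLS = {"explorer.exe", "litestep.exe"}

def _load(text):
    # Win9x INI files: no interpolation, repeated keys (device=), ';' comments
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      comment_prefixes=(";",), delimiters=("=",))
    cp.read_string(text)
    return cp

def _get(cp, section, key):
    # Section names are matched case-insensitively; keys are lowercased by configparser
    for name in cp.sections():
        if name.lower() == section:
            return (cp[name].get(key) or "").strip()
    return ""

def audit(win_ini, system_ini):
    """Return findings for the win.ini / system.ini startup entries."""
    findings = []
    win = _load(win_ini)
    for key in ("run", "load"):  # load= is an addition, see lead-in
        value = _get(win, "windows", key)
        if value:
            findings.append(f"win.ini [windows] {key}= is not blank: {value}")
    shell = _get(_load(system_ini), "boot", "shell")
    # Compare the whole value: a program appended after explorer.exe is also
    # started at logon. A full path to explorer.exe is flagged too, for review.
    if shell.lower() not in EXPECTED_SHELLS:
        findings.append(f"system.ini [boot] shell= is unexpected: {shell or '(missing)'}")
    return findings

# Constructed sample files (not taken from an infected machine)
WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\sample.exe
"""
SYSTEM_INI = r"""[boot]
shell=Explorer.exe sample.exe
[386Enh]
device=*vshare
device=*dynapage
"""

if __name__ == "__main__":
    for finding in audit(WIN_INI, SYSTEM_INI):
        print(finding)
```
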
