• From: "Pam" <ltf01@xxxxxxxxxx>
  • To: <pcductape@xxxxxxxxxxxxx>
  • Date: Wed, 8 Jan 2003 00:39:09 -0600

This, from Trend, is a manual way to remove the virus.  See below that for
links to auto tools at various AV sites.

Terminating the Malware Program

This procedure terminates the running malware process from memory on Windows
9x/ME systems only. You will need the name(s) of the file(s) detected

  1. Open Windows Task Manager. To do this, press the CTRL+ALT+DELETE keys
  2. In the list of running programs*, locate the malware file or files
detected earlier.
  3. Select one of the detected files, then press the End Task button.
  4. Do the same for all detected malware files in the list of running
  5. To check if the malware process has been terminated, close Task
Manager, and then open it again.
  6. Close Task Manager.

Note: On systems running Windows NT/2000/XP, Task Manager is terminated by
the malware. To effectively terminate the malware process(es), you may use a
third party process viewer similar to the Process Explorer provided by
Sysinternals and then continue with the next procedure, noting additional

Resetting the Mouse Configuration

The malware swaps the functions of the left and right mouse buttons as a
payload. Follow these instructions to reset your mouse configuration.

  1. Open Control Panel. Click Start>Settings>Control Panel.
  2. Select Mouse, then press Enter.
  3. In the Buttons Tab, pick either Right-handed or Left-handed depending
on your original configuration. Click OK.
  4. Close Control Panel.

Addressing Registry Shell Spawning

Registry shell spawning executes the malware when a user tries to run an
.EXE file. The following procedures should restore the registry to its
original settings.

  1. Click Start>Run.
  2. In the Open input box, type:
     command /c copy %WinDir%\regedit.exe regedit.com | regedit.com
  3. Press Enter.
  4. In the left panel, double-click the following:
  5. In the right panel, locate the registry entry: Default
  6. Check whether its value is the path and filename of the malware file.
  7. If the value is the malware file, right-click Default and select
Modify to change its value.
  8. In the Value data input box, delete the existing value and type the
default value: "%1" %*
  9. Close Registry Editor.
  10. Click Start>Run, then type: command /c del %WinDir%\regedit.com
  11. Press Enter.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from
executing during startup.

  1. Open Registry Editor again. To do this, click Start>Run, type REGEDIT,
then press Enter.
  2. In the left panel, double-click the following:
  3. In the right panel, locate and delete the entry or entries:
     "WinServices" = %System%\WinServices.exe
  4. In the left panel, double-click the following:
  5. In the right panel, locate and delete the entry or entries:
     "WinServices" = %System%\WinServices.exe
  (Note: %System% is the Windows system folder, which is usually
C:\Windows\System on Windows 9x and ME, C:\WINNT\System32 on Windows NT and
2000, or C:\Windows\System32 on Windows XP.)
  6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as
described in the previous procedure, restart your system.

To Unhide Personal Folder

  1. Enable Show All Files
    1. Open Windows Explorer. Right-click Start then click Explore.
    2. Enable the Show All Files option:
    On Windows 9x/NT:
      1. On the View menu, click Options or Folders Options.
      2. Click the View tab.
      3. Select "Show all files," then click OK.
    On Windows 2000/ME/XP:
      1. On the Tools menu, click Folder Options.
      2. Click the View tab.
      3. Select "Show hidden files and folders," then click OK.
  2. In Windows Explorer, access your usual personal folder, which should
be visible by now. The personal folder is usually C:\My Documents.
  3. Right-click the folder and click Properties.
  4. In the Attributes section, uncheck Hidden and click OK.
  On Windows 9x/NT, repeat the process for all files and folders inside your
personal folder.
  On Windows ME/2000/XP, select to Apply changes to this folder, subfolder
and files.
  5. Close Windows Explorer.

auto removal tools from various AV sites:  (be sure to find the right


(near bottom of page)



  -----Original Message-----
  From: pcductape-bounce@xxxxxxxxxxxxx
[mailto:pcductape-bounce@xxxxxxxxxxxxx]On Behalf Of trapper
  Sent: Wednesday, January 08, 2003 12:24 AM
  To: Tech- Pc-Ductape
  Subject: [pcductape] FYI: YAHA WORM SPREADING

  So do we have a fix for it???
  Originating from the Middle East, could this be the first Al Qaeda
computer virus? It threw AV researchers for a loop initially, because it
arrived in three separate packages. Are you protected from Yaha.J, Yaha.K
and Yaha.L? Check our story to cut through the confusion!


  Arts of Alaska

  To join a " Christian Study " click below
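
The two registry checks in the manual procedure above (a Default value that points at the malware file, and "WinServices" autostart entries) can be run over a REGEDIT4 text export instead of by eye. This is an added example, not code from Trend or from the posts in this thread; the key names are placeholders because the keys to open did not survive on this page, and it assumes the hijacked Default value references the same WinServices.exe named in the autostart entries.

```python
import re

SAFE_EXE_COMMAND = '"%1" %*'          # default value the procedure restores
MALWARE_FILES = ("winservices.exe",)  # file name from the page's autostart entry

# Constructed sample export; HKEY_PLACEHOLDER key names are placeholders.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_PLACEHOLDER\ShellSpawnKey]
@="C:\\WINDOWS\\SYSTEM\\WinServices.exe \"%1\" %*"

[HKEY_PLACEHOLDER\AutostartKey]
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
"SystemTray"="SysTray.Exe"
'''

_KEY = re.compile(r'^\[(.+)\]$')
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    """Strip the surrounding quotes of .reg string data and undo \\ and \" escapes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r'\\(.)', r'\1', s)

def scan_reg_export(text, malware_files=MALWARE_FILES):
    """Return (key, value name, data, action) for every value referencing a malware file."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1))
        data = _unescape(m.group(2))
        if not any(f in data.lower() for f in malware_files):
            continue
        # A hijacked Default is reset, not deleted; named autostart entries are deleted.
        action = ("reset to " + SAFE_EXE_COMMAND) if name == "(Default)" else "delete entry"
        findings.append((key, name, data, action))
    return findings

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_EXPORT):
        print(finding)
```

Pass the names of the files your scanner detected as `malware_files` (lower-case) when they differ from the default.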
