
NAVW32.EXE altered


Daniel Frank

Sep 22, 1998, 3:00:00 AM
Configuration Information:
Version: 4.0

Hey Guys,

I got this really weird error message tonight when I tried to scan a
disk before uploading it onto my hard drive. The message stated:

"The file NAVW32.EXE has been altered.

Please restart your computer from your NAV rescue disks and scan for
viruses. If no viruses are found, try re-installing Norton
Anti-Virus from your original disks."

After this message had been displayed, the computer froze. As I am
also running Norton Crash Guard, I was able to hit the
Ctrl-Alt-Delete keys and end the frozen task. However, the computer
remained locked and did not respond to any subsequent attempts at
the Ctrl-Alt-Delete key sequence. I then shut off the power and
tried rebooting with the Norton Rescue Disks I had created. These
were of no help; they did not detect a virus and windows would not
reboot. I turned off the power again and let the computer rest for a
minute. When I attempted a cold-reboot without the Norton Rescue
Disks, the computer started up as normal.

At that time I attempted to reinstall the Norton Anti-Virus Software
as instructed by the error message. This move had no effect on the
problem as I later realized.

When I attempted to test the integrity of the diskette for a second
time, the same error message was displayed. This time the computer
did not freeze. The Norton System Doctor on my computer then did a
scan and prompted me that a virus had been detected on my computer.
When I attempted to fix the problem, the same old error message
appeared.

This is quite a frustrating problem as it appears that my Norton
Anti-Virus software is now useless. Please advise on how I may be
able to fix this problem.

Steve Topilnycky <S.S.V.>

Sep 22, 1998, 3:00:00 AM
Daniel,
It appears that your NAV has become infected. As of recently a virus named
W95.CIH has been the culprit. If you would like to remove the virus W95.CIH
from your computer, follow these instructions:

Download the KILL_CIH.EXE tool from:

ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/


The KILL_CIH tool is designed to safely detect and remove all known strains
of the W95.CIH virus (known strains as of August 3rd, 1998) from memory
under Windows 95 and Windows 98 (the W95.CIH virus cannot infect Windows NT
systems). If the tool is run before the virus has infected the system, it
will also "inoculate" the computer's memory to prevent the W95.CIH virus
from infecting the system until the next system reboot.

*NOTE* If you are already infected with the W95.CIH virus, run the KILL_CIH
tool first before attempting to continue.

Once you have run the KILL_CIH.EXE file, create a boot disk.

To create a Windows 95 Boot Disk, Go to the Control Panel. Click Add/Remove
Programs. Click the Startup Disk Tab. Click the Create Disk button. Once
the disk has been created, write protect it, to prevent it from becoming
infected.


ABSOLUTELY DO NOT scan an infected system from a DOS window. W95.CIH goes
memory resident and infects upon opening files, for example, when copying or
reading. This means that you cannot scan with NAVC in the login script or
NAVC will spread the virus to all W32 files on infected systems. Use of NAVC
requires a clean boot as specified in this document:

1. Make a folder (directory) called C:\NAVC. At a command prompt type

MD C:\NAVC and press the Enter key.

2. Download the file NAVC10.EXE into the new directory C:\NAVC. This file is
located at: http://www.symantec.com/nav/navc.html

3. Power down, and then boot to a command line from a known clean boot disk.

4. Change to the C:\NAVC directory by typing:

C: [Enter]
CD C:\NAVC [Enter]

5. At the C:\NAVC> prompt, type NAVC10 and press the Enter key. This will
extract the necessary files to that directory.

6. At the same C:\NAVC> prompt, type:
NAVC /doallfiles /repair and press the Enter key.

This scans the entire system. Any occurrences that are not repaired by NAVC
should be sent in as a sample to the Symantec AntiVirus Research Center at
http://www.sarc.com

If you would like to learn more information about this virus, check out:
http://www.sarc.com/avcenter/data/cih.html

Don't hesitate to let me know if I can be of further assistance.

Regards,

--
Steve Topilnycky
Symantec Norton AntiVirus Support Volunteer
================================================================
Please continue to post your messages to the public discussion group as
Symantec does not provide support via private e-mail. Thank you.

If you have difficulty getting a response, please read the following
article:

http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/1998527114414

Home Brewed Computing Solutions (My Home Page):
http://ourworld.compuserve.com/homepages/steve_topilnycky/
=================================================================


Daniel Frank wrote in message <980822034732.3283477146@servicenews>...

Daniel Frank

Sep 23, 1998, 3:00:00 AM
Steve,

I printed out your instructions so that I would not miss any steps,
however there seems to be some problem somewhere.
I downloaded the kill_cih.exe and the navc10.exe from symantec, made
a write-proof boot disk, and ran kill_cih.exe. After that, I powered
down, waited five seconds and powered back up with the boot disk in
the A: drive. At the prompt, I switched to c:/navc and ran
navc10.exe. This program found that 273 files were infected with the
W95.CIH.1075 virus, many of which I recognized to be key Windows 95
files. I then started windows and reloaded my Norton Anti-Virus
software to replace the corrupted NAVW32.EXE file. I then downloaded
the updated virus definitions from Norton Live Update and proceeded
to reboot the computer. As the computer was rebooting, the screen
began to display a red box in the center telling me that a certain
.exe file had been infected with the W95.CIH virus and giving me
several options. In all cases, I chose to do the repair function
and the reboot progressed until it ran into the next infected file.
After everything had been loaded, my Norton Utilities, which has
Anti-Virus as a part, prompted me that a virus had been found.
However, when I tried to run Norton Anti-Virus to repair this
problem, I found that the NAVW32.EXE file was still altered. My
computer did not crash as it did the first time, but the procedures
that I performed did not seem to work. Please advise on if I did
something wrong or if there is a different procedure I should follow.

Thanks for your help,
Daniel Frank

LaVonne Perry [Symantec]

Sep 24, 1998, 3:00:00 AM
Hello Daniel,

I'd recommend rebooting the system to DOS from your boot disk and running
another scan with NAVC10. Make sure that you're using this command:

navc /doallfiles /repair

Note that there are spaces between each switch. Let the scan complete. Then,
restart normally. Once you have removed the virus from your system, you may
have to uninstall, and reinstall NAV. If after reinstalling you still get the
message that NAVW32.EXE is altered, then please submit a sample to SARC for
analysis. You may have a new strain of the virus.

If you should have any further questions or concerns, please don't hesitate to
ask.

Thanks for writing,
--
LaVonne Perry
Senior Support Analyst
Symantec Corporation

Please continue to post your messages to the public discussion group as
Symantec does not provide support via private e-mail. Thank you.

If you have difficulty getting a response, please read the following article:

http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/1998527114414

For free technical support newsletters, Knowledge Base support articles, our
Online Support Genie, and FAQs, visit our Norton AntiVirus support page:

http://www.symantec.com/techsupp/nav.html

Personalize your technical support pages at:

http://www.symantec.com/techsupp/custom/custom.cgi
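
The "NAVW32.EXE has been altered" message discussed in this thread is the result of a file integrity check. The sketch below is an added example, not part of the original posts and not Norton AntiVirus's own implementation: it baselines executables by SHA-256 on a clean system and later reports which ones no longer match. The file contents, the extension list and the function names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

EXEC_EXTS = (".exe", ".dll")  # assumption: file types worth baselining

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> (size, digest). Build it on a known-clean system
    and keep it on write-protected media, like the boot disk in the thread."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXEC_EXTS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest

def verify(root, manifest):
    """Return {relpath: status} for every baselined file that no longer matches."""
    findings = {}
    for rel, (size, digest) in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings[rel] = "missing"
        elif sha256_file(full) != digest:
            same = os.path.getsize(full) == size
            findings[rel] = "altered (size unchanged)" if same else "altered"
    return findings

def demo():
    """Constructed sample: two stand-in executables, one overwritten in place."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("NAVW32.EXE", "OTHER.EXE"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"MZ" + b"\x00" * 254)  # constructed bytes, not a real PE
        manifest = build_manifest(root)
        with open(os.path.join(root, "NAVW32.EXE"), "r+b") as f:
            f.seek(128)
            f.write(b"\x90" * 16)  # same-length overwrite: size stays 256
        return verify(root, manifest)

if __name__ == "__main__":
    print(demo())
```

The digest comparison catches the change even though the file size is identical, which a size-only check would miss. As with the NAVC scan in the thread, the verification is only trustworthy when run from a clean boot against a manifest the infected system could not modify.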

