Nav32_loader.exe is a virus


the problem my computer is causing is that whenever it starts up, it gives me this error msg saying winservices has caused problems, i press ok, then it gives me the error msg saying that nav32_loader has caused a problem in syster tray remains empty, and whatever program i try to run, in most of the cases it gives me nav32_loader msg and asks me to restart the comp if the problem remains.......i try to restart or shut it down, but again the same error msg reappears, it wouldnt even let me shut down the computer....i dunno what to do, help me out as soon as possible........thanks for ur help


This question was answered on February 27, 2003. Much of the information contained herein may have changed since posting.

You have a virus go to this online website first and search nav32_loader.exe


This is a worm that propagates by sending email to addresses found in MSN Messenger, .NET messenger, Yahoo Pager and Windows Address Book Please see the details sections for the list of possible email formats the worm composed

The worm also terminates certain antivirus products and firewall software, including the Windows Task Manager program in Windows NT/2K/XP operating systems

The worm also copies itself to the system directory as the following file names:




It creates auto startup and shell spawning registry entries to execute these programs every time the system restarts or a program is double-clicked

The worm has payload that is triggered on March 25, May 22 or Thursday It does the following on the trigger date:

Swaps mouse buttons

Modifies Internet Explorer Start page

Set file attributes of files in My Documents folder to "Hidden"

Drops a file AYERHS.TXT the Desktop folder



To automatically remove this malware from your system, please use the Trend Micro System Cleaner


Addressing Registry Shell Spawning

Registry shell spawning executes the malware when a user tries to run an EXE file The following procedures should restore the registry to its original settings

Click Start>Run

In the Open input box, type:

command /c copy %WiDir%\rgedit.exe |

Press Enter

In the left panel, double-click the following:


In the right panel, locate the registry entry:


Check whether its value is the path and filename of the malware file

If the value is the malware file, right-click Default and select Modify to change its value

In the Value data input box, delete the existing value and type the default value:

"%1&uot; %* /p>

Close Registry Editor

Click Start>Run, then type:

command /c del %WiDir%\

Press Enter.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup

Open Registry Editor In the left panel, double-click the following:



In the right panel, locate and delete the entry or entries:

%Sytem\Winservices.exe %Sytem\Tcpsvs32.exe %Sytem\Nav32_loader.exe

%Sytem% rfers to the System folder, which usually either C:\Windows\System (9x/Me), C:\WinNT\System32 (NT/2000), or C:\Windows\System32 (XP)

Resetting Internet Explorer Homepage and Search Page

This procedure restores the Internet Explorer home page and search page to the default settings

Close all Internet Explorer windows

Open Control Panel Click Start>Settings>Control Panel

Double-click the Internet Options icon

In the Internet Properties window, click the Programs tab

Click the �SReset Web Settings⬦⬝ button

Select �SAlso reset my home page.⬝ Click Yes

Click OK.

Removing the Dropped File

Delete the file AYERHS.TXT located on your desktop

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_YAHA.M To do this, Trend Micro customers must download the latest pattern file and scan their system Other Internet users can use HouseCall, Trend Micro's free online virus scanner

Need Help with this Issue?

We help people with technology! It's what we do.
Schedule an Appointment with a location for help!


Posted by Eugene of Katharine Gibbs School - New York on February 27, 2003