navapw32.exe - Dangerous
%windir%\navapw32.exe
Manual removal instructions:
Antivirus Report of %windir%\navapw32.exe:
%windir%\navapw32.exe
W32.Joot.A@mm is a mass-mailing worm that attempts to send itself to the email addresses that it finds on the computer.
It also attempts to spread using open shares and the peer-to-peer file-sharing networks Kazaa, iMesh, and Grokster.
The worm tries to disable the processes of several antivirus and personal firewall applications.
Due to bugs in the code, it may not function as intended.
Copies itself as %Windir%\Regedit.exe.tmp.
%Windir%\Regedit.exe is then executed on a new virtual desktop, and %Windir%\Regedit.exe.tmp is injected into its process space.
Looks for the locations of the Kazaa, iMesh, and Grokster shared folders in these registry keys:
HKEY_LOCAL_MACHINE\Software\Grokster\LocalContent
HKEY_LOCAL_MACHINE\Software\iMesh\Client\LocalContent
HKEY_LOCAL_MACHINE\Software\Kazaa\LocalContent
Copies itself to:
%Windir%\Navapw32.exe
%Windir%\SBBServ.exe
Adds the value: "ScriptBBlocking"="SBBServ.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
(In Windows 95/98/Me.)
Adds the value: NAV Agent="navapw32.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Attempts to add itself to the [boot] section of the System.ini file and the "run=" line of Win.ini file.
Searches for the email addresses in the files that have these extensions: .html; .htm; .tmp; .bak
Tries to send itself to any addresses that it finds, using the email account details gathered from the following registry location:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
The email will be one of the following:
Subject: Hi!
Message: This is a nice game I found. Beat my score: 5386 Points! Try it! :) See you later!
Subject: Something funny!
Message: This is my little test
May modify the following registry values to help it spread:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Flags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Parm1enc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Parm2enc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Path
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Remark
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Type
Automatically remove this worm from your system by using RegRun Startup Optimizer.
| %windir%\navapw32.exe | Malware |
| %windir%\navapw32.exe | Dangerous |
| %windir%\navapw32.exe | High Risk |
It also attempts to spread using open shares and the peer-to-peer file-sharing networks Kazaa, iMesh, and Grokster.
The worm tries to disable the processes of several antivirus and personal firewall applications.
Due to bugs in the code, it may not function as intended.
Copies itself as %Windir%\Regedit.exe.tmp.
%Windir%\Regedit.exe is then executed on a new virtual desktop, and %Windir%\Regedit.exe.tmp is injected into its process space.
Looks for the locations of the Kazaa, iMesh, and Grokster shared folders in these registry keys:
HKEY_LOCAL_MACHINE\Software\Grokster\LocalContent
HKEY_LOCAL_MACHINE\Software\iMesh\Client\LocalContent
HKEY_LOCAL_MACHINE\Software\Kazaa\LocalContent
Copies itself to:
%Windir%\Navapw32.exe
%Windir%\SBBServ.exe
Adds the value: "ScriptBBlocking"="SBBServ.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
(In Windows 95/98/Me.)
Adds the value: NAV Agent="navapw32.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Attempts to add itself to the [boot] section of the System.ini file and the "run=" line of Win.ini file.
Searches for the email addresses in the files that have these extensions: .html; .htm; .tmp; .bak
Tries to send itself to any addresses that it finds, using the email account details gathered from the following registry location:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
The email will be one of the following:
Subject: Hi!
Message: This is a nice game I found. Beat my score: 5386 Points! Try it! :) See you later!
Subject: Something funny!
Message: This is my little test
May modify the following registry values to help it spread:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Flags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Parm1enc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Parm2enc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Path
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Remark
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Type
Automatically remove this worm from your system by using RegRun Startup Optimizer.
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.