W32.Yalove.F

Contents of this article pertain W32.Yalove.F. This page includes description, technical aspects, and removal guide to delete the threat from your computer.

W32.Yalove.F is a computer worm that typically spread via Yahoo! Instant Messenger program. It copies itself to all hard drives and removable drives it may found of the infected computer. This worm may also connect to a remote location to download more threats. It can disable certain Windows system tools and security programs. The worm brings potential damages that can lead to failure of some programs.

Alias: W32/Shahrokh-A, Worm.Win32.AutoRun.dpc, Win32/AutoRun.MC

Damage Level: Low

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
On first execution, W32.Yalove.F will drop a couple of executable files inside Windows System folder. It also infects all drives by placing “auto.exe” and “autorun.inf” which allows the worm to run when user accesses the drive. To gain more strength and overpower the system, the worm adds entry to system registry and modifies existing settings. These changes will allow the threat to run each time Windows starts. Additional registry entries in places on the system will perform the following actions:

  • Redirect Internet browser to myebuddy.com
  • Disable task manager and folder options
  • Set a different homepage for the affected browser
  • Ends processes that are included in its block list

This worm occasionally connects to various URLs and tries to update itself by downloading files from that location. It may also reduce current security settings of the infected computer by ending any processes that belongs to anti-virus programs.

Distribution
W32.Yalove.F spreads via Yahoo! Instant Messaging application. It will gather contact details on the compromised PC and uses this information to mass-send a message containing malicious links that points to a site where visitors may be infected with the worm.

How to Remove W32.Yalove.F

1. Temporarily Disable System Restore (Windows Me/XP).
2. Open your antivirus application and update the virus definition file. This method ensures that your antivirus program can detect even newer variants of W32.Yalove.F

3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will now boot Windows and loads only necessary drivers and files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If unable, better place them in quarantine. Once the scan is complete, please proceed with the next step.

Online Virus Scanner:

Another way to remove W32.Yalove.F without the need to install additional antivirus application is to perform a thorough scan with free online virus scanner that can be found here or on websites of legitimate anti-virus and security provider.

5. Go to Online Virus Scanner list and run a virus scan. This may require plug-ins, add-on or Activex object, please install if you want to proceed with scan.
6. After completing the necessary download, your system is now ready for online virus scanning.
7. Select an option in which you can thoroughly scan the computer to make sure that it will find and delete entirely all infections not detected on previous scan.
8. Remove or delete all detected items.
9. When scanning is finished you may now restart the computer in normal mode.

Reset the Internet Explorer home page

- Start Microsoft Internet Explorer.
- Connect to the Internet, and then go to the page that you want to set as your home page.
- Click Tools > Internet Options.
- In the Home page section of the General tab, click Use Current > OK.
- Close Internet Explorer and reboot the computer.

Alternative Removal Method for W32.Yalove.F

Option 1 : Use Windows System Restore to return Windows to previous state

If W32.Yalove.F enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a saved restore point before W32.Yalove.F infiltrates the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore, click here to see the full procedure.

Option 2 : W32.Yalove.F manual uninstall guide

IMPORTANT! Manual removal of W32.Yalove.F requires technical skills. Deleting system files and registry entries by mistake may result to total disability of Windows system. We advise you to perform a backup of registry before proceeding with this guide.

1. Kill any running process that belongs to W32.Yalove.F.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for W32.Yalove.F files (refer to Technical Reference) and click End Process.

End Task

2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete registry entries as mentioned in Technical Reference section below.
- Close registry editor. Changes made will be save automatically.

Run Regedit

3. Scan the computer with antivirus program.
- Connect to Internet and open your antivirus software. Please update to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before Windows logo begins to load press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.

4. Delete all files dropped by W32.Yalove.F.
- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.

Technical Reference

Associated Files and Folders:Added Registry Entries: