Yahoo Messenger Worm/Virus Attack
October 31, 2006 at 10:28 am | In Technology, Tutorial, hack & crack | 13 Comments
Original posting from: http://forums.sureshkumar.net/showthread.php?t=7790
Here is the posting:
It is one of the most powerful Trojans/viruses I have ever seen. If your computer is infected with this virus, it will send the nsl-school.org URL to everyone on your friend list in Yahoo Messenger using your ID. So within a few hours many of your friends will get infected with it.
I don’t know the actual target of the idiot who created it. Maybe to advertise his site or to steal very important data from your computer. I resolved the problem manually on 2 infected PCs. Just go through the steps below carefully.
What are those links?
Nsl-school.org or other (do not open this URL in your browser).
If you are infected with it, what is going to happen?
1: It sets your default IE page to nsl-school.org, and you can’t even change it back to another page. If you open IE on your computer, some malicious code will automatically be executed on your computer.
2: It disables the Task Manager and regedit, so you can’t kill the Trojan process anymore.
3: Files that are going to be installed by this virus are svhost.exe, svhost32.exe, internat.exe.
You can find these files in the windows/ & temp/ directories.
4: It will send secured & protected information to the attacker.
How to remove this manually from your computer?
1: Close the IE browser. Log out of Messenger / remove the Internet cable.
2: To enable Regedit
Click Start, Run and type this command exactly as given below: (better – Copy and paste)
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
3: To enable task manager : (To kill the process we need to enable task manager)
Click Start, Run and type this command exactly as given below: (better – Copy and paste)
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
4: Now we need to change the default page of IE through regedit.
Start > Run > Regedit
In the locations below in Regedit, change your default home page to google.com or other.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
Just replace the attacker site with google.com or set it to a blank page.
5: Now we need to kill the process from the back end. Press Ctrl + Alt + Del.
Kill the process svhost32.exe. (There may be more than one process running; check properly.)
6: Delete the svhost32.exe and svhost.exe files from the Windows/ & temp/ directories. Or just search for svhost on your computer and delete those files.
7: Go to regedit (Start menu > Run > Regedit), search for svhost and delete all the results you get.
8: Restart the computer. That’s it, now you are virus free.
I don’t know whether there is any removal patch that works for this Trojan/virus. But we can easily delete it manually.
** Send this URL to all of your friends through messenger so that they can get rid of this virus. **
Conclusion: Better not to open any unknown URL from your computer. There are a lot of black hat hackers who are waiting to steal your credit card numbers, passwords or what not. Use a better firewall & updated antivirus. However, an antivirus can do nothing if the virus is very new.
Let me know if you need any more help.
To know more about protecting your passwords, read my other article here:
http://forums.sureshkumar.net/showthread.php?t=94
Cheers,
Sureshkumar CH,
Information Security Specialist.
www.sureshkumar.net.
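Added example, not part of the original posting: a read-only PowerShell check for the indicators the removal steps name (the two policy values, the IE home page in the three listed keys, the svhost processes, and the three file names in the Windows and temp directories). The `Start Page` value name and the two `Run` autorun keys are assumptions added here; the post names only the keys and says to search the registry for svhost.

```powershell
# Added example: read-only audit of the indicators named in the post; changes nothing.
$findings = @()

# Steps 2-3: the post resets these policy values to 0; a non-zero value blocks the tool.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
    $v = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($v) { $findings += "Policy $name = $v" }
}

# Step 4: IE home page in the three keys the post lists ('Start Page' is an assumed value name).
$ieKeys = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main',
          'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main',
          'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main'
foreach ($key in $ieKeys) {
    $page = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($page -match 'nsl-school\.org') { $findings += "Start Page = $page under $key" }
}

# Step 5: process names from the post. The genuine Windows service host is svchost.exe (with a "c").
foreach ($p in Get-Process -Name 'svhost', 'svhost32' -ErrorAction SilentlyContinue) {
    $findings += "Process $($p.Name) PID $($p.Id) $($p.Path)"
}

# Step 6: the three file names, looked up in the Windows and temp directories; hash kept for later lookup.
$names = 'svhost.exe', 'svhost32.exe', 'internat.exe'
$dirs  = $env:windir, $env:TEMP, (Join-Path $env:windir 'Temp') | Select-Object -Unique
foreach ($dir in $dirs) {
    foreach ($n in $names) {
        $path = Join-Path $dir $n
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $findings += "File $path SHA256 $hash"
        }
    }
}

# Step 7, narrowed to the autorun keys (assumption): values that mention svhost.
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ("$($prop.Value)" -match 'svhost') { $findings += "Autorun $($prop.Name) = $($prop.Value) under $run" }
    }
}

if ($findings) { $findings } else { 'None of the indicators from the post were found.' }
```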
13 Comments »
I made a removal tool for the above-mentioned trojan. You can download it from http://www.sendspace.com/file/8ohu68
Hope it helps someone.
mohnish (ex-Microsoft tech support executive)
Comment by mohnish — November 4, 2006 #
Hi Suresh,
I don’t know why, my “RUN” is lost after the virus is in my PC. Now how am I going to do it when I don’t have that so-called “RUN”?
Please enlighten. Thanks
Comment by Brandon — November 4, 2006 #
That was really helpful. You, a genius! Your instructions were so clear, it made me feel really smart after I killed the damn virus. Thanks again.
Comment by Mamtha — November 5, 2006 #
Go to WINDOWS\system32 and run the file named gpedit.msc
After that, User Configuration > Administrative Templates > Start Menu And Taskbar
Find the line "Remove run menu from Start Menu" and double-click it
Select Disabled and click OK (Note: if the Disabled option is already selected, select the Not Configured option instead)
Now try Windows + R. If it still doesn’t work,
go to Task Manager and end the explorer.exe process,
then click on File > New … explorer.exe and press Enter.
Now try Windows + R.
Any problems, mail me at mohnish_loves_none@hotmail.com
— mohnish (ex-Microsoft tech support executive)
Comment by mohnish — November 5, 2006 #
mohnish and suresh,
thank you. It really works. I did it.
Now it’s free from the virus.
Thanks again
Comment by kapil — November 9, 2006 #
Hi friend, I have a problem. I can’t remove the virus. It gives some error message, I don’t know. I just followed what you say. I just copied the regedit comment and pasted it in Run. When I click OK it gives an error message, that is (cannot find the file “REG” (or one of this its components)..make sure the path and that all required libraries are available). Hmm, I don’t know what to do. Please help me to remove this. Please reply to me as soon as possible. Please mail me at rajes_raj07@hotmail.com.
Comment by Rajes — November 10, 2006 #
Yes, same problem here. The virus made my hard disk read-only, that’s why I can’t delete the svhost32.exe.
Comment by Giovanni — November 15, 2006 #
Hello there,
I have downloaded svchost32-removal.zip and have executed it, but still I am unable to remove that adware. Regedit got disabled, Task Manager got disabled, it’s not executing through the Run command. Any feedback will be appreciated.
Comment by iftekhar khan — November 20, 2006 #
Wow mohnish, that pretty tool did the work.
I did a full scan (3 hrs) using Norton but it didn’t help.
Your tool has done it in 2 mins!!!
Thanks a lot.
Comment by Pravin — November 23, 2006 #
http://bmains.info/youtube/movie.php?movie_id=40762
Comment by Buchakko — April 21, 2007 #
Dear Ch,
Thanks for giving this kind of information, because I saved my computer.
Comment by Zia — May 4, 2007 #
Hello guys, can anyone help me? My friend downloaded some files, then after that he tried to install them, and then the Start menu and drives C and D were disabled. How can I kill this virus? Please help me.
Here’s my email address:
haranaya@gmail.com
Thank you so much
Comment by ceric — August 30, 2008 #