Yahoo Messenger Worm
There is a very bad worm attack on Yahoo Messenger where it will take control of your messenger and without your knowledge sends some messages with a website links which contains the worm, to your friends list, without your knowledge.
This is a worm that spreads itself by sending links to your contacts in messengers like Yahoo. It disables Registry Editor and Task Manager. It changes the Internet Explorer (IE) home page and also modifies registry such that you cannot change the homepage address.
If your computer is infected with this virus ” It will sends the nsl-school.org url to all of your friend list in yahoo messenger using your ID . So with in few hours many of your friends will get infected with it.
What are those links ?:
or other (Do not open this url in your browser).
Here are simple steps following which you can get the worm removed from your system:
1) Download this http://arunmvishnu.googlepages.com/RepairRegistry.reg file (or you can do it manually)
2) Double click on that downloaded registry file, you will be asked wheather you’re sure to add this to registry, click yes.
3) Restart your system.
4) Delete the file svhost32.exe from your Windows folder( If it is present).
5) Delete the file svhost.exe from your Windows folder( If it is present).
6) Lastly, search for: ENET.EXE and delete it if found.
Editing registry manually
1: Close the browser. Log out messenger.
2: Click Start, Run and type this command exactly as given below: (better – Copy and paste)
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
3: To enable task manager : (To kill the process we need to enable task manager)
Click Start, Run and type this command exactly as given below: (better – Copy and paste)
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
4: Now we need to change the default page of IE though regedit.
From the below locations in Regedit chage your default home page to http://arunmvishnu.siteburg.com or other.
HKEY_ LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Just replace the attacker site with http://arunmvishnu.siteburg.com or set it to blank page.
5: Now we need to kill the process from back end. Press Ctrl + Alt + Del
Kill the process svhost32.exe . ( may be more than one process is running.. check properly)
6: Delete svhost32.exe , svhost.exe files from Windows/ & temp/ directories. Or just search for svhost in your comp.. delete those files.
7: Go to regedit search for svhost and delete all the results you get.
Start menu > Run > Regedit >
8: Restart the computer.