Yahoo Messenger Worm

There is a very bad worm attack on Yahoo Messenger where it will take control of your messenger and without your knowledge sends some messages with a website links which contains the worm, to your friends list, without your knowledge.

This is a worm that spreads itself by sending links to your contacts in messengers like Yahoo. It disables Registry Editor and Task Manager. It changes the Internet Explorer (IE) home page and also modifies registry such that you cannot change the homepage address.

If your computer is infected with this virus ” It will sends the url to all of your friend list in yahoo messenger using your ID . So with in few hours many of your friends will get infected with it.

What are those links ?:

or other (Do not open this url in your browser).

Here are simple steps following which you can get the worm removed from your system:

1) Download this file (or you can do it manually)

2) Double click on that downloaded registry file, you will be asked wheather you’re sure to add this to registry, click yes.

3) Restart your system.

4) Delete the file svhost32.exe from your Windows folder( If it is present).

5) Delete the file svhost.exe from your Windows folder( If it is present).

6) Lastly, search for: ENET.EXE and delete it if found.

Editing registry manually


1: Close the browser. Log out messenger.

2: Click Start, Run and type this command exactly as given below: (better – Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

3: To enable task manager : (To kill the process we need to enable task manager)

Click Start, Run and type this command exactly as given below: (better – Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

4: Now we need to change the default page of IE though regedit.


From the below locations in Regedit chage your default home page to or other.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_ LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main

Just replace the attacker site with or set it to blank page.

5: Now we need to kill the process from back end. Press Ctrl + Alt + Del

Kill the process svhost32.exe . ( may be more than one process is running.. check properly)

6: Delete svhost32.exe , svhost.exe files from Windows/ & temp/ directories. Or just search for svhost in your comp.. delete those files.

7: Go to regedit search for svhost and delete all the results you get.

Start menu > Run > Regedit >

8: Restart the computer.

Thats All..

You may also like...

41 Responses

  1. Vishnu says:

    Thanks for that… 🙂

  2. Anonymous says:

    Thanks alot Arun .. You really saved my ass 🙂 . I could avert the danger of fromatting my PC because of your solution .. Thanks a million .my mail id is

  3. Tanushree says:

    hello arun,
    thanx for such an important note…

  4. Anonymous says:

    WOW !
    How Funny !

    You are very smart. On the one hand you are giving medicine to remove the yahoo messenger virus and on the other hand you are giving registry values as download. Poor user who doesn’t know anything about registry will fall prey to your trick. Once the downloaded registry file is double-clicked his browser home page will be your website…!

  5. Arun Vishnu M V (Kannan) says:

    heyyy…chng the home page is nt a big prob…i thnk evry user know dnt wry abt dat..i just gvn a home page…if u want2change ..chnge it..wat else

  6. Anonymous says:



  7. Anonymous says:

    Worked thanks!

  8. DD says:

    Hi Arun,I tried all the things yesterday except deleting the svhost.exe, as it was not allowing me to delete that.So when i restarted my computer it again disabled my regedit, task mager , and made my home page as the one u mentioned .Also i checked that in Regedit , HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run i have one entry as SVCHOST.exe whose value is c:\windows\svhost.exe. Now i don’t know whether i should delete this entry or not , as i read somewhere that thiis exe is used by windows to start the services. So can u suggest me something.

  9. Anonymous says:

    Hi Arun,

    My laptop to was affected by this virus. I tried the steps you suggested but the moment I clicked the file you asked to download, the administrator disabled this regedit process. I dint know what to do, so I restored my system to an earlier date. Though I am able to change the homepage, but am not sure whether it solved my problem completely.

  10. Arun Vishnu M V (Kannan) says:

    Hi DD
    The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.

    But Svhost.exe/Svhost32.exe is Trojan/Backdoor.
    I think you forget to kill those process.So before you try to delete those process first you kill those prcss(Press Ctrl + Alt + Del then Kill the process Svhost.exe/svhost32.exe. May be more than one process is running. So kill all those processssssssss). Delete the file svhost32.exe( If it is present), Delete the file svhost.exe( If it is present). K.

    HEy anoy,,
    you must have admin power to edit the registy.. sorry dude..but check your task manager and IE homepage. if your task manager is enabled and you if can change your IE Homepage….then hmm i think u r lucky.k

  11. Anonymous says:

    Hi Guys,
    This is Puneet from Delhi, India. I am a software engineer.
    Thats true. It really works. I faced the problem as i clicked that shit link.
    I enabled all the utilities and find the source of the worm. While doing RnD on that i get to know this link and all the details given on this link is true. If u dont want to use his instruction u can also enable ur Task Manager, regedit, and run menu by Group Policy window that can be opened by running gpedit.msc command on command prompt.
    U can also go for google for futher details

  12. Anonymous says:

    Hi again,

    My task manager seems to work. But not being all that knowledgeable in this techie stuff, i really do not understand what ‘enabled task manager’ means.

  13. Lady Hawke says:

    Thank U very much, Arun. It took care of the YM virus & partially took care of some of the registry problems. Now, I am buying a registry repair from eBay 4 $2.00 & free S&H. Hopefully it will take care of some of the problems in the total registry. I am also getting me a new FireWall since the virus rendered my Windows Fire Wall totally beyond repair.

    I have been @ this problem 4 an entire week now. I am surprised my computer did not completely crash since it disabled my Task Manager, Register, Key Board & Mouse (not all @ the same time).

    Some guy got mad @ me since I refused 2 date him as he was already married. I complained about him 2 some of my friends & even the police since he kept harassing me.

    1 of my friends e-mailed him 2 leave me alone & let him know the police is aware of some of his activities. That is when he said I am going 2 pay 4 my insolence, hacked in2 my computer & introduced all sorts of spyware, malware, hacker’s tools, trojans, worms & viruses!!!

    I called up tech support, chatted w/ them online, they were all useless!!! Called up PC Doctors, they were swamped, so I researched all of the free disinfections, scans, containments, & partial cures. @least, I have diminished from over 400 problems 2 just 232 last scan & count. I guess, U might say, what really slowed me down is I am no techno geek, so instructions were a bit difficult 4 me 2 follow since people skipped processes in their advice.

    4 instance, when 1 said 2 go to Systems Restore, I did not know that U R supposed 2 go 2 start, programs, accessories, system tools, b4 U can finally arrive @ systems restore!!!

    So, I kept searching 4 instructions that made sense 2 me. I also looked up several defenitions such as registry. W/ all of the technical babble, I finally understood that registry means the brains of the computer!!! Yikes!!! LOL… now I know & I can’t believe that I have learned more w/in a week’s time than I have ever done in several year’s time!!! Does that mean I am becoming a techno geek as well??? ;o)

    Anyhow, I am glad some1 like U is around 2 help fix some problems!!! Your Registry repair helped fixed my access 2 IE (Internet Explorer) which I only access 4 Yahoo Games & nothing more. I normally make use of Netscape Navigator 4 everything else. The Sonahat U Virus disabled and locked the schoolgirl website in place so that I cannot change it. Your brilliant solution took care of that as well.

    I went back 2 many of my online chatters who knew I don’t ever make use of expletives nor send explicit sexual materials online. Still, I apologized 2 them. I also explained 2 them that I have only half the solution since I have the ammunition (Anti-Virus, Anti-Spyware, Anti-Adware) 2 combat the attacks, but not the fortress or castle 2 house my computer (FireWall). I also explained that I am looking 4 the medicine (Registry Repair) 2 help heal & help my computer slowly recuperate so that it can work 2 @ least near efficiency if not completely.

    4matting or killing the patient is not an option yet since it is the most radical 4m of solution there is!!! We shall C!!! Thank U 4 taking the time 2 help others like me who has no clue otherwise on what 2 do.

    Most Sincerely Written,

    Lady Hawke

  14. Lady Hawke says:

    Hello anonymous,

    2 enable task manager simply means pressing the buttons Ctrl + Alt + Delete so that U can delete a non functioning (or frozen open windows) such as when U closed a website, but is not responding @ all… or simply 2 delete a file , etc… if your entire computer refuses 2 do anything (freeze frame) then Ctrl + Alt + Delete can restart U’r computer safely.

    When a virus disables your task manager by saying that task manager is disabled by the administrator, then enable it according 2 Arun’s instructions. Once U have access 2 Ctrl + Alt + Delete, then press the processes tab & search 4 those viruses Arun spoke of. I know, cuz it was the easiest way 4 me 2 delete them via the windows task manager box that opened.

    All I did was highlight each virus, then pressed the end process button @ the bottom. Simple as that & nothing more. Like U, I am no techno geek.

    But I learned since it is my 1 & only computer, so since I am in the medical field, I made sure I programmed my brain 2 think like this is a medical problem, my Computer is my Patient, the FireWall is the safe fortress or Hospital, the Anti-Virus, Anti-SpyWare, Anti-Adware were all inoculations & the Repair Registry was the medication 2 help heal the sick Patient.

    This kind of thinking helped me deal w/ how 2 proceed & understand as much as I can 2 help the patient recover instead of killing it (re4matting).

    LOL… it is how I described it 2 my other chatters since computers R so darned complicated!!! But once they understood the simplification process, then all the explanations did not seem intimidating @ all!!! Hope I helped U understand all of this.

    Lady Hawke

  15. Arun Vishnu M V (Kannan) says:

    Hey…Lady Hawke..thanks yar…really a big comment..hhehhee..anyway im happy 2know dat my post helped you ppl to remove that worm. but lots of such viruss,worms etc are trying to catch our when you gt a link make sure dat it is not a virus/worm site..hmm we cant predict whether it contains those..but read the message carefully…from the lanuguage and style you can understand if the link is send by your friend or by worms.k..

  16. Jason says:

    Hi Arun,

    I have this worm, and I can’t go to Step 2, since running the downloaded file didn’t enable the regedit. I can’t make the regedit to work.

    Any advise?


  17. Anonymous says:

    Dear Arun,

    My I receive this message whenever i go to any site in internet explorer

    ” A runtime error has occured. Do you wish to Debug?
    Line: 1
    Error: Invalid Character

    similarly another ..

    “A runtime error has occured. Do you wish to Debug?
    Line: 875
    Error: ‘cqanswer’is undefined

    please advise

  18. Anonymous says:

    Hi Arun,
    Thanks Mate!!!

    Hi Jason,
    The second point under the heading “Editing registry manually”
    Can help you to activate your REGEDIT.EXE


  19. Arun Vishnu M V (Kannan) says:

    hi jason,i think the problem is because you clicked “No” buttton insted of of yes when yu asked wheather you’re sure to add this to yes. this will solve your problem. prabhu told…u you can try the second method, editing manually.
    Prabhu, thanks.

    hi nayeemkhan, i think the problem is not with ur browser, but the website. anyway you try those sites in firefox or any other browser. if you are not using IE7, try to upgrade ur IE to IE7. k

  20. Anonymous says:

    Hi man
    I m gettin problem. A virus affected my pc from my friend’s message from msn. The ie homepage is set to and disable to change the ie homepage. And also my run option on start menu and Task Manager are disabled too. when I press ctrl+alt+delete the error message comes “Task Manager has been disabled by your administrator”. hope to get the right solution


  21. Anonymous says:

    Please help… downloading the file and running it say “Registry Editing has been disabled by your administrator”. What to do now???

  22. Anonymous says:

    Hi Vishnu,

    Thanks for the guidance. But I’m having another problem : my “Run” is missing. How to re-enable it? Is it in the registry?


  23. Tanha DiL says:

    I hav kinda advanced problem than NSL one..
    I cannot access Run, Task Manager, Internet Options, Folder Options, or RegEdit.
    Nor I can add anything to the Registry.
    The homepage is set to http://
    wat can u suggest?
    plz drop me a line at if u dont mind!

  24. Ebenezer says:

    Hi Arun,

    In Yahoo messenger i clicked a message with a link and it was a exe file, it is sending chat messages when ever i login to yahaoo messenger. I tried your guidelines on how to remove that trogen back door virus, but my task manager is opening but nothing is showing up under the process tab and applications tab regedit is only blinking not showing up. Please help

  25. Anonymous says:

    It now says that Registry editing has been disabled by administrator.
    I cannot run the link you provided. Also I cannot find Run on the start menu or in search. I cannot find Start – Settings! What should I do!

  26. Anonymous says:

    I hav kinda advanced problem than NSL one..
    I cannot access Run, Task Manager, Internet Options, Folder Options, or RegEdit. and even cant run ur given file.
    Nor I can add anything to the Registry.
    The homepage is set to http://
    wat can u suggest?
    plz drop me a line at if u dont mind!

  27. Parvinder says:

    Hi Arun,
    I am facing the same problem as Anony… can you please let us know the solution as nothing is working.. no run command, no cntrl+alt+del and not even your reg edit file.

    Parvinder Singh

  28. Anonymous says:

    Hii Arun, i facing the same problem. The Run option in start menu is missing, also i cant access the registry edit or the task manager. Also i cant turn off the system restore option, My Home page has also been Hijacked to, Please help me out of this problem. Regards


  29. Anonymous says:

    Hi That virus also disables the Run and Registary also so how can I change those values without opens it. Thankyou

  30. Arun Vishnu M V (Kannan) says:

    Hi friends.. I got lots of comments and mails regarding virus problems. The main problem is disabled rededit and Windows Task manager. So here is a method to enable task manager and regedit. Please try this. And don’t forgot to post your comments. Download and run these files.

    1. Download this for enabling regedit->

    2. Download this for enabling Windows task Manager

  31. Sumeet says:

    Good work.
    to remove this worm from your system update your anti-virus and also download and install ad-aware SE. the homepage problem gets solved on the first scan itself. then just repair the system registery according to instructions posted above.

  32. Nishit says:

    pl Help!!!

    i have a virus problem, which says that your taskmanager/Run has been disabled by system administrator also when i have login as Administrator account it has allowed…
    Also with GPEDIT.msc there is no enabled items…

  33. Anonymous says:

    hi there – got similar problem. 24th july 2007 – got link from yahoo messenger user – in hurry i opened and extracted files. now i have 3 dial pop ups all the time showing C:\svchost.exe as dialing program. my task manager box opens but it will not show the Applications, Processess or Users. Plus i cannot use yahoo messenger with out sending the virus to everyone else. i have tried all your stuff here and links etc. it seems to be that – this is a copy cat or upgraded virus / trojan to what originally started in this forum for discussion. im about to wipe the whole laptop, but thought would give one last cry out for help please ? i have searched all day for a fix etc. the problem i am having is with out task manager being operative as such – i cant kill any of the dial up boxes. why do they do these viruses – its no fun. regards – chris

  34. Anonymous says:

    hi there. i sorted it out today using a AVG antispyware software via sorted the whole lot out – seems ok. try it out guys – im a novice and its helped me out of real sticky situation. plus ITS FREE !!! cheers. christian.

  35. Anonymous says:

    Hi Arun,
    I downloaded the registry stuff but when I tried to run …a msg displayed that registry editing is disabled by administrator. RUN option and the folder options is also not showing up!! Unable to change Homepage too..!
    Plz help me in this regard..

  36. Anonymous says:

    Please help , admistrative access regedit.exe is eatten by virus , i cannot do anything please help

    please contact me

  37. Arun Vishnu M V says:

    Visit this post to know how you can enable task manager and REGEDIT

  38. khaye says:

    hei.. uhmm..i really nid help.. there is this virus.. it changes my status message, sends urls with languages i dont understand like this..”ni thiao nang ho dien” to my friends in groups and i cant run my task manager, and my homepage is unitedreporters blahblah.. i download somethng on the internet so i can solve the problem and when i run it, it only changed the homepage, but still when i open my ym, it still sends those stupid messages to my friends. please i really nid help, this virus is 1month now. what virus is this? i installed firefx google toolbar.. i thought that this virus is a sohanad worm.. what is it and how can i solve it? heres my email ad too.

  39. Anonymous says:

    when i opened it, a command prompt appeard and said… repairregstry is not a valid win32 application.. what must i do? tnx..

  40. Anonymous says:

    ARUN! please help! i’ve got this stupid worm virus in my ym, changing my status message in some unreadable vietnamese messages. i did what you said but it kept on coming back. can you please help? my mail ID is

  41. ShaX2 says:

    Thanks for your help!

Leave a Reply

Your email address will not be published. Required fields are marked *