Monday, October 23, 2006

Yahoo Messenger nsl-school virus - De vile Messenger




If your computer is infected, this is what you do:


  1. Download the file http://www.fundazone.com/antivirus/registry/registry-enable-regedit.reg
  2. Copy these instructions to Notepad or Word, or write them down. Close Internet Explorer (and Yahoo Messenger). Double-click the .reg file and click Yes when it asks whether you want to merge the file into the registry. This re-enables regedit and Task Manager and restores your home page and other settings.
  3. Then restart the computer.
  4. After restarting, press Ctrl + Alt + Del and click Processes.
    End every process named svhost32.exe (more than one may be running). Check the spelling: the genuine Windows service host is svchost.exe, with a "c", and must be left alone.
  5. Start > Search > Files and folders. Search for svhost32.exe, svhost.exe and enet.exe.
  6. Delete the files found.
  7. Restart for good luck.
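The .reg file linked in step 1 is not shown on the page, so here is what such a file needs to contain. This is an added example, not the file from fundazone.com: it clears the two policy values the worm sets and resets the Internet Explorer start page (the registry value is named "Start Page"; the about:blank target is my choice, put your own home page there). One caveat: merging a .reg file goes through regedit.exe, which is exactly what the DisableRegistryTools policy blocks, so if double-clicking the file only produces a "Registry editing has been disabled by your administrator" message, use the REG add commands from the manual procedure further down instead; reg.exe is not covered by that policy.

```reg
Windows Registry Editor Version 5.00

; Re-enable regedit and Task Manager (the worm sets both values to 1)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000

; Reset the IE start page in the two hives the post names
; (about:blank chosen here; replace it with your own home page)
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
```

Save it with a .reg extension and double-click it; the HKEY_LOCAL_MACHINE part only takes effect if you are logged on as an administrator.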
Use firefox http://www.fundazone.com/software/firefox/
Firefox is a fast and nice browser with tabs and RSS feeds and cool stuff.


So, what's the story behind this post? Once again, a virus has spread to all the computers here.
This time it was a worm that uses Yahoo Messenger (tm) or MSN Messenger to spread itself. (The previous one I wrote about spread through a popular social networking site, www.orkut.com.) This one uses a chat program, Yahoo Messenger (chatting, file sharing, photo album sharing, video conferencing (I even used it for webcasting!), and much more).

Now, how do you know that your computer (or your friends') has this virus?

It sends out messages like the following (don't try any of these links!):

  • damn, she is so cute http://nsl-school.org?id=miss_world
  • oh my god , i've won a 20000 usd lottery http://nsl-school.org/?id=winning_list . Come to my house tonight for a party !!
  • Just check out my new personal website : http://mytermex.com c0ol !!!
  • check this link for me : http://nsl-school.org?id=forum . Why I cannot surf this site ???

When you click on one of these links, it installs the virus on your computer too. Because the messages are sent from the infected friend's own account, the fact that they come from someone you know is no guarantee at all.



Here's what Suresh Kumar says (forums.sureshkumar.net/showthread.php?t=7790).

I've copied it here for you.

If you are infected with it, what is going to happen?

1: It sets your default IE page to nsl-school.org; you can't even change it back to another page. If you open IE on your computer, some malicious code will automatically be executed on your computer.

2: It disables the Task Manager / regedit, so you can't kill the Trojan process anymore.

3: Files that are going to be installed by this virus are svhost.exe, svhost32.exe, internat.exe.

You can find these files in the windows/ & temp/ directories.

4: It sends secured & protected information to the attacker.

How to remove this manually from your computer ?

1: Close the IE browser.

(IE = Internet Explorer. First copy this article into MS Word or Notepad or something.)

Log out of Messenger / remove the Internet cable.

2: To enable Regedit

Click Start, Run and type this command exactly as given below (better: copy and paste):

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

3: To enable Task Manager (to kill the process we need to enable Task Manager):

Click Start, Run and type this command exactly as given below (better: copy and paste):

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

4: Now we need to change the default page of IE through regedit. (Regedit is very dangerous if you randomly change stuff in it or delete important settings, so be careful, and make a backup before editing (File -> Export). If regedit refuses to open even after step 2, check that the REG command in step 2 ran without an error; it is that policy value which blocks regedit.)

Start>Run>Regedit

From the locations below in regedit, change your default home page to google.com or another page.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main

Just replace the attacker's site with google.com, or set it to a blank page.

5: Now we need to kill the process from the back end. Press Ctrl + Alt + Del.

Kill the process svhost32.exe. (More than one may be running.. check properly.)

6: Delete the svhost32.exe and svhost.exe files from the Windows/ & temp/ directories. Or just search for svhost on your computer.. and delete those files.

(Note the spelling. Svchost.exe, with a "c", is the genuine Windows host process for services that run from dynamic-link libraries (DLLs), see http://support.microsoft.com/kb/314056; several copies of it are normally running, and they must not be killed or deleted. The worm's files are the look-alikes svhost.exe and svhost32.exe, without the "c".)

7: Go to regedit, search for svhost and delete all the results you get. (Be careful.)

Start menu > Run > Regedit >

8: Restart the computer. That's it, now you are virus free.
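The short procedure at the top of this post and Suresh Kumar's longer one are the same cleanup done by hand. Here is a scripted version as an added example; it is not code from the post or from either author. The file and process names, registry keys and directories are the ones the post lists. Two things are my assumptions: the Run-key sweep at the end (the post does not say how the worm restarts itself, but a Run entry is the usual way), and the decision to leave system32 alone because older Windows versions shipped a legitimate internat.exe there. HKEY_USERS\Default is skipped because it is not mapped as a PowerShell drive by default. Run it from an administrator PowerShell prompt after logging out of Messenger.

```powershell
# Added example: scripted version of the manual cleanup in this post. Names, keys and
# directories are those the post lists; the Run-key sweep is an assumption (see lead-in).
# Run from an elevated PowerShell prompt.

# Look-alike names dropped by the worm. Note the missing "c": svchost.exe is Windows.
$badNames = @('svhost.exe', 'svhost32.exe', 'enet.exe', 'internat.exe')
$badHosts = @('nsl-school.org', 'mytermex.com')

# 1. Re-enable regedit and Task Manager. The registry provider (like reg.exe) is not
#    blocked by DisableRegistryTools; only regedit.exe honours that policy.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($value in 'DisableRegistryTools', 'DisableTaskMgr') {
    if (Get-ItemProperty -Path $policy -Name $value -ErrorAction SilentlyContinue) {
        Write-Host "Clearing $policy\$value"
        Remove-ItemProperty -Path $policy -Name $value
    }
}

# 2. Reset the IE start page in the hives the post names, but only if it points at
#    one of the worm's domains, so a legitimate home page is left alone.
foreach ($key in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main') {
    $start = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($start -and ($badHosts | Where-Object { $start -like "*$_*" })) {
        Write-Host "Resetting $key\Start Page (was $start)"
        Set-ItemProperty -Path $key -Name 'Start Page' -Value 'about:blank'
    }
}

# 3. Kill the worm's processes by exact name. The post says more than one may be running.
foreach ($name in $badNames) {
    $base = [IO.Path]::GetFileNameWithoutExtension($name)
    Get-Process -Name $base -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "Killing $($_.Name) (PID $($_.Id), $($_.Path))"
        Stop-Process -Id $_.Id -Force
    }
}

# 4. Delete the dropped files from the directories the post names (windows/ and temp/).
#    system32 is deliberately not searched: old Windows versions shipped a legitimate
#    internat.exe there (assumption, see lead-in).
$dirs = @($env:windir, "$env:windir\Temp", $env:TEMP)
foreach ($dir in $dirs) {
    foreach ($name in $badNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            Write-Host "Deleting $path"
            Remove-Item -LiteralPath $path -Force
        }
    }
}

# 5. Assumption: the worm restarts itself from a Run key. Remove any entry whose command
#    line names one of the dropped files; print it first so the reader can judge.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $entries) { continue }
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run entry
        $cmd = [string]$prop.Value
        if ($badNames | Where-Object { $cmd -match [regex]::Escape($_) }) {
            Write-Host "Removing autostart $key\$($prop.Name) = $cmd"
            Remove-ItemProperty -Path $key -Name $prop.Name
        }
    }
}
```

Everything the script removes is printed first, so run it once, read the output, and reboot as the post says; if step 3 reports a process whose path is in system32 rather than in the Windows or temp directory, stop and look at that file before trusting the name match.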


I don't know whether there is any removal tool that works for this Trojan/virus, but we can easily delete it manually.


And use Firefox or something! Most of these viruses are written for Internet Explorer ...

Don't open these URLs !!!
Possible Domains Owned by the Developer of this Trojan
http://www.nsl-school.org
http://www.giftshop.vn
http://www.myglobal-news.com
http://www.italiandirectory.com

You can block these URLs in your browser's security settings.
This is a good idea for places where many users share the same computer and might inadvertently click the link.

In Internet Explorer , Tools -> Internet Options -> Security -> Restricted Sites -> Sites

Add the above sites to the list!

Ah, the tragedy called viruses ...



5 comments:

ghee said...

Hi John! Thanks for the info.. I just happened to notice that there are lots of YM messages that keep on sending these viruses.. I don't even know, maybe my ID got infected too..

I'll come back again and will try to follow the instructions.

Thanks!!

Anonymous said...

Hi John

Thank you so much for answering my question. I clicked on the link you provided but I keep getting the message 'cannot find server'. I am very nervous to try to get rid of my virus manually as choice #2. If I am able to do it and I get rid of the 'nsl.blah blah blah' virus, if I re-install Yahoo Messenger will I still have all those stupid links next to my name?
I had made some really awesome friends on Yahoo IM and am very sad about having that taken away from me. I miss them terribly. I did install Firefox this am but I tried to use your link and it said it couldn't do it. I then launched IE and tried and still nothing. Do you have any more advice for me? I feel lost. Thank you so much.
ox - karen_barrie2000

Anonymous said...

the author,

Hi, just want to thank you.. my PC is fixed and is now working properly. I removed termex manually like you said.. well, thanks again for the help..

Anonymous said...

Hi John...
Nice to know you?
I just want to ask a stupid question.. how do you know that I use Wasantara as my ISP?

Thanks ..

Anirudh said...

Hey dude! I've got admin rights but this bloody trojan has disabled the registry editor too!! Now how do I enter the registry values?
