  1. #1
    XTerminator is offline Upgraded User
    Join Date
    Dec 2004
    Posts
    3,118
    Hi Everyone,



    In case you get a message from me or anyone else on Yahoo Instant Messenger with similar text and links as below:



    Code:
    "check out my new personal website : h t t p : / / mytermex .com c0ol !!! "
    OR

    Code:
    "there's going to be a meteor shower tonight : h t t p : / / nsl-school .org / ?i d=18388 << "
    OR

    Code:
    "check this link for me : h t t p : / / nsl-school . org /? i d=forum . Why I cannot surf this site ??? "


    PLEASE PLEASE DO NOT CLICK ON THE LINKS



    THIS IS A Backdoor trojan/worm/adware WHICH INFECTED MY COMPUTER SOMEHOW and has infected many others too. Asked around to a few friends and it seems it has infected loads of people.



    IN CASE YOU HAVE ALREADY CLICKED, it will disable you from using the Start-Run command or any registry editing command. Apart from this it will also disable your Task Manager or the Ctrl+Alt+Delete function.





    In case this has happened, please run Spybot Search and Destroy to remove the infection.

    It will add

    Code:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    
    "Task Manager"="C:\\WINDOWS\\svhost32.exe"
    and

    Code:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    
    "Svchost"="C:\\WINDOWS\\svhost.exe"
    to your startup procedure.



    Besides disabling the RUN command, Registry Editing tools and the Taskbar for an active user as well as for other users using the same system.



    In case you want to re-enable the Run command, regedit and Task Manager, please post here. It involves editing the registry and can prove ill for people who don't know their way around the registry.

    Thanks.


    Thanks to Imageshack for Free Image Hosting
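An added example, not part of the original post: a Python check over a `regedit` export of the Run key that flags values whose image name imitates a Windows system binary, as the two entries quoted above do. The sample export, the benign `SoundDriver` entry and the short list of system binary names are assumptions constructed for illustration.

```python
import ntpath
import re

# Constructed sample: the two Run entries quoted in the post plus a benign one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Task Manager"="C:\\WINDOWS\\svhost32.exe"
"Svchost"="C:\\WINDOWS\\svhost.exe"
"SoundDriver"="\"C:\\Program Files\\Vendor\\snd.exe\" /tray"
'''

# Assumption: a short list of system binaries that normally live in System32.
SYSTEM_STEMS = ("svchost", "taskmgr", "lsass", "services")
ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def suspicious_run_entries(reg_text):
    """Return (value name, image path, reason) for masquerading Run entries."""
    findings, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # key header: only inspect ...\CurrentVersion\Run
            in_run = line.rstrip("]").lower().endswith(r"\currentversion\run")
            continue
        m = ENTRY.match(line) if in_run else None
        if not m:
            continue
        # Undo .reg escaping (\\ -> \ and \" -> ") in the name and the data.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        exe = re.match(r'"?([^"]*?\.exe)', data, re.I)
        if not exe:
            continue
        path = exe.group(1)
        stem = ntpath.splitext(ntpath.basename(path))[0].lower()
        in_sys32 = ntpath.dirname(path).lower().endswith(r"\system32")
        for real in SYSTEM_STEMS:
            if stem == real and not in_sys32:
                findings.append((name, path, f"{real}.exe outside System32"))
            elif stem != real and edit_distance(stem.rstrip("0123456789"), real) <= 1:
                findings.append((name, path, f"name imitates {real}.exe"))
    return findings
```

Calling `suspicious_run_entries(SAMPLE_REG)` reports the `Task Manager` and `Svchost` values and leaves the benign entry alone.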

  2. #2
    Striker10 is offline Privileged Users
    Join Date
    Mar 2005
    Posts
    2,223
    Yeah man, my friend had his status message like that once (4-5 days back I think). I clicked on it (ZoneAlarm asked me if I wanted to let one "project1" access the internet, I denied it) but somehow my system got infected. So I quickly ran Spybot in safe mode, cleared out some things and used HijackThis to remove the start-up entries. This took me some time =@ and the system was back to normal. And yes, I removed him from my list LOL.

    I thought he did this purposely, now I will add him back.
    AMD X2 4800+ | 2GB DDR-II | ASUS M2A-VM | 500GB+160+1TB,500GB EXT HDD | OPTIARC AD-7200 | 9600GT 512MB | CM 460 :cool2: | SS 933SN

  3. #3
    chic_magnet is offline Upgraded User
    Join Date
    Mar 2005
    Posts
    2,351
    Yeah, my stupid college friends wouldn't listen that their comp is infected, so I block 'em. Now everyone is katti with me, 'cause I blocked 'em for no apparent reason. Stupid fools.
    At Home - Gigabyte MA78GM-S2HP | AMD 7750+ | 4 GB Corsair XMS RAM | 1.2TB | Sapphire 4850 1GB |PowerSafe 600Watts | Thermaltake Xaser III |LG GH22NS30|MX5021 - M-Audio 7.1

    On the Go - Cowon D2 24GB + Sennheiser CX 400


  4. #4
    FaH33m is online now Privileged Users
    Join Date
    Apr 2006
    Posts
    4,923
    Man, I have been getting the same msgs from all my friends in Yahoo Messenger for the past 4-5 days. In the beginning I clicked on one of them and ALAS!!! My PC was infected and everything screwed up. Also it started infecting all my files on the PC, and I had to do a format, as ZoneAlarm as well as avast could not repair the files (only delete them).

    GUYS - also note that if infected by such a trojan/virus all your administrative rights will also be gone. It had even disabled my antivirus and ZoneAlarm.

    Then you need to clean the system in safe mode.

    I hope there is some solution soon and this thing stops.

    ALSO, should I keep any other antispyware/Stinger etc. along with ZoneAlarm and avast? Any recommendations to keep the PC completely away from such viruses/spyware/adware/trojans etc.?
    IEMs: UE TF10,RE-0 Cans: LA modded-Mogami-recabled Denon AH-D5000.

    Source: iPhone 4,Sansa Fuze,Audinst HUD-MX1


    Nikon D7000 + Tamron 17-50 F/2.8 + Nikkor 35mm F/1.8 + Nikkor 50mm F/1.8.

  5. #5
    XTerminator is offline Upgraded User
    Join Date
    Dec 2004
    Posts
    3,118
    I got infected dunno when... probably due to someone else using my comp...

    I generally use Run and type notepad to open Notepad... but the Run command gave me an error that you do not have the right!!!

    I was shocked... tried again... and same problem. So I immediately disconnected from the internet, ran Spybot S&D followed by Ad-Aware SE. A total of 6 objects were removed. Then used RegCleaner to see the startup files, saw two suspicious entries, removed them from startup, booted into safe mode, removed the two files manually from the HDD, restarted, ran anti-virus, then checked for the entries for the Enable Run and Regedit from the internet and used a .reg file to fix the same. After that the comp has not given me any problems so far... but I am still on the alert as to what or how it came in.

    When I received this message from my friend... and instantly knew it was the root cause.



  6. #6
    FaH33m is online now Privileged Users
    Join Date
    Apr 2006
    Posts
    4,923
    Actually we can't blame our friends... 'cause I asked a few of my friends if they had sent me such msgs, all of them said NO! And it is being sent automatically... from their name to their contact list.

  7. #7
    XTerminator is offline Upgraded User
    Join Date
    Dec 2004
    Posts
    3,118
    Yep...so it is.



    So you cannot blame anyone for this but you have to be careful yourself.

    That's all.



  8. #8
    pisen is offline Privileged Users
    Join Date
    May 2006
    Posts
    335
    well this virus has infected many friends of mine too, not from my PC but still their messages can be really irritating and tempting

  9. #9
    ComradE_BeaN is offline Upgraded User
    Join Date
    Feb 2006
    Posts
    2,428
    NOD32 caught it :hap2: ... happened from 2 friends.
    "If you want to use a hard drive in the vertical position, you must first reformat it in the vertical position!"

  10. #10
    greenhorn is offline Privileged Users
    Join Date
    Dec 2005
    Posts
    5,206
    happens if you have IE set as default... at least this helped me get a few more n00bs to convert to Firefox
    Turbo lag:@ But when it comes it :jumpy:COMES

  11. #11
    iosoft is offline Upgraded User
    Join Date
    Dec 2005
    Posts
    1,272
    Yes, I also got this type of message. It was actually sent from a local friend's a/c. Didn't click as the address was too odd.



    Thanks for the warning.

  12. #12
    greenhorn is offline Privileged Users
    Join Date
    Dec 2005
    Posts
    5,206
    Shouldn't be a problem if you're on Firefox, especially if you have NoScript installed.



    damn thing changes your IE home page to one of its own, which is filled with google ads for some rare form of cancer, which is a high priced ad word.



    btw, besides spamming links, it changes the status messages of infected users and puts the links in there too

  13. #13
    Quad Master is offline Upgraded User
    Join Date
    Apr 2005
    Posts
    5,359
    Thanks for sharing the info.



    Desktop: Gigabyte EP45-UD3P | C2D E8400 | Noctua NH-U12P | ATI 4850HD | Corsair TX750 | Xonar D2X | MX5021 | MX518 | Benq E2200HD | ZB01

    Gaming n Entertainment : Sony 3D LED KDL-HX800 40' | Sony 3D BluRay | Sony PS3 Slim 3.41

    Mobility : Sony VAIO VPCEB26FG-B | Samsung Galaxy S2


 

 
