csoft32.net

There is this friend of mine whose system seems to be infected by some sort of virus that has drastically slowed down his internet connection, and whenever he chats with anyone using Yahoo Messenger, there are links sent to his friends with weird titles like,
sony cybershot exclusive ;csoft32.net(link)
pics,porn … csoft32.net(link)
These are not exact descriptions but they are something like it, so I would like anybody to give me a solution so that I may be able to remove this virus from his system.
His specifications are,
Pentium 4
Windows XP Pro
256 MB RAM
80 GB HDD
He uses a cable connection
Please Help :slight_smile:

Hi, that’s a worm that spreads through instant messenger programs including Yahoo! Instant Messenger. The worm may attempt to download remote files on the compromised computer and disable Windows Task Manager and Registry tools.

To remove:

Click Start → Run → Type regedit and click OK

In the registry editor, Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and in the right pane, delete the value:

“Task Manager” = “%Windir%\vnn.exe”

Then, navigate to the subkey:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel

and in the right pane, delete the value:

“Homepage” = “1”

Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

In the right pane, restore the original values:

  "DisableTaskMgr" = "1"
  "DisableRegistryTools" = "1"

Navigate to the subkey:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main

In the right pane, restore the following entry to its previous value:

  "Window Title" = "[http://]csoft32.net"

Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

In the right pane, restore the following entry to its previous value:

  "Start Page" = "[http://]csoft32.net"

Navigate to the subkeys:

  HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
  HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast

In the right pane, delete the value:

  "content url" = "[http://]csoft32.net"

Exit the Registry Editor.

Hey JL, I really thank you for taking up this case, and now I am a little unsure of asking for help as I had just recently encountered a virus attack, something called a false positive, and that had caused my system to crash and now I am a little wary of stuff I try from forums. Please don’t take any offence or anything, but can I trust your post a hundred percent?
Please give me some sort of assurance. Sorry for this, but I want to be a little wary, and thanks once again for your trouble.

I tried to search about this virus in the avast virus database but it did not result in any positive matches. Does that mean even my computer is vulnerable?
And yes, I have the latest version of the virus database.

The steps posted by JL appear to reverse the registry changes made by this worm as outlined here

http://www.symantec.com/smb/security_response/writeup.jsp?docid=2006-120714-3935-99&tabid=2

Before changing the registry, back it up, then boot into safe mode. Search for a file named vnn.exe, back it up to a CD, then delete it. Reboot and OK your way through any warning messages you get.

The registry value DisableRegistryTools = 1, if set, will prevent you from editing the registry. There is a tool to fix this here

http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99

Once the registry is sorted the warning messages should end.
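An added example (not part of any post in this thread): a read-only check of a regedit export, such as the backup recommended above, for the registry values listed in the removal steps. The sample export is constructed, and `parse_reg` and `scan` are names chosen for this illustration.

```python
import re

# Values named in the removal steps above: (key, value name, test on the data).
is_one = lambda d: d in ("1", "dword:00000001")
has_domain = lambda d: "csoft32.net" in d.lower()
HKCU = "HKEY_CURRENT_USER\\Software\\"
INDICATORS = [
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "Task Manager", lambda d: d.lower().endswith("\\vnn.exe")),
    (HKCU + "Policies\\Microsoft\\Internet Explorer\\Control Panel", "Homepage", is_one),
    (HKCU + "Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableTaskMgr", is_one),
    (HKCU + "Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableRegistryTools", is_one),
    (HKCU + "Policies\\Microsoft\\Internet Explorer\\Main", "Window Title", has_domain),
    (HKCU + "Microsoft\\Internet Explorer\\Main", "Start Page", has_domain),
    (HKCU + "Yahoo\\pager\\View\\YMSGR_buzz", "content url", has_domain),
    (HKCU + "Yahoo\\pager\\View\\YMSGR_Launchcast", "content url", has_domain),
]

def parse_reg(text):
    # Yield (key, value name, data) for each named value in regedit export text.
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if key and m:
            name, data = m.groups()
            if data[:1] == '"' == data[-1:]:  # REG_SZ: strip quotes, undo \\ and \"
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            yield key, name, data

def scan(text):
    # Registry keys and value names are case-insensitive, so compare lowercased.
    return [(k, n, d) for k, n, d in parse_reg(text)
            for ik, iname, test in INDICATORS
            if k.lower() == ik.lower() and n.lower() == iname.lower() and test(d)]

# Constructed sample export; not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Task Manager"="C:\\WINDOWS\\vnn.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="csoft32.net"
'''
if __name__ == "__main__":
    print(scan(SAMPLE))
```

A real "Version 5.00" export is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `scan`.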

:slight_smile: Hi “Risk”:

What security program(s), other than possibly Avast, does your friend have on their machine? A "worm" is NOT a "virus" and it would be wise to have at least one program that "specializes" in detecting & quarantining worms, trojans, keyloggers, etc., like AVG Antispyware/Ewido, best downloaded from www.filehippo.com/download_ewido/ AND/OR the FREE version of "SUPERantispyware" from www.superantispyware.com.

Since there is no standard for naming new viruses, a simple search for that name might not reveal any hit, but avast might call it something different, that is why you also need to find aliases, a search for that virus name may reveal information about it and also give aliases. These aliases could be checked against the virus database.

However, this particular virus/worm doesn’t matter; it could be any new virus that hasn’t yet been added, a so-called Day 0 (Zero) virus, and you can also protect yourself from those by taking precautions to limit their effect. Multi-Application/Level approach to security, ensure your OS, firewall and security programs are up to date, etc.

You might also consider proactive protection, in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.