Yahoo Messenger / Facebook Pic Virus Link

A friend sent me a link in Yahoo Messenger indicating that there was a picture of me on Facebook. I went to the link and now I have a virus. One issue is a message that keeps asking questions to confirm I am not a robot. Other times it comes up on any site I go to, indicating that I am not human since I did not answer the questions. I have rebooted a number of times… currently running a scan with Avast antivirus. The virus is also sending the link with the same message to all that are in my Yahoo Messenger list.

Any tips on how to get rid of this?

Hello, yes I have a tip: run the Microsoft free online scanner http://onecare.live.com/site/en-us/default.htm

This is a common tactic to get you to click on a link, not to mention it may well not have been from your friend at all. This is a Yahoo Messenger issue: an account is hacked and compromised, sends out to all on their friends list, and bingo, curiosity killed the cat, so to speak. This then perpetuates the cycle.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. See http://en.wikipedia.org/wiki/HTTP_cookie.

Once you have this under control, I would suggest that you change your Yahoo Messenger password to something stronger: at least 8 (more is better) upper case, lower case and numeric characters.

This Yahoo Messenger virus attack is one of the most powerful Trojans/viruses… If your computer is infected with this virus, it will send the nsl-school.org URL to all of your friend list in Yahoo Messenger using your ID. So within a few hours many of your friends will get infected with it.

To solve this problem, just go through the steps below carefully.

What are those links?
Nsl-school.org or others (do not open this URL in your browser).


If you are infected with it, what is going to happen?

1: It sets your default IE page to nsl-school.org; you can’t even change it back to another page. If you open IE on your computer, malicious code will automatically be executed on your computer.

2: It disables the Task Manager / regedit, so you can’t kill the Trojan process anymore.

3: Files that are going to be installed by this virus are svhost.exe, svhost32.exe and internat.exe.
You can find these files in the windows/ and temp/ directories.

4: It sends secured and protected information to the attacker.

How to remove this manually from your computer?

1: Close the IE browser. Log out of Messenger / remove the Internet cable.

2: To enable Regedit

Click Start, Run and type this command exactly as given below (better: copy and paste):

Code: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

3: To enable Task Manager (to kill the process we need to enable Task Manager)

Click Start, Run and type this command exactly as given below (better: copy and paste):

Code: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

4: Now we need to change the default page of IE through regedit.

Start>Run>Regedit

From the locations below in Regedit, change your default home page to hackgyan.com or another site.

Code: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main

Just replace the attacker’s site with hackgyan.com or set it to a blank page.

5: Now we need to kill the process from the back end. For this, press “Ctrl + Alt + Del”.
Kill the process svhost32.exe. (More than one process may be running… check properly.)

6: Delete the svhost32.exe and svhost.exe files from the Windows/ and temp/ directories. Or just search for svhost on your computer… delete those files.

7: Go to regedit, search for svhost and delete all the results you get.
Code: Start>Run>Regedit

8: Restart the computer. That’s it, now your system is virus free.
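An added audit script, not part of this thread or any poster’s instructions, that checks in PowerShell the same things the steps above act on: the two policy values that lock out regedit and Task Manager, the IE start page in the three hives listed, and any running process or file with the names given. The -Fix switch and the directory list are my assumptions; without -Fix it only reports.

```powershell
param([switch]$Fix)   # assumed switch: report only unless -Fix is given

$policy  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$iePaths = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main'
)
# File names the guide lists. Note the missing "c": the real svchost.exe is a legitimate
# Windows binary and is deliberately not matched here.
$badNames = @('svhost.exe', 'svhost32.exe', 'internat.exe')
$dirs     = @($env:windir, "$env:windir\Temp", $env:TEMP)   # assumed search locations

# 1. Policy values that disable regedit and Task Manager (non-zero means disabled).
foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
    $cur = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($cur) {
        Write-Warning "$name = $cur under $policy (tool is disabled by policy)"
        if ($Fix) { Set-ItemProperty -Path $policy -Name $name -Value 0 -Type DWord }
    } else {
        Write-Output "OK: $name is not set"
    }
}

# 2. IE start page in each hive the guide names; an unexpected domain here is the hijack.
foreach ($path in $iePaths) {
    $sp = (Get-ItemProperty -Path $path -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($sp) { Write-Output "$path : Start Page = $sp" }
}

# 3. Running processes and on-disk files carrying the listed names.
Get-Process | Where-Object { $badNames -contains ($_.ProcessName + '.exe') } |
    ForEach-Object { Write-Warning "Running: $($_.ProcessName) (PID $($_.Id)) $($_.Path)" }
foreach ($dir in $dirs) {
    Get-ChildItem -Path $dir -Include $badNames -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Warning "File: $($_.FullName)" }
}
```

Run it from an elevated PowerShell prompt; the HKLM and HKEY_USERS\.DEFAULT reads and the -Fix write otherwise fail with the same permission error the original poster reports later in the thread.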

I have used onecare.live.com twice and it cannot remove a few of the virus items.

I have also tried the bleepingcomputer.com / Malwarebytes link and it also cannot remove some items.

I also tried the steps in the 3rd reply, however when I paste the code it does not take it and gives an error message indicating I do not have permission.

Any other tips on how to clean this off my computer?

I no longer have the robot message popping up, however it did come up once last night on one site, and my computer has been slow now.

Thanks

Why can’t the items be removed (full text please) ?
What is the file name, location and malware name, etc. of the detections?

That is why we ask to post the results as it gives us an idea what you might be up against.

Have you done as suggested and changed your yahoo messenger password ?

Have you checked the yahoo support pages as I’m pretty sure you aren’t the first to suffer this problem ?

Try using restore points if you can’t remove with the tools provided by DavidR. Also you can try in safe mode.

I have reset my yahoo password a few times.

The restore point does not seem to clear the issues. When I search for things online and select one of the links I get redirected to strange search engine type pages.

I tried the steps again, I used run, Code: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

and the error message I get is " Windows cannot access the specified device path or file. You may not have the app. permission to access."

Any help is appreciated…thank you.

If you get that on a registry key you have to a) be using a user account with administrator privileges and b) take ownership of the keys you are trying to change. Manually find the reg key, right click on it and select Permissions, select the User account you are using and ensure you check the Allow, Full Control box.

I don’t know if that is the problem you are experiencing with permissions, but it is my best guess.

Unless you are using Vista and UAC could be getting in on the act, in which case you would have to use the ‘run as administrator’ method; I don’t use Vista so I don’t know how you go about that.

I am on XP. I have no idea where to find the reg edit / permission screen.

I have been running the windows one scan again, and it is taking forever.

When I search or try to access a link windows internet explorer takes me to ononeweb.com

I tried to find the schost32.exe, all I found was svhost.exe and I backed out of those in task manager.

I know I am not the most literate on the virus fixes and computers… so bear with me.

Any help is appreciated…

Thanks

The clue is in the image just use regedit and follow the path as if it were explorer.

However, given your comment on schost32.exe not being found I haven’t a great deal of confidence that your problem is the same as outlined by ‘danieljsza.’

Also, looking at the run commands to create a new registry item, I have to admit I have never seen anything like this used before and the actual command looks strange.

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

So I would certainly hold fire on that idea without help.

Why can't the items be removed (full text please) ? What is the file name, location and malware name, etc. of the detections?

That is why we ask to post the results as it gives us an idea what you might be up against.

Have you checked the yahoo support pages as I’m pretty sure you aren’t the first to suffer this problem ?

You didn’t answer these or post the logs, the information might help us get a better understanding.

That’s me for the night, 4:15am here.

These are the 4 viruses on my computer:

PWS:Win32/Bankash.gen

Trojan:Java/Bytverify

TrojanDropper.Java/Beyond.C

Virus:Win32Ahureon

I noted the viruses and then my net connection went out. I ran OneCare again, but we had some rough storms so power was out 2 hours.

It seems like I am stuck with the viruses.

:o

The log is too long to post, I will post in pieces. When I run Live OneCare it still says I have 4 viruses that cannot be removed.
Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4345

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2010 11:18:37 PM
mbam-log-2010-07-24 (23-18-37).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 317825
Time elapsed: 4 hour(s), 22 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 150
Registry Values Infected: 10
Registry Data Items Infected: 1
Folders Infected: 19
Files Infected: 64

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproducts.datacontrol (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\TypeLib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\CLSID\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\TypeLib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) → No action taken.

log part 2 deleted

Log part 3
deleted

It is easier to attach the log file to the post if the log is a large one.

  • When you click the Reply button, there is an Additional Options link, this expands the options to attach a file, that can be an image file or a text file (.log or .txt). Also see How to post an Image.

Ok here is the file. Thanks for telling me to post the file rather than pasting. Not sure what I was thinking…

Every time I use a search engine, I am redirected to bogus sites. I can’t pull up any of the links that a search produces.

It is possible that you have an infected BHO (Browser Helper Object) that causes the redirections. Try installing or changing to a new search engine (Bing, Google, Yahoo, etc.).