Vaish called me last evening to figure out if ‘I’ was sending her those messages on Yahoo messenger. I had no idea what she was talking about. Nothing made sense initially, till I figured there was a ‘bad worm’ that had attacked my Yahoo Messenger and had taken complete control of it without my knowledge.
It was sending random messages to everyone on my list with a link embedded in the message. Kinda self-sustaining parasite, which multiplied itself and infected everyone’s comp. The damage it was causing was extremely large in amount.
I tried to find the root cause of the worm and kill it, but darn, the smart thing had disabled/restricted my access to Registry Editor and Task Manager. It also had modified the default URL of my home page on IE to some “un-ethical sites” and had left no option for me to change it. So anyone who tries to access IE on my comp would be greeted by sites like:
What are those links ?:
mytermex(dot)com
Nsl-school(dot)org
Now don’t try opening these sites. Even if you choose to, it’s at your own risk; you’d be inviting trouble.
How to get rid of ‘mytermex(dot)com’,’Nsl-school(dot)org’ Yahoo messenger Virus ?
Now here’s how you can get rid of this ‘worm’ from your system.
1> Download this Registry file on to your system. This is recommended for computer dummies, if you are a veteran I have some steps laid down for you as well, scroll down for ’em.
2> Double click on that downloaded registry file. You will be asked whether you’re sure you want to add this to the registry; click Yes.
3> Restart your system.
4> Delete the file svhost32.exe from your Windows folder, if found.
5> Delete the file svhost.exe from your Windows folder, if found.
6> Lastly, search for: ENET.EXE and delete it if found.
Editing registry manually
——————————
1> Close all the browsers. Log out of Yahoo Messenger.
2> Click Start, Run and type this command exactly as given below: (Just copy and paste it as it makes it easier)
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
3> To enable task manager : (To kill the process we need to enable task manager)
Click Start, Run and type this command exactly as given below: (Just copy and paste it as it makes it easier)
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
4> Now we need to change the default page of IE through regedit.
Start>Run>Regedit
At the locations below in Regedit, change your default home page to http://arunmvishnu.siteburg.com or other.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
Replace the foul URL with a blank page.
5> Now we need to kill the process from back end. Press Ctrl + Alt + Del
Kill the process svhost32.exe. (More than one copy may be running, so check the whole list.)
6> Delete the svhost32.exe and svhost.exe files from the Windows/ and temp/ directories, or just search for svhost on your comp and delete those files. Note the spelling: these are not the legitimate Windows file svchost.exe, which must be left alone.
7> Go to regedit, search for svhost, and delete all the results you get.
8> Restart the computer.
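A read-only check for the indicators listed in the steps above, as an added PowerShell example that is not part of the original post. The Run-key check and the folders searched for ENET.EXE are assumptions; the post only says to search the registry for svhost and to search for ENET.EXE.

```powershell
# Read-only audit of the settings and files named in the steps above.
# Added example: it reports findings and changes nothing on the system.
$findings = @()

# 1. Policy values that lock out Registry Editor and Task Manager (steps 2 and 3).
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
    $prop = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
    if ($prop -and $prop.$name -ne 0) {
        $findings += "$name is set to $($prop.$name) (expected 0 or absent)"
    }
}

# 2. IE home page in the three hives from step 4.
$badHosts = 'mytermex', 'nsl-school'   # host fragments of the links named in the post
$ieKeys = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
          'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
          'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main'
foreach ($key in $ieKeys) {
    $page = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    foreach ($h in $badHosts) {
        if ($page -and $page -like "*$h*") { $findings += "Start Page in $key is $page" }
    }
}

# 3. Autostart entries that mention the file names from the post.
#    Assumption: the Run keys are checked as the usual autostart location.
#    "svhost" is not a substring of the legitimate "svchost", so that file is never flagged.
$names = 'svhost32.exe', 'svhost.exe', 'enet.exe'
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        foreach ($n in $names) {
            if ($data -like "*$n*") { $findings += "Run entry '$valueName' in $key -> $data" }
        }
    }
}

# 4. The files themselves, in the Windows and temp folders (assumed locations for ENET.EXE).
foreach ($dir in $env:windir, $env:TEMP) {
    foreach ($n in $names) {
        $path = Join-Path $dir $n
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }
}

if ($findings) { $findings } else { 'No indicators from the post were found.' }
```

Running it again after the restart in step 8, and again a few days later, shows whether any of these settings or files have come back.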
If you still have problems, in some rare cases you might have, do leave a comment, we can try and find a solution.
my virus was something about facebook. the instant message received was “is that you on this pic? ” and the link. i clicked on it and then something like 01234…facebook downloaded and suddenly yahoo messenger started to send instant messages to my entire list. i keep scanning the computer, but it still works slowly :-s should i follow the same steps ? it’s not the same virus, but does it count? reply as soon as possible, please! thanks!
@Miki – Follow the same procedure again. Once you are done with the restart – uninstall yahoo messenger completely and re-install it. that should solve the problem.
Let me know if you still have problems, I’ll try to figure out a solution.
Cheers
hi. I had the virus before and I followed your instructions and it worked, but it came back like 2 days later. I haven’t clicked on any of the links my virus-ridden friends have sent me. How can I permanently delete this virus and protect myself from it?