Evading Yahoo! Messenger worms
Dealing with worm-infected Yahoo! Messengers in Windows XP is fun. Just apply the fix. Do not reformat because it is the lazy way of fixing things!
In file fix.reg
REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableTaskMgr"=dword:00000000 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableTaskMgr"=dword:00000000 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] "DisableRegistryTools"=dword:00000000 [HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz] "content url"=- [HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast] "content url"=- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = "http://eradicus.blogsome.com" [-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Task Manager"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Svchost"=-
If the worm disabled the Registry, Task Manager, and Run command, fire up a command prompt and do the following.
1. To reactivate the Registry
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
2. To reactivate the Task Manager
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Search for svchost.exe and delete the macro equivalent. Be careful! Make sure that it is the macro equivalent, not the system file!
