Evading Yahoo! Messenger worms
Dealing with worm-infected Yahoo! Messengers in Windows XP is fun. Just apply the fix. Do not reformat because it is the lazy way of fixing things!
In the file fix.reg:
REGEDIT4

; Re-enable Task Manager and the registry tools
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

; Delete the "content url" values under the Yahoo! Messenger view keys
[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz]
"content url"=-

[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast]
"content url"=-

; Set the Internet Explorer start page and delete the Homepage policy key
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://eradicus.blogsome.com"

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage]

; Delete the "Task Manager" and "Svchost" autorun entries
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Task Manager"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Svchost"=-
If the worm disabled the Registry, Task Manager, and Run command, fire up a command prompt and do the following.
1. To reactivate the Registry
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
2. To reactivate the Task Manager
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Search for svchost.exe and delete the macro equivalent. Be careful! Make sure that it is the macro equivalent, not the system file!
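
Before importing a .reg file from any source, it helps to list exactly what it will set and delete; this one also changes the Internet Explorer start page. The following is an added example, not part of the original post: a Python summarizer for the REGEDIT4 constructs used in fix.reg (set a value, "name"=- to delete a value, [-key] to delete a key). The function name summarize_reg and the sample excerpt are constructed for illustration.

```python
import re

# Constructed sample: an excerpt of the fix.reg shown above.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://eradicus.blogsome.com"

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Svchost"=-
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                       # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')   # "name"=data

def summarize_reg(text):
    """Return (action, key, value_name, data) tuples for a REGEDIT4 file."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):     # blank line or comment
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1):                       # [-KEY] deletes the whole key
                ops.append(("delete-key", key, None, None))
                key = None                       # no values may follow it
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:                 # e.g. multi-line hex data
            raise ValueError("unparsed line: " + raw)
        name, data = m.group(1).strip('"'), m.group(2)
        if data == "-":                          # "name"=- deletes the value
            ops.append(("delete-value", key, name, None))
        else:
            ops.append(("set-value", key, name, data))
    return ops

if __name__ == "__main__":
    for op in summarize_reg(SAMPLE):
        print(*op, sep=" | ")
```

Anything the summarizer cannot parse raises an error instead of being skipped, so a line is never silently left out of the review.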

Hi,
We tried as you suggested, but we could not make it up regedit because HKEY_CURRENT_USER\Software\Yahoo\pager\View is not there in my registry.
Any help would be great!!!
Thanks
Snp
Comment by snpslm — November 2, 2007 @ 7:51 pm