Yahoo Messenger Virus Attack
This virus attacks Yahoo Messenger: it takes control of your messenger and, without your knowledge, sends messages containing links to a website that hosts the virus to your friends list. Remember, this happens without YOUR KNOWLEDGE, so be careful. This is very bad. If you are affected, try the following steps to remove it.
Start Menu >> Run
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
Copy and paste the command above into Run and press Enter.
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Copy and paste the command above into Run and press Enter.
Then, after killing the process, delete the svhost32.exe files from your computer and temp folder.
If your computer is infected with this virus, it will send the nsl-school.org URL to your whole friend list in Yahoo Messenger using your ID. So within a few hours many of your friends will get infected with it.
I don't know the actual target of the idiot who created it. Maybe to advertise his site or to steal very important data from your computer. I resolved the problem manually on 2 infected PCs. Just go through the steps below carefully.
What are those links?
nsl-school.org or others (do not open this URL in your browser).
If you are infected with it, what is going to happen?
1: It sets your default IE page to nsl-school.org, and you can’t change it back to another page. If you open IE on your computer, malicious code will automatically be executed on it.
2: It disables Task Manager and Regedit, so you can’t kill the Trojan process anymore.
3: The files installed by this virus are svhost.exe, svhost32.exe and internat.exe.
You can find these files in the windows/ and temp/ directories.
4: It sends secured and protected information to the attacker.
How to remove this manually from your computer?
1: Close the IE browser. Log out of Messenger / remove the Internet cable.
2: To enable Regedit:
Click Start, Run and type this command exactly as given below (better: copy and paste):
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
3: To enable Task Manager (we need it to kill the process):
Click Start, Run and type this command exactly as given below (better: copy and paste):
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
4: Now we need to change the default page of IE through Regedit.
Start > Run > Regedit
In the locations below in Regedit, change your default home page to google.com or another page.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main
Just replace the attacker's site with google.com or set it to a blank page.
5: Now we need to kill the background process. Press Ctrl + Alt + Del.
Kill the process svhost32.exe. (More than one such process may be running, so check properly.)
6: Delete the svhost32.exe and svhost.exe files from the Windows/ and temp/ directories. Or just search for svhost on your computer and delete those files.
7: Go to Regedit (Start menu > Run > Regedit), search for svhost and delete all the results you get.
8: Restart the computer. That’s it, now you are virus free.
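A read-only way to check a machine for the indicators listed above, before or after the manual steps, as an added example that is not part of the original post. It assumes PowerShell is available, looks only at the top level of the Windows and temp directories, and covers the HKCU and HKLM home-page keys; the variable and function names are illustrative.

```powershell
# Added example: read-only audit for the indicators named in this post.
# Nothing is modified; findings are only listed.
# Note the spelling: the genuine Windows service host is svchost.exe;
# the file names below lack the "c".
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ieKeys    = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
             'HKLM:\Software\Microsoft\Internet Explorer\Main'
$fileNames = 'svhost.exe', 'svhost32.exe', 'internat.exe'  # from the post
$badHost   = 'nsl-school.org'                               # from the post

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$findings = @()

# 1. Policies that lock out Regedit and Task Manager (non-zero = locked).
foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
    $value = Get-RegValue $policyKey $name
    if ($value) { $findings += "Policy $name = $value under $policyKey" }
}

# 2. Internet Explorer home page pointing at the site.
foreach ($key in $ieKeys) {
    $start = Get-RegValue $key 'Start Page'
    if ($start -like "*$badHost*") { $findings += "Start Page under $key is '$start'" }
}

# 3. Dropped files at the top level of the Windows and temp directories.
foreach ($dir in @($env:windir, $env:TEMP)) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $fileNames -contains $_.Name } |
        ForEach-Object { $findings += "File present: $($_.FullName)" }
}

# 4. Processes still running under those names.
Get-Process -Name 'svhost', 'svhost32', 'internat' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Process running: $($_.Name) (PID $($_.Id))" }

if ($findings) { $findings } else { 'None of the indicators from the post were found.' }
```

A policy or Start Page finding corresponds to what steps 2 to 4 reset; a file or process finding corresponds to steps 5 and 6.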
I don’t know whether there is any removal patch that works for this Trojan/virus. But we can easily delete it manually.
posting from:
Cheers,
Sureshkumar CH,
Information Security Specialist.
www.sureshkumar.net.
ridwan amirudin