
I had tried all the options provided in the Yahoo link of Mr. Suresh. I cannot find any process with the name svhost32.exe, nor any file with such a name in the temp folder. One more thing: if I set Yahoo as my default web page, Iexplore is not allowing me to edit this. I think this spyware or virus is still there in my system. Could someone help me with this?

2006-10-06 05:22:00 · 6 answers · asked by Venky 1 in Computers & Internet Security

6 answers

Don't worry, it is probably not spyware.

Up in the menu bar, go to the "Tools" menu and click "Internet Options..." Under the "General" tab, there is a box that says "Home Page." Type in the web address that you want for your home page, and you should be good to go.

2006-10-06 05:25:48 · answer #1 · answered by John C. 4 · 0 0

Well, opening nsl-school.org drops svchost.exe and svchost32.exe (made in VB and UPXed) in your Windows directory.

If you open the page in Mozilla / Opera, it's full of adbrite ads.



It can be considered a good case of social engineering by bgohil7@yahoo.com, as he wrote nsl-school.org as a link in his post. Reading this post, many would open up nsl-school.org and get infected if they use IE.



nice one dude.



Some details that I figured out:

it uses msinet.ocx and the web browser control for communicating with websites or downloading more files.
the programmer of this malware has these folders -
E:\Lucky\My Document\Visual basic 6.0\Downloader\
the VB project was saved as termex.vbp
it also drops taskkill.exe in windows\system32 folder
taskkill is used by program to end programs like Antiviruses etc.
It kills all anti trojan and anti virus tools.
makes a script c:\killav.bat to kill antiviruses
It accesses http://giftshop.vn/update.txt where the malware writer will put commands or url from which trojan would update itself.
Its spreading well - http://www.alexaholic.com/nsl-school.org
besides it disables taskmgr and regedit too
it accesses myglobal-news.com and probably autoclicks ads
the Module1.bas has subroutines like KillAV() and Killenemy()
it downloads italiandirectory.com/termex/host2.exe which is renamed as svchost32.exe
also downloads italiandirectory.com/termex/host.exe
the malware author also has registered the domain mytermex.com
I think the malware should be named "Termex" as far as the programmer wished.

I will post more if I find more about this. We can easily nab this criminal as he left the names of websites/domains he bought.



more coming soon

happy hacking

lobbyshake

2006-10-08 12:47:53 · answer #2 · answered by abhishek 1 · 0 0

1: Close the IE browser. Log out messenger / Remove Internet Cable.

2: To enable Regedit

Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

3: To enable task manager : (To kill the process we need to enable task manager)

Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

4: Now we need to change the default page of IE through regedit.

Start>Run>Regedit

From the below locations in Regedit change your default home page to google.com or other.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main

Just replace the attacker site with google.com or set it to blank page.

5: Now we need to kill the process from back end. Press Ctrl + Alt + Del

Kill the process svhost32.exe . ( may be more than one process is running.. check properly)

6: Delete svhost32.exe , svhost.exe files from Windows/ & temp/ directories. Or just search for svhost in your comp.. delete those files.

7: Go to regedit search for svhost and delete all the results you get.

Start menu > Run > Regedit >

8: Restart the computer. That’s it now you are virus free.
It worked for me!!!

2006-10-09 11:13:21 · answer #3 · answered by Sam 1 · 0 0
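
An added example, not part of any answer in this thread: a read-only PowerShell check of the two policy values answer #3 resets, the Internet Explorer home page in the three hives it lists, and the file names answers #2 and #3 mention. The `Start Page` value name and the `.DEFAULT` spelling of the HKEY_USERS hive are assumptions not stated in the thread; the script changes nothing.

```powershell
# Read-only audit of the settings and files named in this thread (added example).
$findings  = @()
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Policy values from answer #3. A value of 1 blocks Regedit / Task Manager.
foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -eq 1) { $findings += "Policy $name = 1 (tool is disabled)" }
}

# 2. IE home page in each hive listed in answer #3.
#    Assumption: the value is 'Start Page' and the hive is named '.DEFAULT'.
$ieKeys = 'Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main',
          'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main',
          'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main'
$homePages = foreach ($key in $ieKeys) {
    $page = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    # nsl-school.org is the site the thread identifies as the forced home page.
    if ($page -like '*nsl-school.org*') { $findings += "Home page points at nsl-school.org in $key" }
    [pscustomobject]@{ Key = $key; StartPage = $page }
}

# 3. File names from answers #2 and #3, in the Windows and temp directories.
#    The genuine svchost.exe lives in System32, so a copy directly under
#    %windir% is worth a closer look.
$names = 'svchost.exe', 'svchost32.exe', 'svhost.exe', 'svhost32.exe'
$paths = foreach ($dir in $env:windir, $env:TEMP) {
    foreach ($n in $names) { Join-Path $dir $n }
}
$paths += 'C:\killav.bat'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $item = Get-Item -LiteralPath $p -Force
        $findings += "File present: $p ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

# Report: current home pages first, then anything that matched.
$homePages | Format-Table -AutoSize -Wrap
if ($findings.Count -eq 0) {
    'No indicators from this thread were found.'
} else {
    $findings
}
```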

Download and use windows defender...that would take care of the spyware for you

then change the settings on IE...it should work once the bad stuff is outta your comp

2006-10-06 12:23:54 · answer #4 · answered by cuteniceprty 2 · 0 0

You can change your default page through regedit..

Please go through this post carefully.. You can easily remove it from your comp:

http://forums.sureshkumar.net/showthread.php?t=7790

First you need to enable Regedit & next you can change the default page.

Start>Run>Regedit

From the below locations in Regedit change your default home page to google.com or other.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main

Just replace the attacker site with google.com or set it to blank page.

2006-10-08 14:33:51 · answer #5 · answered by Sureshkumar CH 2 · 0 0

it is the bad virus name nsl-school.org
please click on this link and download the zip file and extract and you will find the .BAT file click on that.
http://www.khandoon.com/yahoo_virus/
this site is persian site so please click the 2nd option to download file
thanks
mahboob

2006-10-09 07:05:12 · answer #6 · answered by mahboob_waziry 1 · 0 0
