Author Topic: Yahoo Messenger / Facebook Pic Virus Link  (Read 24220 times)

jpenguinwi

  • Guest
Yahoo Messenger / Facebook Pic Virus Link
« on: July 21, 2010, 09:48:10 PM »
A friend sent me a link in Yahoo Messenger indicating that there was a picture of me on Facebook. I went to the link and now I have a virus.  One issue is a message that keeps asking questions to confirm I am not a robot.  Other times it comes up on any site I go to, indicating that I am not human since I did not answer the questions.  I have rebooted a number of times... currently running a scan with Avast virus.  The virus is also sending the link with the same message to all that are in my Yahoo Messenger list.

Any tips on how to get rid of this?

Offline Coolmario88

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
  • Bronies make the web go round
Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #1 on: July 21, 2010, 10:01:24 PM »
Quote from: jpenguinwi
A friend sent me a link in Yahoo Messenger indicating that there was a picture of me on Facebook. I went to the link and now I have a virus.  One issue is a message that keeps asking questions to confirm I am not a robot.  Other times it comes up on any site I go to, indicating that I am not human since I did not answer the questions.  I have rebooted a number of times... currently running a scan with Avast virus.  The virus is also sending the link with the same message to all that are in my Yahoo Messenger list.

Any tips on how to get rid of this?

Hello, yes, I have a tip: run the Microsoft free online scanner http://onecare.live.com/site/en-us/default.htm
OS: Windows 11 64-bit
Webbrowser: Mozilla Firefox
PC Specs: Intel i5-12400f, Nvidia RTX 3050, 16gb ram, 1.5TB SSD(s).

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #2 on: July 21, 2010, 10:07:57 PM »
This is a common tactic to get you to click on a link, not to mention it may well not have been from your friend at all. This is a Yahoo Messenger issue: either an account hacked and compromised sends out to all on their friends list, and bingo, curiosity killed the cat, so to speak. This then perpetuates the cycle.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. See http://en.wikipedia.org/wiki/HTTP_cookie.

Once you have this under control, I would suggest that you change your Yahoo Messenger password to something stronger: at least 8 (more is better) upper, lower case and numeric characters.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

danieljsza

  • Guest
Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #3 on: July 22, 2010, 04:42:19 AM »
This Yahoo Messenger virus attack is one of the most powerful Trojans/viruses. If your computer is infected with this virus, it will send the nsl-school.org URL to everyone on your friend list in Yahoo Messenger using your ID. So within a few hours many of your friends will get infected with it.

To solve this problem, just go through the steps below carefully.

What are those links?
Nsl-school.org or other (Do not open this url in your browser).

IPB Image

If you are infected with it, what is going to happen?

1: It sets your default IE page to nsl-school.org, and you can't even change it back to another page. If you open IE on your computer, some malicious code will automatically be executed on your computer.

2: It disables Task Manager and regedit, so you can't kill the Trojan process anymore.

3: The files that are going to be installed by this virus are svhost.exe, svhost32.exe and internat.exe.
You can find these files in the windows/ and temp/ directories.

4: It will send secured and protected information to the attacker.


How to remove this manually from your computer?

1: Close the IE browser. Log out of Messenger / remove the Internet cable.

2: To enable Regedit

Click Start, Run and type this command exactly as given below: (better - Copy and paste)

Code: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

3: To enable task manager : (To kill the process we need to enable task manager)

Click Start, Run and type this command exactly as given below: (better - Copy and paste)

Code: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

4: Now we need to change the default page of IE through regedit.

Start>Run>Regedit

In the locations below in Regedit, change your default home page to hackgyan.com or other

Code: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main

Just replace the attacker site with hackgyan.com or set it to blank page.

5: Now we need to kill the process from the back end. For this, press "Ctrl + Alt + Del".
Kill the process svhost32.exe. (There may be more than one process running; check properly.)

6: Delete the svhost32.exe and svhost.exe files from the Windows/ and temp/ directories. Or just search for svhost on your computer and delete those files.

7: Go to regedit, search for svhost and delete all the results you get.
Code: Start>Run>Regedit

8: Restart the computer. That's it, now your system is virus free.
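
The indicators listed in the post above can be checked without changing anything; the following read-only audit is an added example, not part of the original post. The key paths, value names, file names and domain are taken from the post; `Start Page` is the Internet Explorer home-page value, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only audit of the indicators named in the post above.
# Nothing is modified; every hit is only reported.

$badNames  = 'svhost.exe', 'svhost32.exe', 'internat.exe'   # note: NOT the legitimate svchost.exe
$badDomain = 'nsl-school.org'
$findings  = @()

# 1. Policy values the post says are set to lock out Task Manager and regedit.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -and $value -ne 0) {
        $findings += "Policy $name = $value (tool is blocked for this user)"
    }
}

# 2. Internet Explorer start page in the three hives named in the post.
$ieKeys = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
          'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
          'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main'
foreach ($key in $ieKeys) {
    $page = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($page -and $page -like "*$badDomain*") {
        $findings += "Start Page in $key points to $page"
    }
}

# 3. Dropped files in the Windows and temp directories (top level only).
foreach ($dir in $env:windir, $env:TEMP) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $badNames -contains $_.Name.ToLower() } |
        ForEach-Object { $findings += "File $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))" }
}

# 4. Running processes with the same names (Get-Process omits the .exe suffix).
$procNames = $badNames | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $procNames -contains $_.ProcessName.ToLower() } |
    ForEach-Object { $findings += "Process $($_.ProcessName) (PID $($_.Id)) path: $($_.Path)" }

if ($findings) { $findings } else { 'No indicators from the post were found.' }
```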

jpenguinwi

  • Guest
Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #4 on: July 23, 2010, 04:50:33 PM »
I have used the onecare.live.com twice and it cannot remove a few of the virus items.

I have also tried the bleepingcomputer.com/Malwarebytes link and it also cannot remove some items.

I also tried the steps in the 3rd reply, however when I paste the code it does not take it and gives an error message indicating I do not have permission.

Any other tips on how to clean this off my computer?

I no longer have the robot message popping up, however it did come up once last night on one site, and my computer has been slow now.

Thanks

Online DavidR

Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #5 on: July 23, 2010, 05:35:22 PM »
Why can't the items be removed (full text please) ?
What is the file name, location and malware name, etc. of the detections?

That is why we ask to post the results as it gives us an idea what you might be up against.

Have you done as suggested and changed your yahoo messenger password ?

Have you checked the yahoo support pages as I'm pretty sure you aren't the first to suffer this problem ?

iRonzel

  • Guest
Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #6 on: July 23, 2010, 06:40:12 PM »
Quote from: jpenguinwi
I have used the onecare.live.com twice and it cannot remove a few of the virus items.

I have also tried the bleepingcomputer.com/Malwarebytes link and it also cannot remove some items.

I also tried the steps in the 3rd reply, however when I paste the code it does not take it and gives an error message indicating I do not have permission.

Any other tips on how to clean this off my computer?

I no longer have the robot message popping up, however it did come up once last night on one site, and my computer has been slow now.

Thanks

Try using restore points if you can't remove with the tools provided by DavidR. Also you can try in safe mode.

jpenguinwi

  • Guest
Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #7 on: July 24, 2010, 12:17:54 AM »
I have reset my yahoo password a few times.

The restore point does not seem to clear the issues.  When I search for things online and select one of the links I get redirected to strange search engine type pages.

I tried the steps again, I used run,  Code: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

and the error message I get is " Windows cannot access the specified device path or file. You may not have the app. permission to access."

Any help is appreciated...thank you.

Online DavidR

Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #8 on: July 24, 2010, 01:26:03 AM »
If you get that on a registry key you have to a) be using a user account with administrator privileges and b) take ownership of the keys you are trying to change. Manually find the reg key, right click on it and select Permissions, select the User account you are using and ensure you check the Allow, Full Control box.

I don't know if that is the problem you are experiencing with permissions, but it is my best guess.

Unless you are using Vista and UAC could be getting in on the act, in which case you would have to use the 'run as administrator' method, I don't use Vista so I don't know how you go about that.

jpenguinwi

  • Guest
Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #9 on: July 24, 2010, 04:21:45 AM »
I am on XP.  I have no idea where to find the reg edit / permission screen. 

I have been running the windows one scan again, and it is taking forever. 

When I search or try to access a link windows internet explorer takes me to ononeweb.com

I tried to find the schost32.exe, all I found was svhost.exe and I backed out of those in task manager.

I know I am not the most literate on the virus fixes and computers... so bear with me.

Any help is appreciated...

Thanks

Online DavidR

Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #10 on: July 24, 2010, 05:15:06 AM »
The clue is in the image; just use regedit and follow the path as if it were explorer.

However, given your comment on schost32.exe not being found I haven't a great deal of confidence that your problem is the same as outlined by 'danieljsza.'

Also looking at the run commands to create a new registry item, I have to admit I have never seen anything like this used before and the actual command looks strange:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

So I would certainly hold fire on that idea without help.

Quote from: DavidR
Why can't the items be removed (full text please) ?
What is the file name, location and malware name, etc. of the detections?

That is why we ask to post the results as it gives us an idea what you might be up against.
<snip>
Have you checked the yahoo support pages as I'm pretty sure you aren't the first to suffer this problem ?

You didn't answer these or post the logs, the information might help us get a better understanding.

That's me for the night, 4:15am here.

jpenguinwi

  • Guest
Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #11 on: July 24, 2010, 06:22:24 PM »
These are the 4 viruses on my computer:

PWS:Win32/Bankash.gen

Trojan:Java/Bytverify

TrojanDropper.Java/Beyond.C

Virus:Win32Ahureon

I noted the viruses and then my net connection went out.  I ran OneCare again, but we had some rough storms so power was out 2 hours. 

It seems like I am stuck with the viruses.


memyself

  • Guest
Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #12 on: July 25, 2010, 01:13:11 AM »
 :o
« Last Edit: August 05, 2010, 11:12:58 PM by memyself »

jpenguinwi

  • Guest
Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #13 on: July 26, 2010, 02:20:12 AM »
The log is too long to post, I will post in pieces.  When I run Live OneCare it still says I have 4 viruses that cannot be removed.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4345

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2010 11:18:37 PM
mbam-log-2010-07-24 (23-18-37).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 317825
Time elapsed: 4 hour(s), 22 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 150
Registry Values Infected: 10
Registry Data Items Infected: 1
Folders Infected: 19
Files Infected: 64

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproducts.datacontrol (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> No action taken.

jpenguinwi

  • Guest
Re: Yahoo Messenger / Facebook Pic Virus Link
« Reply #14 on: July 26, 2010, 02:21:32 AM »
log part 2    deleted
« Last Edit: July 26, 2010, 02:30:26 AM by jpenguinwi »