Dealing with worm-infected Yahoo! Messengers in Windows XP is fun. Just apply the fix. Do not reformat because it is the lazy way of fixing things!
In file fix.reg
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz]
"content url"=-
[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast]
"content url"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://eradicus.blogsome.com"
[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Task Manager"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Svchost"=-
If the worm disabled the Registry, Task Manager, and Run command, fire up a command prompt and do the following.
1. To reactivate the Registry
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
/v DisableRegistryTools /t REG_DWORD /d 0 /f
2. To reactivate the Task Manager
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
/v DisableTaskMgr /t REG_DWORD /d 0 /f
Search for svchost.exe and delete the macro equivalent. Be careful! Make sure that it is the macro equivalent, not the system file!
No comments:
Post a Comment