
Remove Yahoo messenger worm - W32/Sohana-R

Monday, 26 November 2007 02:03 by krishnan

Is your Yahoo Messenger automatically sending messages with a link to your contacts?

 First, send a message to all your contacts telling them not to click on any suspicious links from you. Then:

 I. If you are using ME or XP, disable System Restore. Don't know how to disable it? Check this link: Disable System Restore
 

 II.
  1. Click Start > Run.
  2. Type regedit
  3. Click OK.

  Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it. In that case, try one of the following:

   Method 1 (it may or may not work, because the threat may have disabled the command prompt as well):

    1. Download, unzip and run changereg.zip (303.00 bytes) to fix it.


   Method 2:

    A. Download Process Explorer.
    B. Unzip it.
    C. Run the file.
    D. Kill the SVICHOST.exe and SVICHOSST.exe tasks.

    Now try again; the Registry Editor will open.

 4. Navigate to and delete the following entries:
    i. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
           Winlogon\"Shell" = "Explorer.exe RVHOST.exe"
    ii. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
           Run\"Yahoo Messengger" = "%System%\RVHOST.exe"
    iii. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
           Run\"Yahoo Messengger" = "%System%\system32\SSVICHOSST.exe"
    iv. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
           Run\"Yahoo Messengger" = "%System%\system32\SSVICHOST.exe"
    v. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
           Explorer\WorkgroupCrawler\Shares\"shared" = "[SHARED DRIVE]\New Folder.exe"

 5. Restore the following registry entries to their original values, if required (change each from "1" to 0):
    i. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
           Policies\System\"DisableTaskMgr" = "1"
    ii. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
           Policies\System\"DisableRegistryTools" = "1"
    iii. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
           Policies\Explorer\"NofolderOptions" = "1"

Exit the Registry Editor.

  III.
   1. Go to C:\Windows or C:\WINNT (Start > Run, type %systemroot% and press OK).
      Search for SVICHOSSST.exe and SVICHOST.exe; if found, delete them.
   2. Go to System32 (Start > Run, type %systemroot%\system32 and press OK).
      Search for SVICHOSSST.exe and SVICHOST.exe; if found, delete them.

Alternatively, you can download, unzip and run Emergency_Virus_Fix.zip (848.00 bytes) to fix all these issues. If it will not run, kill the processes using steps A, B, C and D, then try to run it again.
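
As an added example (not part of the original post or its fix scripts), the Python sketch below scans the text of a registry export for the values named in steps 4 and 5, so you can see what is present before cleaning and confirm nothing is left afterwards. It assumes the keys were exported with regedit or `reg export` and decoded to text; the function names and the sample export are constructed for illustration.

```python
import re

# Key paths and value names are the ones listed in steps 4 and 5 above.
BASE = r"software\microsoft\windows\currentversion"
RUN, SHARES = BASE + r"\run", BASE + r"\explorer\workgroupcrawler\shares"
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
POLICY = {(BASE + r"\policies\system", "disabletaskmgr"), (BASE + r"\policies\system", "disableregistrytools"),
          (BASE + r"\policies\explorer", "nofolderoptions")}
VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"=(?:dword:([0-9a-fA-F]{1,8})|"((?:[^"\\]|\\.)*)")$')

def parse_reg(text):
    """Yield (key, name, data) for string and dword values in .reg export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = VALUE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and m and m.group(2) is not None:
            yield key, m.group(1), int(m.group(2), 16)
        elif key and m:
            yield key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(3))  # undo \\ and \"

def findings(text):
    """Return (step, key, name, data) for each value the steps above say to fix."""
    hits = []
    for key, name, data in parse_reg(text):
        sub = key.partition("\\")[2].lower()  # drop the hive, compare case-insensitively
        low = name.lower()
        step4 = ((sub == RUN and low == "yahoo messengger")
                 or (sub == SHARES and low == "shared" and str(data).lower().endswith(".exe"))
                 or (sub == WINLOGON and low == "shell"
                     and str(data).strip().lower() != "explorer.exe"))
        if step4:
            hits.append(("step 4", key, name, data))
        elif (sub, low) in POLICY and data == 1:
            hits.append(("step 5", key, name, data))
    return hits

# Constructed sample export for illustration, not captured from an infected machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo Messengger"="C:\\WINDOWS\\system32\\SSVICHOST.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe RVHOST.exe"
'''
```

Calling `findings(SAMPLE)` returns the misspelled Run value, the policy value set to 1 and the modified Winlogon shell, and skips the legitimate `ctfmon.exe` entry and the policy already set to 0.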

 



 

Comments

December 9. 2007 19:56

Manu

The simplest fix for this worm is to...

1. Install and run Kaspersky anti-virus trial version. Do a complete scan and it will remove the worm completely.

However, since the worm changes WinXP policies and disables...
- task manager,
- folder options
and registry editor

...there's still a little more to do.

2. Start > Run and type the following and click OK to enable Registry Editor instantly.

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

3. Start > Run and type the following and click OK to enable Task Manager instantly.

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

4. Start > Run and type the following and click OK to enable folder options.

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NofolderOptions /t REG_DWORD /d 0 /f

5. You may need to reboot for folder options to show up.

Manu

December 10. 2007 22:28

krishnan

Spyware doctor is a good thing to remove this virus

you can get it from here
pack.google.com/.../pack_installer.html?nopers

krishnan

August 11. 2008 08:22

Lucelle

I have the same virus but it's moved to my iPod and replicated itself in each folder, how do I remove it?

Lucelle

March 10. 2009 05:52

rigs

Hi, Krishnan.
A lot of my friends have this problem on their messenger (Yahoo and MSN). The weird thing is, the virus still sends these messages even when my friends logged in using some other platform (Yahoo/MSN messenger for Mac or Blackberry).
I tried searching the internet, but cannot find occurrences of this worm on platforms other than Windows.
Any idea how to remove it from Blackberry/Mac?
TIA

rigs
