Tuesday, March 3, 2009

Yahoo messenger worm - W32/Sohana-R

Is your Yahoo Messenger automatically sending messages with a link to your contacts?

Try this to resolve it:

1. Click Start > Run.
2. Type regedit
3. Click OK.

Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it. In that case:

Method 1 (this may or may not work, because the threat may also have disabled the command prompt):

1. Download, unzip and run changereg.zip (303.00 bytes) to fix it.

Or try this:

A. Download Process Explorer.
B. Unzip it.
C. Run the file.
D. Kill the SVICHOST.exe and SVICHOSST.exe processes.

Now try again; regedit will open.

4. Navigate to and delete the following entries:
i. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe " RVHOST.exe"
ii. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Yahoo Messengger" = "%System%\RVHOST.exe"
iii. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Yahoo Messengger" = "%System%\system32\SSVICHOSST.exe"
iv. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Yahoo Messengger" = "%System%\system32\SSVICHOST.exe"
v. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\"shared" = "[SHARED DRIVE]\New Folder.exe"

5. Restore the following registry entries to their original values, if required:
i. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1" (change to 0)
ii. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1" (change to 0)
iii. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NofolderOptions" = "1" (change to 0)

Exit the Registry Editor.
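
To confirm that steps 4 and 5 took effect, the registry values listed above can be checked from PowerShell. This is an added example, not part of the original post; the function and variable names are its own, and it only reads the registry.

```powershell
# Added example: read-only audit of the registry values from steps 4 and 5.
# Run it in the affected user's session (HKCU is per-user). It changes nothing.
$cv = 'Software\Microsoft\Windows\CurrentVersion'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$findings = @()

# Step 4 (i): assumption - a clean Winlogon Shell value is Explorer.exe alone.
$shell = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
    $findings += "Step 4: Winlogon\Shell = $shell"
}

# Step 4 (ii-iv): the misspelled "Yahoo Messengger" autorun value should not exist.
$run = Get-RegValue "HKCU:\$cv\Run" 'Yahoo Messengger'
if ($null -ne $run) {
    $findings += "Step 4: Run\Yahoo Messengger = $run"
}

# Step 4 (v): share entry pointing at "New Folder.exe".
$share = Get-RegValue "HKCU:\$cv\Explorer\WorkgroupCrawler\Shares" 'shared'
if ($share -like '*New Folder.exe') {
    $findings += "Step 4: WorkgroupCrawler\Shares\shared = $share"
}

# Step 5: policy values that are still set to 1.
$policyValues = @(
    @{ Key = 'System';   Name = 'DisableTaskMgr' },
    @{ Key = 'System';   Name = 'DisableRegistryTools' },
    @{ Key = 'Explorer'; Name = 'NofolderOptions' }
)
foreach ($p in $policyValues) {
    $data = Get-RegValue "HKCU:\$cv\Policies\$($p.Key)" $p.Name
    if ($data -eq 1) {
        $findings += "Step 5: Policies\$($p.Key)\$($p.Name) = $data"
    }
}

if ($findings.Count -eq 0) { 'None of the listed entries were found.' }
else { $findings }
```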

1. Now go to C:\Windows or C:\WINNT (Start > Run, type %systemroot% and click OK).
Search for SVICHOSSST.exe and SVICHOST.exe; if found, delete them.
Now go to System32 (Start > Run, type %systemroot%\system32 and click OK).
Search for SVICHOSSST.exe and SVICHOST.exe; if found, delete them.

Or you can download, unzip and run Emergency_Virus_Fix.zip (848.00 bytes) to fix all these issues. If it does not run, kill the processes using steps A, B, C and D, then try to run it again.

