
Remove Yahoo Messenger worm - W32/Sohana-R

Is your Yahoo Messenger automatically sending messages with a link to your contacts?

 First, send a message to all your contacts telling them not to click on any suspicious links from you. Then:

 I. If you are using Windows ME or XP, disable System Restore. Don't know how to disable it? Check this link: Disable System Restore

  1. Click Start > Run.
  2. Type regedit
  3. Click OK.

  Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it. In that case:

   Method 1: This may or may not work, because the threat may also have disabled the command prompt.

    1. Download, unzip and run (303.00 bytes) to fix

  Method 2:

   A. Download Process Explorer
   B. Unzip it
   C. Run the file
   D. Kill the SVICHOST.exe and SVICHOSST.exe processes,
   then try again; the Registry Editor will now open

 4. Navigate to and delete the following entries:
    i. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
           Winlogon\"Shell" = "Explorer.exe " RVHOST.exe"
    ii. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
           Run\"Yahoo Messengger" = "%System%\RVHOST.exe"
    iii. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
           Run\"Yahoo Messengger" = "%System%\system32\SSVICHOSST.exe"
    iv. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
          Run\"Yahoo Messengger" = "%System%\system32\SSVICHOST.exe"
     v. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
          Explorer\WorkgroupCrawler\Shares\"shared" = "[SHARED DRIVE]\New Folder.exe" 

 5. Restore the following registry entries to their original values, if required:
   i.  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
          Policies\System\"DisableTaskMgr" = "1"  to 0
   ii. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
           Policies\System\"DisableRegistryTools" = "1"  to 0
   iii. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
         Policies\Explorer\"NofolderOptions" = "1"  to 0

Exit the Registry Editor.

   1. Now go to C:\Windows or C:\WINNT (Start -> Run -> type %systemroot% and press OK)
           Search for SVICHOSSST.exe and SVICHOST.exe; if found, delete them
      Now go to System32 (Start -> Run -> type %systemroot%\system32 and press OK)
          Search for SVICHOSSST.exe and SVICHOST.exe; if found, delete them

Or you can download, unzip and run (848.00 bytes) to fix all these issues. If it does not run, kill those processes using steps A, B, C and D, then try running it again.
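
To check a machine (or confirm a cleanup) without clicking through each key, the registry entries from steps 4 and 5 can be matched against an exported .reg file. The script below is an added example, not part of the original post or any vendor tool; the function name `audit_reg_export` and the sample export are constructed for illustration, and it assumes the export has already been decoded to text (regedit version 5.00 exports are UTF-16).

```python
import re

# Indicators copied from steps 4 and 5 above; matching is case-insensitive.
WORM_FILES = ("rvhost.exe", "svichost.exe", "svichosst.exe", "svichossst.exe",
              "new folder.exe")  # the "SSVICHOS*" names contain these strings
PERSIST_KEYS = ("\\currentversion\\run", "\\currentversion\\winlogon",
                "\\workgroupcrawler\\shares")
POLICY_NAMES = ("disabletaskmgr", "disableregistrytools", "nofolderoptions")
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export (not captured from an infected machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe RVHOST.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\SSVICHOSST.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
'''

def audit_reg_export(text):
    """Return (kind, key, value_name, data) for each entry the steps name."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if KEY_RE.match(line):
            key = KEY_RE.match(line).group(1)
            continue
        m = VAL_RE.match(line)
        if not (m and key):
            continue
        name, data = m.group(1), m.group(2)
        low_key, low_data = key.lower(), data.lower()
        if low_key.endswith(PERSIST_KEYS) and any(f in low_data for f in WORM_FILES):
            findings.append(("persistence", key, name, data))
        elif ("\\policies\\" in low_key and name.lower() in POLICY_NAMES
              and low_data == "dword:00000001"):
            findings.append(("policy", key, name, data))
    return findings

if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE):
        print(*finding, sep=" | ")
```

A "persistence" finding corresponds to an entry listed in step 4, and a "policy" finding to a value from step 5 that is still set to 1.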