W32.Sohanad.Vbs – thecoolpics.net and thecoolpics.com Removal Tool
W32.Sohanad is a worm that specifically spreads on instant messaging application. W32.Sohanad will detect running process that belongs to instant messenger. If it sense that the program is running, it instantly send a message to remote users included in the contact list of victim. The message will contain malicious URL that redirect browser to a contaminated web site. This method will extend the infection to people who visited the web site.
Some of the message uniformly sent to victims are:
- Oh my god, I’ve won a 20000 usd lottery
- Do you realize who is in this image
- Come to my house tonight for a party
- Images shot in Iraq _ the war will never end
- who is beside you in this pic
- so good-looking
- Screenshot of new windows version _ Windows Vista
W32.Sohanad.Vbs is a script created to restore the damaged registry values cause by Worm W32.Sohanad This code may be freely distributed and modified. Please use at your own risk.
How to created W32.Sohanad.VBS:
1. Open NotePad.
2. Copy the text inside the ===== below. (Do not include top and bottom =====)
3. Paste it to NotePad and SaveAs W32Sohanad.vbs
4. Reboot your computer in SafeMode and remain that no other programs are running.
5. Double click on W32Sohanad.vbs to run it.
‘This script is to restore the damaged/modified registry by the W32Sohanad Worm. This code may be freely distributed/modified.
‘Prevents errors from values that don’t exist
On Error Resume Next
Set WshShell = WScript.CreateObject(“WScript.Shell”)
‘Delete the keys that has disabled the Windows Registry Tools and Task Manager.
‘Delete the registry keys that changes your Yahoo Messenger status
WshShell.RegDelete “HKCU\Software\Yahoo\pager\View\YMSGR_buzz\content url”
WshShell.RegDelete “HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast\content url”
‘Delete the entries which make the worm start up while booting.
WshShell.RegDelete “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Task Manager”
‘Delete Disable Homepage Buttons in IE
WshShell.RegDelete “HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage”
WshShell.RegWrite “HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page”, “about:blank”, “REG_SZ”
‘Reset IE Title Bar
WshShell.RegWrite “HKCU\Software\Microsoft\Internet Explorer\Main\Window Title”, “Microsoft Internet Explorer”
X = MsgBox(“Registry successfully restored from the damage made by W32Sohanad Worm”, vbOKOnly, “Success!!!”)