W32.Sohanad.Vbs – thecoolpics.net and thecoolpics.com Removal Tool
W32.Sohanad is a worm that spreads specifically through instant messaging applications. W32.Sohanad checks for a running process that belongs to an instant messenger. If it senses that the program is running, it immediately sends a message to the remote users in the victim's contact list. The message contains a malicious URL that redirects the browser to a contaminated web site, which extends the infection to everyone who visits that site.

W32.Sohanad sends messages containing links.
Some of the messages commonly sent to victims are:
- Oh my god, I’ve won a 20000 usd lottery
- Do you realize who is in this image
- Come to my house tonight for a party
- Images shot in Iraq _ the war will never end
- who is beside you in this pic
- so good-looking
- Screenshot of new windows version _ Windows Vista
About W32.Sohanad.Vbs
W32.Sohanad.Vbs is a script created to restore the registry values damaged by the worm W32.Sohanad. This code may be freely distributed and modified. Please use it at your own risk.
Operating System:
Windows 2000/XP
How to create W32.Sohanad.VBS:
1. Open Notepad.
2. Copy the text between the ===== lines below (do not include the top and bottom ===== lines).
3. Paste it into Notepad and save it as W32Sohanad.vbs.
4. Reboot your computer in Safe Mode and make sure that no other programs are running.
5. Double-click W32Sohanad.vbs to run it.
==========
' This script restores the registry values damaged/modified by the W32Sohanad worm. This code may be freely distributed/modified.
' Note: all quotes in this script must be straight ASCII quotes (' and "), not the curly quotes a web page or word processor may substitute; curly quotes cause a script error.
' Prevents errors from values that don't exist
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
' Delete the values that disabled the Windows Registry Tools and Task Manager.
' WScript.Shell accepts HKCU and HKLM as short root names, but HKEY_USERS has no short form, so it is spelled out here.
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
WshShell.RegDelete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
' Delete the registry values that change your Yahoo Messenger status
WshShell.RegDelete "HKCU\Software\Yahoo\pager\View\YMSGR_buzz\content url"
WshShell.RegDelete "HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast\content url"
' Delete the Run entries that make the worm start while booting.
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Task Manager"
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost"
' Delete the policy that disables the Homepage buttons in IE
WshShell.RegDelete "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage"
' Reset Homepage
WshShell.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page", "about:blank", "REG_SZ"
' Reset IE Title Bar
WshShell.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title", "Microsoft Internet Explorer", "REG_SZ"
X = MsgBox("Registry successfully restored from the damage made by W32Sohanad Worm", vbOKOnly, "Success!!!")
==========
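Because the removal script runs with On Error Resume Next, it gives no indication of which values it actually found. The following check script is an added example, not part of the original tool: it reads the same registry values the removal script targets and reports which are present, so you can confirm the infection before running the tool and confirm the clean-up afterwards. The label text and the split into "indicator" values (which should not exist on a clean machine) and "review" values (which exist normally, so only their content matters) are my own.

```vbscript
' Added check script (not part of the original W32Sohanad.vbs): reports which of the
' registry values named in the removal script are present. Run with: cscript //nologo check.vbs
Option Explicit
On Error Resume Next

Dim WshShell, Indicators, ReviewValues, Path, Data, Found, Report
Set WshShell = WScript.CreateObject("WScript.Shell")

' Values that only exist when the worm (or a similar policy change) has been applied.
Indicators = Array( _
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", _
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", _
    "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", _
    "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", _
    "HKCU\Software\Yahoo\pager\View\YMSGR_buzz\content url", _
    "HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast\content url", _
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Task Manager", _
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost", _
    "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage")

' Values that exist on a clean machine too; print their content for manual review.
ReviewValues = Array( _
    "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", _
    "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title")

' Returns the value as text, or Empty if the value does not exist.
Function ReadValue(ValuePath)
    Err.Clear
    Data = WshShell.RegRead(ValuePath)
    If Err.Number <> 0 Then
        ReadValue = Empty
    ElseIf IsArray(Data) Then
        ReadValue = "(binary or multi-string data)"
    Else
        ReadValue = CStr(Data)
    End If
End Function

Found = 0
Report = "W32.Sohanad indicator check" & vbCrLf
For Each Path In Indicators
    Data = ReadValue(Path)
    If IsEmpty(Data) Then
        Report = Report & "absent:  " & Path & vbCrLf
    Else
        Found = Found + 1
        Report = Report & "PRESENT: " & Path & " = " & Data & vbCrLf
    End If
Next
For Each Path In ReviewValues
    Report = Report & "review:  " & Path & " = " & ReadValue(Path) & vbCrLf
Next
WScript.Echo Report & Found & " of " & (UBound(Indicators) + 1) & " indicator values present."
```

Run it once before the removal script to see what the worm changed, and once again afterwards; the second run should report 0 indicator values present and the Start Page set to about:blank.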
uday
Aug 23, 2007 @ 15:19:01
Tried the procedure but I'm getting a script error. Please help.