Techno World Inc - The Best Technical Encyclopedia Online!

THE TECHNO CLUB [ TECHNOWORLDINC.COM ] => Messengers / Chats => Topic started by: Mark David on July 17, 2007, 12:31:52 PM



Title: Removing the Yahoo / AOL / MSN Messenger Virus
Post by: Mark David on July 17, 2007, 12:31:52 PM
Removing the Yahoo / AOL / MSN Messenger Virus

Virus Name: W32 Sohanad.B or W32 Sohanad.C

This is a worm that spreads itself by sending links to your contacts in Yahoo, AOL and Windows Live messengers. It disables the Registry Editor and Task Manager, changes the Internet Explorer (IE) home page and also modifies the registry so that you cannot change the home page address. For more details on this worm, read the TrendMicro virus information.


Here are simple steps to get this worm removed from your system:

1) Download the attached file below and unzip it using WinZip or WinRAR.
[Note: If you can't see the attached file, please log in with your ID]

2) Double-click the downloaded exe file; it will run and repair the damage done to the registry by the worm.

3) Restart your system.

4) Delete the file svhost32.exe from your Windows folder (if it is present).

5) Delete the file svhost.exe from your Windows folder (if it is present).


And the silly worm's story ends!!!
You can now use the Yahoo messenger peacefully.

By the way, I have a suggestion for you: use the Firefox (http://firefox.technoworldinc.com) browser to avoid such worm attacks in the future. It is much more secure than Microsoft Internet Explorer.

Source: TechnoWise (http://technowise.blogspot.com/2006/10/removing-yahoo-aol-msn-messenger-virus.html)


Title: Yahoo messenger virus attack - Remove It From Your Affected Computer
Post by: Mark David on July 29, 2007, 10:28:04 PM
This Yahoo Messenger virus attack is one of the most powerful Trojans / viruses. If your computer is infected with this virus, it will send the nsl-school.org URL to everyone on your friend list in Yahoo Messenger using your ID. So within a few hours many of your friends will get infected with it.

To solve this problem, just go through the steps below carefully.

What are those links?

Nsl-school.org or other (do not open this URL in your browser).

If you are infected with it, what is going to happen?

1: It sets your default IE page to nsl-school.org, and you can't even change it back to another page. If you open IE on your computer, some malicious code will automatically be executed on your computer.

2: It disables Task Manager / Regedit, so you can't kill the Trojan process anymore.

3: Files that are going to be installed by this virus are svhost.exe, svhost32.exe, internat.exe.

You can find these files in the windows/ & temp/ directories.

4: It will send secured & protected information to the attacker.

How to remove this manually from your computer?

1: Close the IE browser. Log out of the messenger / remove the Internet cable.

2: To enable Regedit

Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

3: To enable Task Manager: (to kill the process we need to enable Task Manager)

Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

4: Now we need to change the default page of IE through Regedit.

Start>Run>Regedit

In the locations below in Regedit, change your default home page to google.com or other.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main

Just replace the attacker's site with google.com or set it to a blank page.

5: Now we need to kill the process from the back end. Press Ctrl + Alt + Del.

Kill the process svhost32.exe. (There may be more than one process running; check properly.)

6: Delete the svhost32.exe and svhost.exe files from the windows/ & temp/ directories. Or just search for svhost on your computer and delete those files.

7: Go to Regedit, search for svhost and delete all the results you get.
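
Added example, not part of the original post or thread: a read-only PowerShell check for the indicators the post above lists (the two policy values, the IE home page, the file names and the process names). The `Start Page` value name and the `.DEFAULT` hive spelling are assumptions supplied here; the post gives neither.

```powershell
# Added example: read-only check, it changes and deletes nothing.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
# Assumption: the post's HKEY_USERS\Default is the hive Windows names .DEFAULT
$ieKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main'
)
$fileNames = 'svhost.exe', 'svhost32.exe', 'internat.exe'
$dirs = @($env:windir, $env:TEMP) | Where-Object { $_ }

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$findings = @()

# Policy values the post resets to 0 to re-enable Regedit and Task Manager.
foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
    $value = Get-RegValue $policyKey $name
    if ($null -ne $value -and $value -ne 0) {
        $findings += "$name = $value under $policyKey (expected absent or 0)"
    }
}

# IE home page: flag the domain named in the post, print anything else for review.
foreach ($key in $ieKeys) {
    $start = Get-RegValue $key 'Start Page'   # assumption: value name not in the post
    if ($start -like '*nsl-school.org*') { $findings += "Start Page in $key is $start" }
    elseif ($start) { Write-Output "Start Page in $key : $start (review manually)" }
}

# File names from the post, looked up directly in the Windows and temp folders.
foreach ($dir in $dirs) {
    foreach ($name in $fileNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) { $findings += "File present: $path" }
    }
}

# Running processes that match the executable names from the post.
foreach ($p in @(Get-Process -Name 'svhost', 'svhost32' -ErrorAction SilentlyContinue)) {
    $findings += "Process running: $($p.Name) (PID $($p.Id))"
}

if ($findings.Count -eq 0) { Write-Output 'None of the listed indicators were found.' }
else { $findings | ForEach-Object { Write-Output "FOUND: $_" } }
```

A name match is only a lead; confirm what the file is before deleting it.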


Title: Re: Removing the Yahoo / AOL / MSN Messenger Virus
Post by: Hellraiser on September 08, 2007, 03:34:53 PM
Great info.