Removal of WORM_SOHAND.MY

As this is the worm that auto-executes and comes from different means we may need to be cautious while clicking on any link on the internet and in instant messaging.

Removal Steps: 

• Disable System Restore
• Use process explorer to find the files loaded by WORM_SOHAND.MY that are running as processes kill their processes.
• Enable registry Editor, Task Manager, and Folder options 
• Delete the registry value
• HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run 

                Yahoo Messengger = "C:\windows\gphone.exe" or "Users\Desktop" in Vista

• HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Explorer>WorkgroupCrawler> Shares    shared = "\New Folder.exe"

• HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Schedule          AtTaskMaxHours = "0"
  

• Restore the registry value to

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

• From: Shell = "Explorer.exe gphone.exe"
• To: Shell = "Explorer.exe" 

Locate the file AutoRun.INF in all the drives, open it with notepad and if you find the lines 

• [AutoRun]
• Open=gphone.exe
• Shellexecute=gphone.exe
• Shell\Open\command=gphone.exe
• Shell=Open 

Delete the file from all the folders.

Also delete the files   

• %User Temp%\log_{time stamp}.txt
• {install path}\setting.ini 
• {install path}\setting.ini.old 

Select My computer from the drop down list and shift delete them to delete permanently. 

Delete the scheduled task

• System%\{malware file name}.exe

Posted in: PC Support,Removal of WORM_SOHAND.MY,Technical Support,TechSupp 247,Virus Removal Expert