Configuration: Windows XP Internet Explorer 6.0
Hi
Download HijackThis here: http://telechargement.zebulon.fr/138-hijackthis-1991.html
Unzip it into a folder set aside for it, for example C:\hijackthis < Make sure you save it in C: !
Demo (thanks to Balltrap34 for making it): http://pageperso.aol.fr/balltrap34/Hijenr.gif
Run it, then click "do a system scan and save logfile" (see the demo) and copy and paste the entire log to the forum.
Demo (thanks to Balltrap34 for making it): http://pageperso.aol.fr/balltrap34/demohijack.htm
Good luck
See you
"I had dreamed of a better world... Without differences of colour... Equality..." -MLK-
|
Mr. Regis59, can you tell me how to fix the problem with the 'Run' commands (regedit, msconfig, Task Manager)? They are all disabled and the message 'your administrator has disabled ....' is displayed. What should I do?
A friend told me about a code to merge into the registry. Do you have this code? In fact the virus is neutralized but its effects persist. Please help me |
Hello;
Via Start/Run... (Windows+R), type gpedit.msc
# Expand the folder User Configuration - Administrative Templates - System
# In the right pane, double-click the entry Prevent access to registry editing tools
Make sure the Not Configured option is selected.
OR download this: http://www.d2i.ch/pn/telechargement/vbs/DesactiveRestrictionsRegistre.vbs
Double-click on it
See you
"I had dreamed of a better world... Without differences of colour... Equality..." -MLK- |
I'll try that
Thanks a lot, Mr. Regis59 |
Yes, it's fine
I've solved my problems but I have one left: 'Folder Options' has disappeared from Explorer and also from the Control Panel. Can you give me a tip to get it back? Thanks in advance, Mr. Regis59 |
Hello
Can we check that everything is OK first?
Download HijackThis here: http://telechargement.zebulon.fr/138-hijackthis-1991.html
Unzip it into a folder set aside for it, for example C:\hijackthis < Make sure you save it in C: !
Demo (thanks to Balltrap34 for making it): http://pageperso.aol.fr/balltrap34/Hijenr.gif
Run it, then click "do a system scan and save logfile" (see the demo) and copy and paste the entire log to the forum.
Demo (thanks to Balltrap34 for making it): http://pageperso.aol.fr/balltrap34/demohijack.htm
Good luck
See you
"I had dreamed of a better world... Without differences of colour... Equality..." -MLK- |
Hello
I caught a virus named W32/IMWorm.CT, also called SOHANAD.NAK. The F-PROT antivirus detects it and deletes it but, unbelievable as it may seem, it comes back every time. I'm asking the whole community to help me get rid of it, because it is starting to drive me crazy and I even think it is destroying my system and my data. I'm sending out an urgent SOS to anyone who has a disinfection kit to let me know. Thanks |
Hi
You will get help once you have created your own post! Good luck :)
See you
"I had dreamed of a better world... Without differences of colour... Equality..." -MLK- |
Type
Virus:sohanad
SubType: Worm
Discovery Date: 05/15/2007
Length: varies
Minimum DAT: 5031 (05/15/2007)
Updated DAT: 5031 (05/15/2007)
Minimum Engine: 5.1.00
Description Added: 05/15/2007
Description Modified: 05/16/2007

Overview -: W32/Hakaglan.worm is a worm written in AutoIT that spreads via Yahoo Messenger, removable drives and network shares

Aliases:
IM-Worm.Win32.Sohanad.t (Kaspersky)
W32.Yautoit (Symantec)
W32/Sohana-R (Sophos)
Win32/YahLover.AO (CA)
Worm/Sohanad.NAK (Antivir)

Characteristics -: W32/Hakaglan.worm is a worm written in AutoIT that spreads via Yahoo Messenger, removable drives and network shares

Upon execution the worm drops the following files:
%WINDIR%\SSVICHOSST.exe -> Worm Component
%SYSDIR%\SKCVHOSThk.dll -> Keylogger Component
%SYSDIR%\SKCVHOST.exe -> Keylogger Component
%SYSDIR%\SKCVHOSTr.exe -> Keylogger Component

Creates the following registry keys to hook at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ "Shell" = " Explorer.exe SSVICHOSST.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ "Yahoo Messengger" = "%SYSDIR%\ SSVICHOSST.exe"

The worm creates a job file (At1.job) which schedules to execute itself everyday at 09:00 hrs.

Modifies the following registry keys to hide folder options and disable the taskmanager, registry editing etc.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NofolderOptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "DisableRegistryTools" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ "AtTaskMaxHours" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\ "shared" = "\\[SHARES]\New Folder.exe"

Symptoms -: Ends the following processes and closes applications if the window title has:
[FireLion] Bkav2006 System Configuration Registry Windows Task cmd.exe

Attempts to delete following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run="BkavFw"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run="IEProtection"

Downloader Component: The worm connects to the following domains to download updated variants of itself and additional malware.
http://nhatquan[BLOCKED].t35.com/
http://nhatquan[BLOCKED].t35.com/
http://nhatquan[BLOCKED].t35.com/
http://nhatquan[BLOCKED].t35.com/

At the time of writing this description, variants of KeyLog-Perfect.dll, Keylog-Perfect and Generic ProcKill.c were observed to be downloaded.

Note: As the website being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered - possibly with every user infection.

Method of Infection - The worm spreads through passing any of the above links pointing to a hosted copy of the worm to all users listed in infected person's yahoo buddy list. Victims typically get infected when they download and execute the spammed copy of the worm. It also spreads via network shares and removable drives.

Removal - A combination of the latest DATs and the Engine will be able to detect and remove this threat.
AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

*Since we have a lot of visits related to removing Hakaglan, we will provide you with all possible solutions to clean this malware.
- W32/Hakaglan.worm is a worm written in AutoIT that spreads via Yahoo Messenger, removable drives and network shares
- Aliases: IM-Worm.Win32.Sohanad.t (Kaspersky) W32.Yautoit (Symantec) W32/Sohana-R (Sophos) Win32/YahLover.AO (CA) Worm/Sohanad.NAK (Avira)
- Removal method:
1. Check your antivirus (which one it is, whether it is updated, and whether you made a full scan of your PC after the update).
2. If you can't clean the worm this way, reinstall your AV and download and install one of these AVs: McAfee or Kaspersky (here at SCForum.info we provide you with links to the latest downloads, just check the right section) and go back to step 1.
3. Don't forget to turn off System Restore on your PC.
4. Also, here is a solution for "handy" cleaning of this malware:

"Enabling The Registry Editor and Task Manager
This malware disables the Registry Editor. To restore the said system tool, perform the following instructions:
Open Notepad. Click Start>Run, type Notepad, then press Enter.
Copy and paste the following:

```
' Keep going if a value is already absent
On Error Resume Next
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("scripting.FileSystemObject")
' Delete the policy values that block the Registry Editor and Task Manager
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
shl.RegDelete
```

Save this file as C:\RESTORE.VBS.
Click Start>Run, type C:\RESTORE.VBS, then press Enter.
Click Yes at the prompt of the message box.

Terminating the Malware Program
This procedure terminates the running malware process.
Open Windows Task Manager.
• On Windows 98 and ME, press CTRL+ALT+DELETE
• On Windows NT, 2000, XP, and Server 2003, press CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the process: RVHOST.EXE
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
--------------------------------------------------------------------------------
*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process.
On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Editing the Registry:
This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:
HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entry from the Registry
Removing the autostart entry from the registry prevents the malware from executing at startup.
If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.
Open Registry Editor.
Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Yahoo Messengger = "%System%\RVHOST.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)

Removing Other Entry from the Registry
Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer
In the right panel, locate and delete the entry:
NofolderOptions = "1"

Restoring Modified Entries from the Registry
Still in Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon
In the right panel, locate the entry:
Shell = "Explorer.exe RVHOST.exe"
Right-click on the value name and choose Modify. Change the value data of this entry to:
Explorer.exe
In the right panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Schedule
In the right panel, locate the entry:
NextAtJobId = "2"
Right-click on the value name and choose Modify. Change the value data of this entry to: "1"
Close Registry Editor.

Deleting the Malware File(s):
Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
In the Named input box, type: AT1.JOB
In the Look In drop-down list, select My Computer, then press Enter.
Once located, select the file then press SHIFT+DELETE.

Important Windows ME/XP Cleaning Instructions:
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.
Configuration: Windows XP Firefox 2.0.0.6 |
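The registry changes listed in the write-up above can be checked offline against an exported copy of the registry. The following is an added example, not part of the thread or of the vendor text: it assumes the input is the text of a `.reg` export, the names `parse_export`, `classify` and `audit` are made up for the illustration, and the sample export is constructed.

```python
import re
# Constructed sample in .reg export text form (not from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"="1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo Messengger"="C:\\WINDOWS\\system32\\SSVICHOSST.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SSVICHOSST.exe"
'''

CV = r"\software\microsoft\windows\currentversion"  # names are compared lower-cased
POLICIES = {(CV + r"\policies\system", "disabletaskmgr"),
            (CV + r"\policies\system", "disableregistrytools"),
            (CV + r"\policies\explorer", "nofolderoptions")}
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_export(text):
    """Yield (key, name, data); strings are unescaped, dwords become int."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name, data = m.groups()
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            yield key, name, data

def classify(key, name, data):
    """Return which change from the write-up this value matches, or None."""
    k, n, d = key.lower(), name.lower(), str(data).strip().lower()
    if any(k.endswith(s) and n == v for s, v in POLICIES):
        return "restriction" if d not in ("0", "") else None
    if k.endswith(CV + r"\run") and n == "yahoo messengger":
        return "autostart"
    if k.endswith(r"\windows nt\currentversion\winlogon") and n == "shell":
        return "shell" if d != "explorer.exe" else None

def audit(text):
    """Return (kind, value name, data) for every value that classify() flags."""
    rows = ((classify(*r), r[1], r[2]) for r in parse_export(text))
    return [row for row in rows if row[0]]
```

Registry Editor writes version 5.00 exports as UTF-16, so decode the file to text before passing it to `audit()`.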
Thanks for the copy/paste. Configuration: Windows XP Firefox 2.0.0.6 |