
Symptoms

1. CTRL+ALT+DEL is not working
2. Folder Options is missing from your Tools menu
3. Registry Editor (RegEdit) is not working
4. Your system is slowing down gradually
5. There seems to be a lot of hard drive activity even when you are doing nothing
6. You have a New Folder.exe in every folder and in each sub-folder

Preparation

This is the actual procedure I did when the worm infiltrated my PC. Before you start on the procedure, you have to download this file from Symantec: UnHookExec.inf (click to go to the website and the download link). The file will re-enable RegEdit and the other commands disabled by the virus. Save this file on your desktop. Now let's start.

Removing the virus

FIRST: You have to stop the virus from running in the first place. If your system is already infected, it is already running in the background. You must restart your computer and run it in Safe Mode.

1. Restart your PC.
2. Press F8 right after the BIOS finishes its boot screen. If you don't know what that is, just keep pressing F8 until a menu appears.
3. Select Safe Mode from the menu.
4. On your desktop, right-click on the file UnHookExec.inf, then select Install. You won't see any prompt or confirmation, so don't worry about it.
5. By now CTRL+ALT+DEL is working again, so open up your Task Manager and end the following processes:
   o SSCVIHOST.exe
   o blastclnnn.exe
   o New Folder.exe

SECOND: Delete the virus files from your PC. There are two ways to do this: via the Windows shell or via the command prompt (DOS) shell. Since Folder Options has been disabled by the virus, you cannot switch to showing hidden files and system files. You could fix that in the Registry, but let's just do it the DOS way. Follow this carefully.

1. Select Run from your Start menu, type cmd and press Enter. The paths differ depending on your operating system (the Windows folder is C:\WINNT on NT/2000 and C:\Windows on XP); in this procedure let's assume you are using Windows XP.
2. At the command prompt, go to your system32 folder. Type:
   cd\windows\system32
3. At this path (C:\windows\system32>) type the following commands in order:
   o attrib -h -r -s SSCVIHOST.exe
   o del SSCVIHOST.exe
   o attrib -h -r -s blastclnnn.exe
   o del blastclnnn.exe
   o attrib -h -r -s autorun.ini
   o del autorun.ini
   o cd\windows (this will move you to the Windows prompt, C:\windows>)
   o attrib -h -r -s SSCVIHOST.exe
   o del SSCVIHOST.exe
   The attrib step matters: a plain del will not find a hidden or system file and will refuse to delete a read-only one, so clear those attributes first.

THIRD: Clean up the registry. RegEdit is working again because of the file we downloaded from Symantec. In your Run box (from the Start menu) type regedit.

WARNING: Be careful with what you edit here, because a single mistake may break your system. Follow only the paths mentioned here so you won't get lost, and edit only what this procedure tells you to.

Navigate to the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = Explorer.exe SSCVIHOST.exe
(edit the value and remove the word SSCVIHOST.exe, leaving only Explorer.exe; if you get this wrong, the Windows shell won't appear on your next boot)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Yahoo Messengger = %System%\SSCVIHOST.exe
(delete this entry; the value name is spelt exactly as shown)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\
shared = [SHARE NAME]\New Folder.exe
(delete this entry)

Restore the following registry entries to their original values, if required:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableTaskMgr = 1 (set to zero (0) to enable)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools = 1 (set to zero (0) to enable)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
NoFolderOptions = 1 (set to zero (0) to enable)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHour
(remove any entry here whose name contains blastclnnn.exe, or just remove all entries here)

FOURTH: Clean again after cleaning. Restart your PC, again in Safe Mode (remember to press F8). This time we will remove all the other files created by the virus. Folder Options in your Tools menu is working again, so open it up, select "Show hidden files and folders" and uncheck "Hide protected operating system files". Then search your whole hard disk (using Windows Search from the Start menu) for the files below and SHIFT+DEL them (SHIFT+DEL bypasses the Recycle Bin). Empty your Recycle Bin afterwards anyway.

SSCVIHOST.exe
blastclnnn.exe
New Folder.exe

(These are the garbage files created by the worm; it will create thousands upon thousands of them on your hard drive.)

FIFTH: Check your autoruns. In your Run box from the Start menu, type msconfig. Look at the Startup tab for any suspicious entries related to the virus and disable them (you can also remove them in the registry). That's it. Reboot your system normally and check your Task Manager (CTRL+ALT+DEL) for running processes that aren't supposed to be running.

For more information and/or reference on the virus, check out these sites: Trend Micro, Sophos, Symantec/Norton.

UPDATE 2008.01.23: For an easier removal of the SSCVIHOST.exe (Sohanad) worm, you can get a tool to remove it at sergiwa.com:
o Download SRT (Sohanad Removal Tool) to remove the virus and its accompanying files.
o Download RRT (Remove Restrictions Tool) to re-enable RegEdit, Folder Options, Task Manager, etc.
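Steps FIRST to FOURTH above can be done in one go from the Safe Mode command prompt. The batch script below is an added example; it is not part of the original post, nor of Symantec's UnHookExec.inf or the sergiwa.com tools. It assumes Windows XP, that taskkill.exe and reg.exe are available (both ship with XP Professional; XP Home has no taskkill, so end the processes by hand there), and that your local drives are among C: to F:. It uses only the file names and registry entries the procedure lists; the Schedule\AtTaskMaxHour entry and the msconfig check of step FIFTH are still done by hand. Save it as, for example, clean-sohanad.bat and run it from cmd.exe after step 4 of FIRST (after installing UnHookExec.inf):

```batch
@echo off
rem Added example, not from the original post: steps FIRST to FOURTH as one
rem script for an XP Safe Mode command prompt. Names and registry paths are
rem the ones the procedure lists; drive letters C: to F: are an assumption.
setlocal

rem --- FIRST: stop the worm's processes (nothing to do if already dead) ---
for %%P in (SSCVIHOST.exe blastclnnn.exe "New Folder.exe") do (
    taskkill /F /IM %%P >nul 2>&1
)

rem --- THIRD (part): re-enable Task Manager, RegEdit and Folder Options ---
rem These are the Policies values the procedure resets to 0. reg.exe works
rem even while regedit.exe itself is blocked by DisableRegistryTools.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f >nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 0 /f >nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 0 /f >nul

rem --- THIRD: remove the persistence entries ---
rem Winlogon\Shell must read exactly "Explorer.exe"; the worm appends itself.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe /f >nul
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Yahoo Messengger" /f >nul 2>&1
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares" /v shared /f >nul 2>&1

rem --- SECOND: delete the dropped files in system32 and the Windows folder ---
rem attrib first: plain del skips hidden/system files and refuses read-only.
for %%D in ("%SystemRoot%\system32" "%SystemRoot%") do (
    for %%F in (SSCVIHOST.exe blastclnnn.exe autorun.ini) do (
        if exist "%%~D\%%F" (
            attrib -h -r -s "%%~D\%%F"
            del /f /q "%%~D\%%F"
            echo deleted "%%~D\%%F"
        )
    )
)

rem --- FOURTH: remove every remaining copy on the local drives ---
rem dir /s /b /a lists hidden and system files too; the for /f loop quotes
rem each path so "New Folder.exe" in folders with spaces is handled.
for %%L in (C D E F) do (
    if exist %%L:\ (
        for %%F in (SSCVIHOST.exe blastclnnn.exe "New Folder.exe") do (
            for /f "delims=" %%X in ('dir /s /b /a "%%L:\%%~F" 2^>nul') do (
                attrib -h -r -s "%%X"
                del /f /q "%%X"
                echo deleted "%%X"
            )
        )
    )
)

rem --- check: report anything the worm still controls ---
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell | findstr /i SSCVIHOST >nul && echo WARNING: Winlogon\Shell still references SSCVIHOST.exe - fix it in RegEdit before a normal reboot
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Yahoo Messengger" >nul 2>&1 && echo WARNING: Run entry "Yahoo Messengger" is still present
echo Done. Empty the Recycle Bin, reboot normally, then check Task Manager and msconfig (step FIFTH).
endlocal
```

The two reg query lines at the end are the check worth reading before you reboot: the one value on this page that can leave you without a desktop is Winlogon\Shell, so the script refuses to stay silent if it still mentions SSCVIHOST.exe. Run the script a second time after the Safe Mode reboot of step FOURTH; the second pass should print no "deleted" lines.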

