If the site http://thecoolpics.com/ comes up when you start Internet Explorer, your system has been infected by the Sohanad worm.
Paste the code into Notepad and save it with the .vbs extension. Run the file.
Code:
'This script restores the registry settings damaged/modified by the W32Sohanad worm. This code may be freely distributed/modified.
'Ignore errors from values that don't exist (note: real failures are hidden too)
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
'Delete the values that disable the Windows registry tools and Task Manager.
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
'WScript.Shell has no short form for HKEY_USERS, so the root name is written in full.
WshShell.RegDelete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
'Delete the registry values that change your Yahoo Messenger status
WshShell.RegDelete "HKCU\Software\Yahoo\pager\View\YMSGR_buzz\content url"
WshShell.RegDelete "HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast\content url"
'Delete the entries that make the worm start at boot.
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Task Manager"
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost"
'Delete the policy that disables the home page buttons in IE
WshShell.RegDelete "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage"
'Reset the home page
WshShell.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page", "about:blank", "REG_SZ"
'Reset the IE title bar
WshShell.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title", "Microsoft Internet Explorer", "REG_SZ"
X = MsgBox("Registry successfully restored from the damage made by W32Sohanad Worm", vbOKOnly, "Success!!!")
Restart the system. Find and delete the file below.
Never use Internet Explorer again.
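An added example, not part of the original post: the script above runs under On Error Resume Next and shows its success message whether or not the deletions worked, so this VBScript re-reads the same registry values and reports what is still present. The helper name ReadValue and the report wording are assumptions of this example.

```vbscript
' Added example (not from the original post): verify the cleanup result.
' The registry paths are the ones the cleanup script on this page touches.
Option Explicit
Dim WshShell, leftovers, p, report, startPage
Set WshShell = WScript.CreateObject("WScript.Shell")

' ReadValue (helper for this example): returns the value, or Null if it is missing.
Function ReadValue(regPath)
    ReadValue = Null
    On Error Resume Next
    ReadValue = WshShell.RegRead(regPath)
    Err.Clear
End Function

' Values that should no longer exist after the cleanup.
leftovers = Array( _
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", _
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", _
    "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", _
    "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", _
    "HKCU\Software\Yahoo\pager\View\YMSGR_buzz\content url", _
    "HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast\content url", _
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Task Manager", _
    "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost", _
    "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage")

report = ""
For Each p In leftovers
    If Not IsNull(ReadValue(p)) Then
        report = report & "STILL PRESENT: " & p & vbCrLf
    End If
Next

' The home page should no longer point at the site named on this page.
startPage = ReadValue("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page")
If VarType(startPage) = vbString Then
    If InStr(1, startPage, "thecoolpics.com", vbTextCompare) > 0 Then
        report = report & "Start Page still set to: " & startPage & vbCrLf
    End If
End If

If report = "" Then report = "None of the checked registry changes are present."
WScript.Echo report
```

Run it after the restart as well: if the Run entries or the policy values are listed again, the worm's file is still on disk and being started.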