dsc027.scr virus explained -- including removal instructions
I was infected too (sigh), so I took a few hours to research the virus
Eyal (Regular member, Posts: 14)
Disclaimer: I have cleaned up my own computer from the virus, and wrote down the instructions. I have not re-infected my computer in order to test that these instructions are completely accurate, so they may be inaccurate in some way. Please write some feedback about whether it worked for you, and these instructions can be updated.

How to identify an infected computer:
1. Open the task manager (Ctrl+Shift+Escape should work, or Start->Run->taskman)
2. Look for wndrivsd32.exe: if it is running/in the list, you are infected.

How to fix/clean an infected computer:
1. Open the task manager (Ctrl+Shift+Escape should work, or Start->Run->taskman). Inside Task Manager:
1.a. Select explorer.exe and use "End Task" (this will make the panel and perhaps other things disappear)
1.b. Select wndrivsd32.exe and use "End Task" (this will kill the virus process)
1.c. Use File->New Task, and run "explorer" (this will restore things to normal).
2. Run regedit.exe (Note: if regedit dies/disappears after a few seconds, it means that you haven't killed wndrivsd32.exe or explorer properly - repeat step 1, faster :-) ). Inside the registry editor:
2.a. Go to HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->RunOnce
2.b. Delete the key in there that points to C:\Windows\System32\mshtmlsh32.exe

Then simply delete the files:
C:\Windows\System32\mshtmlsh32.exe
C:\Windows\System32\wndrivsd32.exe
And of course, delete dsc027.scr wherever you put it.

Now replace C:\Windows\System32\Drivers\etc\hosts with an empty file.

Now you should be clean. To verify this, you can reboot Windows, and try to identify the virus process again, in the task manager.

Here's how the virus works:
www.fakme.org was apparently taken over by the virus maker to distribute his virus. It redirects to either of http://www.bussines4me.net/dsc027.scr or http://socsec.co.il/knopka/dsc027.scr to download the virus (DO NOT CLICK THE LINKS). There may be more sites, but these are the ones I encountered.

The virus is a single executable (dsc027.scr is simply that executable). The same executable is copied to several paths:
C:\Windows\System32\mshtmlsh32.exe (marked as a "hidden" file; use show hidden files, or "dir /a" to see it)
C:\Windows\System32\wndrivsd32.exe

It installs a registry key, "Local Machine\Software\Microsoft\Windows\CurrentVersion\RunOnce", that runs C:\Windows\System32\mshtmlsh32.exe. Once that is run at boot time, it injects hostile code into the running explorer.exe, which makes explorer.exe run wndrivsd32.exe periodically - it also holds it as an open file so it cannot be deleted easily.

Either at boot time, or when run, it also overwrites C:\Windows\System32\Drivers\Etc\Hosts to contain wrong entries for various antivirus software update addresses, so that antivirus software updates will fail.
Posted: Mon Sep 10 2007, 13:21
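The procedure in Eyal's post above comes down to four indicators: the wndrivsd32.exe process, the RunOnce entry that launches mshtmlsh32.exe, the dropped copies in System32, and the rewritten hosts file. The following Python is an added example, not code from the thread or from any of its posters. It checks the two indicators that can be audited offline from exported artefacts: it parses a regedit .reg export for Run/RunOnce values that reference the dropped file names, and parses a hosts file for vendor update hostnames pinned to loopback or to a foreign address. The value name "mshtmlsh32", the AV_UPDATE_SUFFIXES list and both sample artefacts are constructed assumptions; the thread gives neither the value name nor the list of update hosts the worm rewrote.

```python
"""Offline triage for the dsc027.scr infection described in the thread: an added
example, not code from the thread. Checks a regedit export of the RunOnce key for
the mshtmlsh32.exe autorun and a hosts file for update hostnames pinned to a wrong
address. The value name "mshtmlsh32" and AV_UPDATE_SUFFIXES are assumptions."""
import ipaddress
import re

# File names the thread reports the worm dropping or running.
IOC_FILENAMES = {"mshtmlsh32.exe", "wndrivsd32.exe", "dsc027.scr"}
# Assumed vendor update domains (the thread does not list them); tune to the AV in use.
AV_UPDATE_SUFFIXES = ("symantec.com", "nai.com", "mcafee.com", "kaspersky.com")
SINKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_reg_export(text):
    """Parse a regedit export into {key_path: {value_name: data}} (REG_SZ unescaped)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                # .reg doubles backslashes and escapes quotes inside strings
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def autorun_iocs(reg_text):
    """Return (key, value_name, command) for Run/RunOnce values that launch an IOC file."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if not re.search(r"\\CurrentVersion\\Run(Once)?$", key, re.IGNORECASE):
            continue
        for name, cmd in values.items():
            if any(ioc in cmd.lower() for ioc in IOC_FILENAMES):
                hits.append((key, name, cmd))
    return hits


def parse_hosts(text):
    """Return (line_no, address, [names]) for each well-formed hosts entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # comment-only or malformed line
        entries.append((line_no, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def hosts_iocs(hosts_text, watch_suffixes=AV_UPDATE_SUFFIXES):
    """Return (line_no, name, address, reason) for entries that look like tampering."""
    flagged = []
    for line_no, addr, names in parse_hosts(hosts_text):
        for name in names:
            if name in LOCAL_NAMES:
                continue  # a default hosts file maps only localhost-style names
            if any(name == s or name.endswith("." + s) for s in watch_suffixes):
                reason = "update host pinned to " + addr
            elif addr in SINKHOLE_ADDRS:
                reason = "public name sinkholed to " + addr
            else:
                reason = "public name pinned to " + addr
            flagged.append((line_no, name, addr, reason))
    return flagged


def clean_hosts_file():
    """Known-good replacement (the thread uses an empty file; this keeps localhost)."""
    return "127.0.0.1\tlocalhost\r\n"


# Constructed sample artefacts, shaped like a real .reg export and hosts file.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"mshtmlsh32"="C:\\Windows\\System32\\mshtmlsh32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       update.nai.com download.mcafee.com
10.0.0.1        downloads.kaspersky.com   # constructed: sent to an attacker host
192.0.2.10      www.example.com
"""
```

On the infected box, `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" runonce.reg` and a copy of `C:\Windows\System32\Drivers\etc\hosts` are enough input; run `autorun_iocs()` and `hosts_iocs()` on them from a clean machine so the injected explorer.exe cannot interfere. Any line `hosts_iocs()` flags is a reason to replace the file, and `clean_hosts_file()` gives the bare localhost mapping rather than the empty file the post suggests, which is the conventional minimum.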
Gioxx (New member, Posts: 3)
Thanks a lot
I have two clients (my friends) infected.
This post has been edited by Gioxx: Mon Sep 10 2007, 14:06
Posted: Mon Sep 10 2007, 14:05

Eyal (Regular member, Posts: 14)
You're welcome!
The question is: did the cleanup procedure work for you?

QUOTE(Gioxx @ Mon Sep 10 2007, 14:05) [snapback]439713[/snapback]
Thanks a lot
I have two clients (my friends) infected
Posted: Mon Sep 10 2007, 14:08

TheUberOverlord (Advanced Member, Posts: 11,188)
Official statement from Skype about this: http://heartbeat.skype.com/
Posted: Mon Sep 10 2007, 14:16

Gioxx (New member, Posts: 3)
Thanks UberOverlord
Posted: Mon Sep 10 2007, 14:39

prahaquiroga (New member, Posts: 1)
QUOTE(Gioxx @ Mon Sep 10 2007, 14:39) [snapback]439746[/snapback]
Thanks UberOverlord

THANKS A LOT
Posted: Mon Sep 10 2007, 14:40

TheUberOverlord (Advanced Member, Posts: 11,188)
There was a rumor going around saying that a program authorization was added for a program in the:
Tools -> Options -> Advanced -> Manage Other Programs Access To Skype
Is this true? And if so, then these manual methods do not add a step to remove that authorization.
Posted: Mon Sep 10 2007, 14:49

Safferboy (New member, Posts: 1)
Thanks Eyal,
This seems to have worked for me! Much appreciated.
Posted: Mon Sep 10 2007, 15:00

Eyal (Regular member, Posts: 14)
QUOTE(TheUberOverlord @ Mon Sep 10 2007, 14:49) [snapback]439751[/snapback]
There was a rumor going around saying that a program authorization was added for a program in the:
Tools -> Options -> Advanced -> Manage Other Programs Access To Skype
Is this true? And if so, then these manual methods do not add a step to remove that authorization.

Yes, it's true. I have manually cleaned things up, and that entry was still in there. Do the automatic cleaners clean that up too?
Posted: Mon Sep 10 2007, 15:04

EDDIE CHAN (New member, Posts: 1)
QUOTE(Gioxx @ Mon Sep 10 2007, 14:05) [snapback]439713[/snapback]
Thanks a lot
I have two clients (my friends) infected

I was infected! Now it has been removed. Thanks Eyal
Posted: Mon Sep 10 2007, 15:10

nangniot (New member, Posts: 1)
Thanks a lot EYAL,
you saved my life with your message at 13:21. I followed the instructions in "how to fix ..." until operation 2 and stopped at the beginning of operation 2.a because I don't know what "registry editor" means in French, my mother language. But anyway, everything is fixed and it works now as before the virus. Thanks again.
Pierre Nangniot
Posted: Mon Sep 10 2007, 16:19

TheUberOverlord (Advanced Member, Posts: 11,188)
QUOTE(Eyal @ Mon Sep 10 2007, 09:04) [snapback]439755[/snapback]
Yes, it's true. I have manually cleaned things up, and that entry was still in there. Do the automatic cleaners clean that up too?

Good question! What are the entries you found there that need to be manually removed? Please add those to your instructions ;-)
Posted: Mon Sep 10 2007, 16:25

paralax (New member, Posts: 1)
Works fine.
I did it the usual way (like above) to remove worms and spyware. Burn in hell, worm coder.
Posted: Mon Sep 10 2007, 16:27

TheUberOverlord (Advanced Member, Posts: 11,188)
QUOTE(paralax @ Mon Sep 10 2007, 10:27) [snapback]439793[/snapback]
Works fine.
I did it the usual way (like above) to remove worms and spyware. Burn in hell, worm coder.

Please be aware, you may additionally need to check your approved programs that work with Skype:
Tools -> Options -> Advanced -> Manage Other Programs That Access Skype
If you see something that looks strange, REMOVE it.
Posted: Mon Sep 10 2007, 16:29

henrykim (New member, Posts: 1)
Thanks a lot. I found the file wndrivs32.exe and tried to stop it using Task Manager but failed. I think this app was called by another program because it came back 5s after I stopped its task. Why can't the antivirus scan the file dsc027.scr...?
Now all clear, thanks.
Posted: Mon Sep 10 2007, 17:21

Scythian (New member, Posts: 1)
I have also found a file named game.exe in the root of my flash disk that was connected to a USB port at the time of infection, as well as a hidden file zjbs.exe with a different date and time stamp. Both these files appear to be the same as mshtmlsh32.exe or mshtmlsh32.exe. I expect that the virus looks for removable media and tries to make copies of itself onto the media.
Posted: Mon Sep 10 2007, 17:32

TheUberOverlord (Advanced Member, Posts: 11,188)
QUOTE(Scythian @ Mon Sep 10 2007, 11:32) [snapback]439830[/snapback]
I have also found a file named game.exe in the root of my flash disk that was connected to a USB port at the time of infection, as well as a hidden file zjbs.exe with a different date and time stamp. Both these files appear to be the same as mshtmlsh32.exe or mshtmlsh32.exe. I expect that the virus looks for removable media and tries to make copies of itself onto the media.

Please be aware, you may additionally need to check your approved programs that work with Skype:
Tools -> Options -> Advanced -> Manage Other Programs That Access Skype
If you see something that looks strange, REMOVE it.
Posted: Mon Sep 10 2007, 17:37

jboo (New member, Posts: 1)
I followed the instructions. Seemed to work, however...
I was not able to find these files:
mshtmlsh32.exe
dsc027.scr
mshtmldat32.exe
winlgcvers.exe
sdrivew32.exe
In fact, the only file I did find and delete was wndrivsd32.exe. I also deleted the reg entry and the 'Manage Other Programs Access To Skype' entry, and searched the entire HD for the other files (hidden and system) with no success. So far so good; we will see if it acts up again.
Posted: Mon Sep 10 2007, 18:39

yehoshua (Regular member, Posts: 5)
Toda (thanks), thanks a lot Eyal. This virus was sent to me by a friend; Skype sent it to a few friends of mine, but thanks to your instructions I could heal my computer. I had to read them, of course, on my 2nd computer, because on the infected one it was impossible to have Firefox!
Yehoshua

QUOTE(Eyal @ Mon Sep 10 2007, 13:21) [snapback]439683[/snapback]
[Eyal's full first post quoted; see above]
Posted: Tue Sep 11 2007, 01:23

Eyal (Regular member, Posts: 14)
You're welcome!
If you deleted the files, but did not perform step 2, you should be okay. However, if you also skipped deleting the files, the virus will be back as soon as you reboot. By "run regedit.exe" I simply meant that you should use Start->Run, and type "regedit.exe".

QUOTE(yehoshua @ Tue Sep 11 2007, 01:23) [snapback]439994[/snapback]
Toda (thanks), thanks a lot Eyal. This virus was sent to me by a friend; Skype sent it to a few friends of mine, but thanks to your instructions I could heal my computer. I had to read them, of course, on my 2nd computer, because on the infected one it was impossible to have Firefox!
Yehoshua
Posted: Tue Sep 11 2007, 01:28