WARNING New Skype Virus using .scr - wndrivs32.exe
Michael Spire
I should know better, but I was IM'd via Skype by a friend suggesting I check out an .scr link

Then it cleverly says 'oops, i meant to send this to someone else, please don't look at this'

Or something to that effect. Well, I stupidly did, and fell for it.

Now, it promptly locks up your Skype (probably sends the message to all your contacts), and also locks out msconfig and regedit, and even some websites / anti-virus software.

However, I did manage to isolate the running process as wndrivs32.exe - and when I kill the process, I can access regedit and msconfig for about 60 seconds before it reboots itself.

I did a Google search on wndrivs32.exe and it is so new that it is returning 0 results.

Hopefully this will help some people!

Right now I am using regedit to "delete SkypeStart from your registry in:

HKLocalMachine/Software/Microsoft/Windows/CurrentVersion/Run
HKCurrentUser/Software/Microsoft/Windows/CurrentVersion/Run"


Michael
www.MichaelSpire.com
Michael Spire
Just to update, after killing the wndrivs32.exe process, I opened Regedit and did a search there for wndrivs32.exe and removed it from the registry.

You can also find wndrivs32.exe in \windows\system32 and delete it there. I also recommend re-installing Skype.


QUOTE(Michael Spire @ Mon Sep 10 2007, 03:17) [snapback]439439[/snapback]

I should know better, but I was IM'd via Skype by a friend suggesting I check out an .scr link

Then it cleverly says 'oops, i meant to send this to someone else, please don't look at this'

Or something to that effect. Well, I stupidly did, and fell for it.

Now, it promptly locks up your Skype (probably sends the message to all your contacts), and also locks out msconfig and regedit, and even some websites / anti-virus software.

However, I did manage to isolate the running process as wndrivs32.exe - and when I kill the process, I can access regedit and msconfig for about 60 seconds before it reboots itself.

I did a Google search on wndrivs32.exe and it is so new that it is returning 0 results.

Hopefully this will help some people!

Right now I am using regedit to "delete SkypeStart from your registry in:

HKLocalMachine/Software/Microsoft/Windows/CurrentVersion/Run
HKCurrentUser/Software/Microsoft/Windows/CurrentVersion/Run"
Michael
www.MichaelSpire.com

Chris from California
You do not have to reinstall Skype in order to remove this virus. It doesn't affect Skype directly. The Skype program doesn't stop the virus because Skype thinks it's a JPEG.

Once you click on the JPEG, it will contact a website (which a friend and I have reported) and run itself as a screen saver file, which is very similar to an EXE. Once it has done that it will attach itself to quite a few system files.

A friend of mine has created an EXE that will remove that virus. It was designed to affect Windows XP 32-bit edition. If you are running Windows Vista the most it will do is give you a Blue Screen of Death. This isn't because Vista is more secure, but that the system files in XP are different than Vista. So it can attach itself to much.

SO, just make sure not to download any file that has the name dsc027.

Hang tight and I'll let you know when the link is ready with the fix.

dave duke
I have just put a free fix for the skype picture link virus on www.gui2.com - I am the founder of www.cryptic.co.uk a military virus removal company. Home users can get the full product here www.onlineaware.com


QUOTE(Michael Spire @ Mon Sep 10 2007, 03:17) [snapback]439439[/snapback]


I should know better, but I was IM'd via Skype by a friend suggesting I check out an .scr link

Then it cleverly says 'oops, i meant to send this to someone else, please don't look at this'

Or something to that effect. Well, I stupidly did, and fell for it.

Now, it promptly locks up your Skype (probably sends the message to all your contacts), and also locks out msconfig and regedit, and even some websites / anti-virus software.

However, I did manage to isolate the running process as wndrivs32.exe - and when I kill the process, I can access regedit and msconfig for about 60 seconds before it reboots itself.

I did a Google search on wndrivs32.exe and it is so new that it is returning 0 results.

Hopefully this will help some people!

Right now I am using regedit to "delete SkypeStart from your registry in:

HKLocalMachine/Software/Microsoft/Windows/CurrentVersion/Run
HKCurrentUser/Software/Microsoft/Windows/CurrentVersion/Run"
Michael
www.MichaelSpire.com

bachew
One of the things it does is add entries into C:\windows\system32\drivers\etc\hosts
What else?
hellman
I couldn't start Task Manager (taskmgr.exe) because the trojan stopped it.
I opened search and found taskmgr.exe, copied it from system32 to the desktop, renamed it to skmgr.exe and then it ran.

Seeing a process, windrivs32.exe, that I didn't recognize, I killed it, but it restarts.
So a new search finds it in system32 and in a "windows prefetch" .pf file.
After setting deny execute on the file in system32 and killing the process, I could delete the files.
/hh


pukaspar
QUOTE(bachew @ Mon Sep 10 2007, 08:36) [snapback]439502[/snapback]

One of the things it does is add entries into C:\windows\system32\drivers\etc\hosts
What else?


-- find wndrivs32.exe and mshtmldat32.exe in ...\windows\system32 and alter permissions - deny all for everyone (so no one should be able to do anything with those files)

-- find the mshtmldat32 process in task manager and kill it, then the same with wndrivs32

-- find the record in regedit which makes mshtmldat32.exe run on startup and remove it

-- remove files wndrivs32.exe and mshtmldat32.exe

-- restart


if it is impossible to kill processes after altering permissions - restart and do remaining things after restart.


GOOD LUCK
aidj
QUOTE(bachew @ Mon Sep 10 2007, 08:36) [snapback]439502[/snapback]

One of the things it does is add entries into C:\windows\system32\drivers\etc\hosts
What else?

-Affecting Outlook
-Randomly changes process names and duplicates wndrivs32.exe, e.g. WZQKPICK.EXE
-Spreads over network?
-anti-virus stops functioning
UserKoi
I found the virus file named "mshtmldat32.exe" in C:\windows\system32

I killed the virus this way:

1. Open taskmgr.exe, look for wndrivs32.exe and stop it.

2. Open regedit and search for mshtmldat32.exe, kill it, then F3 to search next and kill again.

3. Kill C:\windows\system32\mshtmldat32.exe

aidj
QUOTE(pukaspar @ Mon Sep 10 2007, 09:29) [snapback]439520[/snapback]

-- find wndrivs32.exe and mshtmldat32.exe in ...\windows\system32 and alter permissions - deny all for everyone (so no one should be able to do anything with those files)

-- find the mshtmldat32 process in task manager and kill it, then the same with wndrivs32

-- find the record in regedit which makes mshtmldat32.exe run on startup and remove it

-- remove files wndrivs32.exe and mshtmldat32.exe

-- restart
if it is impossible to kill processes after altering permissions - restart and do remaining things after restart.
GOOD LUCK


I also found mshtmldat32.exe in the registry as mentioned above.
I'm not sure whether it is a virus or not.
After restart, it prompted to run mshtmldat32.exe but I refused to run or open it.
In Windows, I went into the registry. The entries I found earlier had disappeared.
Later, I found the system still infected with duplicate processes.

So, make sure the following entries are removed:

HKLocalMachine/Software/Microsoft/Windows/CurrentVersion/Run
HKCurrentUser/Software/Microsoft/Windows/CurrentVersion/Run


QUOTE(UserKoi @ Mon Sep 10 2007, 09:38) [snapback]439526[/snapback]

I found the virus file named "mshtmldat32.exe" in C:\windows\system32

I killed the virus this way:

1. Open taskmgr.exe, look for wndrivs32.exe and stop it.

2. Open regedit and search for mshtmldat32.exe, kill it, then F3 to search next and kill again.

3. Kill C:\windows\system32\mshtmldat32.exe


Better way:

cmd
taskkill /f /im skype.exe
taskkill /f /im wndrivs32.exe
taskkill /f /im mshtmldat32.exe

after stopping processes, try to locate the file specified and also check registry.
hellman
I found mshtmldat32.exe in registry as startup commands but no sign of wndrivs32.exe in registry.
Both files found and deleted in system32 and as windows prefetch.
Hosts file had ~1100 entries diverting any connections to almost any antivirus sites.

So there are a lot of chatsync dirs under Skype, created around the time of the trojan hit. Are these cached chats to contacts in Skype, waiting to go out when unsuspecting users come online?

In what way is Outlook affected?
/hh
Nightshade
I have also been infected with this Skype virus. I downloaded Dave Duke's removal tool but it just says it can't extract the Skype virus removal tool to its temporary location. I did close the win32 process and it doesn't come up again.
aidj
QUOTE(aidj @ Mon Sep 10 2007, 09:36) [snapback]439524[/snapback]

-Affecting Outlook
-Randomly changes process names and duplicates wndrivs32.exe, e.g. WZQKPICK.EXE
-Spreads over network?
-anti-virus stops functioning

Found new entries

HKLocalMachine/Software/Microsoft/Windows/CurrentVersion/RunOnce

remove Start Service2 with value MSHTMLSH32.EXE in Safe Mode
bachew
8 people in our company got tricked by the message and got their PCs infected. So this is what I do to remove the virus.

1. Go to C:\windows
2. Click search to search for wndrivs32.exe
3. Go to the security properties of wndrivs32.exe, click Advanced, uncheck "Allow inheritable...", click Copy or Remove. Back in the security window, remove all users.
4. Open Task Manager and end process wndrivs32.exe; because there are no permissions, the process won't be able to restart itself.
5. Delete the files (1 or 2 files) found in step 2.
6. Go to C:\windows again, search for mshtmldat32.exe and delete it if present.
7. Run regedit (start > run > type regedit), edit > find > type in wndrivs32.exe, delete the registry entry found. Remember to find next and delete until there's no more left.
8. Repeat step 7 with mshtmldat32.exe
9. Open C:\windows\system32\drivers\etc\hosts, remove all entries and save.
10. Restart computer and hope these 10 steps can completely remove the virus
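The Run and RunOnce values named in this thread are the persistence points that bachew's step 7 and aidj's RunOnce finding hunt by hand. The Python script below is an added example, not from the thread or any poster: it walks those four keys with the standard-library winreg module on Windows and flags any value whose command references one of the executables reported above. The matching logic is kept separate from the registry walk so it can be exercised on constructed sample values on any platform. The value names and paths in SAMPLE_VALUES are constructed, and pairing the SkypeStart value with wndrivs32.exe is an assumption for the sample, not something the thread states.

```python
"""Scan Windows autostart (Run/RunOnce) values for the executables named in this thread.

Added example. The registry walk needs Windows; the matching logic runs anywhere.
"""
import re
import sys

# Filenames reported by posters in this thread (lower-cased for matching).
SUSPECT_FILES = {
    "wndrivs32.exe", "mshtmldat32.exe", "sdrivew32.exe", "winlgcvers.exe",
    "mshtmlsh32.exe", "wzqkpick.exe", "lkav32.exe", "netstdll.exe", "rdatasys.exe",
}

# Autostart locations mentioned in the thread, in both hives.
AUTOSTART_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# An .exe basename: no path separators, quotes or whitespace, ending in .exe (any case).
_EXE_RE = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)


def executables_in(command):
    """Extract lower-cased .exe basenames from a registry command string,
    e.g. '"C:\\Program Files\\Skype\\Phone\\Skype.exe" /nosplash' -> ['skype.exe']."""
    return [m.lower() for m in _EXE_RE.findall(command)]


def flag_values(values, suspects=SUSPECT_FILES):
    """values: iterable of (hive, key, value_name, command). Return those that launch a suspect."""
    return [(hive, key, name, command)
            for hive, key, name, command in values
            if any(exe in suspects for exe in executables_in(command))]


def read_autostart_values():
    """Enumerate the keys above on a live Windows machine; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hive_name, path in AUTOSTART_KEYS:
        try:
            with winreg.OpenKey(hives[hive_name], path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    found.append((hive_name, path, name, str(data)))
                    index += 1
        except OSError:  # key absent or not readable
            continue
    return found


# Constructed sample values (not captured from a real machine).
SAMPLE_VALUES = [
    ("HKLM", AUTOSTART_KEYS[0][1], "SkypeStart", r"C:\WINDOWS\system32\wndrivs32.exe"),
    ("HKCU", AUTOSTART_KEYS[2][1], "Skype",
     r'"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized'),
    ("HKLM", AUTOSTART_KEYS[1][1], "Start Service2", "MSHTMLSH32.EXE"),
]

if __name__ == "__main__":
    # On Windows the live values are scanned; elsewhere the constructed sample is used.
    for hit in flag_values(read_autostart_values() or SAMPLE_VALUES):
        print("SUSPECT", *hit)
```

Run it as an administrator on the affected machine so the HKLM keys are readable; on an infected XP box the thread's posters also found the same names by searching the registry with regedit, which this script only automates.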
rainerudo
Better way: and only to be safe in case you got the brand new virus


1.) start > run > cmd
then type and press enter in the black screen
taskkill /f /im skype.exe
taskkill /f /im wndrivs32.exe
taskkill /f /im mshtmldat32.exe


after stopping processes, try to locate the file specified and also check registry.

type regedit and press enter
then go with your mouse in the regedit window to My Computer
then select Edit
then select Find
then enter

"mshtmldat32.exe"; when you have found this then select it and delete it
then press F3 for search continue
it will find it at one point with the explorer, in one line; in this case select only the mshtmldat32.exe


repeat these steps for
wndrivs32.exe
mshtmldat32.exe
mshtmldat32.exe

for your own safety
go to Start
then Search
then select search for all files and folders
and search for
wndrivs32.exe
mshtmldat32.exe
mshtmldat32.exe
WNDRIVS32.EXE-2F91B010.pf


you will also need your hosts file
c:\windows\system32\drivers\etc\hosts
open it with Notepad and remove all and then enter this
127.0.0.1 localhost #localhost
then save it


if found delete it
then you will be clean
SkyPerson
QUOTE(dave duke @ Mon Sep 10 2007, 04:41) [snapback]439449[/snapback]

I have just put a free fix for the skype picture link virus on www.gui2.com - I am the founder of www.cryptic.co.uk a military virus removal company. Home users can get the full product here www.onlineaware.com



I have downloaded this file from www.gui2.com.
But I can't run it. An exception occurs: Error 1252 Error extracting C:\Docume~1\MY_USER\LOCAL~1\Temp\_is16

It can't extract data to install in LOCAL~1\Temp\_is16. Help me please.
Thanks a lot
Nightshade
QUOTE(SkyPerson @ Mon Sep 10 2007, 10:58) [snapback]439594[/snapback]

I have downloaded this file from www.gui2.com.
But I can't run it. An exception occurs: Error 1252 Error extracting C:\Docume~1\MY_USER\LOCAL~1\Temp\_is16

It can't extract data to install in LOCAL~1\Temp\_is16. Help me please.
Thanks a lot


It would be much appreciated if someone can help with this installation file as I have the same problem
TheUberOverlord
For the Others:

Virus warning!!

If you receive a Skype chat message from anyone with a clickable link to what looks like a .jpg image file, please do not click to follow this link.

This is a virus that is spreading through Skype contacts.

The chat message will look like this:

"hey
[09:27:40] xxxxxxxxxxx says: your photos looks realy nice
[09:27:45] xxxxxxxxxxxxxxxxxxxx says:
[09:27:50] xxxxxxxx says: haha lol
[09:27:55] xxxxxxxxxx says: xxxxxxxxxxxxxx/erotic-gallerys/usr5d8c/dsc027.jpg
[09:28:04] xxxxxxxxxx: this (happy) sexy one
[09:28:08] xxxxxxxx: "

Or:

"[10:45:26] xxxxx says: how are u ?
[10:45:31] xxxxx says: how are u ?
[10:45:45] xxxxx says: where I put ur photo
[10:45:47] xxxxx says: look what crazy photo Tiffany sent to me,looks cool
[10:45:50] xxxxx says: xxxxxxxxxxxxxx/erotic-gallerys/usr5d8c/dsc027.jpg
[10:45:52] xxxxxxx says: (devil)
[10:45:59] xxxxxxx says: really funny
[10:45:59] xxxxxxx says: (devil)
[10:46:05] xxxxxx says: xxxxxxx/erotic-gallerys/usr5d8c/dsc027.jpg
[10:46:15] xxxxxx says : u happy ?
[10:46:21] xxxxxxx says:

Never open any unknown file you receive. Not via Skype or any other source!!
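The two transcripts above share one fingerprint: the same photo-looking link arriving from several different contacts. The Python script below is an added example, not from the poster or from Skype: it parses Skype-style "[hh:mm:ss] name says: text" lines, pulls out links whose apparent extension is an image or executable, and reports any link sent by more than one contact. Contact names and hosts in SAMPLE_CHAT are constructed; only the path mirrors the one in the post.

```python
"""Flag the worm's lure pattern in exported Skype chat text.

Added example. Lines follow the "[hh:mm:ss] name says: text" layout shown in the
post above; contact names and hosts are constructed.
"""
import os
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Extensions the lure trades on: it looks like a photo but runs as a screensaver/executable.
LURE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".scr", ".exe", ".pif"}

# "[hh:mm:ss] name says: text" or "[hh:mm:ss] name: text"
_LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s+(.+?)(?:\s+says)?\s*:\s*(.*)$")
# A bare or http(s) URL: host with a TLD, optional path up to whitespace or a quote.
_URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/[^\s\"']*)?", re.IGNORECASE)

# Constructed chat export; the path mirrors the one in the thread, the host does not exist.
SAMPLE_CHAT = """\
[09:27:40] alice says: your photos looks realy nice
[09:27:55] alice says: http://photos.example.invalid/erotic-gallerys/usr5d8c/dsc027.jpg
[10:45:47] bob says: look what crazy photo Tiffany sent to me,looks cool
[10:45:50] bob says: http://photos.example.invalid/erotic-gallerys/usr5d8c/dsc027.jpg
[11:02:10] carol says: holiday album https://album.example.invalid/2007/trip.jpg
[11:05:00] bob: ok
"""


def parse_chat(text):
    """Return (time, sender, message) for each line that matches the export layout."""
    messages = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw)
        if m:
            messages.append((m.group(1), m.group(2), m.group(3)))
    return messages


def lure_links(message):
    """URLs in a message whose path ends in an image or executable extension."""
    hits = []
    for url in _URL_RE.findall(message):
        path = urlsplit(url if "://" in url else "http://" + url).path
        if os.path.splitext(path)[1].lower() in LURE_EXTS:
            hits.append(url)
    return hits


def worm_candidates(text, min_senders=2):
    """Lure URLs sent by at least min_senders distinct contacts: one link relayed by
    many senders is the fingerprint of a worm spreading through contact lists."""
    senders = defaultdict(set)
    for _, sender, message in parse_chat(text):
        for url in lure_links(message):
            senders[url].add(sender)
    return {url: sorted(who) for url, who in senders.items() if len(who) >= min_senders}


if __name__ == "__main__":
    for url, who in worm_candidates(SAMPLE_CHAT).items():
        print(f"{url} sent by {', '.join(who)}")
```

A single sender sharing one holiday photo does not trip the rule; the threshold is on distinct senders of the same link, which is what distinguishes a relayed lure from an ordinary shared picture.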
Nightshade
You can also go to Manage API Access Control (bottom left of your Skype browser), double click on it and remove the .jpg file. This also stops your Skype from sending to everyone.

Javier Grijalba
Hi,
I got infected but deleted the registry entries and deleted the 2 files wndrivs32.exe and mshtmldat32.exe.
Now everything works.
Question: should I change the Skype password?
Best regards
Javier
R00KIE
Here is my solution (compilation of the above actually)

Reboot Windows and enter safe mode (press F8 before Windows starts to load),
then search for the following files:

sdrivew32.exe
winlgcvers.exe
wndrivs32.exe
mshtmldat32.exe

These files are hidden and are marked as system files, don't worry about that, delete them

then run regedit and search for:

sdrivew32
winlgcvers
wndrivs32
mshtmldat32

and delete every entry that references any of the previous entries.

Open the file:

C:\WINDOWS\system32\drivers\etc\hosts

delete everything inside and copy/paste the following line inside

127.0.0.1 localhost localhost.localdomain

save the changes.

Reboot windows.

Open skype and go to tools -> options -> advanced -> Manage other program's access to skype

Remove everything there just to be safe.

The problem should be fixed.
stanfycom
QUOTE(bachew @ Mon Sep 10 2007, 10:44) [snapback]439570[/snapback]

8 people in our company got tricked by the message and got their PCs infected. So this is what I do to remove the virus.

1. Go to C:\windows
2. Click search to search for wndrivs32.exe
3. Go to the security properties of wndrivs32.exe, click Advanced, uncheck "Allow inheritable...", click Copy or Remove. Back in the security window, remove all users.
4. Open Task Manager and end process wndrivs32.exe; because there are no permissions, the process won't be able to restart itself.
5. Delete the files (1 or 2 files) found in step 2.
6. Go to C:\windows again, search for mshtmldat32.exe and delete it if present.
7. Run regedit (start > run > type regedit), edit > find > type in wndrivs32.exe, delete the registry entry found. Remember to find next and delete until there's no more left.
8. Repeat step 7 with mshtmldat32.exe
9. Open C:\windows\system32\drivers\etc\hosts, remove all entries and save.
10. Restart computer and hope these 10 steps can completely remove the virus


My Skype has been attacked too. These steps helped. Thanks. However, when I reinstalled Skype again it sent the messages again to my contact list. Not sure if this won't repeat in future...
Outspan
QUOTE(R00KIE @ Mon Sep 10 2007, 12:32) [snapback]439665[/snapback]

Here is my solution (compilation of the above actually)

Reboot Windows and enter safe mode (press F8 before Windows starts to load),
then search for the following files:

sdrivew32.exe
winlgcvers.exe
wndrivs32.exe
mshtmldat32.exe


I had just wndrivs.exe (no "32") and it was behaving the same way. When I noticed it was blocking antivirus sites and the Skype domain (which prevented me from seeing this forum), I downloaded Lynx (text browser), which is not affected by the virus, so I could read the instructions.
I suggest those of you who managed to remove the virus write on your personal message something like "DON'T OPEN THE LINK I SENT YOU, IT'S A VIRUS". I have 300+ contacts and many have already thanked me as they'd have clicked otherwise.
Chris from California
PLEASE VISIT HERE FOR A FIX. IT WILL TAKE YOU TO A DOWNLOAD THAT WILL REMOVE THE VIRUS.

http://forum.skype.com/index.php?showtopic...mp;#entry439670
bodro
QUOTE(Chris from California @ Mon Sep 10 2007, 12:57) [snapback]439677[/snapback]

PLEASE VISIT HERE FOR A FIX. IT WILL TAKE YOU TO A DOWNLOAD THAT WILL REMOVE THE VIRUS.

http://forum.skype.com/index.php?showtopic...mp;#entry439670


Every time I try to extract I get a "1152 Error extracting...." message
Shadownev
100% working fix with hands

1. quit Skype
2. find wndrivs32.exe
3. deny Read&Execute in security
4. kill process wndrivs32.exe

taskkill /f /im explorer.exe
taskkill /f /im wndrivs32.exe
taskkill /f /im mshtmldat32.exe

run explorer.exe

5. delete:
sdrivew32.exe
winlgcvers.exe
wndrivs32.exe
mshtmldat32.exe


6. delete from registry all about:
sdrivew32
winlgcvers
wndrivs32
mshtmldat32


7. also you may delete those files:
lkav32.exe
netstdll.exe
rdatasys.exe

(These are blockers for regedit and Process Explorer, maybe something else)

8. delete or edit your C:\WINXP\system32\drivers\etc\hosts because it is now trash
open it with Notepad and remove all and then enter this
127.0.0.1 localhost #localhost
9. run Skype
Eyal
As explained in: http://forum.skype.com/index.php?showtopic=96634

The problem killing those processes and the respawning is done by explorer.exe. I believe on disk, explorer.exe did not change, and that runtime code injection or another method (someone mentioned a prefetch file?) was used to make explorer.exe respawn the wndrivsd32.exe process, and also hold its exe as an open file, making it difficult to delete (even after it's killed).

To fix this, I simply killed explorer.exe and respawned it, and then it allowed me to delete wndrivsd32.exe.


QUOTE(Javier Grijalba @ Mon Sep 10 2007, 11:44) [snapback]439637[/snapback]

Hi,
I got infected but deleted the registry entries and deleted the 2 files wndrivs32.exe and mshtmldat32.exe.
Now everything works.
Question: should I change the Skype password?
Best regards
Javier

TheUberOverlord
Official statement from Skype about this: http://heartbeat.skype.com/
bachew
QUOTE(stanfycom @ Mon Sep 10 2007, 12:46) [snapback]439667[/snapback]

My Skype has been attacked too. These steps helped. Thanks. However, when I reinstalled Skype again it sent the messages again to my contact list. Not sure if this won't repeat in future...


You should check the date of the message "you" sent, it's probably sent before the virus was removed, sometimes Skype message arrives late.


Eyal,
That's why the security settings at step 6 are performed, to prevent the exe from restarting itself.
raoulsnyman
It doesn't work on my computer!! Oh wait, I'm running Kubuntu Linux...
Mkanjani
27 PCs in my company got infected.

I did this for a successful fix :

- uninstalled skype

- Killed wndrivs32.exe from the Task Manager.

- Ran AVG update, and scanned the complete system (We were lucky to have AVG installed)

- Replaced the hosts file with a clean one from an uninfected system, as it blocked almost all the anti-virus websites, resulting in update & scan blocks too. (This changed file is loaded into memory (cache) at startup; Windows then checks the hosts file before it queries any DNS servers, which enables it to override addresses in DNS. This prevents access to the listed sites by redirecting any connection attempts back to the local machine.)

- AVG healed/deleted and moved the sdrivew32.exe, winlgcvers.exe, wndrivs32.exe, mshtmldat32.exe & dsc027.scr to the virus vault

- Restarted the system & installed Skype

Prevention : Regular anti-virus updates & Scan can save us from this!!
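Mkanjani's note on how the hosts file overrides DNS is the mechanism behind the ~1100 entries hellman reported. The Python audit below is an added example, not from any poster: it parses hosts-file text, flags any name other than localhost that is mapped to a loopback or unspecified address (the worm's way of cutting off anti-virus and update sites), and rebuilds the file keeping only comments and legitimate lines, which is the scripted form of the "wipe it and put 127.0.0.1 localhost back" advice given above. The domain names in SAMPLE_HOSTS are constructed stand-ins.

```python
"""Audit a Windows hosts file for sinkhole entries and rebuild a clean one.

Added example. Hostnames below are constructed stand-ins; the thread reports
~1100 real entries pointing anti-virus sites at 127.0.0.1.
"""
import ipaddress

# Names a loopback mapping is legitimately allowed to carry (assumption).
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-av.test        # constructed anti-virus vendor stand-in
127.0.0.1       update.example-av.test
127.0.0.1       forum.skype.com
0.0.0.0         downloads.example-scanner.test
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping; comments and blank lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not body:
            continue
        ip, *names = body.split()
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def is_sinkhole(ip):
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text):
    """Entries that send a non-localhost name to a sinkhole: the site-blocking trick in this thread."""
    return [(ip, name, n) for ip, name, n in parse_hosts(text)
            if is_sinkhole(ip) and name not in LOOPBACK_NAMES]


def clean_hosts(text):
    """Drop hijack lines, keep comments and legitimate mappings, and ensure localhost resolves."""
    bad_lines = {n for _, _, n in find_hijacks(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad_lines]
    if "localhost" not in {name for _, name, _ in parse_hosts("\n".join(kept))}:
        kept.append("127.0.0.1 localhost")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, name, n in find_hijacks(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into the functions above and write the cleaned text back with administrative rights; the audit is read-only, so it is also safe to run first just to see what was blocked.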
fgarcea
I have read that this virus does not affect Vista, however, my Vista system was infected and the message was sent on to ALL my contacts... I have run Kaspersky with the latest updates and it has come up with nothing... Can't find any of the suspicious files mentioned either...

Any ideas?
Gwyn Evans
QUOTE(fgarcea @ Tue Sep 11 2007, 09:07) [snapback]440080[/snapback]

I have read that this virus does not affect Vista...

From what I hear, it will run/infect in Vista, but fails to set itself to be started on reboot, so a restart should leave you clean - no idea if it's failing to put the files somewhere or failing to write to the registry, though.
Chris from California
You are right, it will not affect Vista after a reboot. The reason for this is that the system files in Vista are named differently than in XP. Although it's still a good idea to have your virus scanner do a boot scan.
hedgehog in the fog
Hi!
I never clicked the links sent, but my friends are receiving the virus message, which, as I understand, means I am infected.
I did not find any of the files mentioned above on my PC, so are there any ideas what to do?

Gwyn Evans
QUOTE(hellman @ Mon Sep 10 2007, 10:10) [snapback]439547[/snapback]

So there is a lot of chatsync dirs under skype, created around the time of the trojan hit. Are these cached chats to contacts in skype, waiting to go out when unsuspicious users come online?
Well spotted - I think you're right!

I'd raised a support issue about how to purge these queued msgs, but the support droid first gave me a pre-scripted reply about queued authorisation requests, then a pre-scripted reply about using a virus checker (McAfee were way behind the curve, by the way) but no info about these, whereas looking through some with a hex editor showed some of the 'bad' URLs, so I've now wiped them all.

Also check the root of any portable drives you have mounted, as it put a (system, hidden) autorun.inf and exe (game.exe on one, and something else on another) on ones here - AVG detects it, though.
JustinThor
I have computers at my company where users have clicked on the link and their Skype is sending to all in their contact list. But I am unable to find any of the above mentioned exe files on the machines? I see the hosts file has been massively populated, so I have deleted the entries there and re-added localhost. But I can't find any other signs (in regedit or in Windows) that refer to mshtmldat32.exe or the other files...? Any ideas on what I should be looking for?
colinandmagda
edited

QUOTE(JustinThor @ Thu Sep 13 2007, 15:51) [snapback]440985[/snapback]

I have computers at my company where users have clicked on the link and their Skype is sending to all in their contact list. But I am unable to find any of the above mentioned exe files on the machines? I see the hosts file has been massively populated, so I have deleted the entries there and re-added localhost. But I can't find any other signs (in regedit or in Windows) that refer to mshtmldat32.exe or the other files...? Any ideas on what I should be looking for?

Hi, I am not an expert but I had this virus the other day and AVG removed it after the update that they put out, but also I found that in the bottom left hand corner of Skype there are two arrows going in opposite directions; if you double click on that it will open "Manage API Access Control" and delete anything in there that looks suspicious. That should keep it recurring in the messages. Hope my very simple understanding of computers helps.