One of the computers in my house was just infected by a virus that is spreading through Skype. Since I wasn’t the one using the computer at that time, I do not know exactly what or how it happened. All I know is that there was a message received by one of the people in the contact list with some message and a file. My guess is that the file name should be dsc027.scr (I could be wrong). The computer is infected once the file is opened.
Some of the symptoms that I experienced include:
- Unable to open skype even though the program is already running
- Internet browser closes automatically when entering certain websites (especially skype forums)
After checking the list of processes running from the task manager, I managed to identify an alien process — wndrivsd32.exe. Sure enough, that was the culprit. Below are the steps I took to remove the virus.
- Open up task manager (right click on the taskbar and select “Task Manager”)
- Select the “Processes” tab
- Click on the process name called “wndrivsd32.exe” and click on the “End Process” button
- Quickly run the regedit program (Start menu .. Run .. type “regedit” and click the OK button)
- If the Registry Editor closes automatically, you need to repeat step 3 again. Do it quicker this time.
- Go through the folders HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->Current Version->RunOnce
- Delete the key that holds the value C:\Windows\System32\mshtmlsh32.exe
- Open up this file C:\Window\System32\Drivers\etc\hosts with a word editor like notepad. It will be filled with “garbage” inside. Just empty the whole file (delete everything in the file) and save it.
- Delete this file (if it exist) C:\Windows\System32\wndrivsd32.exe.
- Restart the computer and run Skype again. Play around with your computer. If everything is normal (including Skype), the virus is gone.
I found two other sources that helped me removed the virus that has slightly different steps. Some of the files they instructed to remove don’t exist in my computer. If they exist in yours, remove them as well. Check them out.
hi, everyone
today i was infected by this virus; from the early beginning i found suspicious that my friend is sending a picture to me with .src extention; nevertheless, i saved the file, scanned it with NOD32 antivirus and found nothing (!) so i opened it; shortly after it my brother came to me from his room and told me that he received a message from my contact with virus (NOD on his PC reacted appropriately)
first thing i did is disconnected myself from the network to stop sending fake messages to my contact list
that i rebooted my laptop in safe moad (in regular mode i couldn’t open any executable program)
in safe mode i ran utility called “combofix”, using this utility I was able to find a suspecious executable in regestry path which is supposed to be empty (runonce)
i performed all steps described in this article (many thanks to author) and also checked links suggested by author – source 1 and source 2; on skype site i found reference to some other executables that should be deleted from system32 directory, so goto source 1 link for complete instruction
that’s it, thanks for attention and never open pictures sent from your friends
??? how come i can’t find the mshtmlsh32.exe file??
i can find the wndrivsd32.exe file but when i try to delete it, it does NOTHING?
what am i doing wrong?? my computer freezes all the time now and this little thing flashes on the task bar ??
someone pls reply…please, i am no computer whiz so i need alll the help i can get :-/
also..i deleted the “hosts” file..but i just checked now and it delted the WHOLE “etc” file folder?! eek! is this a bad thing??
and when i look in my Recycle Bin it has the icon that there is “junk” in it but there is nothing? and NOW a windows picture file of the “bubbles” icon pops up??
oh lordy…
Many thanks for this topic.
I have sent this topic to my friends.
I hope this topic will be necessary for other victims.
Thanks,
@john
Hehe. Well, most of us learn not to open suspicious files after the first time we get infected by a virus/trojan. Hope everything is ok now.
@Duong Nguyen
Welcome. Glad it helped. Thanks for spreading it to your friends.
@surfsUPbrah
Sounds like you are having some problems there. Don’t worry about the mshtmlsh32.exe file. The two articles I referenced requested we delete a few files that I can’t find it my computer. As long as they are not there, you should be ok. If they are there, just delete them.
You should go through Steps 1 to 3 again. The wndrivsd32.exe file automatically regenerates itself every now and then. If you “end task” it but it is generated again later, it will interrupt your cleaning process.
Another method is to restart your computer and enter “safe mode”. When your computer is starting up, press the F8 key. A menu will come up and just select to run in safe mode. Do your cleaning process there and restart.
hi!! thank you so much for your input! i FINALLY figured it out, only took me 4 hours
YES i am NOT a computer whiz at all but i once i start something i must finish! LOL! 
thank you so much for you help! i found your SOURCE 1 link the most helpful
thank you kindly!!! i’m so happy i FINALLY got rid of it! well atleast i think i did!
again, mucho gracias!
@surfsUPbrah
Welcome. Glad it helped
hai this balaa from auroville. Actually i was also affected by the same skype virus. But i referred your instructions to clear up those exe files in registry. i was unable to do that and also i was unable to find those files and even in taskman. i made in safemode also. but i was helpless……… also tried in find option but it didnt work out
so pls kindly help how to get rid of this virus in my laptop.
TRY THIS LINK BALA
http://forum.skype.com/index.php?showtopic=96634
and you have to do BOTH steps and the part where it says
C:\Window\System32\Drivers\etc\hosts with an empty file.
this is where i went wrong..you have to OPEN the folder etc then open the FILE “hosts” it will ask you what you want to open it with..open it with NOTEPAD once its’ open there is all this weird wording/numbers etc…so do this: ctrl+a and delete it ALL then SAVE it after you delete everything….
just remember do do all steps…let me know if that works
@bala
The only file you need to remove from task manager is “wndrivsd32.exe”. Once you have removed this file, proceed with the other steps. You need to make sure that the “wndrivsd32.exe” file does not get regenerated and show in the task manager list because it is regenerated periodically. Some of the files mentioned in source 1 and 2 may not exist in your system (some of them did not exist in mine as well). Just delete those that are available.
@surfsUPbrah
Thanks for helping out
I have opened task manager but have not been able to find the wndrivsd32.exe file, however I do get the bubbles picture on my desktop at boot up. I cannot find any of the other files mentioned in the fix however my computer does freeze up and crawl at a snails pace, and virus software programs are unable to be downloaded. Any thoughts, anyone?
@Nick Sincere
I did not experience the things that you have mentioned. I think you are probably infected with other virus. Try looking for any clues. Look into the processes at the task manager. Try to identify any suspicious process that is running. Do a search at Google for it. See if there is any articles written about it that states it is a virus/worm.
hi all, i am mari from georgia. yesterday my friend sent me a file in skype. i receive it and sudenly i saw that this file sent itself to my contacts. i guesed that it was virus. please help me. how i can delete this?