
Thursday, October 11, 2007

temp2.exe (irc.momma worm) - How I removed it successfully

(I found this technique on another blog whose author writes like me, but it is more useful to you. This is for you.)

temp2.exe and/or temp1.exe: both of these viruses irritated me for some time yesterday. While I was copying some files using a flash drive, my machine got threatened by this virus. Some antiviruses treat it as a worm, though it does serious harm. Mainly it deteriorates the data flow, so it is related to network security. I clearly saw evidence that temp2.exe and temp1.exe were running on my system, and until I ended them I was not able to detach the removable devices. In addition, when I tried to open other Windows partitions, they opened in a new window, even though I had not used that option. It also adds an "Autorun" option to the Explorer context menu.

When I dug into the details, I came to know much about the virus and how it works. If we copy from an infected machine, this virus puts three files onto the disk along with the data.

They are: copy.exe, host.exe and autorun.inf.
The autorun.inf file contains only two lines:

[autorun]
open=copy.exe

When we open the infected disk, autorun is invoked and the virus starts acting by running copy.exe. It creates a dump of the above three files in the root directory of each partition and makes a copy of copy.exe in the system32 directory. A copy of temp1.exe and temp2.exe is also kept in system32. Along with that, it corrupts the xcopy.exe and svchost.exe files in system32. It also creates registry entries.
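To see the autorun mechanism described above in action from the defender's side, here is an added example (not from the original post or the other blog) that parses an autorun.inf the way Windows would, reports which executable it would launch, and checks every drive root for the copy.exe / host.exe / autorun.inf triplet. It is read-only and assumes a Windows host with PowerShell 5.1 or later; the function names are my own.

```powershell
# Added example, not code from the original post. Parses autorun.inf and
# reports what it would launch, then checks each drive root for the dropper
# triplet named in the post (copy.exe, host.exe, autorun.inf). Read-only.

function Get-AutorunTarget {
    param([Parameter(Mandatory)][string]$Path)
    $inSection = $false
    $targets = @()
    foreach ($line in Get-Content -LiteralPath $Path) {
        $l = $line.Trim()
        if ($l -eq '' -or $l.StartsWith(';')) { continue }          # blank or comment
        if ($l -match '^\[(.+)\]$') {                                # section header
            $inSection = ($Matches[1] -ieq 'autorun')
            continue
        }
        if (-not $inSection) { continue }
        # Keys that make the shell run something: open=, shellexecute=, shell\x\command=
        if ($l -match '^(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+)$') {
            $targets += [pscustomobject]@{ Key = $Matches[1]; Command = $Matches[2].Trim() }
        }
    }
    return $targets
}

function Test-DriveForDropper {
    param([Parameter(Mandatory)][string]$Root)   # e.g. 'E:\'
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return $null }

    $entries = foreach ($t in Get-AutorunTarget -Path $inf) {
        # Executable is the first token of the command (strip surrounding quotes and arguments)
        $exe = ($t.Command -replace '^"([^"]+)".*$', '$1').Split(' ')[0]
        [pscustomobject]@{
            Key        = $t.Key
            Command    = $t.Command
            Exists     = Test-Path -LiteralPath (Join-Path $Root $exe)
            Suspicious = ($exe -match '\.(exe|com|bat|cmd|scr|pif)$')   # autorun pointing at a program
        }
    }

    $triplet = 'copy.exe', 'host.exe', 'autorun.inf' | ForEach-Object { Join-Path $Root $_ }
    [pscustomobject]@{
        Drive          = $Root
        AutorunEntries = $entries
        TripletPresent = (@($triplet | Where-Object { Test-Path -LiteralPath $_ }).Count -eq 3)
    }
}

# Audit every filesystem drive that currently has a root (fixed and removable).
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root } |
    ForEach-Object { Test-DriveForDropper -Root $_.Root } |
    Where-Object { $_ } |
    Format-List
```

Run it before plugging an unknown flash drive into a clean machine, or on the infected one while Autorun is disabled. The two-line autorun.inf from the post produces one entry with Key `open`, Command `copy.exe` and Suspicious `True`; a drive where all three dropped files are present additionally reports TripletPresent `True`.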

Steps to remove the virus:

To remove the virus, one has to be careful:

1. First, turn off System Restore monitoring.
2. Delete the three files from the root directory of each partition.
3. Remove copy.exe, xcopy.exe, temp1.exe, temp2.exe and svchost.exe from the system32 directory.
4. What remains is deleting the registry entries: search the registry for each of those file names and manually delete the entries.
5. Restart your machine. Then you will be free of that little dragon; an old copy of svchost.exe and xcopy.exe will be written back to your machine.

To check whether the virus has been cleared, look at the file properties of those two files. They must show the company info as 'Microsoft Corporation...'. Anything residing in the system32 directory must be from Microsoft; if it is not, you can suspect a malicious entry. After successful removal of the virus, you can continue by re-enabling System Restore monitoring.
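The property check above, and the registry search from the removal steps, can be scripted so nothing is missed. The following is an added example, not from the original post: it reads the version info and Authenticode status of each file the post names in system32, computes a hash for your records, and lists Run/RunOnce autostart values that reference any of those names. It deletes nothing and assumes an elevated Windows PowerShell 5.1 or later session; the function names and the `Suspicious` rule are my own.

```powershell
# Added example, not code from the original post. Read-only audit of the
# files named in the post and of common autostart registry keys.
$Names    = 'copy.exe', 'xcopy.exe', 'temp1.exe', 'temp2.exe', 'svchost.exe'
$System32 = Join-Path $env:SystemRoot 'System32'

function Get-FileProvenance {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate.Subject      # $null when unsigned
    $company = $item.VersionInfo.CompanyName
    [pscustomobject]@{
        Path        = $Path
        Present     = $true
        Company     = $company
        Description = $item.VersionInfo.FileDescription
        Signature   = $sig.Status                  # Valid / NotSigned / HashMismatch ...
        Signer      = $signer
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # The post's rule of thumb: everything in System32 should come from Microsoft.
        # Note: copy.exe is never a legitimate file here; "copy" is a cmd.exe built-in.
        Suspicious  = -not (($company -like '*Microsoft*') -and ($sig.Status -eq 'Valid'))
    }
}

function Find-AutostartReferences {
    param([Parameter(Mandatory)][string[]]$FileNames)
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # skip provider metadata (PSPath, PSDrive, ...)
            foreach ($n in $FileNames) {
                if ("$($p.Value)" -match [regex]::Escape($n)) {
                    [pscustomobject]@{ Key = $k; ValueName = $p.Name; Data = $p.Value; Matches = $n }
                }
            }
        }
    }
}

$Names | ForEach-Object { Get-FileProvenance -Path (Join-Path $System32 $_) } |
    Format-Table Path, Present, Company, Signature, Suspicious -AutoSize

Find-AutostartReferences -FileNames $Names | Format-Table -AutoSize
```

Run it once before the removal steps to record what is there (the hashes are useful if you later want to compare against a known-good copy) and once after the restart to confirm that svchost.exe and xcopy.exe report Microsoft as the company and that no Run key still points at the deleted names. Windows system binaries are usually catalog-signed rather than carrying an embedded signature; Get-AuthenticodeSignature consults the catalog on current Windows versions but can report NotSigned on older ones, so read the Signature column together with Company rather than on its own.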