The registry autorun entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Microsoft Services><msmpserv.exe>
The running process:
C:\WINDOWS\system32\msmpserv.exe
HijackThis log:
O4 - HKLM\..\Run: [Microsoft Services] msmpserv.exe
======================================================
Removal case:
Every time you reboot, the worm regenerates because it is registered in your autorun entry, just like “MsnMsgr.Exe”: when Windows starts up, MSN starts running. The key process “msmpserv.exe” is the boss of the MSN worm; if you don’t delete it, it will regenerate the others.
The case link: http://dasherxxx.blogspot.com/2008/03/msn-myphoto-viruse-disableremoval.html
Removal Instructions:
1. Delete the malware files
The following files are malware files; you can use “Unlocker” or “KillBox” to delete them.
c:\windows\system32\tphklock.dll
c:\windows\system32\notifyf2.dll
c:\windows\system32\ssqqjkcv.dll
C:\WINDOWS\system32\msmpserv.exe
c:\windows\system32\tuvwqqqn.dll
2. Delete the autorun entry in the registry. You can use “msconfig”.
How to do it: http://dasherxxx.blogspot.com/2008/03/msn-myphoto-viruse-disableremoval.html
Or use SRENG, the software you use to scan and create the SRENG log.
How to do it: open SRENG, go to Boot Items, then Registry, and find these entries:
[WinlogonNotify: tphotkey] <tphklock.dll>
[WinlogonNotify: tpfnf2] <notifyf2.dll>
[WinlogonNotify: ssqQjKCv] <ssqQjKCv.dll>
[Microsoft Services] <msmpserv.exe>
Or you can download the fix reg file.
The name “Microsoft Services” is meant to fool people into thinking it is a normal Windows entry; the author of the MSN worm is crafty.
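
Because the worm regenerates if any autorun entry survives, it helps to re-scan after a reboot and check the new log for the entries above. The following is an added example, not part of the original post: it parses the two log line formats shown here (HijackThis O4 and SRENG boot items) and reports entries that still point at a listed file. The function names and the sample log are constructed for illustration.

```python
import re

# File names listed in step 1 of the post, lower-cased for matching.
LISTED_FILES = {
    "tphklock.dll", "notifyf2.dll", "ssqqjkcv.dll",
    "msmpserv.exe", "tuvwqqqn.dll",
}

# HijackThis autorun line, e.g.  O4 - HKLM\..\Run: [Name] file
HJT_O4 = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# SRENG boot item line, e.g.  [WinlogonNotify: name] <file>
SRENG = re.compile(r"^\[(?P<name>[^\]]+)\]\s*<(?P<cmd>[^>]+)>$")


def basename(cmd):
    """Lower-cased file name from a bare name, a full path, or a quoted
    command line with arguments."""
    parts = cmd.split("\\")[-1].split()
    return parts[0].strip('"').lower() if parts else ""


def remaining_entries(log_text):
    """Return (entry name, file name) pairs that still reference a listed file."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_O4.match(line) or SRENG.match(line)
        if m and basename(m.group("cmd")) in LISTED_FILES:
            hits.append((m.group("name"), basename(m.group("cmd"))))
    return hits


# Constructed sample: a post-reboot log where cleanup was incomplete.
# The MsnMsgr line is a legitimate autorun and must not be reported.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Services] msmpserv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[WinlogonNotify: ssqQjKCv] <ssqQjKCv.dll>
[Microsoft Services] <C:\WINDOWS\system32\msmpserv.exe>
"""

if __name__ == "__main__":
    for name, filename in remaining_entries(SAMPLE_LOG):
        print(f"still present: [{name}] -> {filename}")
```

An empty result on a log taken after the reboot means none of the listed entries came back. File names are compared case-insensitively because the post shows the same DLL as both ssqqjkcv.dll and ssqQjKCv.dll.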



