Sunday, February 04, 2007

temp2.exe (irc.momma worm) - How I removed it successfully

temp2.exe and/or temp1.exe: these two pieces of malware troubled me for some time yesterday. While I was copying some files using a flash drive, my machine got infected. Some anti-virus products classify it as a worm, and it does real harm: mainly it degrades the flow of data, so it is a network-security matter too. I found clear evidence that temp2.exe and temp1.exe were running on my system, and until I ended those processes I could not detach the removable drive. In addition, when I tried to open the other Windows partitions, they opened in a new window even though I had not chosen that option, and an 'Autorun' entry had been added to the drive's context menu in Explorer.

When I dug into the details, I learned a lot about how the worm works. If you copy files from an infected machine, the worm writes three files onto the disk along with your data.
They are: copy.exe, host.exe and autorun.inf
The autorun.inf file contains only two lines:
[autorun]
open=copy.exe
When the infected disk is opened, AutoRun fires and the worm begins by running copy.exe. That drops the same three files into the root directory of every partition and puts a copy of copy.exe into the system32 directory; copies of temp1.exe and temp2.exe are also kept in system32. Along with that, it corrupts the xcopy.exe and svchost.exe files in system32. It also adds entries to the registry.
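Here is an added example, written for this page and not the author's tool or anything from the worm itself: a Python script that parses an autorun.inf the way Explorer reads the two-line file above and lists which of the dropped files are sitting in a drive root. Only the file names come from the post; the function names and the throwaway sample drive it builds are assumptions made for the demo.

```python
"""Triage a drive root for the autorun.inf dropper described in the post.

Added example: not the author's tool and not part of the worm.  Only the
file names (copy.exe, host.exe, autorun.inf) come from the post; the
function names and the sample drive are assumptions for this demo.
"""
import configparser
import os
import tempfile

# File names the post says the worm drops into the root of each partition.
DROPPED_FILES = ("copy.exe", "host.exe", "autorun.inf")

# autorun.inf keys that make Explorer launch a program when the drive is
# opened or double-clicked.  'open' is the one the post's two-line file uses.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return [(key, target), ...] for every directive that launches a program.

    Handles the bare two-line file from the post as well as the longer
    shell\\verb\\command= form that other autorun droppers use.  A file
    without a section header is reported as unparseable rather than
    silently treated as clean.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    try:
        cp.read_string(text.replace("\r\n", "\n"))
    except configparser.Error:
        return [("unparseable", "")]
    # configparser section names are case-sensitive; INF files are not.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    launches = []
    for key, value in cp.items(section):          # option names are lower-cased
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launches.append((key, (value or "").strip()))
    return launches


def triage_root(root):
    """List the dropped files present in a partition root and decode autorun.inf.

    Returns a list of (kind, detail) tuples; an empty list means nothing the
    post describes was found.
    """
    findings = []
    for name in DROPPED_FILES:
        if os.path.isfile(os.path.join(root, name)):
            findings.append(("dropped_file", name))
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        # INF files are ANSI text; latin-1 never fails to decode.
        with open(inf, "r", encoding="latin-1") as fh:
            for key, target in parse_autorun(fh.read()):
                findings.append(("autorun_launch", f"{key}={target}"))
                # Whatever the launched file is called, note whether it is
                # actually sitting next to the autorun.inf.
                exe = target.split()[0] if target else ""
                if exe and os.path.isfile(os.path.join(root, exe)):
                    findings.append(("launch_target_present", exe))
    return findings


def build_sample_drive():
    """Create a throwaway directory laid out like the infected flash drive.

    Constructed for this example: the .exe files are placeholder bytes, not
    malware, and report.doc stands in for the user's own copied data.
    """
    root = tempfile.mkdtemp(prefix="infected_drive_")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="latin-1", newline="") as fh:
        fh.write("[autorun]\r\nopen=copy.exe\r\n")     # the two lines from the post
    for name in ("copy.exe", "host.exe", "report.doc"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"placeholder, not an executable")
    return root


if __name__ == "__main__":
    for kind, detail in triage_root(build_sample_drive()):
        print(f"{kind:22s} {detail}")
```

Point triage_root at the root of a mounted flash drive (for example triage_root("E:\\") on Windows) from a machine where AutoRun is disabled, since double-clicking the drive in Explorer is exactly what launches copy.exe.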

Steps to remove the virus:

Removing the worm needs some care. First, turn off System Restore monitoring, so that a restore point does not bring the files back later. Then delete the three files from the root directory of each partition. Also remove copy.exe, xcopy.exe, temp1.exe, temp2.exe and svchost.exe from the system32 directory. What remains is the registry: search it for each of those file names and delete the entries by hand. Be careful with the last two names, though: svchost.exe and xcopy.exe are genuine Windows files and are referenced by normal service entries, so remove only the entries that point at the worm's own files. After that, restart your machine and you will be rid of that little dragon. Windows File Protection writes clean copies of svchost.exe and xcopy.exe back from its dllcache.

To check whether the worm is really gone, look at the file properties of those two files: the company information must read 'Microsoft Corporation'. The same goes for the rest of the system32 directory: most of what lives there comes from Microsoft, so anything that does not deserves to be treated as a suspect entry. Keep in mind that version information is trivial to forge, so treat this as a quick sanity check rather than proof; the file's digital signature, or running sfc /scannow, is the stronger check. Once the worm has been removed successfully, you can turn System Restore monitoring back on.
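For the registry step, as an added example that is not part of the author's procedure, the script below does the search over a text export of the hives (reg export HKLM hklm.reg, and likewise for HKCU) instead of clicking through regedit's Find once per name. It searches only the worm's own names from the post, because svchost.exe and xcopy.exe are referenced by legitimate entries all over the registry, and it anchors matches on a file-name boundary so that host.exe does not match svchost.exe. It also decodes the hex(2): form in which reg export writes REG_EXPAND_SZ values (UTF-16LE bytes spread over continuation lines), which a plain text search would miss. The sample export, including the MountPoints2 volume GUID, is constructed for the demo; MountPoints2 is where Explorer caches a drive's autorun.inf shell entries, which is why the 'opens in a new window' behaviour can outlive the files themselves.

```python
"""Find registry values that point at the worm's files in a 'reg export' dump.

Added example for this post, not the author's procedure.  Handles the two
things that make a naive text search unreliable: REG_EXPAND_SZ/REG_MULTI_SZ
are exported as hex(2):/hex(7): UTF-16LE byte lists split over continuation
lines, and host.exe is a suffix of the legitimate svchost.exe.  The sample
export below is constructed; the MountPoints2 GUID is made up.
"""
import re

# The worm's own file names from the post; nothing that Windows also uses,
# since svchost.exe/xcopy.exe references are legitimate and everywhere.
WORM_FILES = ("copy.exe", "host.exe", "temp1.exe", "temp2.exe")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")


def _patterns(names):
    # Anchored on a file-name boundary so host.exe does not match svchost.exe.
    return [(n, re.compile(r"(?<![\w.-])" + re.escape(n) + r"(?![\w.-])", re.I))
            for n in names]


def iter_values(export_text):
    """Yield (key, value_name, raw_data) with hex continuation lines joined."""
    key, pending = None, None
    for raw in export_text.splitlines():
        line = raw.strip()
        if pending is not None:                  # continuation of a hex value
            name, data = pending
            data += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, data)
            else:
                pending = None
                yield key, name, data
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group("default") else m.group("name")
        data = m.group("data")
        if data.endswith("\\"):
            pending = (name, data.rstrip("\\"))
        else:
            yield key, name, data


def decode_data(data):
    """Turn exported value data into searchable text.

    Quoted strings are unescaped; hex(2)/hex(7) are decoded from UTF-16LE with
    NULs turned into newlines; plain hex: (REG_BINARY) is decoded byte-per-
    character; anything else (dword:, ...) is returned as written.
    """
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r'\\(["\\])', r"\1", data[1:-1])
    m = HEX_RE.match(data)
    if not m:
        return data
    raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
    if m.group("type") in ("2", "7"):
        return raw.decode("utf-16-le", errors="replace").replace("\x00", "\n")
    return raw.decode("latin-1")


def find_references(export_text, names=WORM_FILES):
    """Return [(key, value_name, matched_file), ...] for values naming a worm file."""
    hits = []
    patterns = _patterns(names)
    for key, name, data in iter_values(export_text):
        text = decode_data(data)
        for file_name, pat in patterns:
            if pat.search(text) or pat.search(key):
                hits.append((key, name, file_name))
                break
    return hits


# Constructed sample in 'reg export' syntax.  The WinUpdate value is
# %SystemRoot%\system32\temp1.exe as a hex(2) REG_EXPAND_SZ over three lines;
# the Dnscache ImagePath is a legitimate svchost.exe reference that must not hit.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
"SystemUpdate"="C:\\WINDOWS\\system32\\temp2.exe"
"WinUpdate"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
  25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,00,65,00,6d,00,\
  70,00,31,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k NetworkService"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0d5e1c2a-7b3f-4e9a-9c11-0123456789ab}\Shell\AutoRun\command]
@="E:\\copy.exe"
"""

if __name__ == "__main__":
    for key, name, file_name in find_references(SAMPLE_EXPORT):
        print(f"{file_name:10s} {key} -> {name}")
```

Real exports are UTF-16 text, so read them with open(path, encoding="utf-16") before passing the contents to find_references. Each hit is a key path and value name to open in regedit and judge; the script only reports and never deletes.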

28 comments:

Unknown said...

Hello,
Thanks for the useful blog. My computer was also attacked by this virus and I was facing a lot of problems; now I have got rid of it.
Thank you

uma said...

@Girish,
Thanks for your comment!

m.o.kane said...

The virus also leaves entries in C:\windows\prefetch. You have to delete all of these as well.

Make sure you search the registry for the strings "copy.exe", "autorun.inf" and "host.exe". These have to be deleted as well.

uma said...

@Michael,
Thanks for your point. But prefetch files won't do much harm, I think. autorun.inf may not need to be deleted from all the registry entries; you have to delete those entries that belong to the affected partitions.

hemant said...

Hi Uma, in addition to temp1 and temp2.exe, I also have a virus, desktop_.ini... It's causing so much annoyance... Please help me to remove all those things... Life has become hell due to these viruses.

uma said...

@bapi,
Is it related to the "desktop.ini, folder.htt" virus?
Better delete them ASAP, since when you open a directory these two files will be copied in automatically. You might find plenty of suggestions on the internet.

Anonymous said...

I am unable to see the three files in my root directory, even after turning off System Restore. Can anybody help me out?

uma said...

@anonymous,
Try unhiding operating system files. You can find that option in Explorer -> ... -> Folder Options; just uncheck the 'hide operating system files' option.

Anonymous said...

Hello all,
You can download and run the exe available at this link: "http://www.softpedia.com/get/Security/Secu...oval-Tool.shtml".
It really works well in removing temp1, temp2, svchost, copy and such inf/exe files.

Anonymous said...

I got rid of the worm on my system. Great work!
Thank you Uma!

Anonymous said...

I am facing the same problem, and again the root of the problem is a flash drive. I tried to delete all those files but I am not able to delete SVCHOST.EXE. It is not letting me delete it.

I don't know what to do. I even tried in safe mode.

My flash drive is still opening in a new window and I don't know what to do to fix it. I have even formatted it twice but no luck.

Could somebody help me from this point?

Thanks

Vijay Sivasubramanian said...

Hi Uma,
I tried deleting the three files from the root directory, but they seem to be copied back every time I delete them. How do I stop this?

Rapra said...

Hi Uma,
I came across your blog by chance when searching the whole web for information regarding Temp2.exe after getting infected with it.
Thanks for the information.
rapra7349@yahoo.com

Anonymous said...

Hello everyone

PRT Perlovga Removal Tool v1.0.2


Download links:

Sergiwa.com
http://www.sergiwa.com/en/modules/mydownloads/singlefile.php?cid=2&lid=4

Softpedia.com
http://www.softpedia.com/get/Security/Security-Related/PRT-Perlovga-Removal-Tool.shtml

Download.com
http://www.download.com/PRT-Perlovga-Removal-Tool-/3640-2239_4-10668818.html

Developer: Issam Sergiwa - iSergiwa Software
License: Freeware
Price: FREE
OS: Windows XP
Size: 32 KB

What does this tool do?

This tool removes the so-called temp2.exe virus and friends (copy.exe, host.exe)... It removes them from all your hard drive partitions, including floppy disks and USB flash disks (those must be write-enabled during the scan process).

It also removes the leftovers of this virus by removing the 'autorun.inf' files and cleaning up your system registry, so you won't see the 'autoplay' item anymore.

Moreover, this tool has been downloaded thousands of times and has been found to work not only with this virus but with many other viruses that share the same behaviour!

How to use it?

Start your computer in Safe Mode and run this tool. If you have infected floppy/flash disks you can insert them and click Start. You can repeat this for every disk you have.

For bugs & problems, please contact me, or leave your comment here.

I designed this tool and published it FOR FREE for everyone who needs to use it. If you find it useful please let me know. Thanks.

Issam Sergiwa
www.sergiwa.com

Anonymous said...

Hey Issam, the tool worked perfectly for all my drives but the thumb drive. It works fine with it at first, but when I restart the system, the first two options on the right-click menu come up in some other language, and apparently the first option opens the folder pertaining to the thumb drive in a separate window. What's the problem? I tried reformatting my thumb drive a couple of times, but to no avail! Anybody who knows about this, please help me out! And before running the tool, I did make sure that it was write-enabled.

Anonymous said...

Does this thing leave behind any kind of junk files? Someone said it is supposed to be spyware; are there log files that can be deleted as well that may be sucking up space?

Also, I have just downloaded that little app to remove this crap; does it clean network-mapped drives as well?

Anonymous said...

To show hidden files, if your computer is infected, you need to:

1. Open the registry editor: Start->Run->regedit
2. Find: HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL

Set the CheckedValue value to 1.
NOTE: this is a DWORD value

Now you should be able to see the hidden autorun.inf files in your partition roots.

To prevent AutoRun from running, change the following registry entry:

1. Open the registry editor: Start->Run->regedit
2. Find: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
3. In the right pane, set the value
NoDriveTypeAutoRun = 9D,00,00,00

This will stop AutoRun from kicking in when opening partitions. Now you can right-click a partition and use Open to open the folder. Remove autorun.inf and other files that shouldn't be there.

Anonymous said...

Hi Uma,
I followed all your suggestions to delete temp1.exe and temp2.exe. I was not able to delete temp1.exe, and because of this, after restarting my PC, temp2.exe appeared again in the system32 folder. Could you please suggest how to delete temp1.exe permanently from my system?
Thanks,
Ravi

uma said...

@Ravi,
Did you remove copy.exe and xcopy.exe along with temp1.exe and temp2.exe? If you delete temp1.exe/temp2.exe but leave copy.exe/xcopy.exe, they will be recreated from time to time. If you did remove them, I think I need more info on why temp1.exe can't be deleted. Please check whether you followed all my suggestions or missed any.

Anonymous said...

Wish I could remove your virus.

Anonymous said...

The tool has a virus. My OS X is dead. This blog sucks.

Anonymous said...

I have flu. Does the tool work for that????

I'm from Namibia, need food.

Anonymous said...

I have two files called temp1.out and temp2.out which are messing with me like many others do.
There is also a .basrc file which seems to work like the autorun.inf.

Could you tell me how to resolve this bug?

Anonymous said...

Hi, Shanker ;) nice blog.
I have a client with this bug.
Manually removing the trojan is the best option. On a 2003 Server Standard Edition the following had been observed:
when the system starts you get a message that temp2.exe went nasty, and a report-to-MS dialog pops up.
Details are:
temp2.exe went nasty.
module: temp2.exe. fault has house no 0x000126e
That happens two times, and when you click "Don't send" the system restarts.
You have to right-click & refresh three times... (true!) immediately after the desktop shows, or else REBOOT... F5 doesn't work.
Apart from that you can't shut down the system. If you try, it simply restarts....
The PC has other trojans and worms too. This guy ran his system without antivirus for 2 years (!!!!).
Hope your little trick works.

Neha said...

Hi all...
My pen drive has caught the virus "host.exe" and I guess a few others, all together. No antivirus seems to be catching them. Can any of you please tell me how to get rid of these sick viruses? I'm very tense as my work has all got hung because of them....
Reply ASAP...

neha

Anonymous said...

Hey All

I had the same problem as you all. I downloaded the AVG free version and it sorted out the virus on my flash drive as well as my HDD.

It's the best. The virus is some Brontok trojan or something. Anyway, ciao and good luck.

Anonymous said...

DOWNLOAD AVG ANTI VIRUS FREE, IT SOLVES THE PROBLEM
