Start Menu Shows 2 EXEs.But Internet Search Finds Nil

[JeanetteM]

Have "sysdrv32.exe" and "zhervcx.exe" in the start up in msconfig. Can get no info on the "zh...." one at all. And only a snipit on the "sys..." one. Nothing helpfull though.

Have deleted the actuall files from C: as well as used the jv16 to remove them from the registry and the start menu but it still exists.

When going into regedit and searching they are found but I dont know how or what keys to alter or delete to remove these things.

Any ideas on this ? Has anyone else even heard of these things.

BTW...Have McAfee Internet Security suite 2004. Its no longer finding any viruses but I still dont like these things hangin in my registry.

Any help would be great !!!

For all your virtual administrative needs visit

http://www3.sympatico.ca/lanceandjeanette

 

[bcastner]

Hijack This! can help, but see the comprehensive malware cleaning steps suggested in faq608-4650

 

[linney]

http://www.esecurityplanet.com/alerts/print.php/3096241

W32/Dafly-B is a prepending virus which infects Windows executable files. W32/Dafly-B copies itself to the Windows system folder with the filenames SysDrv32.exe and Enjoy.exe and then sets the following registry entries to point to itself so that it is executed every time one of those filetypes is run (though a bug means that it may crash):
HKCR\batfile\shell\open\commandHKCR\comfile\shell\open\commandHKCR\exefile\shell\open\commandHKCR\piffile\shell\open\commandHKCR\scrfile\shell\open\command\

W32/Dafly-B infects all files in the folder and subfolders pointed to by the following registry entries:
HKCU\Software\Widcomm\BTConfig\Services\0005\root
HKLM\Software\Kazaa\CloudLoad\ShareDir

W32/Dafly-B will also copy itself to the folders pointed to by these entries with the filenames Matrix2.scr and Terminator3.scr.

Find out more about this worm at this Sophos page.

http://www.sophos.com/virusinfo/analyses/w32daflyb.html