Removal of W32/Mydoom

Removal instructions for W32/Mydoom

The shimgapi.dll file is injected into the EXPLORER.EXE process if the system has been rebooted after the infection has occurred. In this situation, a reboot and rescan is required to remove this DLL from the system.

Stinger 1.9.8 has been made available to assist in detecting and repairing this threat. A reboot is not required after running Stinger v1.9.8. To download Stinger, please click here. For instructions on how to install and run Stinger, please check the following link:

http://vil.nai.com/vil/stinger/


To remove W32/Mydoom manually ("by hand"), follow these steps (WinNT/2K/XP):

  1. Terminate the process TASKMON.EXE
  2. Delete the file TASKMON.EXE from your WINDOWS SYSTEM directory (typically c:\windows\system32 or c:\winnt\system32)
  3. Edit the registry
  • Delete the "TaskMon" value from
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Change the (Default) value to webcheck.dll here
    • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
  4. Terminate the process EXPLORER.EXE
  5. Delete the file SHIMGAPI.DLL from your WINDOWS SYSTEM directory (typically c:\windows\system32 or c:\winnt\system32)
  6. Reboot the system
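
To confirm the result of the steps above, here is a read-only PowerShell check, added as an example (it is not part of the original instructions or of Stinger). It reports which of the files, processes and registry values named on this page are still present and changes nothing. It assumes PowerShell is installed and that the Windows system directory is %SystemRoot%\System32; the report strings are made up for this example.

```powershell
# Added example: read-only check, nothing is deleted or modified.
$sysDir   = Join-Path $env:SystemRoot 'System32'   # assumed system directory
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# InProcServer32 is the standard COM subkey that holds a class's DLL path.
$clsidKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32'
$findings = @()

# Steps 2 and 5: the two files in the Windows system directory.
foreach ($name in 'taskmon.exe', 'shimgapi.dll') {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# Step 1: is TASKMON.EXE still running?
if (Get-Process -Name 'taskmon' -ErrorAction SilentlyContinue) {
    $findings += 'Process running: TASKMON.EXE'
}

# Step 4: is shimgapi.dll still loaded inside EXPLORER.EXE?
foreach ($proc in @(Get-Process -Name 'explorer' -ErrorAction SilentlyContinue)) {
    try {
        foreach ($mod in $proc.Modules) {
            if ($mod.ModuleName -ieq 'shimgapi.dll') {
                $findings += "shimgapi.dll loaded in explorer.exe (PID $($proc.Id))"
            }
        }
    } catch {
        $findings += "Could not list modules of explorer.exe (PID $($proc.Id))"
    }
}

# Step 3, first bullet: the "TaskMon" value under the Run key.
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['TaskMon']) {
    $findings += "Run value present: TaskMon = $($run.TaskMon)"
}

# Step 3, second bullet: (Default) should point at webcheck.dll again.
$key = Get-Item -LiteralPath $clsidKey -ErrorAction SilentlyContinue
if ($key) {
    $default = [string]$key.GetValue('')
    if ($default -notmatch '(^|\\)webcheck\.dll$') {
        $findings += "CLSID default value is '$default', expected webcheck.dll"
    }
}

if ($findings.Count -eq 0) { 'No artifacts from this page found.' } else { $findings }
```

Run it once before the cleanup to see what applies to the machine and again after the final reboot; an empty findings list after the reboot means every step took effect.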

More details about this virus can be found on:

http://vil.nai.com/vil/content/v_100983.htm

Last Updated on Monday, 02 May 2011 20:02