Any Help About XMSS.EXE and Funny UST Scandal.avi.EXE
Fahid
XMSS.EXE
Funny UST Scandal.avi.EXE
Rey Santos
From a Philippines forum UST is University of Sto. Tomas a prestigious
Philippine universty:
http://www.pcx.com.ph/forum/display_topic_threads.asp?ForumID=3&TopicID=28487&get=last
Some of it is in local language so I had to translate below:
Software used to build the virus= AutoIt V3
drop Files- killer.exe(4084 kb) in c:\windows\
lsass.exe(3920kb) in c:\documents and settings\all users\start
menu\programs\startup
smss.exe(4088kb) in all root drives and in c:\windows
autorun.inf(1kb) in all root drives with a script
[autorun]
open=smss.exe
shell\Open\Command=smss.exe
shell\open\Default=1
shell\Explore\Command=smss.exe
shell\Autoplay\command=smss.exe
Funny UST Scandal.avi.exe(228kb) in all root drives
Registry
Entries-HKLM\Software\Microsoft\WindowNT\CurrentVersion\Winlogon=shell(killer.exe)
HKCU\Software\Microsoft\windows\Currentversion\Run=runonce(c:\windows\smss.exe)
HOw to remove this lame virus????
-first download taskiller in http://www.rsdsoft.com/task_killer/index.php4
and install it to
your computer because you cant use taskmanager to terminate the virus(the
virus automatically close taskmanager).
-run taskiller and left click it on the system tray(the one with a skull icon)
-click processes
-to close the virus, select process and click yes to the question
(process to close)
1.killer.exe
2.lsass.exe
3.smss.exe
note: close only file that have the same icon of Funny UST Scandal.avi.exe
CMD STEPS
1-now, click "start" then "run"
2-type "cmd" without quotes
3-type "cd\" without quotes
4-type "attrib -h -s smss.exe" without quotes
5-type "attrib -h -s autorun.inf" without quotes
6-type "start c:" without quotes(a new window will open)
7-select smss.exe,autorun.inf,Funny UST Scandal.avi.exe and delete it
-if theres any drive or a partition type "d:" in command prompt without quotes
"d" is the drive letter then repeat the CMD STEPS number 4-7 above.......
-now type this on the command prompt "cd windows" without quotes(na naman!)
-type "attrib -h -s smss.exe" without quotes(uli)
-type "start c:\windows" without quotes(hay naku!)
-delete the file smss.exe
-now, goto c:\documents and settings\all users\startmenu\programs\startup
-delete lsass.exe
-click "start" then "run"
-type "regedit" without quotes then delete the registry entries above....
Note:
If you have problems opening drives in My Computer open regedit find
"\smss.exe" then erase values like: "c:\smss.exe", "d:\smss.exe" etc..
--
Rey
Fahid Shehzad
I have succesfully removed the viruses with your instructions
Thanks Again
"Rey Santos" <ReyS...@discussions.microsoft.com> wrote in message
news:1DB9F302-478D-4F95...@microsoft.com...
Rey Santos
--
Rey
Plato
>
> Can Someone help about these viruses/spywares
>
> XMSS.EXE
Try some virus scanners online:
EAP...@gmail.com
problem spreading the virus...I have one question though..i'm not sure
if i followed correctly the guide but the virus is not coming back any
more. Is that good? God bless...
mohan...@gmail.com
Thanks for the info.
I have the same problem.
i managed to clear it out by this method.
Then i used House call from trend micro to cleanup and some more were
deleted.
but still i am not able to get my folder options settings of "Show
hidden and system files" back.
it switches back to "Do not show" option automatically
what to do abt it ?
mohan...@gmail.com
Trend micro
Rey Santos
http://forums.techguy.org/windows-nt-2000-xp/595940-solved-hidden-folder.html
--
Rey
bhat...@gmail.com
wrote:
> From Sophos: http://www.sophos.com/security/analyses/w32sdbotdiq.html
>
> From a Philippines forum UST is University of Sto. Tomas a prestigious
>
> Some of it is in local language so I had to translate below:
>
> Software used to build the virus= AutoIt V3
> drop Files- killer.exe(4084 kb) in c:\windows\
> lsass.exe(3920kb) in c:\documents and settings\all users\start
> menu\programs\startup
> smss.exe(4088kb) in all root drives and in c:\windows
> autorun.inf(1kb) in all root drives with a script
>
> [autorun]
> open=smss.exe
> shell\Open\Command=smss.exe
> shell\open\Default=1
> shell\Explore\Command=smss.exe
> shell\Autoplay\command=smss.exe
>
> Funny UST Scandal.avi.exe(228kb) in all root drives
>
> Registry
>
> HKCU\Software\Microsoft\windows\Currentversion\Run=runonce(c:\windows\smss.-exe)
>
> HOw to remove this lame virus????
>
>
> - Show quoted text -
hi geeks,
this is not related to xp but win2k server sp4.
my issue is; i have win2k server sp4 running and affected by "Funny
UST Scandal.avi.EXE" but as you mentioned the changes in Registry and
file created in root directory (.inf), not in my case.
no such files are there in Startup.
in other case, there is a sub-dir under d:\ drive. i have this virus
here.
i am surprised how do i clean this and i don't know also.
there is no Unknown service starts even, all are os related services
runs.
could you please solve this.
ANKUSH JAIN
> On Nov 24, 12:26 pm, Rey Santos <ReySan...@discussions.microsoft.com>
> wrote:
>
>
>
>
>
> > From Sophos: http://www.sophos.com/security/analyses/w32sdbotdiq.html
>
> > From a Philippines forum UST is University of Sto. Tomas a prestigious
> > Philippine universty:http://www.pcx.com.ph/forum/display_topic_threads.asp?ForumID=3&Topic...
>
> > Some of it is in local language so I had to translate below:
>
> > Software used to build the virus= AutoIt V3
> > drop Files- killer.exe(4084 kb) in c:\windows\
> > lsass.exe(3920kb) in c:\documents and settings\all users\start
> > menu\programs\startup
> > smss.exe(4088kb) in all root drives and in c:\windows
> > autorun.inf(1kb) in all root drives with a script
>
> > [autorun]
> > open=smss.exe
> > shell\Open\Command=smss.exe
> > shell\open\Default=1
> > shell\Explore\Command=smss.exe
> > shell\Autoplay\command=smss.exe
>
> > Funny UST Scandal.avi.exe(228kb) in all root drives
>
> > Registry
>
> > HKCU\Software\Microsoft\windows\Currentversion\Run=runonce(c:\windows\smss.-exe)
>
> - Show quoted text -
just open this link http://www.geocities.com/six519/Remover.zip
download it and unzip it