Any Help About XMSS.EXE and Funny UST Scandal.avi.EXE

  • Thread starter Thread starter Fahid
  • Start date Start date
From Sophos: http://www.sophos.com/security/analyses/w32sdbotdiq.html

From a Philippines forum UST is University of Sto. Tomas a prestigious
Philippine universty:
http://www.pcx.com.ph/forum/display_topic_threads.asp?ForumID=3&TopicID=28487&get=last

Some of it is in local language so I had to translate below:

Software used to build the virus= AutoIt V3
drop Files- killer.exe(4084 kb) in c:\windows\
lsass.exe(3920kb) in c:\documents and settings\all users\start
menu\programs\startup
smss.exe(4088kb) in all root drives and in c:\windows
autorun.inf(1kb) in all root drives with a script

[autorun]
open=smss.exe
shell\Open\Command=smss.exe
shell\open\Default=1
shell\Explore\Command=smss.exe
shell\Autoplay\command=smss.exe

Funny UST Scandal.avi.exe(228kb) in all root drives

Registry
Entries-HKLM\Software\Microsoft\WindowNT\CurrentVersion\Winlogon=shell(killer.exe)

HKCU\Software\Microsoft\windows\Currentversion\Run=runonce(c:\windows\smss.exe)


HOw to remove this lame virus????

-first download taskiller in http://www.rsdsoft.com/task_killer/index.php4
and install it to
your computer because you cant use taskmanager to terminate the virus(the
virus automatically close taskmanager).

-run taskiller and left click it on the system tray(the one with a skull icon)

-click processes

-to close the virus, select process and click yes to the question

(process to close)
1.killer.exe
2.lsass.exe
3.smss.exe

note: close only file that have the same icon of Funny UST Scandal.avi.exe


CMD STEPS
1-now, click "start" then "run"
2-type "cmd" without quotes
3-type "cd\" without quotes
4-type "attrib -h -s smss.exe" without quotes
5-type "attrib -h -s autorun.inf" without quotes
6-type "start c:" without quotes(a new window will open)
7-select smss.exe,autorun.inf,Funny UST Scandal.avi.exe and delete it

-if theres any drive or a partition type "d:" in command prompt without quotes
"d" is the drive letter then repeat the CMD STEPS number 4-7 above.......

-now type this on the command prompt "cd windows" without quotes(na naman!)
-type "attrib -h -s smss.exe" without quotes(uli)
-type "start c:\windows" without quotes(hay naku!)
-delete the file smss.exe
-now, goto c:\documents and settings\all users\startmenu\programs\startup
-delete lsass.exe

-click "start" then "run"
-type "regedit" without quotes then delete the registry entries above....

Note:
If you have problems opening drives in My Computer open regedit find
"\smss.exe" then erase values like: "c:\smss.exe", "d:\smss.exe" etc..

--
Rey


"Fahid" wrote:

> Can Someone help about these viruses/spywares
>
> XMSS.EXE
>
> Funny UST Scandal.avi.EXE
>
>
>
 
Thanks A Million Mr. Rey Santos

I have succesfully removed the viruses with your instructions

Thanks Again


"Rey Santos" <ReySantos@discussions.microsoft.com> wrote in message
news:1DB9F302-478D-4F95-B9B6-B610EFE6549C@microsoft.com...
> From Sophos: http://www.sophos.com/security/analyses/w32sdbotdiq.html
>
> From a Philippines forum UST is University of Sto. Tomas a prestigious
> Philippine universty:
> http://www.pcx.com.ph/forum/display_topic_threads.asp?ForumID=3&TopicID=28487&get=last
>
> Some of it is in local language so I had to translate below:
>
> Software used to build the virus= AutoIt V3
> drop Files- killer.exe(4084 kb) in c:\windows\
> lsass.exe(3920kb) in c:\documents and settings\all users\start
> menu\programs\startup
> smss.exe(4088kb) in all root drives and in c:\windows
> autorun.inf(1kb) in all root drives with a script
>
> [autorun]
> open=smss.exe
> shell\Open\Command=smss.exe
> shell\open\Default=1
> shell\Explore\Command=smss.exe
> shell\Autoplay\command=smss.exe
>
> Funny UST Scandal.avi.exe(228kb) in all root drives
>
> Registry
> Entries-HKLM\Software\Microsoft\WindowNT\CurrentVersion\Winlogon=shell(killer.exe)
>
> HKCU\Software\Microsoft\windows\Currentversion\Run=runonce(c:\windows\smss.exe)
>
>
> HOw to remove this lame virus????
>
> -first download taskiller in http://www.rsdsoft.com/task_killer/index.php4
> and install it to
> your computer because you cant use taskmanager to terminate the virus(the
> virus automatically close taskmanager).
>
> -run taskiller and left click it on the system tray(the one with a skull
> icon)
>
> -click processes
>
> -to close the virus, select process and click yes to the question
>
> (process to close)
> 1.killer.exe
> 2.lsass.exe
> 3.smss.exe
>
> note: close only file that have the same icon of Funny UST Scandal.avi.exe
>
>
> CMD STEPS
> 1-now, click "start" then "run"
> 2-type "cmd" without quotes
> 3-type "cd\" without quotes
> 4-type "attrib -h -s smss.exe" without quotes
> 5-type "attrib -h -s autorun.inf" without quotes
> 6-type "start c:" without quotes(a new window will open)
> 7-select smss.exe,autorun.inf,Funny UST Scandal.avi.exe and delete it
>
> -if theres any drive or a partition type "d:" in command prompt without
> quotes
> "d" is the drive letter then repeat the CMD STEPS number 4-7 above.......
>
> -now type this on the command prompt "cd windows" without quotes(na
> naman!)
> -type "attrib -h -s smss.exe" without quotes(uli)
> -type "start c:\windows" without quotes(hay naku!)
> -delete the file smss.exe
> -now, goto c:\documents and settings\all users\startmenu\programs\startup
> -delete lsass.exe
>
> -click "start" then "run"
> -type "regedit" without quotes then delete the registry entries above....
>
> Note:
> If you have problems opening drives in My Computer open regedit find
> "\smss.exe" then erase values like: "c:\smss.exe", "d:\smss.exe" etc..
>
> --
> Rey
>
>
> "Fahid" wrote:
>
>> Can Someone help about these viruses/spywares
>>
>> XMSS.EXE
>>
>> Funny UST Scandal.avi.EXE
>>
>>
>>
 
Congratulations Fahid. Glad to be of help.
--
Rey


"Fahid Shehzad" wrote:

> Thanks A Million Mr. Rey Santos
>
> I have succesfully removed the viruses with your instructions
>
> Thanks Again
>
>
> "Rey Santos" <ReySantos@discussions.microsoft.com> wrote in message
> news:1DB9F302-478D-4F95-B9B6-B610EFE6549C@microsoft.com...
> > From Sophos: http://www.sophos.com/security/analyses/w32sdbotdiq.html
> >
> > From a Philippines forum UST is University of Sto. Tomas a prestigious
> > Philippine universty:
> > http://www.pcx.com.ph/forum/display_topic_threads.asp?ForumID=3&TopicID=28487&get=last
> >
> > Some of it is in local language so I had to translate below:
> >
> > Software used to build the virus= AutoIt V3
> > drop Files- killer.exe(4084 kb) in c:\windows\
> > lsass.exe(3920kb) in c:\documents and settings\all users\start
> > menu\programs\startup
> > smss.exe(4088kb) in all root drives and in c:\windows
> > autorun.inf(1kb) in all root drives with a script
> >
> > [autorun]
> > open=smss.exe
> > shell\Open\Command=smss.exe
> > shell\open\Default=1
> > shell\Explore\Command=smss.exe
> > shell\Autoplay\command=smss.exe
> >
> > Funny UST Scandal.avi.exe(228kb) in all root drives
> >
> > Registry
> > Entries-HKLM\Software\Microsoft\WindowNT\CurrentVersion\Winlogon=shell(killer.exe)
> >
> > HKCU\Software\Microsoft\windows\Currentversion\Run=runonce(c:\windows\smss.exe)
> >
> >
> > HOw to remove this lame virus????
> >
> > -first download taskiller in http://www.rsdsoft.com/task_killer/index.php4
> > and install it to
> > your computer because you cant use taskmanager to terminate the virus(the
> > virus automatically close taskmanager).
> >
> > -run taskiller and left click it on the system tray(the one with a skull
> > icon)
> >
> > -click processes
> >
> > -to close the virus, select process and click yes to the question
> >
> > (process to close)
> > 1.killer.exe
> > 2.lsass.exe
> > 3.smss.exe
> >
> > note: close only file that have the same icon of Funny UST Scandal.avi.exe
> >
> >
> > CMD STEPS
> > 1-now, click "start" then "run"
> > 2-type "cmd" without quotes
> > 3-type "cd\" without quotes
> > 4-type "attrib -h -s smss.exe" without quotes
> > 5-type "attrib -h -s autorun.inf" without quotes
> > 6-type "start c:" without quotes(a new window will open)
> > 7-select smss.exe,autorun.inf,Funny UST Scandal.avi.exe and delete it
> >
> > -if theres any drive or a partition type "d:" in command prompt without
> > quotes
> > "d" is the drive letter then repeat the CMD STEPS number 4-7 above.......
> >
> > -now type this on the command prompt "cd windows" without quotes(na
> > naman!)
> > -type "attrib -h -s smss.exe" without quotes(uli)
> > -type "start c:\windows" without quotes(hay naku!)
> > -delete the file smss.exe
> > -now, goto c:\documents and settings\all users\startmenu\programs\startup
> > -delete lsass.exe
> >
> > -click "start" then "run"
> > -type "regedit" without quotes then delete the registry entries above....
> >
> > Note:
> > If you have problems opening drives in My Computer open regedit find
> > "\smss.exe" then erase values like: "c:\smss.exe", "d:\smss.exe" etc..
> >
> > --
> > Rey
> >
> >
> > "Fahid" wrote:
> >
> >> Can Someone help about these viruses/spywares
> >>
> >> XMSS.EXE
> >>
> >> Funny UST Scandal.avi.EXE
> >>
> >>
> >>
>
>
>
 
tnx for the info...i got that virus this day...i wonder what is their
problem spreading the virus...I have one question though..i'm not sure
if i followed correctly the guide but the virus is not coming back any
more. Is that good? God bless...
 
Hi

Thanks for the info.
I have the same problem.
i managed to clear it out by this method.
Then i used House call from trend micro to cleanup and some more were
deleted.
but still i am not able to get my folder options settings of "Show
hidden and system files" back.
it switches back to "Do not show" option automatically

what to do abt it ?








On Nov 25, 10:37 am, EAP...@gmail.com wrote:
> tnx for the info...i got that virus this day...i wonder what is their
> problem spreading the virus...I have one question though..i'm not sure
> if i followed correctly the guide but the virus is not coming back any
> more. Is that good? God bless...
 
The trojan is called w32/Sdbot-DIQ by sophos and TROJ_AUTORUN.AHP by
Trend micro



On Nov 27, 1:21 pm, mohanra...@gmail.com wrote:
> Hi
>
> Thanks for the info.
> I have the same problem.
> i managed to clear it out by this method.
> Then i used House call from trend micro to cleanup and some more were
> deleted.
> but still i am not able to get my folder options settings of "Show
> hidden and system files" back.
> it switches back to "Do not show" option automatically
>
> what to do abt it ?
>
> On Nov 25, 10:37 am, EAP...@gmail.com wrote:
>
> > tnx for the info...i got that virus this day...i wonder what is their
> > problem spreading the virus...I have one question though..i'm not sure
> > if i followed correctly the guide but the virus is not coming back any
> > more. Is that good? God bless...
 
See this link if it would help:

http://forums.techguy.org/windows-nt-2000-xp/595940-solved-hidden-folder.html
--
Rey


"mohanraj.k@gmail.com" wrote:

> Hi
>
> Thanks for the info.
> I have the same problem.
> i managed to clear it out by this method.
> Then i used House call from trend micro to cleanup and some more were
> deleted.
> but still i am not able to get my folder options settings of "Show
> hidden and system files" back.
> it switches back to "Do not show" option automatically
>
> what to do abt it ?
>
>
>
>
>
>
>
>
> On Nov 25, 10:37 am, EAP...@gmail.com wrote:
> > tnx for the info...i got that virus this day...i wonder what is their
> > problem spreading the virus...I have one question though..i'm not sure
> > if i followed correctly the guide but the virus is not coming back any
> > more. Is that good? God bless...
>
>
 
On Nov 24, 12:26 pm, Rey Santos <ReySan...@discussions.microsoft.com>
wrote:
> From Sophos: http://www.sophos.com/security/analyses/w32sdbotdiq.html
>
> From a Philippines forum UST is University of Sto. Tomas a prestigious
> Philippine universty:http://www.pcx.com.ph/forum/display_topic_threads.asp?ForumID=3&Topic...
>
> Some of it is in local language so I had to translate below:
>
> Software used to build the virus= AutoIt V3
> drop Files- killer.exe(4084 kb) in c:\windows\
> lsass.exe(3920kb) in c:\documents and settings\all users\start
> menu\programs\startup
> smss.exe(4088kb) in all root drives and in c:\windows
> autorun.inf(1kb) in all root drives with a script
>
> [autorun]
> open=smss.exe
> shell\Open\Command=smss.exe
> shell\open\Default=1
> shell\Explore\Command=smss.exe
> shell\Autoplay\command=smss.exe
>
> Funny UST Scandal.avi.exe(228kb) in all root drives
>
> Registry
> Entries-HKLM\Software\Microsoft\WindowNT\CurrentVersion\Winlogon=shell(kill-er.exe)
>
> HKCU\Software\Microsoft\windows\Currentversion\Run=runonce(c:\windows\smss.-exe)
>
> HOw to remove this lame virus????
>
> -first download taskiller inhttp://www.rsdsoft.com/task_killer/index.php4
> and install it to
> your computer because you cant use taskmanager to terminate the virus(the
> virus automatically close taskmanager).
>
> -run taskiller and left click it on the system tray(the one with a skull icon)
>
> -click processes
>
> -to close the virus, select process and click yes to the question
>
> (process to close)
> 1.killer.exe
> 2.lsass.exe
> 3.smss.exe
>
> note: close only file that have the same icon of Funny UST Scandal.avi.exe
>
> CMD STEPS
> 1-now, click "start" then "run"
> 2-type "cmd" without quotes
> 3-type "cd\" without quotes
> 4-type "attrib -h -s smss.exe" without quotes
> 5-type "attrib -h -s autorun.inf" without quotes
> 6-type "start c:" without quotes(a new window will open)
> 7-select smss.exe,autorun.inf,Funny UST Scandal.avi.exe and delete it
>
> -if theres any drive or a partition type "d:" in command prompt without quotes
> "d" is the drive letter then repeat the CMD STEPS number 4-7 above.......
>
> -now type this on the command prompt "cd windows" without quotes(na naman!)
> -type "attrib -h -s smss.exe" without quotes(uli)
> -type "start c:\windows" without quotes(hay naku!)
> -delete the file smss.exe
> -now, goto c:\documents and settings\all users\startmenu\programs\startup
> -delete lsass.exe
>
> -click "start" then "run"
> -type "regedit" without quotes then delete the registry entries above....
>
> Note:
> If you have problems opening drives in My Computer open regedit find
> "\smss.exe" then erase values like: "c:\smss.exe", "d:\smss.exe" etc..
>
> --
> Rey
>
>
>
> "Fahid" wrote:
> > Can Someone help about these viruses/spywares
>
> > XMSS.EXE
>
> > Funny UST Scandal.avi.EXE- Hide quoted text -
>
> - Show quoted text -

hi geeks,

this is not related to xp but win2k server sp4.
my issue is; i have win2k server sp4 running and affected by "Funny
UST Scandal.avi.EXE" but as you mentioned the changes in Registry and
file created in root directory (.inf), not in my case.
no such files are there in Startup.
in other case, there is a sub-dir under d:\ drive. i have this virus
here.
i am surprised how do i clean this and i don't know also.
there is no Unknown service starts even, all are os related services
runs.
could you please solve this.
 
On Nov 29, 4:28 am, bhattu...@gmail.com wrote:
> On Nov 24, 12:26 pm, Rey Santos <ReySan...@discussions.microsoft.com>
> wrote:
>
>
>
>
>
> > From Sophos:  http://www.sophos.com/security/analyses/w32sdbotdiq.html
>
> > From a Philippines forum UST is University of Sto. Tomas a prestigious
> > Philippine universty:http://www.pcx.com.ph/forum/display_topic_threads.asp?ForumID=3&Topic...
>
> > Some of it is in local language so I had to translate below:
>
> > Software used to build the virus= AutoIt V3
> > drop Files- killer.exe(4084 kb) in c:\windows\
> >      lsass.exe(3920kb) in c:\documents and settings\all users\start
> > menu\programs\startup
> >             smss.exe(4088kb) in all root drives and in c:\windows
> >      autorun.inf(1kb) in all root drives with a script
>
> >  [autorun]
> >  open=smss.exe
> >  shell\Open\Command=smss.exe
> >  shell\open\Default=1
> >  shell\Explore\Command=smss.exe
> >  shell\Autoplay\command=smss.exe
>
> >     Funny UST Scandal.avi.exe(228kb) in all root drives
>
> > Registry
> > Entries-HKLM\Software\Microsoft\WindowNT\CurrentVersion\Winlogon=shell(kill­-er.exe)
>
> > HKCU\Software\Microsoft\windows\Currentversion\Run=runonce(c:\windows\smss.­-exe)
>
> > HOw to remove this lame virus????
>
> > -first download taskiller inhttp://www.rsdsoft.com/task_killer/index.php4
> > and install it to
> > your computer because you cant use taskmanager to terminate the virus(the
> > virus automatically close taskmanager).
>
> > -run taskiller and left click it on the system tray(the one with a skullicon)
>
> > -click processes
>
> > -to close the virus, select process and click yes to the question
>
> > (process to close)
> > 1.killer.exe
> > 2.lsass.exe
> > 3.smss.exe
>
> > note: close only file that have the same icon of Funny UST Scandal.avi.exe
>
> > CMD STEPS
> > 1-now, click "start" then "run"
> > 2-type "cmd" without quotes
> > 3-type "cd\" without quotes
> > 4-type "attrib -h -s smss.exe" without quotes
> > 5-type "attrib -h -s autorun.inf" without quotes
> > 6-type "start c:" without quotes(a new window will open)
> > 7-select smss.exe,autorun.inf,Funny UST Scandal.avi.exe and delete it
>
> > -if theres any drive or a partition type "d:" in command prompt without quotes
> > "d" is the drive letter then repeat the CMD STEPS number 4-7 above........
>
> > -now type this on the command prompt "cd windows" without quotes(na naman!)
> > -type "attrib -h -s smss.exe" without quotes(uli)
> > -type "start c:\windows" without quotes(hay naku!)
> > -delete the file smss.exe
> > -now, goto c:\documents and settings\all users\startmenu\programs\startup
> > -delete lsass.exe
>
> > -click "start" then "run"
> > -type "regedit" without quotes then delete the registry entries above.....
>
> > Note:
> > If you have problems opening drives in My Computer open regedit find
> > "\smss.exe" then erase values like: "c:\smss.exe", "d:\smss.exe" etc..
>
> > --
> > Rey
>
> > "Fahid" wrote:
> > > Can Someone help about these viruses/spywares
>
> > > XMSS.EXE
>
> > > Funny UST Scandal.avi.EXE- Hide quoted text -
>
> > - Show quoted text -
>
> hi geeks,
>
> this is not related to xp but win2k server sp4.
> my issue is; i have win2k server sp4 running and affected by "Funny
> UST Scandal.avi.EXE" but as you mentioned the changes in Registry and
> file created in root directory (.inf), not in my case.
> no such files are there in Startup.
> in other case, there is a sub-dir under d:\ drive. i have this virus
> here.
> i am surprised how do i clean this and i don't know also.
> there is no Unknown service starts even, all are os related services
> runs.
> could you please solve this.- Hide quoted text -
>
> - Show quoted text -

just open this link http://www.geocities.com/six519/Remover.zip
download it and unzip it
 
Back
Top