Saturday, November 24, 2007

Funny UST Scandal, smss Virus

What a lame virus... peace! Long live Lipa (Lipa City Public College) F.E.S
Before I teach you how to remove it, here is the information
about the virus.

Software used to build the virus: AutoIt v3

Dropped files:
- killer.exe (4084 KB) in c:\windows\
- lsass.exe (3920 KB) in c:\documents and settings\all users\start menu\programs\startup
- smss.exe (4088 KB) in all root drives and in c:\windows
- autorun.inf (1 KB) in all root drives, with this script:

[autorun]
open=smss.exe
shell\Open\Command=smss.exe
shell\open\Default=1
shell\Explore\Command=smss.exe
shell\Autoplay\command=smss.exe

- Funny UST Scandal.avi.exe (228 KB) in all root drives

Registry entries:
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, value shell = killer.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value runonce = c:\windows\smss.exe
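
As an added example (not part of the original post), this Python sketch parses an autorun.inf like the one above and flags drive-root files that it launches or that hide an executable behind a decoy extension. The sample listing, function names and extension lists are constructed for illustration.

```python
import re

# Constructed sample: the autorun.inf quoted in the post.
SAMPLE_INF = r"""[autorun]
open=smss.exe
shell\Open\Command=smss.exe
shell\open\Default=1
shell\Explore\Command=smss.exe
shell\Autoplay\command=smss.exe
"""
# Constructed sample: a drive-root listing with the dropped files plus benign ones.
SAMPLE_ROOT = ["autorun.inf", "smss.exe", "Funny UST Scandal.avi.exe",
               "Documents and Settings", "boot.ini", "holiday.avi"]
EXECUTABLE = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")
DECOY = (".avi", ".mp3", ".jpg", ".doc", ".txt", ".pdf")  # assumed bait extensions

def autorun_commands(inf_text):
    """Return {key: program} for every [autorun] key that launches something."""
    found, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # open= and shellexecute= run on insert; shell\<verb>\command= takes
            # over the drive's double-click and right-click actions in My Computer.
            if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
                found[key] = value
    return found

def triage_root(inf_text, root_files):
    """Flag root files launched by autorun.inf or using a decoy double extension."""
    # Assumes each value is a bare file name, as in the post's autorun.inf.
    launched = {v.strip('"').lower() for v in autorun_commands(inf_text).values()}
    report = {}
    for name in root_files:
        low = name.lower()
        reasons = []
        if low in launched:
            reasons.append("launched by autorun.inf")
        stem, _, ext = low.rpartition(".")
        if "." + ext in EXECUTABLE and stem.endswith(DECOY):
            reasons.append("decoy double extension")
        if reasons:
            report[name] = reasons
    return report
```

Calling `triage_root(SAMPLE_INF, SAMPLE_ROOT)` flags smss.exe and Funny UST Scandal.avi.exe and leaves boot.ini and holiday.avi alone.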


How to remove this lame virus?

- First, download taskiller from http://www.rsdsoft.com/task_killer/index.php4 and install it on
your computer, because you can't use Task Manager to terminate the virus (the virus automatically closes Task Manager).

- Run taskiller and left-click its icon in the system tray (the one with a skull icon).

- Click "processes".

- To close the virus, select each process and click "yes" to the question.

(processes to close)
1. killer.exe
2. lsass.exe
3. smss.exe

Note: close only the processes that have the same icon as Funny UST Scandal.avi.exe. Windows also runs its own genuine lsass.exe and smss.exe system processes, which are not part of the virus.


CMD STEPS
1 - Now, click "start" then "run".
2 - Type "cmd" without quotes.
3 - Type "cd\" without quotes.
4 - Type "attrib -h -s smss.exe" without quotes.
5 - Type "attrib -h -s autorun.inf" without quotes.
6 - Type "start c:" without quotes (a new window will open).
7 - Select smss.exe, autorun.inf and Funny UST Scandal.avi.exe and delete them.

- If there is any other drive or partition, type "d:" in the command prompt without quotes
("d" is the drive letter), then repeat CMD STEPS 4-7 above.

- Now type "cd windows" in the command prompt without quotes (again!).
- Type "attrib -h -s smss.exe" without quotes (again).
- Type "start c:\windows" without quotes (oh dear!).
- Delete the file smss.exe.
- Now go to c:\documents and settings\all users\start menu\programs\startup
- Delete lsass.exe.

- Click "start" then "run".
- Type "regedit" without quotes, then delete the registry entries listed above.

- That's all! Long live Lipa (6519)


Note:
I'll switch to Tagalog now... writing in English is getting hard for me.
If you have trouble opening drives in My Computer, just open
regedit again and search for "smss.exe",
then delete the values that look like this: "c:\smss.exe", "d:\smss.exe", etc.
OK?



Credits to: fs6519, thanks man

2 comments:

jean said...

Shop, yiii, our PC got infected by a virus like that. I already downloaded the remover. I don't know if the virus is still there, because there was a prompt saying "patayin ang tangahing virus" and "burahin ang tangahing virus"... then I just clicked "yes" on those... So, is the virus still there after that? I don't know how to do the steps in your blog. You know, I'm mass comm, not computer science... hehehe...

MObpac said...

Thanks for this info dude! Really helpful, I haven't tried this method yet... I didn't even know that there was an "autorun.ini" file in the root of the drive. I stopped the processes using security task manager and deleted the .exe files, but when I restarted my computer, the normal "logging-in" screen appeared and then the "Logging-out" screen appeared and I was locked out of my system!!
I couldn't even log in using the 'safe-mode'!! I had to re-install windows!
A pathetic virus created by some low life scumbag!!!