Startup Viruses masquerading as critical boot files
(I really need to stop harassing you guys with my computer problems on this forum :-|)
I just discovered I have the following two variant viruses floating about in my startup module (Probably a lot more thanks to this website which I haven’t thoroughly gone over with every suspicious file type in my startup processes yet. http://www.sysinfo.org/startuplist.php )
"smss.exe: Added as a result of the FLOOD.F VIRUS! Note - this is not the legitimate Smss.exe system file should normally NOT figure in Msconfig/Startup!
Spoolsv: X Spoolsv.exe Added as a result of the CIADOOR.121 VIRUS! Note - "Spoolsv.exe" is located in the Windows or Winnt directory, and not in System32, like the legitimate Spoolsv.exe system file"
I can't seem to get rid of these imposters and Norton Antivirus seems to obliviously fly by them, even after I specified their file type in smart scan. What should I do? I can't end their process in the start menu bar as they keep claiming to be a critical system file.
__________________
-Operating System: Windows XP Home Edition
-Console Model & Manufacturer: COMPAQ Presario SR1030NX
-Processor: AMD Athlon XP 3000 Processor (2.17Ghz)
-RAM: 1 gig (2x 512 DDR, PC2700 chips)
-Harddrive: 160GB (7200 RPM) Ultra DMA Hard drive
-Graphics Card: Radeon 9200 (128mb)
Originally Posted by DuncanIdaho
Boot in safe mode to delete them. (Hit f8 repeatedly while the machine's booting up). That should work.
You mean run a Norton anti-virus scan in safe mode or end processes during safe mode?
Originally Posted by DuncanIdaho
Are you saying they are running processes when you run in safe mode? They shouldn't be, at least to my knowledge, but then, if they are virii, I guess unexpected behavior shouldn't be...well...unexpected. Sorry if my advice was useless. ^^;
It's not like they give away their directory location, and they DO masquerade as an integral system file. So I wouldn't want to delete the actual system file by mistake. How would I discover which is what?
I need to get these things off my computer. All sorts of crazy things keep happening like my Symantec auto updater updating every 10 seconds. And my PF usage is through the roof. Almost at an average of 300!
Umm...
Okay, here, check this out again:
"smss.exe: Added as a result of the FLOOD.F VIRUS! Note - this is not the legitimate Smss.exe system file should normally NOT figure in Msconfig/Startup!
Simply put, if the file is starting in MSCONFIG's startup pane, it's not the real one. Run msconfig, (start/run/msconfig), look on the startup page, is smss.exe there? If so, it will show the path to it, write it down. Now you'll know one path. (If you don't find smss.exe listed in msconfig's startup window, then this is not the virus you have).
Spoolsv: X Spoolsv.exe Added as a result of the CIADOOR.121 VIRUS! Note - "Spoolsv.exe" is located in the Windows or Winnt directory, and not in System32, like the legitimate Spoolsv.exe system file"
Well, it tells you where this one is. If you have a copy of spoolsv.exe located in your winnt or windows folder, that's a fake one. The real one is always in your windows/system32 folder.
How's that?
-Idaho
Don't look at me, I am SO out of here. Bye.
Originally Posted by DuncanIdaho
Umm...
Okay, here, check this out again:
"smss.exe: Added as a result of the FLOOD.F VIRUS! Note - this is not the legitimate Smss.exe system file should normally NOT figure in Msconfig/Startup!
Simply put, if the file is starting in MSCONFIG's startup pane, it's not the real one. Run msconfig, (start/run/msconfig), look on the startup page, is smss.exe there? If so, it will show the path to it, write it down. Now you'll know one path. (If you don't find smss.exe listed in msconfig's startup window, then this is not the virus you have).
Spoolsv: X Spoolsv.exe Added as a result of the CIADOOR.121 VIRUS! Note - "Spoolsv.exe" is located in the Windows or Winnt directory, and not in System32, like the legitimate Spoolsv.exe system file"
Well, it tells you where this one is. If you have a copy of spoolsv.exe located in your winnt or windows folder, that's a fake one. The real one is always in your windows/system32 folder.
How's that?
Then why is it I can't end these tasks? And hypothetically if these aren't the causes of my sudden spike in PF usage.. what the hell is?
I couldn't tell you. There may well be more than one virus that replaces those two files, I can only work with the info you've given me, and that info was that you had those two bugs. It may be that you have other bugs that load false copies of smss and spoolsv, or you have a recent variant with some differences (like the files being placed elsewhere), or it could be something else entirely.
It'd be my opinion you don't have those two virii specifically, judging by the fact you don't have the right fake files in the right places.
You could try searching your hard drive for files and folders, (start, search, all files and folders), search for those two files specifically, and write down any you find that are not in the right place, (both files should be in windows/system32, any you find elsewhere are suspect). (Note, you may find copies of smss.exe in c:\windows\$NTServicePackuninstall$, and c:\windows\servicepackfiles\i386, those two are legitimate)
-Idaho
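
The location rule from the replies above, as an added example that is not part of the original thread: a Python triage over msconfig Startup entries and file-search hits for the two names discussed. The `C:\WINDOWS` root, the sample entries and the function names are assumptions, and the service-pack folders the reply lists for smss.exe are applied to both names here.

```python
import ntpath
import re

WATCHED = {"smss.exe", "spoolsv.exe"}  # the two names discussed in the thread
# Service-pack folders the reply lists as holding legitimate copies (assumed for both names).
BACKUP_DIRS = ("$ntservicepackuninstall$", r"servicepackfiles\i386")

def image_path(command, system_root=r"C:\WINDOWS"):
    """Pull the executable path out of a command line and normalise it."""
    cmd = command.strip()
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', cmd, re.IGNORECASE)
    path = (m.group(1) or m.group(2)) if m else cmd
    for var in ("%systemroot%", "%windir%"):
        path = re.sub(re.escape(var), lambda _: system_root, path, flags=re.IGNORECASE)
    return ntpath.normpath(path.replace("/", "\\")).lower()

def classify(source, command, system_root=r"C:\WINDOWS"):
    """source is 'startup' (an msconfig Startup entry) or 'disk' (a file-search hit)."""
    path = image_path(command, system_root)
    if ntpath.basename(path) not in WATCHED:
        return "ignore"
    if source == "startup":
        # Per the thread: the real file does not appear in the Startup pane at all,
        # so the entry is suspect whatever folder it points at.
        return "suspect"
    root = system_root.lower()
    folder = ntpath.dirname(path)
    if folder == root + r"\system32":
        return "expected"
    if folder in {root + "\\" + d for d in BACKUP_DIRS}:
        return "backup"  # acceptable as a file on disk only
    return "suspect"

SAMPLE = [  # constructed entries, not taken from the poster's machine
    ("startup", r"C:\WINDOWS\spoolsv.exe"),
    ("startup", "smss.exe"),
    ("disk", r"%SystemRoot%\System32\smss.exe"),
    ("disk", r"C:\WINDOWS\ServicePackFiles\i386\smss.exe"),
    ("disk", r'"C:\Documents and Settings\user\smss.exe" /s'),
    ("startup", r"C:\Program Files\Example\updater.exe"),
]

def triage(entries=SAMPLE):
    return [(src, cmd, classify(src, cmd)) for src, cmd in entries]

if __name__ == "__main__":
    for src, cmd, verdict in triage():
        print(f"{verdict:8} {src:8} {cmd}")
```
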





