(I really need to stop harassing you guys with my computer problems on this forum :-|)

I just discovered I have the following two variant viruses floating about in my startup module (probably a lot more, thanks to this website, which I haven't thoroughly gone over with every suspicious file type in my startup processes yet: http://www.sysinfo.org/startuplist.php).

"smss.exe: Added as a result of the FLOOD.F VIRUS! Note - this is not the legitimate Smss.exe system file should normally NOT figure in Msconfig/Startup!
Spoolsv: X Spoolsv.exe Added as a result of the CIADOOR.121 VIRUS! Note - "Spoolsv.exe" is located in the Windows or Winnt directory, and not in System32, like the legitimate Spoolsv.exe system file"

I can't seem to get rid of these impostors, and Norton Antivirus seems to obliviously fly by them, even after I specified their file type in smart scan. What should I do? I can't end their process in the start menu bar as they keep claiming to be a critical system file :(

Boot in safe mode to delete them. (Hit f8 repeatedly while the machine's booting up). That should work.

You mean run a Norton AntiVirus scan in safe mode, or end processes during safe mode :?:

Are you saying they are running processes when you run in safe mode? They shouldn't be, at least to my knowledge, but then, if they are viruses, I guess unexpected behavior shouldn't be...well...unexpected. Sorry if my advice was useless. ^^;

OK, well, assuming they "weren't" running processes, how would I go about deleting them?

It's not like they give away their directory location, and they DO masquerade as an integral system file. So I wouldn't want to delete the actual system file by mistake. How would I discover which is what?

I need to get these things off my computer. All sorts of crazy things keep happening, like my Symantec auto updater updating every 10 seconds. And my PF usage is through the roof. Almost at an average of 300!

Umm...

Okay, here, check this out again:

"smss.exe: Added as a result of the FLOOD.F VIRUS! Note - this is not the legitimate Smss.exe system file should normally NOT figure in Msconfig/Startup!

Simply put, if the file is starting in MSCONFIG's startup pane, it's not the real one. Run msconfig, (start/run/msconfig), look on the startup page, is smss.exe there? If so, it will show the path to it, write it down. Now you'll know one path. (If you don't find smss.exe listed in msconfig's startup window, then this is not the virus you have).

Spoolsv: X Spoolsv.exe Added as a result of the CIADOOR.121 VIRUS! Note - "Spoolsv.exe" is located in the Windows or Winnt directory, and not in System32, like the legitimate Spoolsv.exe system file"

Well, it tells you where this one is. If you have a copy of spoolsrv.exe located in your winnt or windows folder, that's a fake one. The real one is always in your windows/system32 folder.

How's that? ;)

OK, well, it turns out I can't find spoolsrv.exe in my windows folder (and I can't find a winnt folder), and the smss.exe does not show up in my msconfig startup. So does this mean that I don't have these files?

Then why is it I can't end these tasks? And hypothetically, if these aren't the causes of my sudden spike in PF usage... what the hell is?

I couldn't tell you. There may well be more than one virus that replaces those two files, I can only work with the info you've given me, and that info was that you had those two bugs. It may be that you have other bugs that load false copies of smss and spoolsrv, or you have a recent variant with some differences (like the files being placed elsewhere), or it could be something else entirely.

It'd be my opinion you don't have those two viruses specifically, judging by the fact you don't have the right fake files in the right places.

You could try searching your hard drive for files and folders, (start, search, all files and folders), search for those two files specifically, and write down any you find that are not in the right place, (both files should be in windows/system32, any you find elsewhere are suspect). (Note, you may find copies of smss.exe in c:\windows\$NTServicePackuninstall$, and c:\windows\servicepackfiles\i386, those two are legitimate)
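Added example, not part of the original thread: one way to apply the location checks from the replies above to a list of search results and startup entries. The function names, the sample paths and the default Windows directory are assumptions made for illustration; "suspect" here only means "not in a folder the thread names as legitimate".

```python
import ntpath  # Windows path rules, usable on any OS for offline triage
# Folders (relative to the Windows directory, lower-cased) that the last reply
# treats as legitimate. It names the service-pack folders for smss.exe only.
LEGIT_DIRS = {
    "smss.exe": {"system32", "$ntservicepackuninstall$", r"servicepackfiles\i386"},
    "spoolsv.exe": {"system32"},
}

def classify(path, windir=r"C:\Windows"):
    """Return 'ignored', 'expected' or 'suspect' for one full file path."""
    norm = ntpath.normcase(ntpath.normpath(path))
    name = ntpath.basename(norm)
    if name not in LEGIT_DIRS:
        return "ignored"
    root = ntpath.normcase(ntpath.normpath(windir))
    folder = ntpath.dirname(norm)
    if folder == root:
        rel = ""                          # directly in the Windows directory
    elif folder.startswith(root + "\\"):
        rel = folder[len(root) + 1:]      # e.g. "system32"
    else:
        return "suspect"                  # outside the Windows directory
    return "expected" if rel in LEGIT_DIRS[name] else "suspect"

def triage(search_hits, startup_entries=(), windir=r"C:\Windows"):
    """List (path, reason) pairs worth a closer look."""
    findings = []
    for p in startup_entries:
        # Per the quoted startup-list note, the real smss.exe is not a startup item.
        if ntpath.basename(ntpath.normcase(p)) == "smss.exe":
            findings.append((p, "smss.exe listed as a startup item"))
    for p in search_hits:
        if classify(p, windir) == "suspect":
            findings.append((p, "outside the expected folders"))
    return findings

# Constructed sample data, not taken from the poster's machine.
SAMPLE_HITS = [
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\WINDOWS\$NtServicePackUninstall$\smss.exe",
    r"C:\WINDOWS\ServicePackFiles\i386\smss.exe",
    r"C:\WINDOWS\spoolsv.exe",
    r"D:\Temp\smss.exe",
]
SAMPLE_STARTUP = [r"C:\WINDOWS\smss.exe", r"C:\Program Files\App\app.exe"]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_HITS, SAMPLE_STARTUP):
        print(f"{path}: {reason}")
```

Comparison is case-insensitive and accepts either slash direction, so paths copied from a search window or a startup listing can be pasted in as they appear.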
