0

(I really need to stop harassing you guys with my computer problems on this forum :-|)

I just discovered I have the following two variant viruses floating about in my startup module (Probably allot more thanks to this website which I haven’t thoroughly gone over with every suspicious file type in my startup processes yet. http://www.sysinfo.org/startuplist.php )

"smss.exe: Added as a result of the FLOOD.F VIRUS! Note - this is not the legitimate Smss.exe system file should normally NOT figure in Msconfig/Startup!
Spoolsv: X Spoolsv.exe Added as a result of the CIADOOR.121 VIRUS! Note - "Spoolsv.exe" is located in the Windows or Winnt directory, and not in System32, like the legitimate Spoolsv.exe system file"

I cant seem to get rid of these imposters and Norton Antivirus seems to obliviously fly by them, even after I specified there file type in smart scan. What should I do? I cant end there process in the start menu bar as they keep claiming to be a critical system file :(
__________________

2
Contributors
7
Replies
8
Views
12 Years
Discussion Span
Last Post by DuncanIdaho
0

Boot in safe mode to delete them. (Hit f8 repeatedly while the machine's booting up). That should work.

You mean run norton anti-virus scan on safe mode or end processes during safe mode :?:

0

Are you saying they are running processes when you run in safe mode? They shouldn't be, at least to my knowledge, but then, if they are virii, I guess unexpected behavior shouldn't be...well...unexpected. Sorry if my advice was useless. ^^;

0

Are you saying they are running processes when you run in safe mode? They shouldn't be, at least to my knowledge, but then, if they are virii, I guess unexpected behavior shouldn't be...well...unexpected. Sorry if my advice was useless. ^^;

k well assuming they "werent" running processes, how would I go about deleting them?

Its not like they give away there directory location, and they DO masquerade as an integral system file. So I wouldnt want to delete the actual system file by mistake. How would I discover which is what?

I need to get these things off my computer. All sorts of crazy things keep happening like my symantec auto updater updating every 10 seconds. And my PF usage is through the roof. Almost at an average of 300!

0

Umm...

Okay, here, check this out again:

"smss.exe: Added as a result of the FLOOD.F VIRUS! Note - this is not the legitimate Smss.exe system file should normally NOT figure in Msconfig/Startup!

Simply put, if the file is starting in MSCONFIG's startup pane, it's not the real one. Run msconfig, (start/run/msconfig), look on the startup page, is smss.exe there? If so, it will show the path to it, write it down. Now you'll know one path. (If you don't find smss.exe listed in msconfig's startup window, then this is not the virus you have).

Spoolsv: X Spoolsv.exe Added as a result of the CIADOOR.121 VIRUS! Note - "Spoolsv.exe" is located in the Windows or Winnt directory, and not in System32, like the legitimate Spoolsv.exe system file"

Well, it tells you where this one is. If you have a copy of spoolsrv.exe located in your winnt or windows folder, that's a fake one. The real one is always in your windows/system32 folder.

How's that? ;)

0

Umm...

Okay, here, check this out again:

"smss.exe: Added as a result of the FLOOD.F VIRUS! Note - this is not the legitimate Smss.exe system file should normally NOT figure in Msconfig/Startup!

Simply put, if the file is starting in MSCONFIG's startup pane, it's not the real one. Run msconfig, (start/run/msconfig), look on the startup page, is smss.exe there? If so, it will show the path to it, write it down. Now you'll know one path. (If you don't find smss.exe listed in msconfig's startup window, then this is not the virus you have).

Spoolsv: X Spoolsv.exe Added as a result of the CIADOOR.121 VIRUS! Note - "Spoolsv.exe" is located in the Windows or Winnt directory, and not in System32, like the legitimate Spoolsv.exe system file"

Well, it tells you where this one is. If you have a copy of spoolsrv.exe located in your winnt or windows folder, that's a fake one. The real one is always in your windows/system32 folder.

How's that? ;)

Ok well It turns out I cant find spoolsrv.exe in my windows folder (And I cant find a winnt folder) and the smss.exe does not show up in my msconfig startup. So does this mean that I dont have these files?

Then why is it I cant end these tasks. And hypothetically if these arent the causes of my sudden spike in PF usage.. what the hell is?

0

I couldn't tell you. There may well be more than one virus that replaces those two files, I can only work with the info you've given me, and that info was that you had those two bugs. It may be that you have other bugs that load false copies of smss and spoolsrv, or you have a recent variant with some differences (like the files being placed elsewhere), or it could be something else entirely.

It'd be my opinion you don't have those two virii specifically, judging by the fact you don't have the right fake files in the right places.

You could try searching your hard drive for files and folders, (start, search, all files and folders), search for those two files specifically, and write down any you find that are not in the right place, (both files should be in windows/system32, any you find elsewhere are suspect). (Note, you may find copies of smss.exe in c:\windows\$NTServicePackuninstall$, and c:\windows\servicepackfiles\i386, those two are legitimate)

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.