tag:blogger.com,1999:blog-8674210957968776762012-02-16T01:17:32.450-08:00Virus Fighterhttp://www.blogger.com/profile/01404661285164757185noreply@blogger.comBlogger11100tag:blogger.com,1999:blog-867421095796877676.post-23691655837757141192007-12-18T10:36:00.000-08:002007-12-18T11:21:41.691-08:00<strong><span style="font-size:85%;">VIRUS INFO</span></strong><br /><span style="font-size:85%;"></span><br /><span style="font-size:85%;">Software used to build the virus= AutoIt V3</span><br /><strong><span style="font-size:85%;"></span></strong><br /><strong><span style="font-size:85%;">Dropped Files</span></strong><br /><span style="font-size:85%;">killer.exe(4084 kb) in c:\windows\</span><br /><span style="font-size:85%;">lsass.exe(3920kb) in c:\documents and settings\all users\start menu\programs\startupsmss.exe(4088kb) in all root drives and in c:\windows</span><br /><span style="font-size:85%;">autorun.inf(1kb) in all root drives with a script </span><br /><span style="font-size:85%;"></span><br /><span style="font-size:85%;">[autorun]</span><br /><span style="font-size:85%;">open=smss.exe</span><br /><span style="font-size:85%;">shell\Open\Command=smss.exe</span><br /><span style="font-size:85%;">shell\open\Default=1</span><br /><span style="font-size:85%;">shell\Explore\Command=smss.exe</span><br /><span style="font-size:85%;">shell\Autoplay\command=smss.exe </span><br /><span style="font-size:85%;"></span><br /><span style="font-size:85%;">Funny UST Scandal.avi.exe(228kb) in all root drives<br /></span><br /><strong><span style="font-size:85%;">Registry Entries</span></strong><br /><span style="font-size:85%;">HKLM\Software\Microsoft\WindowNT\CurrentVersion\Winlogon=shell(killer.exe)</span><br /><span style="font-size:85%;">HKCU\Software\Microsoft\windows\Currentversion\Run=runonce(c:\windows\smss.exe)<br /></span><br /><span style="font-size:85%;"><strong>Manual Removal</strong> </span><br /><br /><span style="font-size:85%;">1. First download <a href="http://www.rsdsoft.com/zip/tksetup.exe">Task Killer</a> and install it to your computer because you can’t use Task Manager to terminate the virus (the virus automatically closes Task Manager). </span><br /><span style="font-size:85%;">2. Run Task Killer and left click it on the system tray(the one with a skull icon)</span><br /><span style="font-size:85%;">3. Click processes </span><br /><span style="font-size:85%;">4. To close the virus, select the processes(killer.exe, lsass.exe, smss.exe) and click yes. </span><br /><span style="font-size:85%;"><strong></strong></span><br /><span style="font-size:85%;">Note: Close only file that have the same icon of Funny UST Scandal.avi.exe </span><br /><span style="font-size:85%;"><br /><strong>CMD Steps</strong><br />1. Now, click "start" then "run"<br />2. Type "cmd" without quotes<br />3. Type "cd\" without quotes<br />4. Type "attrib -h -s smss.exe" without quotes<br />5. Type "attrib -h -s autorun.inf" without quotes<br />6. Type "start c:" without quotes (a new window will open) 7<br />. Select smss.exe, autorun.inf, Funny UST Scandal.avi.exe and delete it<br /><br />If there’s any other drive or a partition type "d:" in command prompt without quotes "d" is the drive letter then repeat the steps 4 - 7 above.......<br />Now type this on the command prompt "cd windows" without quotes.<br />Type "attrib -h -s smss.exe" (without quotes)<br />Type "start c:\windows" (without quotes)<br />Delete the file smss.exe<br />Now, go to c:\documents and settings\all users\startmenu\programs\startup<br />Delete lsass.exe<br />Click "start" then "run"<br />Type "regedit" without quotes then delete the registry entries above.<br /><span style="font-size:0;"></span></span><br /><strong>Download <a href="http://www.4shared.com/file/32405634/cc68cdf3/funny_UST_scandal_Remover.html">Removal Tool</a></strong><br /><span style="font-size:85%;"><br /><span style="font-size:0;"></span><br /></span><br /><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/867421095796877676-2369165583775714119?l=virusfighter.blogspot.com' alt='' /></div>Virus Fighterhttp://www.blogger.com/profile/01404661285164757185noreply@blogger.com0