#4
11-10-2008, 02:08 PM
lurkswithin (Senior Member)
 
About:
Join Date: Jan 2008
Location: Texas
Posts: 1,233


'smss.exe' is a Windows program and has to run. This good file is located in the C:\Windows\System32 folder.

'smss.exe', also known as the Flood F trojan or as W32/SOBER, can be safely removed by first locating the malicious file, stopping the process and then removing the files from the computer.
Look for the bad files in C:\Windows\msagent\system\smss.exe, but remember it can have other start-up applications as well! Do not remove the files yet.
********************************************************
If you have identified the particular program that is part of the malware, and you want to remove it, please follow these steps.

1. Download and extract the Autoruns program by Sysinternals to C:\Autoruns

AutoRuns for Windows

2. Reboot into Safe Mode so that the malware is not started when you are doing these steps. Many malware programs monitor the keys that allow them to start and, if they notice they have been removed, will automatically replace that startup key. For this reason, booting into Safe Mode allows us to get past that defense in most cases.

3. Navigate to the C:\Autoruns folder you created in Step 1 and double-click on autoruns.exe.

4. When the program starts, click on the Options menu and enable the following options by clicking on them. This will place a checkmark next to each of these options.

   - Include empty locations
   - Verify Code Signatures
   - Hide Signed Microsoft Entries

5. Then press the F5 key on your keyboard to refresh the startups list using these new settings.

6. The program shows information about your startup entries in 8 different tabs. For the most part, the filename you are looking for will be found under the Logon or the Services tabs, but you should check all the other tabs to make sure they are not loading elsewhere as well. Click on each tab and look through the list for the filename that you want to remove. The filename will be found under the Image Path column. There may be more than one entry associated with the same file, as it is common for malware to create multiple startup entries. It is important to note that many malware programs disguise themselves by using the same filenames as valid Microsoft files. It is therefore important to know exactly which file, and the folder it is in, you want to remove.

7. Once you find the entry that is associated with the malware, you want to delete that entry so it will not start again on the next reboot. To do that, right-click on the entry and select Delete. This startup entry will now be removed from the Registry.

8. Now that we have made it so it will not start on boot-up, you should delete the file using My Computer or Windows Explorer. If you cannot see the file, it may be hidden. To allow you to see hidden files you can follow the steps for your operating system found in this:
Control Panel > Folder Options > View tab; locate "show all folders" and put a tick in the box, then find "hide all folders" and remove the tick from the box.
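The checks the post walks through by hand (is the file in System32, does its code signature verify, which Logon and Services entries launch it), as an added PowerShell example that is not from the original post. It assumes Windows PowerShell 5.1 or later in an elevated session; the function names Test-SmssPath and Get-ExeFromCommand are my own.

```powershell
# Added example, not from the post: flag any running smss.exe, Run-key value or service
# that points outside System32, and check the Authenticode signature of what it finds
# (the same check as Autoruns' "Verify Code Signatures"). Run elevated so paths are visible.
$legit = Join-Path $env:SystemRoot 'System32\smss.exe'

function Test-SmssPath {
    param([string]$Path)
    if (-not $Path) { return 'UNKNOWN: no path reported (run elevated)' }
    $full = [System.IO.Path]::GetFullPath($Path)
    if ($full -ine $legit) { return "SUSPICIOUS: unexpected location $full" }
    $sig = Get-AuthenticodeSignature -FilePath $full
    if ($sig.Status -eq 'Valid') { return 'OK: expected path, signature valid' }
    return "SUSPICIOUS: expected path but signature status is $($sig.Status)"
}

# Pull the executable path out of a command line such as "C:\x\smss.exe" /arg
function Get-ExeFromCommand {
    param([string]$Command)
    if ($Command -match '(?i)^"?(.*?smss\.exe)') { return $Matches[1] }
    return $null
}

$findings = @()
# 1. Running processes named smss.exe
foreach ($p in Get-CimInstance Win32_Process -Filter "Name='smss.exe'") {
    $findings += [pscustomobject]@{ Source = "process $($p.ProcessId)"; Path = $p.ExecutablePath; Verdict = (Test-SmssPath $p.ExecutablePath) }
}

# 2. Logon (Run/RunOnce) keys, the first place the post says to look
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # provider metadata, not a startup value
        $exe = Get-ExeFromCommand "$($prop.Value)"
        if ($exe) { $findings += [pscustomobject]@{ Source = "$key\$($prop.Name)"; Path = $exe; Verdict = (Test-SmssPath $exe) } }
    }
}

# 3. Services whose binary path names smss.exe
foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ExeFromCommand $svc.PathName
    if ($exe) { $findings += [pscustomobject]@{ Source = "service $($svc.Name)"; Path = $exe; Verdict = (Test-SmssPath $exe) } }
}

$findings | Format-Table -AutoSize
```

Anything reported as SUSPICIOUS is what you would then confirm in Autoruns before deleting the entry and the file, as the post describes.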


