Tuesday, June 24, 2008

How to remove a new (local) virus called JoniEzz.exe

Yesterday my friend came to my room complaining about a virus on his computer and asked me to clean it. He brought his USB memory stick, full of infected documents. Without any suspicion, I plugged it into my lovely computer. I wasn't worried at all, because I had scanned it with Norton Antivirus (virus definitions updated 13/6/08) beforehand. No malware was found, so I was sure it was clean and safe. Well, until last night I didn't realize that I was infected too. Major changes in my computer made me suspicious, so I began to use Ice Sword to monitor what processes were running. I use it because the virus processes usually do not appear in the normal process list. Then I found it: a process called smss.exe, but with a Word icon. This is weird, because the real smss.exe process does not have a Word icon. At that point I realized that I had been infected.


So I want to share my experience of how to remove the virus and get your hidden documents back. First we need these tools:

1. Ice Sword, to monitor the processes. The virus does not recognize it, because its window title is randomly changed.
2. Toggle hidden explorer stuff, a VBScript and a good tool for showing system files that carry the super-hidden (System + Hidden) attribute. Alternatively, set the DWORD values Hidden = 1 and ShowSuperHidden = 1 under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced in the registry; Explorer needs both to display files that are hidden and system at the same time. Note: some antivirus products will block this script, just allow it.
3. Attribute Changer, a great tool for changing file attributes, even the super-hidden ones. You need to install this tool first.

That's all we need. You can get them from the Download box on my blog (right sidebar) or just Google them.
Now let's do the real thing:
- Fire up Ice Sword, find the processes called smss with a Word icon and kill them. Remember: only the processes with the Word icon! Check the image path in Ice Sword as well: the genuine smss.exe (the Session Manager) runs directly from C:\Windows\System32 and there is only one of it, while the copies dropped by the virus run from a subfolder.
- After that, use the toggle super-hidden script to show all the system files. Go to C:\Windows\System32 and find a folder named LoLOxz (or something like that). Inside the folder are smss.exe and msvbm60.dll. Just delete the folder. Now you have removed the virus processes and their files.
- To get your hidden documents back, locate them, select all the hidden documents and right-click. Select Change Attributes from the menu that appears and uncheck Hidden and System. Your documents are now back to normal.


- This virus also creates msvbm60.dll in the same folder as the infected files, and an autorun.inf in the root of every drive that launches the JoniEzz.exe placed there. Remove all of them too: the dll, autorun.inf and the JoniEzz.exe it points at. While autorun.inf is still present, open the drives by typing the drive letter into the Explorer address bar instead of double-clicking the drive icon, so the autorun command is not triggered again.
Just for information: this virus only infects files in first-level directories, so if your files are located deeper in the directory tree you don't have to worry. Maybe this only removes the main virus and its processes; I really have no idea how many other files the virus creates in the Windows directory or elsewhere. I think it is wiser for you to back up all your important data and update your antivirus definition file right now. If you have any information about this virus, feel free to comment. That's all, I hope this is useful.
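The manual steps above, collected into one PowerShell script. This is an added example and not code from the original post. It assumes the dropper folder is C:\Windows\System32\LoLOxz (the post says "or something like that", so change $DropFolder if yours differs), that the hidden documents have the extensions listed in $DocExtensions (an assumption, extend it to match your files), and that it runs in an elevated PowerShell window. It only kills smss.exe processes whose image path can be read and is not the genuine System32\smss.exe, so the real Session Manager is never touched, and it unhides documents only in drive roots and first-level directories, as the post describes.

```powershell
# Added example, not from the original post: automates the manual cleanup steps.
# Assumptions: dropper folder name (from the post, "or something like that"),
# document extensions (a guess, extend as needed), and an elevated shell.
param(
    [string]   $DropFolder    = "$env:SystemRoot\System32\LoLOxz",
    [string[]] $DocExtensions = @('.doc', '.xls', '.ppt', '.pdf', '.txt')
)

$ErrorActionPreference = 'Continue'

# 1. Kill only the fake smss.exe. The genuine one runs from System32 itself and
#    its image path is usually not readable at all; the copies dropped by the
#    virus are ordinary user processes with a readable path in a subfolder.
$realSmss = Join-Path $env:SystemRoot 'System32\smss.exe'
Get-Process -Name smss -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ine $realSmss) } |
    ForEach-Object {
        Write-Host "Killing fake smss.exe (PID $($_.Id)) at $($_.Path)"
        Stop-Process -Id $_.Id -Force
    }

# 2. Make Explorer show hidden and super-hidden (System + Hidden) files again.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord

# 3. Delete the dropper folder (smss.exe + msvbm60.dll) now that the process is dead.
if (Test-Path -LiteralPath $DropFolder) {
    Write-Host "Removing $DropFolder"
    Remove-Item -LiteralPath $DropFolder -Recurse -Force
}

# 4. Per drive: remove autorun.inf and JoniEzz.exe from the root, then remove
#    msvbm60.dll and unhide documents in the root and first-level directories
#    only (the post says deeper directories are not touched by this virus).
$sysHidden = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    if (-not (Test-Path -LiteralPath $root)) { continue }

    foreach ($name in 'autorun.inf', 'JoniEzz.exe') {
        $p = Join-Path $root $name
        if (Test-Path -LiteralPath $p) { Write-Host "Removing $p"; Remove-Item -LiteralPath $p -Force }
    }

    $targets = @(Get-Item -LiteralPath $root) +
               @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSIsContainer })

    foreach ($dir in $targets) {
        $dll = Join-Path $dir.FullName 'msvbm60.dll'
        if (Test-Path -LiteralPath $dll) { Write-Host "Removing $dll"; Remove-Item -LiteralPath $dll -Force }

        Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                ($DocExtensions -contains $_.Extension.ToLower()) -and
                (([int]$_.Attributes -band $sysHidden) -eq $sysHidden)
            } |
            ForEach-Object {
                Write-Host "Unhiding $($_.FullName)"
                # Clear only Hidden and System, keep every other attribute as it was.
                $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $sysHidden))
            }
    }
}
```

Save it as, for example, clean-joniezz.ps1 and run it from an elevated prompt with `powershell -ExecutionPolicy Bypass -File .\clean-joniezz.ps1`. Read the "Killing" and "Removing" lines it prints before trusting the machine again, and plug in the infected USB stick only after the script has run, so the copy in its root is removed before Explorer can act on its autorun.inf.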

1 comment:

Anonymous said...

thank you very much

I managed to get rid of the virus now :D

excellent step by step tutorial!

james