Xmss.exe Removal

Quick Heal: Worm.Sohanand.b

This worm has nothing to do with smss.exe. smss.exe, the Session Manager Subsystem, is a legitimate Windows process that the system cannot run without; it is responsible for starting the user sessions. The worm's file name differs from it by a single letter, so do not confuse the two when you clean the machine.

xmss.exe is a malicious file that usually arrives when you visit web sites hosting unsafe content. It runs on Windows versions older than Vista and Windows 7. The worm drops executable copies of itself into every accessible drive and directory together with an autorun.inf, so that whenever a drive is opened the worm launches a new process. It also changes Internet Explorer settings such as the start page. Like most malware of this kind it adds registry entries so that it is started at every boot and disables the "Show hidden files and folders" option, which keeps its hidden copies out of sight. It injects itself into explorer.exe, so it stays active even after you kill its own processes in Task Manager. Over time the worm also drops files with extensions unrelated to system files, and it may contact remote sites to download further malicious files onto the infected system.

Manual instructions to remove xmss.exe:

  1. Start the computer in Safe Mode.
  2. Without opening any of the drives, go to Start --> Run and type "regedit" to open the Registry Editor. Navigate to the following keys:
    HKLM\Software\Classes\.reg
    HKLM\Software\Classes\.vbs
    Under each of them, delete the entries named "exefile" that the worm has added. On a clean system the (Default) value of .reg is "regfile" and that of .vbs is "VBSFile"; restore those if they have been changed.
  3. Now go to the following keys and correct them:
    HKCU\Software\Microsoft\Internet Explorer\Main
    Double-click "Start Page" and set it to whatever page you want as your home page. Then go to
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    Double-click "CheckedValue" and set it to 1. It must be a DWORD value; if you find a string value there instead, delete it and recreate CheckedValue as a DWORD, otherwise Explorer ignores it and the hidden-files option stays disabled. Finally visit
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    and remove "xmss.exe" from the value named "Shell" in the right-hand pane, so that it reads only Explorer.exe.
  4. Reboot into Safe Mode again and DO NOT open any of the drives in Explorer: double-clicking a drive is exactly what triggers the worm's autorun.inf. Go to Start --> Run and type "cmd". Use the Command Prompt to remove the worm's files from each drive. If you are not sure how to do this, type the commands below:

    cd\
    attrib -r -a -s -h C:\WINDOWS\autorun.inf
    del C:\WINDOWS\autorun.inf
    attrib -r -a -s -h C:\WINDOWS\xmss.exe
    del C:\WINDOWS\xmss.exe
    attrib -r -a -s -h "C:\WINDOWS\Funny UST Scandal.exe"
    del "C:\WINDOWS\Funny UST Scandal.exe"
    attrib -r -a -s -h [driveletter]:\xmss.exe
    del [driveletter]:\xmss.exe
    attrib -r -a -s -h "[driveletter]:\Funny UST Scandal.avi.exe"
    del "[driveletter]:\Funny UST Scandal.avi.exe"
    attrib -r -a -s -h [driveletter]:\autorun.inf
    del [driveletter]:\autorun.inf

    Here, replace [driveletter] with C, D, E and so on, and repeat the last six commands for every drive on the system, since the worm copies itself to all of them. The file names contain spaces, so the quotes around them are required; without them attrib and del treat each word as a separate file name and fail.
  5. Run a full scan with an up-to-date antivirus to confirm nothing is left. Then sit back and enjoy. You've trashed the worm.
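The checks that steps 2 to 4 have you perform by hand, written out as an added example (this is not the post's own code; the sample registry values and autorun.inf below are constructed for illustration, not recovered from a real infection). It compares the registry locations from steps 2 and 3 against their normal Windows values (Shell = Explorer.exe, .reg = regfile, .vbs = VBSFile, CheckedValue = DWORD 1), flags a CheckedValue stored with the wrong type, and parses autorun.inf for the launch directives that make an opened drive start the worm, as described above. On Windows it reads the live registry and drive roots; elsewhere it runs against the constructed sample. The IE start page is not audited because it has no fixed default.

```python
"""Audit the xmss.exe persistence points described in the post above.

Added example, not code from the original post. The pure functions take
snapshots so they run anywhere; collect_windows_state() is Windows only.
"""
import os
import string
import sys

# Normal Windows values for the registry locations the post tells you to repair.
EXPECTED = {
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): ("explorer.exe", "REG_SZ"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL",
     "CheckedValue"): (1, "REG_DWORD"),
    (r"HKLM\Software\Classes\.reg", ""): ("regfile", "REG_SZ"),   # "" is the (Default) value
    (r"HKLM\Software\Classes\.vbs", ""): ("VBSFile", "REG_SZ"),
}

# autorun.inf directives that run something when the drive is opened or double-clicked.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

# Constructed sample data (not from a real infection): Shell with the worm appended,
# CheckedValue stored as a string instead of a DWORD, .reg re-pointed at exefile,
# the .vbs key missing entirely, and an autorun.inf that launches xmss.exe.
SAMPLE_SNAPSHOT = {
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): ("Explorer.exe xmss.exe", "REG_SZ"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL",
     "CheckedValue"): ("1", "REG_SZ"),
    (r"HKLM\Software\Classes\.reg", ""): ("exefile", "REG_SZ"),
}
SAMPLE_AUTORUN = "[AutoRun]\nopen=xmss.exe\nshell\\open\\Command=xmss.exe\nicon=%SystemRoot%\\system32\\shell32.dll,4\n"


def check_registry(snapshot):
    """Compare a {(key, value_name): (data, type)} snapshot with EXPECTED.

    Returns human-readable findings; an empty list means every audited value
    looks normal. Missing entries are reported too.
    """
    findings = []
    for (key, name), (want, want_type) in EXPECTED.items():
        label = f"{key}\\{name or '(Default)'}"
        got = snapshot.get((key, name))
        if got is None:
            findings.append(f"{label}: missing")
            continue
        data, reg_type = got
        if reg_type != want_type:
            # Explorer ignores a CheckedValue that is not a DWORD, even if it reads "1".
            findings.append(f"{label}: type {reg_type}, expected {want_type}")
        elif str(data).strip().lower() != str(want).lower():
            findings.append(f"{label}: {data!r}, expected {want!r}")
    return findings


def parse_autorun(text):
    """Return {directive: value} for the [autorun] section of an autorun.inf.

    Hand-rolled rather than configparser: worm-written files often carry junk
    lines, repeated directives and mixed case that a strict INI parser rejects.
    Keys are lower-cased; the first occurrence of a directive is kept.
    """
    directives, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            directives.setdefault(key.strip().lower(), value.strip())
    return directives


def autorun_findings(text, drive="?:"):
    """List the directives in an autorun.inf that would execute something.

    On a fixed disk or USB stick any such directive is suspect; icon= or
    label= lines are not reported.
    """
    return [f"{drive}\\autorun.inf {key}={value}"
            for key, value in parse_autorun(text).items()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))]


def collect_windows_state():
    """Read the audited registry values and each drive root's autorun.inf (Windows only)."""
    import winreg
    type_names = {winreg.REG_SZ: "REG_SZ", winreg.REG_DWORD: "REG_DWORD"}
    snapshot = {}
    for key, name in EXPECTED:
        path = key.split("\\", 1)[1]            # every audited key lives under HKLM
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as handle:
                data, reg_type = winreg.QueryValueEx(handle, name)
                snapshot[(key, name)] = (data, type_names.get(reg_type, str(reg_type)))
        except OSError:
            pass                                # absent key or value: check_registry() reports it
    autoruns = {}
    for letter in string.ascii_uppercase:
        inf = f"{letter}:\\autorun.inf"
        if os.path.isfile(inf):
            with open(inf, errors="replace") as fh:
                autoruns[f"{letter}:"] = fh.read()
    return snapshot, autoruns


if __name__ == "__main__":
    if sys.platform == "win32":
        snapshot, autoruns = collect_windows_state()
    else:                                       # off Windows, run against the constructed sample
        snapshot, autoruns = SAMPLE_SNAPSHOT, {"E:": SAMPLE_AUTORUN}
    findings = check_registry(snapshot) + [f for d, t in autoruns.items() for f in autorun_findings(t, d)]
    print("\n".join(findings) or "no deviations found")
```

The audit only reports and changes nothing, so it is safe to run before and after the manual steps to confirm that each value was actually restored; a CheckedValue that still shows up as REG_SZ, or a Shell value longer than Explorer.exe, means step 3 is not finished.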

Posts that might help you here:
Enabling Safe Mode booting, enabling the Registry Editor, enabling Windows Task Manager, enabling the Hidden files and folders option, and enabling the Command Prompt.