MSN Virus Worm 22nd October 2005

Name: UchihaJax
Date: October 22, 2005 at 14:27:41 Pacific
OS: various
CPU/Ram: various
Comment:

I got a virus today.
Someone contacted me and said
"is this you? : <some link with my email on it>"

Anyhow, it suckered me and screwed my puter up.
However I fixed it.

Here are the instructions I wrote to pass to people I accidentally infected.
You will need HijackThis but I can't post that here so find that yourself.
I hope Google picks this up to help others with the problem.

To fix the Brodia (I think it's a variant of this) Worm
------------------------------------------
There is an evil file on your system.
This manual will tell you how to beat it.
Follow the instructions 1 - 27.

I recommend you READ IT before following
the instructions.
------------------------------------------

First of all, for those who have XP or Home or don't usually do technical stuff, you need to change a few options to be able to find the file.
This is because the worm pretends it's a system file and Windows XP (by default) doesn't let you see those.

To be able to view all files, follow these instructions.

1. Go To "My Computer"
2. From the menu at the top of the box that appears select "Tools"
3. Select "Folder Options"

Now you should have a new form appear.
There are some tabs.

4. Select the "View" tab.

Now you should see a list of options with icons.

5. There are 2 options that need to be specifically set.

A) "SHOW hidden files and folders" - should be CHECKED
B) Hide protected operating system files - should be UNCHECKED (XP only)

Now you can see all the files so now the virus can hide no more. :P.
Let's hunt it down!

Unfortunately, because it is currently running we can't shut it down, but let's have a look at it anyway.

6. Go to "My Computer"
7. Go to C:\
(or whichever drive windows is installed if it's not installed on C:\)

8. Go to either:

A) "C:\Windows\System32" - for XP
OR
B) "C:\WINNT\System32" - for 2000 or NT

9. Now have a look at the FOLDERS that have a ghostly appearance (the ghost thing means they're "hidden" items)
I can't tell you the name of the folder the file is in, because it's different for everyone.
The virus randomly makes a folder name.
It should be a random combination of letters.

LIKE

qwifffyoin
OR
hjkaovbntr

Basically it shouldn't make much sense.
Remember, you won't be able to see it if you haven't followed options 1 - 5.

10. Go into the folder and you will see the worm. It's called: svshost.exe

11. WRITE DOWN THE NAME OF THE PATH OF WHERE THE WORM IS LOCATED (in a notepad maybe)

----------------
NOTE: there is an actual System file called svchost.exe (see, it starts "svC", the virus starts "svS").
You probably won't come across it, but you should know this anyway.
----------------

To fully remove this file we have to do two things:

A) Delete the file
B) Remove the registry references to the file.

To fix issue A we need to go into SAFE mode.
To fix issue B we need the program HijackThis.exe.

12. Get HijackThis.exe from the person who gave you this tutorial.

Please understand that HijackThis.exe is a powerful tool for editing values in the registry.
You can damage your windows install with it IF YOU FIX THE WRONG OPTIONS - So be careful when you use it. Just fix the right options, it's not hard but don't play around with the program. ok?

----------------------
NOTE: If you use XP home you might need to "Unblock" the HiJackThis.zip when you get it. Right Click on the file, check all the options, there is one that says "Unblock" or something. You need to check that.
----------------------

Okay, let's go into safe mode.
13. RESET the PC (Start->ShutDown->Select Restart and OK)

14. Now we have to redirect ourselves into SAFE mode. This means interrupting the usual way windows loads.
Basically you have to hit the F8 Key (hit it a lot of times :) ) just before you see the Windows screen.

15. If you succeed you should get a black screen and a bunch of options.
16. Select the "Start in SAFE Mode option". and press ENTER.

You should be in safe mode in a minute or so.

Okay, first off, yes it's ugly, this is 16 colour windows!
However the benefit is that the worm won't be running (it relies on higher level stuff).
We will now be able to delete it.

17. First of all go to HiJackThis.exe and run it.
18. Press SCAN
19. Look at the information. You need to find 2 entries.

The entries you're looking for should have 2 identifiable features.

A) They will START: "O4 - HKLM\..\Run: [SVCHost]"
B) They will END with the path of the worm: "C:\WINDOWS\SYSTEM32\....svshost.exe"

20. Select the entries
21. Make SURE no other entries are checked
22. Select "FIX CHECKED"
23. Close HiJackThis.exe

Okay now the registry entries are dead.

24. Go to "My Computer"
25. Go to where you found the virus previously (instructions 6 - 11).
26. DELETE THE FILE AND THE FOLDER.

27. Restart

27. JUMP FOR JOY! It should be fixed now.

To check if it's fixed, press CTRL+ALT+DEL -> Task Manager -> Processes -> Press ImageName (puts them in alphabetical order).
Look for the process svshost.exe (NOT svchost.exe, svShost.exe). If you can't find it, it's gone!

28. Get Linux. :)

Hope that sorts it out for you.

Kind Regards

Uchiha~Jax





Response Number 1
Name: XpUser
Date: October 22, 2005 at 22:34:30 Pacific
Reply:

Is this information copyrighted by you?

i_XpUser



Response Number 2
Name: cdp
Date: October 26, 2005 at 15:35:52 Pacific
Reply:

Hi,

To start with, I'm not into computer tech. But I got what seems to be a variant of this virus through messenger. I followed these instructions and found the folder in Sys32. HOWEVER, the program files are "smss.exe" and "crss.exe". Also, I can't find any registry entries using the Hijackthis program. This virus has also disabled my Norton antivirus 2005 as well :( Any help out there for me?


Thanks.



Response Number 3
Name: emoska
Date: October 27, 2005 at 01:55:22 Pacific
Reply:

Hey all,

I also received this virus, however cannot find any hidden folders under the windows/system32 folder (am running XP). Is there any place else I can look? It seems to be resetting my selection of 'show hidden folders', however I still could not find any hidden folders when I restarted in safe mode.



Response Number 4
Name: whitecrow
Date: November 12, 2005 at 18:52:13 Pacific
Reply:

Ok guys, I just did it, don't bother with hijack this, just use regedit.

crss.exe and smss.exe are protected; if you try to kill the processes in taskman, it won't let you.

Just view hidden and system files, delete the randomish directory in the system32 folder that has 3 files (crss.exe, crss.ini and smss.exe), and search regedit for crss.exe and smss.exe and del any keys that have that path in them.

Probably best to do this in safe mode.

--DarthVcdr



Response Number 5
Name: earthsprite
Date: November 13, 2005 at 00:16:01 Pacific
Reply:

Argh, I was totally dumb and clicked the link from a person on my buddy list.

I unhid all the system folders/files and searched for svshost.exe, crss.exe, and smss.exe. The only one I found was smss.exe. I went into Safe Mode and deleted the registry entries found with regedit. I then went into Task Manager, only to find that smss.exe *was* running in Safe Mode! It wouldn't let me shut it down: "This is a critical system process. Task Manager cannot end this process." And because it was running, I couldn't delete the program in /sys32.

I have no idea what to do now that the worm runs in Safe Mode.



Response Number 6
Name: earthsprite
Date: November 13, 2005 at 00:28:59 Pacific
Reply:

(Sorry for double post.)

Um, crap. I just found out smss.exe in /sys32 is a legitimate program used by WinXP. The worm I'm looking for must be somewhere else...
On that note, I'm really hoping I didn't mess up my computer by deleting those entries.

http://www.neuber.com/taskmanager/process/smss.exe.html
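
The svshost.exe/svchost.exe note in the first post and the smss.exe mix-up in the last two come down to two checks: is the name a near-miss spelling of a real system binary, and is a real name sitting in the wrong folder. The following is an added example, not part of any post in this thread, that applies both checks to a list of paths; the binary list, the function names, the default system root and the sample paths are assumptions constructed for illustration.

```python
import ntpath  # parse Windows paths on any host OS

# Core Windows binaries that live directly in <SystemRoot>\System32.
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "smss.exe",
                   "lsass.exe", "services.exe", "winlogon.exe"}

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify(path, system_root=r"C:\Windows", max_distance=1):
    """Return (verdict, matched_system_name) for one executable path."""
    folder, name = ntpath.split(ntpath.normcase(path))
    expected = ntpath.normcase(ntpath.join(system_root, "System32"))
    if name in SYSTEM_BINARIES:
        if folder == expected:
            return ("legitimate", name)
        return ("misplaced", name)      # real name, wrong folder
    for real in sorted(SYSTEM_BINARIES):
        if edit_distance(name, real) <= max_distance:
            return ("lookalike", real)  # near-miss spelling of a real name
    return ("unknown", None)

# Constructed sample paths; the folder name is one of the first post's examples.
SAMPLE = [
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\System32\qwifffyoin\svshost.exe",
    r"C:\WINDOWS\System32\qwifffyoin\crss.exe",
    r"C:\WINDOWS\System32\qwifffyoin\smss.exe",
    r"C:\Program Files\Example\notes.exe",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(classify(p), p)
```

On Windows 2000 or NT, pass `system_root=r"C:\WINNT"` to match the folder named in step 8.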


Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

