Removing dmxxx.exe & msserv.exe Viruses



These two viruses send tons of email from your PC.

The first thing to do is unplug your internet cable.

  • 1. What does this thing do?
    • a) It sends tons of emails from your machine, which of course contain copies of the virus, to email addresses it finds on your machine - i.e. to your friends.
    • b) It installs a local service which monitors its own health.
      • The service is installed in your registry at one of the following keys:
      •         HKCU\Software\Microsoft\Windows\CurrentVersion\Run\     or
      •         HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\     or
      •         HKLM\Software\Microsoft\Windows\CurrentVersion\Run\     or
      •         HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
      • It starts the service every time you reboot your machine.
      • Hence this entry (and possibly others) must be removed from the registry.
    • c) For Windows XP or Vista, it puts exe files into the C:\Windows\system32\ directory.
    • d) This virus has OLD dates on the entries in system32. This is a new problem because now you can't just delete files that have been installed in the last week or two, because these files have OLD dates.
    • e) Many of the files have names like dmxxx.exe where "xxx" can be any 3 letters. The virus makes many copies of the file under many names. You will need to delete them all.

The following files are GOOD files on Windows XP and should NOT be deleted. These are ALL the files in Windows XP which start with "dm".

  • dmadmin.exe
  • dmband.dll
  • dmcompos.dll
  • dmconfig.dll
  • dmdlgs.dll
  • dmdskmgr.dll
  • dmdskres.dll
  • dmime.dll
  • dmintf.dll
  • dmloader.dll
  • dmocx.dll
  • dmremote.dll
  • dmscript.dll
  • dmserver.dll
  • dmstyle.dll
  • dmsynth.dll
  • dmusic.dll
  • dmutil.dll
  • dmview.ocx

All other files of the form dmxxx.exe should be removed.
Obviously you need to remove "msserv.exe" also, if it is present.

    • 2. Outline of how to get rid of these viruses.
      • Disconnect your internet cable.
      • Turn off your email program (Outlook Express or MS Outlook, for example).
      • Turn off "system restore" (if it is on) using #4 below.
      • If "msserv.exe" is running, stop it.
        • Hit <ctrl><alt><del> to open the Task Manager window.
        • Click the top of the left column to sort the entries alphabetically.
        • Scan down the list to find "msserv.exe".
        • If you find it, click "End Process".
      • Use Explorer to find all copies of the "msserv.exe" file.
        • Write down the full paths if you can't delete them.
        • Rename them if you can't delete them: call them xxxmsserv.exe, so you can find them easily later.
      • Use Explorer to find all copies of the "dmxxx.exe" files.
        • You only need to look in the C:\Windows\system32\ directory.
        • Write down the full paths if you can't delete them.
        • Rename them if you can't delete them: call them xxxdmxyz.exe etc., so you can still find them easily.
      • Delete as many of the BAD executables as you can.
      • Reboot in "Safe mode" to delete the executables which you could not delete in normal mode.
      • When in "safe mode", navigate to each directory and delete the files which you could not delete in normal mode.
      • Next, clean up your registry. Follow #5 below.
      • Go to your Recycle Bin and empty it.
      • Plug your internet cable back in and turn your email program on to see if the virus is gone.
      • If it is gone, you can turn "system restore" back on.
    • 3. Rundll32 may be running. If so, stop it.
      • Finding (and stopping) it:
        • Hit <ctrl><alt><del> to open the Task Manager window.
        • Click the top of the left column to sort the entries alphabetically.
        • Scan down the list to find "rundll32".
        • Rundll32 is a system service and should NOT run constantly.
        • Click "End Process".
    • 4. Turning off "system restore"
      • click "start" (bottom left of your screen)
      • select "control panel"
      • select "system"
      • right click & open
      • select "system restore" tab
      • check "turn off system restore on all drives"
      • click "apply"
      • click "ok"
      • close "control panel"
    • 5. Cleaning up your registry.
      • To open your registry do the following:
        • click "start" (bottom left of your screen)
        • select "Run"
        • type "regedit"
        • click "ok"
      • You need to fix the following things:
        • Remove all references to all executables in the lists you made in step #2.
        • Make sure the virus is removed from these keys in your registry:
        •         HKCU\Software\Microsoft\Windows\CurrentVersion\Run\     or
        •         HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\     or
        •         HKLM\Software\Microsoft\Windows\CurrentVersion\Run\     or
        •         HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
        • For each of the above 4 keys, look for any program which is run from the directory C:\windows\system32 and make sure it is not one of the executables you want removed.
        • If it is, then obviously you delete the entry.
      • To remove any name from the entire registry do the following:
        • Drag the scroll bar to the top.
        • Click on "my computer" - this points you to the top.
        • Edit & Find the name you want to delete.
        • Delete or fix the entry.
        • Press F3 to find the next occurrence of the same name.
        • Repeat until no further occurrences are found.
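As an added example (not part of the original page), the triage logic behind steps 1, 2 and 5 in Python: pick out every "dm" file in a system32 listing that is not on the allow-list above, then flag any Run/RunOnce value that launches one of those files or msserv.exe. It assumes the directory listing and the Run-key values have already been read (on a live machine via os.listdir and winreg); the file names and registry values below are constructed samples.

```python
import ntpath
import re
from typing import Dict, Iterable, List
# The page's allow-list: every legitimate Windows XP file whose name starts with "dm".
KNOWN_GOOD_DM_FILES = {
    "dmadmin.exe", "dmband.dll", "dmcompos.dll", "dmconfig.dll", "dmdlgs.dll",
    "dmdskmgr.dll", "dmdskres.dll", "dmime.dll", "dmintf.dll", "dmloader.dll",
    "dmocx.dll", "dmremote.dll", "dmscript.dll", "dmserver.dll", "dmstyle.dll",
    "dmsynth.dll", "dmusic.dll", "dmutil.dll", "dmview.ocx",
}

def suspicious_dm_files(system32_listing: Iterable[str]) -> List[str]:
    """Names in a system32 listing that start with "dm" but are not on the allow-list,
    i.e. every dmxxx.exe copy the virus dropped (names are returned lower-cased)."""
    return sorted(
        name.lower() for name in system32_listing
        if name.lower().startswith("dm") and name.lower() not in KNOWN_GOOD_DM_FILES
    )

def executable_of(command: str) -> str:
    """Program path from a Run/RunOnce value: either "quoted path" args or bare path args."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""

def suspicious_run_entries(run_values: Dict[str, str], bad_names: Iterable[str]) -> Dict[str, str]:
    """Run/RunOnce values whose program is one of the executables marked for removal
    or msserv.exe; the result maps value name -> program path."""
    targets = {n.lower() for n in bad_names} | {"msserv.exe"}
    flagged = {}
    for value_name, command in run_values.items():
        exe = executable_of(command)
        if ntpath.basename(exe).lower() in targets:
            flagged[value_name] = exe
    return flagged

# Constructed sample data (not taken from any real machine).
SAMPLE_SYSTEM32 = ["dmadmin.exe", "dmband.dll", "dmbnf.exe", "DMRJP.EXE",
                   "dmzzh.exe", "dmusic.dll", "notepad.exe", "msserv.exe"]
SAMPLE_RUN_VALUES = {
    "DiskManager": r'"C:\Windows\system32\dmbnf.exe"',
    "msserv": r"C:\WINDOWS\system32\msserv.exe /s",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "Updater": r'"C:\Program Files\Vendor\dmzzh.exe"',
}

if __name__ == "__main__":
    bad = suspicious_dm_files(SAMPLE_SYSTEM32)
    print("dm files to remove:", bad, "Run entries to remove:", suspicious_run_entries(SAMPLE_RUN_VALUES, bad))
```

The flagged value names are the entries to delete in regedit under the four keys listed in step 5; the "Updater" entry shows why the page says to search the whole registry for each bad name rather than only the system32 paths.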

    Comments? Email me at crwillis@androidworld.com