Exe files changing to .USS

Status
Not open for further replies.

Hainley

IS-IT--Management
Oct 10, 2002
97
US
Norton is identifying a vbs worm...seems that it is changing all of my .exe extensions to .uss extensions.

Has anyone seen this, and does ANY ONE have a fix for it?

Cheers!
John
 
The only reference I could find to a uss extension was a ulead imaging software.


I would update to the latest definitions, then run a full scan in safe mode. Make sure you turn off system restore if you are running XP or ME.


Post back with the name of the virus, or look it up yourself, for info on removing registry entries, etc...


Matt J.

Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.
 
Matt,

Virus Defs are current....ran full system scan in safe mode...quarantined, deleted......

Yet, it still comes back whenever I open an application (Outlook, Ad Aware, MSN Messenger...anything)

Norton is calling it a Bloodhound VBS Worm (Bloodhound being Norton's heuristic).....seems that the actual 'worm' is called: Ussashohhdi.vbs

Cheers!
John
 
So that's the name of the executable it created. Open Norton, go to Reports, check out the virus history section, post back any specific name listed.

And when you say it "comes back" what does this mean?

Matt J.

 
When it comes back, Norton will identify it again..

Earlier today I deleted the file that was infected...also, I ran a search for *.USS...and deleted all 80 of the files I found

Something, somewhere is re-generating this.

I'll go double check the history info and post it here shortly.



 
Lovely, now I can't even access Norton...attempts to reinstall are telling me that the administrator has taken steps to prevent this action....and I'm logged on AS the ADMIN!
 
Again try safe mode.

Clearly Norton didn't eradicate this the first time, or somehow the system is getting reinfected.

If it is XP, let's turn off the system restore too.

And post back with Norton Version, OS Version.

Matt J.

 
Norton Corp Edition 7.6 on Windows 2000 Pro
 
Got it, so let's boot to safe mode and post back virus history. Then, let's run regedit.

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Any weird exe's or vbs's, delete them. In fact, any programs you don't need, dump them. Check for the same key under HKEY_CURRENT_USER.

If this is a different PC than the one you are posting to me, then run another scan in safe mode, before you reboot. If it is the same pc, reboot and post back the virus history.

Matt J.

 
We are having a problem with this virus as well. Hainley, did you ever figure it out? I've tried the steps mentioned, but the virus seems to go dormant then re-appear. Our virus program picks it up, but cannot disinfect. UssaShohhdi.vbs continues to come back, sometimes even changing its file extension...i.e. UssaShohhdi.wsh or .ass. Any ideas or other steps?
 
I ended up doing the ole FDISK/FORMAT/Reinstall routine. Never could get it to go away.
 
I've gotten this on a couple of my computers as well (one XP, one NT4). Symantec Antivirus Corporate 8.1 couldn't clean it out, and when I booted to safe mode on the XP machine the antivirus client wouldn't even start (it "generated errors" per Windows). They're public machines so I just pushed fresh images onto them, problem solved.
 
We were hit with this virus last week. It infected 1 NT 4.0 sp 6a server and 15 workstations (Win95, Win98 and WinXP). It did NOT seem to spread via shares or email. However, most of the workstations that became infected ran programs that were on the NT 4.0 server. The virus seems to infect valid exe files, i.e., winword.exe, spooler.exe, etc.
Only fix was to rebuild all workstations and the server. During this process we discovered the core virus exe file which among other things would create the UssaShohhdi.* file.
We sent the exe to our anti-virus company, McAfee, and within 5 hours they identified it as W32/Shoder.a@MM and provided us with an EXTRA.DAT (supplemental virus ID file). We have applied the EXTRA.DAT to some workstations that were infected and it is cleaning the files.
McAfee still has not updated their virus library with the W32/Shoder.a@MM virus. Also, a google search does not turn up anything with that name yet.
Interestingly, in the code of the virus it contains a text that is a rant about America, government, and is very negative against President Bush.
Hope this information is helpful to others and good luck.

 
Does anyone have the name of the core .exe file that triggers the virus? This has infected one of my desktops as well. I found and sent the UssaShohhdi.vbs file to our anti-virus company (Computer Associates) and they are calling it VBS.Memas.B, and released an update for their Vet Engine today. (InoculateIT Engine update to follow).

Also provided the following information:
Aliases reported by other AV products are listed here:
(Generic Mailworm) (SCRIPT) (VBS/Thier.A@mm) (I-Worm.Shoder)
(VBS/Generic@MM)

The problem I am having is that it still seems to be resident on the system. When I execute a program, it opens, and in my task manager, I have a process for the .exe file and a .uss file for each program open (antivirus software included). I'm not quite understanding how this virus is working, so having a hard time getting rid of it. Still no detailed description that I can find on any of the AV company websites.

Any suggestions? (besides what is looking like the obvious reformat option).

Thanks,
Jennifer


 
It's a frustrating one, no doubt about it. What surprises me is that Symantec, McAfee, et al don't seem to know anything about it?
 
I talked on the phone with Symantec support for about an hour yesterday (we have a support contract), and the person I spoke with said he'd never heard of it before. He passed word along, and also had me send in copies of the altered executable files (along with the unaltered ones, for comparison). Unfortunately, I didn't have the original file that started the whole mess (at that time I was more concerned with containment) though hopefully someone has/will have one to send them.

As of yet, Kaspersky seems to be the only one with the name mSean68 gave (W32/Shoder.A@MM) in their virus list. Hopefully the AV companies work together enough for this one to be taken care of soon.
 
Ussashohhdi.vbs

This seems to have been the name of the scripting file that is/was causing my issue?
 
Probably - it's the same as the last string of text in the altered executable files.
 
I just got a reply back from Symantec:

The virus is called W32.Tunk.A. They sent me beta definitions that they say will allow SAV to get rid of it. I'll have to decide if I want to risk running beta defs on a production machine though.

It's not on their website yet, nor is it on Google. However, it may be a case of two companies giving the same virus different names.
 
Just a little update - FYI.

I am still working with my AV Company with this one. The .uss files are the clean ones. The .exe files that replace them are the virus. That's probably obvious by now.

Now, my AV software is only detecting the ussashohhdi.vbs.. and did not catch it with the .ass ending. Additionally it is not detecting the .exe files that are viral - yet. I sent them .exe file samples this morning.

Additionally, I have run web scans from Norton and McAfee, and CA/eTrust (as well as pc version of eTrust) each did not find anything, and have downloaded stinger for the fun of it which found nothing, as well.

Still waiting for a thorough diagnosis and cure on this one, but just wanted to post my findings on this one in case it might help.

I have reformatted twice, and it keeps coming back... need to find out where the original infection is.
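
A read-only triage sketch for the two indicators reported in this thread: an .exe with a same-named .uss sibling, and the "Ussashohhdi" string near the end of altered executables. It is an added example, not part of any post and not a vendor tool; the 4096-byte tail window and the sample file names are assumptions, and the sample files are constructed harmless byte strings.

```python
import os
import tempfile

MARKER = b"ussashohhdi"   # stem of the script name reported in the thread, matched case-insensitively
TAIL_BYTES = 4096         # assumption: how much of the end of each file to inspect

def tail_has_marker(path, marker=MARKER, tail_bytes=TAIL_BYTES):
    """Return True if the last tail_bytes of the file contain the marker."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - tail_bytes))
        return marker in fh.read().lower()

def triage(root):
    """Walk root; report .exe files with a .uss sibling or the marker in their tail."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {name.lower(): name for name in files}
        for lower, name in sorted(by_lower.items()):
            if not lower.endswith(".exe"):
                continue
            sibling = by_lower.get(lower[:-4] + ".uss")
            exe_path = os.path.join(dirpath, name)
            marked = tail_has_marker(exe_path)
            if sibling or marked:
                findings.append({
                    "exe": exe_path,
                    "uss": os.path.join(dirpath, sibling) if sibling else None,
                    "marker_in_tail": marked,
                })
    return findings

def build_sample_tree(root):
    """Constructed sample data: harmless byte strings, not real executables."""
    samples = {
        "winword.exe": b"MZ" + b"\x00" * 64 + b"UssaShohhdi.vbs",  # stands in for an altered file
        "winword.uss": b"MZ" + b"\x00" * 64,                        # stands in for the renamed original
        "notepad.exe": b"MZ" + b"\x00" * 64,                        # untouched file, should not be reported
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in triage(tmp):
            print(finding)
```

A hit is a lead for collecting samples to send to the AV vendor, as several posters did, not a verdict; the script never renames or deletes anything.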
 