lsmosee.exe Virus is a very dangerous Trojan horse, which has been spotted recently, but for the short period of time that it has been around, it seems that this threat has managed to infect a lot of web users. This particular malware is capable of various harmful actions, so we highly recommend you to read its specifics carefully and to strictly follow the instructions in the removal guide instructions that follow. There is NO software you need to buy and you do not need to put the infected system into SAFE MODE.
WHAT Does LSMOSEE.exe DO to the infected system?
Initially the virus inserts an autostart called "VMApplet" in the Registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon. This process runs at system startup and causes an FTP download to occur to a random folder in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\". The filename created is close2.bat; or, something similar.
Creates virus executable files: c:\windows\debug\lsmose.exe and c:\windows\help\lsmosee.exe
Creates a hidden Scheduled Task which in turn executes the LSMOSE virus at 2:36am, 5:36am, 8:36am, 11:36am, 2:36pm, 5:36pm, 8:36pm and 11:36pm.
Creates four (4) non-hidden Scheduled Tasks named Mysa1, Mysa2, Mysa3 and ok which execute at system startup.
Creates a Registry entry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run which executes "%systemroot%\system32\dumprep 0 -u" at system startup.
WHAT Happens when LSMOSEE.exe Executes?
DUMP files are created and sent via FTP.exe to the hackers server:
Recreates LMSOSE.exe and LSMOSEE.exe if missing.
Recreates Scheduled System Start Tasks if missing.
Recreates Registry Entries if missing.
How do I get rid of LSMOSEE.exe?
Follow the following steps in order making sure NOT to perform these tasks anywhere near the times mentioned above.
Delete the batch file in "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\".
Delete the VMApplet registry key located at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon".
Delete the registry key located at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" which executes dumprep.
Delete the four (4) Scheduled Tasks named Mysa1, Mysa2, Mysa3 and ok.
Delete the dump files located in "C:\WINDOWS\PCHEALTH\ERRORREP\UserDumps\".
Reboot your system.