  1. #1 Zoom7000

    SMSS.exe Virus? (Major Outbreak!)

    The issue all started a few days ago when I noticed a PC I was using kept hiding the extensions of known files types as I was working. Hidden File Extensions is one of my pet hates, so I ensure it is disabled in all of my builds. What was annoying was this particular PC was hiding them even after I had changed the setting in Folder Options. No matter what I did it changed it back to hidden.

    A few days later I noticed the same issue on my desk PC and also noticed that hidden files could not be unhidden either. Now we have had an outbreak of students and staff not being able to log in because the "Personalised Settings" window when logging in gets stuck at "IE7 Uninstall Stub" - We haven't even run an uninstaller for IE7. When you fire up Task Manager, kill Explorer.exe and restart it, you get a horrible "pink bug" icon flash 2 or 3 times in the Task Manager window before it disappears and loads the desktop. Definitely a virus!

    Sophos was being its reliable self and not finding anything. So, on my PC, I ditched it and have just installed Kaspersky Internet Security. Straight away it popped up with a process trying to run, that had that horrible icon... SMSS.exe. I'm doing a full Kaspersky scan right now. It's giving me lots of pop ups telling me SMSS.exe is trying to edit the registry, particularly the part that shows hidden files, but Kaspersky is doing its bit to block it. My colleague's machine that is also infected (running Sophos) isn't picking up anything. In fact, the virus is refusing to allow Sophos to even run! The Enterprise Console isn't finding anything when scanning the PC either.

    Has anyone encountered something like this before? How can we disinfect the PCs on our network if Sophos isn't even recognising it?

    I've had enough of Sophos, no wonder we get it for free! I'm surprised they can sell it at all!

  2. #2 Fridge
    smss.exe - smss - Process Information

    Tells you a little bit about it. SMSS.exe is actually a legitimate process for the most part.

  3. #3 Zoom7000
    I know. However, it's the alternate description I'm referring to.

  4. #4
    Bear in mind there is also a legitimate smss.exe file which can be found in your system32 directory - are you assuming your colleague's machine is infected based on the existence of this file, or is it displaying the same symptoms as your own machine?

    Grab one of the infected smss.exe files from a machine which definitely has problems and upload it to virustotal or virusscan.jotti.org to check what it is, then google for a removal tool for that particular strain. Many AV companies provide some free standalone removal tools. If you can't shift it like that, you're looking at a few days of unplugging workstations from the network, scanning and cleaning from a boot CD, patching if necessary and waiting until all machines are clean before reconnecting everything...

  5. #5 Zoom7000
    This is a screenshot of the icon that is coming up.
    [Attached image: screenshot of the icon]

  6. #6
    Definitely an odd icon. What does VirusTotal report it as?

  7. #7 Zoom7000
    I just noticed as I posted that image, there is a space after system32 (C:\Windows\System32 \Smss.exe)

    I just uploaded it to Virustotal and this is what it found:

    Code:
     File smss.exe received on 05.18.2009 17:10:09 (CET)
    Result: 18/40 (45%)

    Antivirus 	Version 	Last Update 	Result
    a-squared	4.0.0.101	2009.05.18	-
    AhnLab-V3	5.0.0.2	2009.05.18	Win32/IRCBot.worm.variant
    AntiVir	7.9.0.168	2009.05.18	TR/Crypt.FKM.Gen
    Antiy-AVL	2.0.3.1	2009.05.18	Backdoor/Win32.Rbot
    Authentium	5.1.2.4	2009.05.17	W32/Backdoor2.EFJU
    Avast	4.8.1335.0	2009.05.17	-
    AVG	8.5.0.336	2009.05.18	IRC/BackDoor.SdBot4.KNX
    BitDefender	7.2	2009.05.18	Backdoor.Agent.AAEP
    CAT-QuickHeal	10.00	2009.05.15	Backdoor.Rbot.abvf
    ClamAV	0.94.1	2009.05.18	-
    Comodo	1157	2009.05.08	-
    DrWeb	5.0.0.12182	2009.05.18	BackDoor.Rbot.35
    eSafe	7.0.17.0	2009.05.18	-
    eTrust-Vet	31.6.6508	2009.05.16	-
    F-Prot	4.4.4.56	2009.05.17	W32/Backdoor2.EFJU
    F-Secure	8.0.14470.0	2009.05.18	-
    Fortinet	3.117.0.0	2009.05.18	-
    GData	19	2009.05.18	Backdoor.Agent.AAEP
    Ikarus	T3.1.1.49.0	2009.05.18	-
    K7AntiVirus	7.10.737	2009.05.16	-
    Kaspersky	7.0.0.125	2009.05.18	-
    McAfee	5618	2009.05.17	-
    McAfee+Artemis	5618	2009.05.17	-
    McAfee-GW-Edition	6.7.6	2009.05.18	Trojan.Crypt.FKM.Gen
    Microsoft	1.4602	2009.05.18	Worm:Win32/Cubspewt.A
    NOD32	4083	2009.05.18	Win32/AutoRun.Agent.HD
    Norman	6.01.05	2009.05.16	-
    nProtect	2009.1.8.0	2009.05.18	-
    Panda	10.0.0.14	2009.05.18	-
    PCTools	4.4.2.0	2009.05.18	-
    Prevx	3.0	2009.05.18	Medium Risk Malware
    Rising	21.30.04.00	2009.05.18	Backdoor.Win32.VB.epv
    Sophos	4.41.0	2009.05.18	-
    Sunbelt	3.2.1858.2	2009.05.17	VIPRE.Suspicious
    Symantec	1.4.4.12	2009.05.18	-
    TheHacker	6.3.4.1.326	2009.05.18	-
    TrendMicro	8.950.0.1092	2009.05.18	-
    VBA32	3.12.10.5	2009.05.18	Win32.AutoRun.Agent.HD
    ViRobot	2009.5.18.1739	2009.05.18	Backdoor.Win32.IRCBot.425984
    VirusBuster	4.6.5.0	2009.05.18	-
    Additional information
    File size: 1359872 bytes
    MD5...: c3c0a21affe511b8c96bd6dbb0b8c8a5
    SHA1..: 982cc92091d4bdfcc83a46f071441d92c6a44952
    SHA256: ac228011b164ae1b7a28ba7c8175cce0803d18038c6a40507971ac178a7e2cf2
    SHA512: 6d01ffdd368d0840b3934a8bf338a1ce22782a8ec9fbbc3d429c214cd7832e5e
    b7d342ca03aee58af4e8972f5cf9d03bbf199a70baa2fcdbeacc9486577f1f3c
    ssdeep: 12288:QHyBeTFRtaLaWekYdtkMjIQO2aJwKSH9QpRHa:QH4eTFRU+tYM22zhYFa
    PEiD..: BobSoft Mini Delphi -> BoB / BobSoft
    TrID..: File type identification
    Generic Win/DOS Executable (49.9%)
    DOS Executable Generic (49.8%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    PEInfo: PE Structure information
    
    ( base data )
    entrypointaddress.: 0xf859
    timedatestamp.....: 0x496f67d7 (Thu Jan 15 16:44:07 2009)
    machinetype.......: 0x14c (I386)
    
    ( 6 sections )
    name viradd virsiz rawdsiz ntrpy md5
    0x1000 0x4a000 0x19000 7.91 f059ac8715d9424491a9bfd55be03eb1
    0x4b000 0x5000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    0x50000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    .rsrc 0x51000 0x1000 0x1000 1.56 10d0648e6f536634800863f9c41c24f1
    .data 0x52000 0x4d000 0x4d000 7.92 52f23673f8b6d06fb9c446afb0d294e7
    0x9f000 0xe4000 0xe4000 0.00 e422bc985c88b68f4362068f83a5650d
    
    ( 8 imports )
    > kernel32.dll: VirtualAlloc, VirtualFree, GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
    > user32.dll: MessageBoxA
    > advapi32.dll: RegCloseKey
    > oleaut32.dll: SysFreeString
    > gdi32.dll: CreateFontA
    > shell32.dll: ShellExecuteA
    > version.dll: GetFileVersionInfoA
    > msvbvm60.dll: EVENT_SINK_GetIDsOfNames
    
    ( 0 exports )
    PDFiD.: -
    RDS...: NSRL Reference Data Set
    -
    packers (Kaspersky): PE_Patch.Enigma
    http://info.prevx.com/aboutprogramtext.asp?PX5=B08EB5FA0092C5A1C057148C60CC9800DF62FE3C
    So, what can I do to remove it?

  8. #8 Fridge
    By the description it sounds like it could be Malware...

    Might be worth giving Malwarebytes.org a go; I find this really good and it might remove the problem.

  9. #9 Zoom7000
    Right, overnight, Sophos must have been updated. It finally started detecting it as "Mal/UnkPack-Fam".

    However, some of the PCs it has "cleaned" it has rendered totally useless. My colleague's PC which was affected can no longer run anything. Any time you try to launch an application you either get a message saying "Application not found" or you get an option box asking what application you want to use to open the program.

    Is there any way to solve this issue without rebuilding the PC?

    Funnily enough, I had installed NOD32 on my own PC and it removed the file with no issues at all.

  10. #10 apeo
    System File Checker may help. If any changes were made to Windows' main system files you could use sfc /scannow to restore them back to what they were. You will need the Windows CD.

  11. #11 Zoom7000
    SFC didn't work for the PCs because they were looking in the main for an ancient XP image on a RIS server that doesn't exist anymore and it didn't like the original XP CD.

  12. #12 m25man
    Can you check the registry key HKEY_CLASSES_ROOT\

    All of the file association registry keys are kept there.

    I have been battling an unidentified virus that has been deleting this section of the registry or at least I thought it was a virus.

    There should be a lot of registry keys starting with a .
    .386 thru to .zip

    If these are missing that is your problem.
    Let me know what you find, PM me if need be.
    You can export these and import them to the damaged machine as a workaround.

    In the last month this has happened on a load of machines running Sophos when the clean up options were set too aggressively.

    According to Sophos, you should set your clean up actions to "Do Nothing", especially on servers...
    This blocks access to the suspect file but won't blow a hole in your hard disk! Nice to know.....

    I'm still looking for answers on this one, the pattern starts with the file associations then services can't be restarted as registry keys and system files are deleted without trace or logging.

    The machine will fail on reboot with registry corruptions.
    I have seen some boot sectors erased also.

    With the right Sophos settings it now seems to be under control, but not until we lost 8 servers and a dozen or more PCs on one site!

    This is not just a Sophos problem as I have seen identical symptoms on AVG protected machines.

    There seems to be a lot of false positive detection going on as well, SUS\Sality being reported in SIM Installer packages and HP driver packages downloaded from HP.

    If you have all of the clean up options set too high, your AV may start deleting files that are not affected at all leaving you in a worse state than if they were!

  13. #13

    How to clean up PC after virus removal

    Hi,

    Had the same issue on 2 PCs this week: virus removed, and users not able to log on (automatic logoff immediately after logon), or execute programs if able to log on. This is the procedure to fix the problem:

    step 1: boot pc using WinPE or equivalent (bartpe, ubcd4win, ...) from cd/usb/pxe

    step 2: run regedit inside WinPE (or bartpe, ...)

    step 3: open infected windows' registry

    - click HKEY_LOCAL_MACHINE
    - in menu 'file', select 'load hive'
    - browse to c:\windows\system32\config, and click file SOFTWARE (no extension)
    - name the hive something (e.g. virus_removal_registry)
    - browse to the registry key
    HKEY_LOCAL_MACHINE\<e.g. virus_removal_registry>\Classes\exefile\shell\open\command
    - change value from ("c:\windows\system32 \smss.exe" "%1" %*) to ("%1" %*) without the brackets!
    - browse to registry key
    HKEY_LOCAL_MACHINE\<e.g. virus_removal_registry>\Microsoft\Windows NT\CurrentVersion\WinLogon
    - change value of userinit from (c:\WINDOWS\system32\userinit.exeC:\Windows\system32 \smss.exe)
    to (c:\WINDOWS\system32\userinit.exe) without the brackets

    step 4: reboot

    First registry key tries to start the (removed) virus every time you execute an executable file (.exe). You can start an .exe file by renaming it to .com.
    Second registry key loads the virus every time a user logs on. If the virus has been removed, userinit will crash and log off the user immediately.

    additional notes:
    - be careful when changing the registry, since a faulty registry may render Windows unusable
    - if you don't have a WinPE or equivalent boot medium, you can run regedit in Windows if you rename regedit.exe to regedit.com
    - don't forget to disable System Restore, or the virus might pop up again soon

    Hope this helps!
    E.T.
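The two registry hijacks walked through in the post above (exefile\shell\open\command and Winlogon Userinit) and the missing file-association keys from post #12 can be audited from one script. This is an added example, not code from the thread or from any of the vendors mentioned; it assumes the infected machine's SOFTWARE hive has already been loaded into HKLM under the name given in -HiveName (the "load hive" step above, or `reg load HKLM\virus_removal_registry D:\Windows\System32\config\SOFTWARE` from WinPE), and the drive letter and hive name are placeholders.

```powershell
# Audit (and optionally repair) the registry damage described in this thread.
# Run without -Repair first: it only reports. Hive path/name are assumptions.
param(
    [string]$HiveName = 'virus_removal_registry',   # name given at 'load hive'
    [switch]$Repair
)

$base        = "HKLM:\$HiveName"
$exeCmdPath  = "$base\Classes\exefile\shell\open\command"
$exeCmdClean = '"%1" %*'
$winlogon    = "$base\Microsoft\Windows NT\CurrentVersion\Winlogon"
# XP normally stores Userinit with a trailing comma; the post shows it without,
# so both forms are treated as clean.
$userinitOk  = @('C:\WINDOWS\system32\userinit.exe', 'C:\WINDOWS\system32\userinit.exe,')

$findings = @()

# 1. exefile open command: anything other than "%1" %* means every .exe launch
#    is routed through another program first (the thread saw "...\system32 \smss.exe").
$cmd = (Get-ItemProperty -Path $exeCmdPath -ErrorAction SilentlyContinue).'(default)'
if ($cmd -ne $exeCmdClean) {
    $findings += "exefile open command hijacked: [$cmd]"
    if ($Repair) { Set-ItemProperty -Path $exeCmdPath -Name '(default)' -Value $exeCmdClean }
}

# 2. Winlogon Userinit: extra entries run at every logon; once the appended file
#    has been removed by AV, userinit fails and the user is logged straight off.
$ui = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Userinit
if ($userinitOk -notcontains $ui) {
    $findings += "Userinit tampered: [$ui]"
    if ($Repair) { Set-ItemProperty -Path $winlogon -Name 'Userinit' -Value $userinitOk[1] }
}

# 3. File-association keys: SOFTWARE\Classes normally holds hundreds of '.ext'
#    subkeys (.386 .. .zip). A near-empty set matches the damage in post #12;
#    report only, and restore by exporting the keys from a clean machine of the
#    same Windows build rather than guessing them here.
$extKeys = @(Get-ChildItem -Path "$base\Classes" -ErrorAction SilentlyContinue |
             Where-Object { $_.PSChildName -like '.*' })
if ($extKeys.Count -lt 50) {
    $findings += "Only $($extKeys.Count) file-extension keys under Classes (expected hundreds)"
}

if ($findings.Count -eq 0) { 'No hijack indicators found.' } else { $findings }
```

Unload the hive afterwards (`reg unload HKLM\virus_removal_registry`) so the changes are flushed to disk before rebooting into the repaired Windows.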
