smss.exe - smss - Process Information
Tells you a little bit about it. SMSS.exe is actually a legitimate process for the most part.
The issue all started a few days ago when I noticed a PC I was using kept hiding the extensions of known file types as I was working. Hidden file extensions is one of my pet hates, so I ensure it is disabled in all of my builds. What was annoying was this particular PC was hiding them even after I had changed the setting in Folder Options. No matter what I did, it changed it back to hidden.
A few days later I noticed the same issue on my desk PC and also noticed that hidden files could not be unhidden either. Now we have had an outbreak of students and staff not being able to log in because the "Personalised Settings" window when logging in gets stuck at "IE7 Uninstall Stub" - we haven't even run an uninstaller for IE7. When you fire up Task Manager, kill Explorer.exe and restart it, you get a horrible "pink bug" icon flash 2 or 3 times in the Task Manager window before it disappears and loads the desktop. Definitely a virus!
Sophos was being its reliable self and not finding anything. So, on my PC, I ditched it and have just installed Kaspersky Internet Security. Straight away it popped up with a process trying to run that had that horrible icon... SMSS.exe. I'm doing a full Kaspersky scan right now. It's giving me lots of pop-ups telling me SMSS.exe is trying to edit the registry, particularly the part that shows hidden files, but Kaspersky is doing its bit to block it. My colleague's machine that is also infected (running Sophos) isn't picking up anything. In fact, the virus is refusing to allow Sophos to even run! The Enterprise Console isn't finding anything when scanning the PC either.
Has anyone encountered something like this before? How can we disinfect the PCs on our network if Sophos isn't even recognising it?
I've had enough of Sophos, no wonder we get it for free! I'm surprised they can sell it at all!
I know. However, it's the alternate description I'm referring to.
Bear in mind there is also a legitimate smss.exe file which can be found in your system32 directory - are you assuming your colleague's machine is infected based on the existence of this file, or is it displaying the same symptoms as your own machine?
Grab one of the infected smss.exe files from a machine which definitely has problems and upload it to virustotal or virusscan.jotti.org to check what it is, then google for a removal tool for that particular strain. Many AV companies provide some free standalone removal tools. If you can't shift it like that, you're looking at a few days of unplugging workstations from the network, scanning and cleaning from a boot CD, patching if necessary and waiting until all machines are clean before reconnecting everything...
This is a screenshot of the icon that is coming up.
Definitely an odd icon. What does VirusTotal report it as?
I just noticed as I posted that image, there is a space after system32 (C:\Windows\System32 \Smss.exe)
I just uploaded it to Virustotal and this is what it found:
So, what can I do to remove it?
Code:
File smss.exe received on 05.18.2009 17:10:09 (CET)
Result: 18/40 (45%)

Antivirus          Version              Last Update  Result
a-squared          188.8.131.52         2009.05.18   -
AhnLab-V3          184.108.40.206       2009.05.18   Win32/IRCBot.worm.variant
AntiVir            220.127.116.11       2009.05.18   TR/Crypt.FKM.Gen
Antiy-AVL          18.104.22.168        2009.05.18   Backdoor/Win32.Rbot
Authentium         22.214.171.124       2009.05.17   W32/Backdoor2.EFJU
Avast              4.8.1335.0           2009.05.17   -
AVG                126.96.36.1996       2009.05.18   IRC/BackDoor.SdBot4.KNX
BitDefender        7.2                  2009.05.18   Backdoor.Agent.AAEP
CAT-QuickHeal      10.00                2009.05.15   Backdoor.Rbot.abvf
ClamAV             0.94.1               2009.05.18   -
Comodo             1157                 2009.05.08   -
DrWeb              188.8.131.5282       2009.05.18   BackDoor.Rbot.35
eSafe              184.108.40.206       2009.05.18   -
eTrust-Vet         31.6.6508            2009.05.16   -
F-Prot             220.127.116.11       2009.05.17   W32/Backdoor2.EFJU
F-Secure           8.0.14470.0          2009.05.18   -
Fortinet           18.104.22.168        2009.05.18   -
GData              19                   2009.05.18   Backdoor.Agent.AAEP
Ikarus             T22.214.171.124.0    2009.05.18   -
K7AntiVirus        7.10.737             2009.05.16   -
Kaspersky          126.96.36.199        2009.05.18   -
McAfee             5618                 2009.05.17   -
McAfee+Artemis     5618                 2009.05.17   -
McAfee-GW-Edition  6.7.6                2009.05.18   Trojan.Crypt.FKM.Gen
Microsoft          1.4602               2009.05.18   Worm:Win32/Cubspewt.A
NOD32              4083                 2009.05.18   Win32/AutoRun.Agent.HD
Norman             6.01.05              2009.05.16   -
nProtect           2009.1.8.0           2009.05.18   -
Panda              10.0.0.14            2009.05.18   -
PCTools            188.8.131.52         2009.05.18   -
Prevx              3.0                  2009.05.18   Medium Risk Malware
Rising             21.30.04.00          2009.05.18   Backdoor.Win32.VB.epv
Sophos             4.41.0               2009.05.18   -
Sunbelt            3.2.1858.2           2009.05.17   VIPRE.Suspicious
Symantec           184.108.40.206       2009.05.18   -
TheHacker          220.127.116.11.326   2009.05.18   -
TrendMicro         8.950.0.1092         2009.05.18   -
VBA32              18.104.22.168        2009.05.18   Win32.AutoRun.Agent.HD
ViRobot            2009.5.18.1739       2009.05.18   Backdoor.Win32.IRCBot.425984
VirusBuster        22.214.171.124       2009.05.18   -

Additional information
File size: 1359872 bytes
MD5:    c3c0a21affe511b8c96bd6dbb0b8c8a5
SHA1:   982cc92091d4bdfcc83a46f071441d92c6a44952
SHA256: ac228011b164ae1b7a28ba7c8175cce0803d18038c6a40507971ac178a7e2cf2
PEiD: BobSoft Mini Delphi -> BoB / BobSoft
PE timestamp: 0x496f67d7 (Thu Jan 15 16:44:07 2009), machine type 0x14c (I386), 6 sections, 0 exports
Imports (8): kernel32.dll (VirtualAlloc, VirtualFree, GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA), user32.dll (MessageBoxA), advapi32.dll (RegCloseKey), oleaut32.dll (SysFreeString), gdi32.dll (CreateFontA), shell32.dll (ShellExecuteA), version.dll (GetFileVersionInfoA), msvbvm60.dll (EVENT_SINK_GetIDsOfNames)
packers (Kaspersky): PE_Patch.Enigma
Right, overnight, Sophos must have been updated. It finally started detecting it as "Mal/UnkPack-Fam".
However, some of the PCs it has "cleaned" have been rendered totally useless. My colleague's PC, which was affected, can no longer run anything. Any time you try to launch an application you either get a message saying "Application not found" or you get an option box asking what application you want to use to open the program.
Is there any way to solve this issue without rebuilding the PC?
Funnily enough, I had installed NOD32 on my own PC and it removed the file with no issues at all.
System File Checker may help. If any changes were made to the main Windows system files, you could use sfc /scannow to restore them back to what they were. You will need the Windows CD.
SFC didn't work for the PCs because they were looking in the main for an ancient XP image on a RIS server that doesn't exist anymore and it didn't like the original XP CD.
Can you check the registry key HKEY_CLASSES_ROOT\
All of the file association registry keys are kept there.
I have been battling an unidentified virus that has been deleting this section of the registry or at least I thought it was a virus.
There should be a lot of registry keys starting with a .
.386 thru to .zip
If these are missing that is your problem.
Let me know what you find, PM me if need be.
You can export these and import them to the damaged machine as a workaround.
In the last month this has happened on a load of machines running Sophos when the clean-up options were set too aggressively.
According to Sophos, you should set your clean-up actions to "Do Nothing", especially on servers...
This blocks access to the suspect file but won't blow a hole in your hard disk! Nice to know.....
I'm still looking for answers on this one, the pattern starts with the file associations then services can't be restarted as registry keys and system files are deleted without trace or logging.
The machine will fail on reboot with registry corruptions.
I have seen some boot sectors erased also.
With the right Sophos settings it now seems to be under control, but not until we lost 8 servers and a dozen or more PCs on one site!
This is not just a Sophos problem, as I have seen identical symptoms on AVG-protected machines.
There seems to be a lot of false positive detection going on as well, SUS\Sality being reported in SIM Installer packages and HP driver packages downloaded from HP.
If you have all of the clean-up options set too high, your AV may start deleting files that are not affected at all, leaving you in a worse state than if they were!
Had the same issue on 2 PCs this week: virus removed, and users not able to log on (automatic logoff immediately after logon), or execute programs if able to log on. This is the procedure to fix the problem:
step 1: boot pc using WinPE or equivalent (bartpe, ubcd4win, ...) from cd/usb/pxe
step 2: run regedit inside WinPE (or bartpe, ...)
step 3: open the infected Windows' registry
- click HKEY_LOCAL_MACHINE
- in menu 'file', select ' load hive'
- browse to c:\windows\system32\config, and click file SOFTWARE (no extension)
- name the hive something (e.g. virus_removal_registry)
- browse to the registry key
HKEY_LOCAL_MACHINE\<e.g. virus_removal_registry>\Classes\exefile\shell\open\command
- change value from ("c:\windows\system32 \smss.exe" "%1" %*) to ("%1" %*) without the brackets!
- browse to registry key
HKEY_LOCAL_MACHINE\<e.g. virus_removal_registry>\Microsoft\Windows NT\CurrentVersion\WinLogon
- change value of userinit from (c:\WINDOWS\system32\userinit.exeC:\Windows\system32 \smss.exe)
to (c:\WINDOWS\system32\userinit.exe) without the brackets
step 4: reboot
First registry key tries to start the (removed) virus every time you execute an executable file (.exe). You can start an .exe file by renaming it to .com.
Second registry key loads virus every time a user logs on. If the virus has been removed, userinit will crash and logoff the user immediately.
- be careful when changing the registry, since a faulty registry may render Windows unusable
- if you don't have a WinPE or equivalent boot medium, you can run regedit in Windows if you rename regedit.exe to regedit.com
- don't forget to disable System Restore, or the virus might pop up again soon
Hope this helps!
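An added example, not code from any poster in this thread: a PowerShell script that audits the two registry values the procedure above edits (and restores them with -Repair), and also reports whether the HKEY_CLASSES_ROOT extension keys the earlier post asks about are present. It assumes stock Windows XP paths, the temporary hive name virus_removal_registry from the procedure, and either an elevated prompt on the live machine or WinPE with -HivePath pointing at the offline SOFTWARE hive.

```powershell
# Added example, not from the thread: audit (and with -Repair, restore) the registry
# values the procedure above edits, and report whether the HKCR file-association keys
# the earlier post asks about are present. Assumes stock XP paths; run elevated, or
# from WinPE with -HivePath pointing at the offline SOFTWARE hive.
param([string]$HivePath, [switch]$Repair)

$root = 'HKLM:\SOFTWARE'
if ($HivePath) {
    # Offline hive from WinPE, equivalent to File > Load Hive in regedit
    reg.exe load 'HKLM\virus_removal_registry' $HivePath | Out-Null
    $root = 'HKLM:\virus_removal_registry'
}

# Clean values as given in the procedure; a stock XP Userinit also ends with a comma,
# so the comparison ignores a trailing comma.
$checks = @(
    @{ Key = "$root\Classes\exefile\shell\open\command"; Name = '(default)'
       Clean = '"%1" %*' },
    @{ Key = "$root\Microsoft\Windows NT\CurrentVersion\Winlogon"; Name = 'Userinit'
       Clean = 'C:\WINDOWS\system32\userinit.exe' }
)

$tampered = 0
foreach ($c in $checks) {
    $current = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ("$current".Trim().TrimEnd(',') -ieq $c.Clean) {
        Write-Host "OK       $($c.Key)\$($c.Name) = $current"
        continue
    }
    $tampered++
    Write-Warning "TAMPERED $($c.Key)\$($c.Name) = [$current]"
    if ($Repair) {
        Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Clean
        Write-Host "         restored to $($c.Clean)"
    }
}

# File associations live under Classes as keys named .386 ... .zip; an AV clean-up that
# wiped them produces the "Application not found" symptom described above.
$extKeys = @(Get-ChildItem -Path "$root\Classes" | Where-Object { $_.PSChildName -like '.*' })
Write-Host "$($extKeys.Count) extension keys under $root\Classes"
foreach ($ext in '.exe', '.com', '.bat', '.lnk') {
    if (-not (Test-Path -Path "$root\Classes\$ext")) { Write-Warning "missing $ext key"; $tampered++ }
}

if ($HivePath) {
    [gc]::Collect()   # release handles so the hive can be unloaded
    reg.exe unload 'HKLM\virus_removal_registry' | Out-Null
}
exit $tampered   # non-zero when anything was found tampered or missing
```

The exit code is the number of problems found, so the script can be run across a lab from a login script and the results collected before deciding which machines need the offline repair.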