SMSS.exe Virus? (Major Outbreak!)
The issue all started a few days ago when I noticed a PC I was using kept hiding the extensions of known files types as I was working. Hidden File Extensions is one of my pet hates, so I ensure it is disabled in all of my builds. What was annoying was this particular PC was hiding them even after I had changed the setting in Folder Options. No matter what I did it changed it back to hidden.
A few days later I noticed the same issue on my desk PC and also noticed that hidden files could not be unhidden either. Now we have had an outbreak of students and staff not being able to log in because the "Personalised Settings" window when logging in gets stuck at "IE7 Uninstall Stub" - We haven't even run an uninstaller for IE7. When you fire up Task Manager, kill Explorer.exe and restart it, you get a horrible "pink bug" icon flash 2 or 3 times in the Task Manager window before it disappears and loads the desktop. Definitely a virus!
Sophos was being its reliable self and not finding anything. So, on my PC, I ditched it and have just installed Kaspersky Internet Security. Straight away it popped up with a process trying to run, that had that horrible icon... SMSS.exe. I'm doing a full Kaspersky scan right now. It's giving me lots of pop ups telling me SMSS.exe is trying to edit the registry, particularly the part that shows hidden files, but Kaspersky is doing its bit to block it. My colleague's machine that is also infected (running Sophos) isn't picking up anything. In fact, the virus is refusing to allow Sophos to even run! The Enterprise Console isn't finding anything when scanning the PC either.
Has anyone encountered something like this before? How can we disinfect the PCs on our network if Sophos isn't even recognising it?
I've had enough of Sophos, no wonder we get it for free! I'm surprised they can sell it at all! :mad:
How to clean up PC after virus removal
Had the same issue on 2 PCs this week: virus removed, and users not able to log on (automatic logoff immediately after logon), or execute programs if able to log on. This is the procedure to fix the problem:
step 1: boot pc using WinPE or equivalent (bartpe, ubcd4win, ...) from cd/usb/pxe
step 2: run regedit inside WinPE (or bartpe, ...)
step 3: open infected windows' registry
- click HKEY_LOCAL_MACHINE
- in menu 'file', select ' load hive'
- browse to c:\windows\system32\config, and click file SOFTWARE (no extension)
- name the hive something (e.g. virus_removal_registry)
- browse to the registry key
HKEY_LOCAL_MACHINE\<e.g. virus_removal_registry>\Classes\exefile\shell\open\command
- change value from ("c:\windows\system32\smss.exe" "%1" %*) to ("%1" %*) without the brackets!
- browse to registry key
HKEY_LOCAL_MACHINE\<e.g. virus_removal_registry>\Microsoft\Windows NT\CurrentVersion\WinLogon
- change value of userinit from (c:\WINDOWS\system32\userinit.exe,C:\Windows\system32\smss.exe)
to (c:\WINDOWS\system32\userinit.exe) without the brackets
step 4: reboot
First registry key tries to start the (removed) virus every time you execute an executable file (.exe). You can start an .exe file by renaming it to .com
Second registry key loads virus every time a user logs on. If the virus has been removed, userinit will crash and logoff the user immediately.
- be careful when changing the registry, since a faulty registry may render Windows unusable :)
- if you don't have a WinPE or equivalent boot medium, you can run regedit in Windows if you rename regedit.exe to regedit.com
- don't forget to disable system restore, or the virus might pop up again soon :)
Hope this helps!
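To check whether a machine still carries the two persistence hooks the post above edits by hand, here is an added PowerShell audit script (not from the original post or either poster). It reports and changes nothing; the `-OfflineHive` parameter, the temporary hive name and the path to the offline SOFTWARE hive are assumptions that mirror the WinPE procedure described in the post.

```powershell
# Added example: audit the exefile launch handler and the Winlogon Userinit value,
# either on the running system or on an offline SOFTWARE hive loaded from WinPE.
param(
    # Assumption: path to an offline hive, e.g. C:\Windows\System32\config\SOFTWARE.
    # Omit the parameter to audit the system you are currently running on.
    [string]$OfflineHive
)

$hiveName = 'virus_removal_registry'   # same temporary name the post uses
if ($OfflineHive) {
    & reg.exe load "HKLM\$hiveName" $OfflineHive | Out-Null
    $root = "HKLM:\$hiveName"
} else {
    $root = 'HKLM:\SOFTWARE'
}

try {
    # 1) .exe launch handler. The clean default value is  "%1" %*  ; the infection
    #    prepends its own smss.exe so it runs before every executable you start.
    $cmdKey = Join-Path $root 'Classes\exefile\shell\open\command'
    $cmd    = (Get-ItemProperty -Path $cmdKey).'(default)'
    if ($cmd -ne '"%1" %*') {
        Write-Warning "exefile open command is not the default: $cmd"
    } else {
        Write-Output 'exefile open command: OK'
    }

    # 2) Winlogon Userinit. The clean value is a single userinit.exe entry (a trailing
    #    comma is normal on Windows); anything appended after it runs at every logon.
    $wlKey    = Join-Path $root 'Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $wlKey -Name 'Userinit').Userinit
    $entries  = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $extra    = $entries | Where-Object { $_ -notmatch '\\userinit\.exe$' }
    if ($extra) {
        Write-Warning "Userinit carries extra entries: $($extra -join '; ')"
    } else {
        Write-Output 'Userinit: OK'
    }
} finally {
    # Always unload the offline hive, even if one of the reads failed.
    if ($OfflineHive) { & reg.exe unload "HKLM\$hiveName" | Out-Null }
}
```

Run it from an elevated prompt; a warning on either check means the corresponding step of the procedure above still needs to be applied (or was reverted by a restore point).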