Beware of SMSS. EXE Trojans

SMSS. EXE (Session Manager Subsystem), which is used by the Session management Subsystem to initialize system variables. The MS-DOS driver name is similar to LPT1 and COM. It calls the Win32 shell sub-system and runs in the Windows login process. It is a session management subsystem that starts user sessions. Threads) and set system variables. After it starts these processes, it waits until Winlogon or Csrss ends. If these processes are normal, the system will shut down. If something unexpected occurs, smss.exe will stop the system from responding (suspended ). Note: if there is not only one smss.exepath in the system, and the path of smss.exe is "% WINDIR % SMSS. EXE", it must be a virus or Trojan.

Solution:

(1) create a batch file (for example, d. bat) in the Windows directory ):

Del 1.com
Del finders.com
Del debugdebugprogram *. exe
Del exerouter.exe/ar
Del exerouter.exe/ah
Del exp10rer.exe/ar
Del exp10rer.exe/ah
Del d: command.com/ah
Del d: command.com/ar
Del smss.exe/ar
Del smss.exe/ah
Assoc. exe = exefile

(2) Start-run cmd, enter the windnows directory, and run d. bat.

(3) modify the registry:

HKLMSoftwareMicrosoftWindowsCurrentVersionRun, delete the TProgram item.
HKLMSoftwareMicrosoftWindowsNTCurrentVersionWinlogon: Change the Shell value from assumer.exe 1 to assumer.exe.

(4) RESET immediately after the registry is modified (cold start ).

(5) After entering the system, Run d. bat again.

(6) fix the association between EXE and HTM

Bytes.

(7) There is no smss.exe trojan in the final process (about the file with more than 5000 KB). If there is any, repeat the above operations in safe mode with command lines.