First off I must suggest that everyone ALWAYS RUN RKill as IEXPLORE.EXE so you can detect Trojans like this!
I had a computer (Windows 10 Pro) tonight that had a bunch of crapware and bogus antivirus that just “appeared” on May 20th. The kids were being blamed, but it just didn’t add up since nothing aside from all of this junk was installed on the same day at/around the same time. Running RKill as RKill.exe didn’t detect anything, so I ran AdwCleaner, which found a whole bunch of junk, and after a reboot all of the infections looked to be gone.
Well don’t ever stop there! Once infections are cleaned up it’s always best to start from the beginning (of your toolkit) in case one of them was hiding something else.
I then realized I had run RKill as rkill.exe and not iexplore.exe (some infections will look for the name rkill.exe and work to hide themselves, but iexplore.exe is the name of Internet Explorer so they won’t hide from that file). So I renamed my file and ran it (as Administrator – another thing you always need to do) and this time it found and killed the Windows Service file smass.exe (which is close in name to smss.exe – if found inside of C:\Windows\System32\ it’s OK). Looking at its file location it was obvious it was NOT a real service and based on its location had to be bad news. This file was located at “C:\ProgramData\Microsoft\Windows\WindowsAccountManager\smass.exe” so I browsed in to delete it and it was already running again. After finding out I could not do anything with the Windows Account Manager service (all options were greyed out) I rebooted Windows 10 into a Command Prompt, and browsed to the file directly. I then renamed it (just to make sure I don’t break anything major on the next reboot), then backed up and renamed the folder I was in (once again to be safe), and rebooted Windows to the desktop. No error on boot and the service is no longer listed and RKill (as iexplore.exe) doesn’t find anything…
Now on to all my other scanning tools – See the Self Help list for all that I use when cleaning infections…but nothing there will teach you things like this.
NOTE: What I could find about smass.exe is that it’s a Dropper Trojan, but I am guessing it has other file names, which is why the only pages I found about it were questionable and linked to “support” downloads to fix it…most likely these sites were created by the same people, or the same kind of people, that made the Dropper Trojan in the first place.
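The tell in the story above is a service whose binary lives under C:\ProgramData with a name one letter off from smss.exe. The script below is an added example written for this post (not RKill’s or AdwCleaner’s code, and not from the original post): it lists every Windows service whose executable sits outside the normal system and program directories, or whose file name is a one-character edit away from a core Windows process name. It only reports; it deletes nothing. The trusted directory list and the core process names are my assumptions for the check, not something the post specifies. Run it from an elevated PowerShell.

```powershell
# Added example (not from the original post): audit Windows services whose binary
# lives outside the usual system directories, or whose name mimics a core process
# such as smss.exe. Read-only: it flags, it does not delete. Run elevated.

# Assumed trusted locations for service binaries (adjust for your environment).
$trusted = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)
# Core process names worth comparing against; 'smass.exe' from the post is one
# character away from 'smss.exe'.
$coreNames = @('smss.exe', 'csrss.exe', 'lsass.exe', 'svchost.exe', 'winlogon.exe', 'services.exe')

function Get-ServiceBinary {
    param([string]$PathName)
    # PathName may be quoted and carry arguments; pull out just the executable.
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return $PathName
}

function Get-Levenshtein {
    param([string]$a, [string]$b)
    # Classic dynamic-programming edit distance, used to spot look-alike names.
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ServiceBinary $_.PathName
    if (-not $exe) { return }
    $leaf = [IO.Path]::GetFileName($exe).ToLower()
    $reasons = @()

    # Reason 1: binary is not under a trusted directory.
    $inTrusted = $false
    foreach ($t in $trusted) {
        if ($exe.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    if (-not $inTrusted) { $reasons += "binary outside system/program dirs: $exe" }
    if ($exe -like "$env:ProgramData\*") { $reasons += "binary under ProgramData" }

    # Reason 2: file name is exactly one edit away from a core process name
    # (an exact core name is not flagged here; its location check above covers it).
    foreach ($c in $coreNames) {
        if ($leaf -ne $c -and (Get-Levenshtein $leaf $c) -eq 1) {
            $reasons += "name '$leaf' resembles core process '$c'"
        }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            State       = $_.State
            Binary      = $exe
            Reasons     = ($reasons -join '; ')
        }
    }
} | Format-List
```

Expect some legitimate hits (third-party software that installs its service under ProgramData or a vendor folder is not unusual); the point is to get a short list worth looking at by hand, which is exactly what the Services console did not make easy here.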
If you are like I was and find that your ##GB USB key is only showing 2MB or 3MB and needs to be formatted, you might need to “clean” it. These directions are for a Windows computer. Check the Size column carefully before you select a disk: clean wipes everything on the selected disk.
Open an Administrative Command Prompt, run diskpart, and at the DISKPART> prompt:
DISKPART> list disk
  Disk ###  Status   Size     Free     Dyn  Gpt
  --------  -------  -------  -------  ---  ---
  Disk 0    Online   408 GB   0 B
  Disk 1    Online   7509 MB  6619 MB
DISKPART> select disk 1
Disk 1 is now the selected disk.
DISKPART> clean
DiskPart succeeded in cleaning the disk.
DISKPART> create partition primary
DiskPart succeeded in creating the specified partition.
You will then need to format the USB key like usual.
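The same clean / create partition / format sequence can be done with the Storage cmdlets, which lets you add the guards diskpart does not have. This is an added example, not part of the original post and not Microsoft’s documentation: the Reset-UsbDisk function name, the USB-bus and boot-disk checks, and the FAT32 default are my choices. It destroys all data on the chosen disk. Run it from an elevated PowerShell on Windows 8 or later.

```powershell
# Added example (not from the original post): the diskpart 'clean' procedure done
# with the Storage cmdlets, with guards so the wrong disk cannot be wiped.
# Run from an elevated PowerShell. Destroys all data on the chosen USB disk.
function Reset-UsbDisk {
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [string]$FileSystem = 'FAT32',   # assumption: FAT32 for broad compatibility
        [string]$Label = 'USB'
    )
    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

    # Guard 1: refuse anything that is not on the USB bus.
    if ($disk.BusType -ne 'USB') {
        throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB; refusing to clean it."
    }
    # Guard 2: refuse the disk Windows booted from or the one holding the system partition.
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber is a boot/system disk; refusing."
    }

    Write-Host ("Wiping disk {0}: {1} ({2:N0} MB, partition style {3})" -f `
        $disk.Number, $disk.FriendlyName, ($disk.Size / 1MB), $disk.PartitionStyle)

    # Equivalent of DISKPART> clean: removes every partition and the partition table.
    Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false
    # A cleaned disk comes back RAW; give it an MBR table so older hosts can read it.
    Initialize-Disk -Number $DiskNumber -PartitionStyle MBR
    # Equivalent of DISKPART> create partition primary, then the format the post
    # leaves to the Explorer dialog.
    $part = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -AssignDriveLetter
    Format-Volume -DriveLetter $part.DriveLetter -FileSystem $FileSystem `
        -NewFileSystemLabel $Label -Confirm:$false | Out-Null
    Get-Volume -DriveLetter $part.DriveLetter
}

# List USB candidates first; the Number column is what you pass to Reset-UsbDisk.
Get-Disk | Where-Object BusType -eq 'USB' |
    Select-Object Number, FriendlyName, @{n = 'SizeMB'; e = { [int]($_.Size / 1MB) } }, PartitionStyle

# Reset-UsbDisk -DiskNumber 1   # uncomment only after checking the list above
```

The USB-bus check is the important part: a typo in the disk number at a DISKPART> prompt is not recoverable, whereas here the function refuses anything that is not a USB device.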
This is pretty much a lot of copy and paste from the article on the Apple Support site, but I wanted to be able to find it more easily than by looking on their site.
See if the bad update was installed:
Follow these steps to see if the update was installed on your Mac.
- Launch the System Information app (Applications > Utilities or hold down the Option key and select Apple menu > System Information).
- In the left column, look for the Software header and expand it if needed. Select Installations.
- In the list in the top section of the main window, click the Software Name header to alphabetize the list.
- Scroll through the list and look for “Incompatible Kernel Extension Configuration Data” in the Software Name column. Then look at the version number.
- If the version is 3.28.1, you have the bad update and will need to get the latest version.
Install the new update via Wi-Fi:
Assuming you have Wi-Fi, you can use it to get the update. Get connected over Wi-Fi and follow these steps.
- Launch Terminal (Applications > Utilities).
- Enter the following:
sudo softwareupdate --background
This will update Incompatible Kernel Extension Configuration Data to version 3.28.2, which will correct the problem.
If, like me, you just want to disable hibernation to save disk space:
- Open an elevated command prompt
- Type in “powercfg -h [off/on]”
- Hit ENTER
- IF ON A LAPTOP: Look under Control Panel-> Power Options->Change Plan Settings->Change Advanced Power Settings->Battery and make sure none of the options are set to use “Hibernate”
High CPU load caused by rundll32.exe can be seen after any Windows 7, 8, 8.1, or 10 upgrade or installation. The following items need to be disabled:
- Control Panel->Administrative tools->Task Scheduler
- Browse into Task Scheduler Library->Microsoft->Windows->Customer Experience Improvement Program
- Disable (right-click) all 3 of the following items under here: Consolidator, KernelCeipTask, UsbCeip
You should no longer see rundll32.exe chewing up so much CPU. On a Windows 10 machine (upgraded from Windows 7) I worked on tonight this change took launching an app from 20-60 seconds of delay to almost no delay at all.
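The three tasks can be disabled from an elevated PowerShell instead of clicking through Task Scheduler, which also makes it easy to confirm the change took. This is an added example for this post, not the post’s own instructions or Microsoft’s: the task path and the three task names are the ones the post lists, and the Get-CeipTaskState helper is my addition.

```powershell
# Added example (not from the original post): disable the three CEIP scheduled
# tasks the post names and confirm their state afterwards. Run elevated.
$taskPath  = '\Microsoft\Windows\Customer Experience Improvement Program\'
$taskNames = 'Consolidator', 'KernelCeipTask', 'UsbCeip'

function Get-CeipTaskState {
    # Returns one row per task: current state plus what the task runs.
    # COM-handler tasks have no Execute/Arguments, so Action may be blank.
    foreach ($name in $taskNames) {
        $t = Get-ScheduledTask -TaskPath $taskPath -TaskName $name -ErrorAction SilentlyContinue
        if ($t) {
            $action = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' | '
            [pscustomobject]@{ Task = $name; State = $t.State; Action = $action }
        } else {
            [pscustomobject]@{ Task = $name; State = 'not present'; Action = '' }
        }
    }
}

"Before:"
Get-CeipTaskState | Format-Table -AutoSize

foreach ($name in $taskNames) {
    # Disable rather than delete, so the change is reversible with Enable-ScheduledTask.
    Disable-ScheduledTask -TaskPath $taskPath -TaskName $name -ErrorAction SilentlyContinue | Out-Null
}

"After:"
Get-CeipTaskState | Format-Table -AutoSize

# Check whether any rundll32.exe is still running and what it was launched with,
# so a remaining CPU hog can be traced to its actual command line.
Get-Process rundll32 -ErrorAction SilentlyContinue |
    Select-Object Id, CPU, StartTime,
        @{n = 'CommandLine'; e = { (Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Id)").CommandLine } }
```

The State column should read Disabled for all three after the loop runs. If rundll32.exe is still busy afterwards, the CommandLine column shows which DLL it is hosting, which is the next thing to look at rather than rundll32.exe itself.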