Try New Technology

smass.exe (Windows Account Manager service) – Dropper Trojan/Virus

by on May.27, 2016, under Techie

First off, I must suggest that everyone ALWAYS RUN RKill as IEXPLORE.EXE so you can detect Trojans like this!

I had a computer (Windows 10 Pro) tonight that had a bunch of crapware and bogus antivirus that just “appeared” on May 20th. The kids were being blamed, but it just didn’t add up since nothing aside from all of this junk was installed on the same day at/around the same time. Running RKill as RKill.exe didn’t detect anything, so then AdwCleaner found a whole bunch of junk and after a reboot looked to have all the infections gone.

Well, don’t ever stop there! Once infections are cleaned up it’s always best to start from the beginning (of your toolkit) in case one of them was hiding something else.

I then realized I had run RKill as rkill.exe and not iexplore.exe (some infections will look for the name rkill.exe and work to hide themselves, but iexplore.exe is the name of Internet Explorer so they won’t hide from that file). So I renamed my file and ran it (as Administrator – another thing you always need to do) and this time it found and killed the Windows Service file smass.exe (which is close in name to smss.exe – if found inside of the C:\Windows\System32\ it’s OK). Looking at its file location it was obvious it was NOT a real service and based on its location had to be bad news. This file was located at “C:\ProgramData\Microsoft\Windows\WindowsAccountManager\smass.exe” so I browsed in to delete it and it was already running again. After finding out I could not do anything with the Windows Account Manager service (all options were grey) I rebooted Windows 10 into a Command Prompt, and browsed to the file directly. I then renamed it (just to make sure I don’t break anything major on the next reboot), then backed up and renamed the folder I was in (once again to be safe), and rebooted Windows to the desktop. No error on boot and the service is no longer listed and RKill (as iexplore.exe) doesn’t find anything…
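As an added example (not part of the original post), here is a small Python check for the pattern described above: a service binary whose name is one character away from a real Windows binary, or a real name running from outside System32. The binary list, function names and sample inventory are assumptions constructed for illustration, and image paths are assumed to carry no command-line arguments.

```python
import ntpath

# Assumption: a small sample of core Windows binaries expected under System32.
SYSTEM_BINARIES = {"smss.exe", "lsass.exe", "csrss.exe", "svchost.exe",
                   "services.exe", "winlogon.exe"}
SYSTEM_DIR = r"c:\windows\system32"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_image(path: str):
    """Return a finding string for a suspicious image path, or None."""
    norm = ntpath.normpath(path.strip('"')).lower()
    folder, name = ntpath.split(norm)
    if name in SYSTEM_BINARIES:
        # Right name, wrong folder: a real system name used as cover.
        return None if folder == SYSTEM_DIR else f"{name} outside System32"
    for real in sorted(SYSTEM_BINARIES):
        # One edit away from a real name: look-alike such as smass.exe.
        if edit_distance(name, real) <= 1:
            return f"{name} resembles {real}"
    return None


# Constructed sample inventory (service display name -> image path).
SAMPLE = {
    "Session Manager": r"C:\Windows\System32\smss.exe",
    "Windows Account Manager":
        r"C:\ProgramData\Microsoft\Windows\WindowsAccountManager\smass.exe",
    "Fake LSASS": r"C:\Users\Public\lsass.exe",
    "Print Spooler": r"C:\Windows\System32\spoolsv.exe",
}


def scan(inventory):
    """Map each flagged service name to its finding."""
    return {svc: hit for svc, p in inventory.items() if (hit := check_image(p))}


if __name__ == "__main__":
    for svc, hit in scan(SAMPLE).items():
        print(f"{svc}: {hit}")
```

A hit is a reason to look at the file's location and signature by hand, not proof of infection.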

Now on to all my other scanning tools – See the Self Help list for all that I use when cleaning infections…but nothing there will teach you things like this.

NOTE: What I could find about the smass.exe is that it’s a Dropper Trojan, but I am guessing it has other file names, which is why the only pages I found about it were questionable and linked to “support” downloads to fix it…most likely these sites were created by the same people or the same kind of people that made the Dropper Trojan in the first place.

