
Basic Procedures to Troubleshoot an Infected Computer


Today I received a report from a user: the computer is slow and seems to have been infected with an unknown virus or malware. There were no special symptoms other than slowness.

1. Check task manager and resource monitor

There is a process named smss.exe, with the description "Microsoft ® Console Based Script Host", using almost 75% CPU all the time. That description belongs to Microsoft's cscript.exe, not to smss.exe: the genuine Windows Session Manager (C:\Windows\System32\smss.exe) describes itself as "Windows Session Manager", is started by System (PID 4) and sits idle after boot, so a mismatch like this is the first red flag.

From Task Manager, I found the system was rebooted a couple of hours ago, very early in the morning, when the user was not around.

Also, no matter how you end this process, it comes back within 10 seconds, takes the CPU again and uses about 4 MB of memory. A respawn that fast means something else is watching it (a parent process, a scheduled task or a WMI event subscription), so killing the process on its own is not a fix.

If you show processes from all users, you will find there is another smss.exe whose description is Windows Session Manager; that one is the real Session Manager and must be left alone.

2. Check network traffic for this smss.exe
From the Network tab in Resource Monitor, you will find this suspicious smss.exe communicating with the remote address 51.15.69.136 on port 14444. The real smss.exe never opens network connections, so any socket owned by a process of that name is conclusive on its own.
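The same triage as steps 1 and 2, scripted so it can be repeated on another machine. This is an added example, not code from the original post. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (Get-NetTCPConnection and the CIM cmdlets); the parameter names and the "Verdict" rule are mine, and the suspect name and remote address are only defaults taken from the observations above.

```powershell
param(
    [string]$SuspectName    = 'smss.exe',      # image name seen in Task Manager
    [string]$KnownBadRemote = '51.15.69.136'   # endpoint seen in Resource Monitor (step 2)
)

$system32 = Join-Path $env:SystemRoot 'System32'

# Win32_Process exposes ParentProcessId and ExecutablePath; Get-Process alone does not.
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = '$SuspectName'") {
    $path   = $p.ExecutablePath
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue
    # A parent that has already exited usually means a dropper ran, launched this, and quit.
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    # The genuine Session Manager lives in System32, is signed by Microsoft and opens no sockets.
    $inSystem32 = [bool]$path -and ($path -like "$system32\*")
    $sigStatus  = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else {
        'NoFile'   # hidden, deleted right after launch, or access denied: all worth noting
    }

    # Established TCP sessions owned by this PID, ignoring loopback.
    $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') }
    $remotes  = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
    $knownBad = [bool]($conns | Where-Object { $_.RemoteAddress -eq $KnownBadRemote })
    $verdict  = if ($inSystem32 -and $sigStatus -eq 'Valid' -and -not $conns) { 'likely genuine' } else { 'SUSPECT' }

    [pscustomobject]@{
        PID        = $p.ProcessId
        Path       = $path
        InSystem32 = $inSystem32
        Signature  = $sigStatus
        ParentPID  = $p.ParentProcessId
        Parent     = $parentName
        Remote     = $remotes
        KnownBad   = $knownBad
        Verdict    = $verdict
    }
}
```

Save it as a .ps1 and run it from an elevated prompt; pipe the output to Format-List to read the long paths. The point of recording Path and ParentPID is that the infected machine here had two processes with the same name: the one outside System32, unsigned or with no file behind it, and with an established connection, is the one to deal with, and its parent (if still alive) is what keeps re-launching it.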

3. Suspend this process
Since most of the CPU is taken by this program and ending the process does not work (it is re-launched within seconds), the best you can do is suspend the process from the right-click context menu in Resource Monitor (Start menu -> Run -> resmon). A suspended process stops consuming CPU but stays in memory, so its image can still be dumped and examined, and the watchdog that re-launches it after a kill usually still sees it as running.

3.1 Access Resource Monitor (where you can suspend the process):
a. from Task Manager

  • Use CTRL-SHIFT-ESC or CTRL-ALT-DELETE or another method to open Windows Task Manager.
  • Click the Performance tab.
  • In the lower part of the Task Manager, click the Resource Monitor button.

b. from Start Menu

  • Click the Start Menu
  • Click All Programs
  • Click Accessories
  • Click Run
  • type resmon.exe and press ENTER 

c. Use Run Command

  • Use [WINKEY]-R to open the Run command
  • type resmon.exe and press ENTER or RETURN

Note: perfmon is Performance Monitor. resmon is Resource Monitor.

3.2 Suspend/Resume the process:

  • Click the Memory tab
  • Right-Click the process you wish to suspend
  • Click the Suspend Process item
  • Click Resume Process when you are finished
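The same "Suspend Process" action done from PowerShell, so that every rogue copy can be frozen at once and its parent recorded before anything is changed. This is an added example, not code from the original post. It assumes an elevated session; the function names (Set-ProcessSuspended, Suspend-RogueCopies) and the rule "anything named smss.exe outside System32" are mine. NtSuspendProcess/NtResumeProcess are undocumented ntdll exports, but they are present on every supported Windows version and are the only way to suspend a whole process short of suspending each thread.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NativeProc {
    // The only access right suspend/resume needs; do not open with PROCESS_ALL_ACCESS.
    public const uint PROCESS_SUSPEND_RESUME = 0x0800;
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
    [DllImport("ntdll.dll")]
    public static extern int NtSuspendProcess(IntPtr processHandle);
    [DllImport("ntdll.dll")]
    public static extern int NtResumeProcess(IntPtr processHandle);
}
'@

function Set-ProcessSuspended {
    param([Parameter(Mandatory)][int]$ProcessId, [switch]$Resume)
    $h = [NativeProc]::OpenProcess([NativeProc]::PROCESS_SUSPEND_RESUME, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = New-Object ComponentModel.Win32Exception ([Runtime.InteropServices.Marshal]::GetLastWin32Error())
        throw "OpenProcess($ProcessId) failed: $($err.Message)"
    }
    try {
        $status = if ($Resume) { [NativeProc]::NtResumeProcess($h) } else { [NativeProc]::NtSuspendProcess($h) }
        # NTSTATUS: zero is success, negative values are errors (printed as two's-complement hex).
        if ($status -ne 0) { throw ('NtSuspend/ResumeProcess failed, NTSTATUS 0x{0:X8}' -f $status) }
    } finally {
        [void][NativeProc]::CloseHandle($h)
    }
}

function Suspend-RogueCopies {
    param([string]$Name = 'smss.exe', [switch]$Resume)
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = '$Name'") {
        # Never touch the real Session Manager: freezing it hangs the machine. If the path cannot
        # be read, skip rather than guess.
        if (-not $p.ExecutablePath) { Write-Warning "PID $($p.ProcessId): path unreadable, skipped"; continue }
        if ($p.ExecutablePath -like "$system32\*") { continue }

        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue
        $parentCmd = if ($parent) { $parent.CommandLine } else { '<exited>' }   # the respawner, if still alive
        Set-ProcessSuspended -ProcessId $p.ProcessId -Resume:$Resume
        $action = if ($Resume) { 'resumed' } else { 'suspended' }
        [pscustomobject]@{
            PID       = $p.ProcessId
            Path      = $p.ExecutablePath
            Action    = $action
            ParentPID = $p.ParentProcessId
            Parent    = $parentCmd
        }
    }
}

Suspend-RogueCopies            # freeze every rogue copy; run with -Resume to undo
```

Suspending rather than killing keeps the process image in memory (the file on disk may already be gone, as the note at the end of this post found), and it is reversible: Suspend-RogueCopies -Resume puts things back if the wrong process was frozen.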

4. Install Malwarebytes and scan

5. Analyze Scan Results

Malwarebytes blocked two outbound website connections and blocked two malware executables from running.

c:\windows\system32\wbem\scrcons.exe is trying to connect to wmi.my0115.ru on port 62903
C:\windows\Help\www.exe is trying to connect to ww.kuai-go.com on port 62909
It also found a Trojan.ShadowBrokers malware.

Note that scrcons.exe itself is a legitimate, Microsoft-signed binary: it is the WMI Standard Event Consumer scripting host, which only runs when an ActiveScriptEventConsumer registered in the root\subscription WMI namespace fires. A signed system binary reaching out to a hostile domain therefore means a malicious WMI event subscription is present, not that the file was replaced, and such a subscription is a likely source of the re-launching seen in step 1. C:\windows\Help, on the other hand, is not a location any Windows executable normally runs from.

All the remote sites, including 51.15.69.136, ww.kuai-go.com and wmi.my0115.ru, are listed as malicious at virustotal.com.
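A check for the WMI persistence that scrcons.exe activity in step 5 points to. This is an added example, not code from the original post, and the post does not say which mechanism this particular infection used; the script shows whether one is there. It assumes an elevated session and the CIM cmdlets (PowerShell 3 or later); the function name, the -Remove switch and the keyword list used for the Suspicious column are mine. Read the listing before using -Remove, because some management software legitimately registers subscriptions here.

```powershell
function Get-WmiPersistence {
    param([switch]$Remove)
    $ns = 'root\subscription'
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    # Binding.Filter / Binding.Consumer are references; CIM returns them as key-only instances,
    # WMI returns them as path strings, so handle both.
    function Get-RefName($ref) {
        if ($ref -is [string]) { return ($ref -replace '.*Name="([^"]*)".*', '$1') }
        return $ref.Name
    }
    # Consumer types that execute attacker-supplied content.
    $activeTypes = 'ActiveScriptEventConsumer', 'CommandLineEventConsumer'

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName }
        $c = $consumers | Where-Object { $_.Name -eq $cName }
        $type = $c.CimClass.CimClassName

        # What actually runs: scrcons.exe hosts ActiveScript consumers (ScriptText or ScriptFilename),
        # CommandLine consumers spawn a process.
        $payload = switch ($type) {
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFilename } }
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            default                     { '' }
        }
        $suspicious = ($type -in $activeTypes) -and
                      ($payload -match 'http|powershell|cmd\.exe|\.exe|wscript|cscript|download|-enc')

        [pscustomobject]@{
            Filter     = $fName
            Query      = $f.Query        # the trigger, e.g. a timer or a process-start event
            Consumer   = $cName
            Type       = $type
            Payload    = $payload
            Suspicious = $suspicious
        }

        if ($Remove -and ($type -in $activeTypes)) {
            # Delete the binding first so the consumer cannot fire while its parts are removed.
            $b | Remove-CimInstance
            $c | Remove-CimInstance
            $f | Remove-CimInstance
        }
    }
}

Get-WmiPersistence | Format-List
```

An empty result means scrcons.exe had no script to run and the connection came from somewhere else; a filter with a __TimerInstruction or an __InstanceCreationEvent query bound to a script that writes a file under a Windows directory is the pattern that matches what steps 1 and 5 observed. After removal, re-run the listing and then re-run the Malwarebytes scan as in step 6.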

6. Remove those suspicious files and re-run Malwarebytes to confirm the system is clean

Note: Many users will reboot once they think the system is slow. The fact is that a process like this smss.exe might not come back under the same name after a reboot: the infection will spawn and re-launch another program to replace it. I have tried to search for where this smss.exe is, but could not find one. Here is my search result on this computer.
