BonaDea2008
May 16 2008, 11:07 PM
Unfortunately, I don't have enough information to enter smsn.exe into the start-up database. At least, I don't think I do. I can't find it in any "English" database, but I did an internet search and found this
http://www.virit.com/startup/scheda.asp?num=4150 on a Spanish-speaking database. It's easy enough to figure out what the site is saying about the start-up, even if you don't speak Spanish. It claims it's part of a trojan. It came up under my O23 listings in HJT but it didn't give a lot of information. Anybody out there know how to run down more information on this?
Grinler
May 18 2008, 06:22 PM
You need to provide more information as to where it is located on your PC, what the service display name and service name are, etc.
BonaDea2008
May 21 2008, 02:53 PM
Here's the complete O23 listing:
O23 - Service: Windows Audio Server (Audios) - Unknown Owner - c:\Recycle\smsn.exe
That's all the information I have. Thanks.
Grinler
May 21 2008, 04:08 PM
Definitely malware.
Let me get a sample. Please submit this file:
c:\Recycle\smsn.exe
to
http://www.bleepingcomputer.com/submit-malware.php?channel=3
BonaDea2008
May 23 2008, 11:45 AM
I've been trying to get a sample of that file for you. Here are a couple of problems I'm running into. First, when I use Windows to navigate to the "Recycle" folder, it says the folder is empty. When I run cmd and do a "dir" of the "recycle" directory, I get two directories named:
2008-05-20 13:02 <DIR> .
2008-05-20 13:02 <DIR> ..
I cannot do a cd to either of these directories (. and .. dirs).
When I do a "dir \a" (for hidden files), this is what I get:
Directory of C:\
File Not Found
In Win 2000 "\a" should be sufficient for finding hidden files, but even when I add the switch [h], I get the same results as above.
Another interesting thing: apparently the file changes its name spontaneously. In my first HJT log on 05/13, this is what I got (this is copied and pasted from HJT log):
O23 - Service: Windows Audio Server (Audios) - Unknown owner - c:\Recycle\smsn.exe
Today, I run HJT and get this:
O23 - Service: Windows Audio Server (Audios) - Unknown owner - c:\Recycle\smsa.exe
Notice the last letter in the file name has changed.
When I check my task manager it shows up as a running process with the following information:
PID 492 CPU 00 CPU Time 0:00:00 Mem Usage 3,932
Could this be an ADS attached to a directory? Should I download and run Lads? Is there an alternative to Lads if I don't have an unzip program? (If Lads is really best, I'll get an unzip program.) Any tips on how to isolate the file so I can send it to you?
Thanks for any help you can provide in isolating this file.
Grinler
May 25 2008, 06:24 AM
I would follow the prep guide here:
http://www.bleepingcomputer.com/forums/forum22.html and post a DSS log. Sounds like you have more than one malware infection and should be properly looked at. This forum is not designed for that purpose.
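
Added example, not part of the original thread and not a HijackThis or BleepingComputer tool: a small script that compares the O23 service entries of two HijackThis logs and flags the signs discussed above (unknown owner, a binary running from a recycle-style folder, an image path that changes between scans). The function names, the `SUSPECT_DIRS` list and the `ExampleUpd` log line are assumptions made for the illustration.

```python
import re
from pathlib import PureWindowsPath

# O23 line layout: "O23 - Service: <display name> (<service name>) - <owner> - <image path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption: directories no legitimate service binary should run from.
SUSPECT_DIRS = {"recycle", "recycled", "recycler", "$recycle.bin", "temp", "tmp"}

def parse_o23(log_text):
    """Return {service name: (owner, image path)} for every O23 line in a log."""
    services = {}
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            services[m["name"].lower()] = (m["owner"], m["path"])
    return services

def review_services(old_log, new_log):
    """Compare two logs; return {service name: [reasons]} for entries worth a closer look."""
    old, new = parse_o23(old_log), parse_o23(new_log)
    findings = {}
    for name, (owner, path) in new.items():
        reasons = []
        if owner.lower() == "unknown owner":
            reasons.append("unknown owner")
        parents = {p.lower() for p in PureWindowsPath(path).parent.parts}
        if parents & SUSPECT_DIRS:
            reasons.append("runs from recycle/temp directory")
        if name in old and old[name][1].lower() != path.lower():
            reasons.append(f"image path changed: {old[name][1]} -> {path}")
        if reasons:
            findings[name] = reasons
    return findings

# Sample logs: the Audios lines are the ones quoted in the thread;
# the ExampleUpd line is constructed for contrast.
LOG_0513 = r"""
O23 - Service: Windows Audio Server (Audios) - Unknown owner - c:\Recycle\smsn.exe
O23 - Service: Example Update Service (ExampleUpd) - Example Corp - C:\Program Files\Example\upd.exe
"""
LOG_0523 = r"""
O23 - Service: Windows Audio Server (Audios) - Unknown owner - c:\Recycle\smsa.exe
O23 - Service: Example Update Service (ExampleUpd) - Example Corp - C:\Program Files\Example\upd.exe
"""

if __name__ == "__main__":
    for svc, why in review_services(LOG_0513, LOG_0523).items():
        print(svc, "->", "; ".join(why))
```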