Smsn.exe


5 replies to this topic

#1 BonaDea2008

BonaDea2008

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 16 May 2008 - 11:07 PM

Unfortunately, I don't have enough information to enter smsn.exe into the start-up database. At least, I don't think I do. I can't find it in any "English" database, but I did an internet search and found this http://www.virit.com/startup/scheda.asp?num=4150 on a Spanish-speaking database. It's easy enough to figure out what the site is saying about the start-up, even if you don't speak Spanish. It claims it's part of a trojan. It came up under my O23 listings in HJT, but it didn't give a lot of information. Anybody out there know how to run down more information on this?

Edited by BonaDea2008, 16 May 2008 - 11:09 PM.




#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:14 PM

Posted 18 May 2008 - 06:22 PM

You need to provide more information as to where it is located on your PC, what the service display name and service name are, etc.

#3 BonaDea2008


Posted 21 May 2008 - 02:53 PM

Here's the complete O23 listing:

023 - Service: Windows Audio Server (Audios) - Unknown Owner - c:\Recycle\smsn.exe

That's all the information I have. Thanks.

#4 Grinler


Posted 21 May 2008 - 04:08 PM

Definitely malware.

Let me get a sample. Please submit this file:

c:\Recycle\smsn.exe

To http://www.bleepingcomputer.com/submit-malware.php?channel=3

#5 BonaDea2008


Posted 23 May 2008 - 11:45 AM

I've been trying to get a sample of that file for you. Here are a couple of problems I'm running into. First, when I use Windows to navigate to the "Recycle" folder, it says the folder is empty. When I run cmd and do a "dir" of the "recycle" directory, I get two directories named:

2008-05-20 13:02 <DIR> .
2008-05-20 13:02 <DIR> ..

I cannot do a cd to either of these directories (. and .. dirs)

When I do a "dir \a" (for hidden files), this is what I get:

Directory of C:\
File Not Found

In Win 2000, "\a" should be sufficient for finding hidden files, but even when I add the switch [h], I get the same results as above.

Another interesting thing: apparently the file changes its name spontaneously. In my first HJT log on 05/13, this is what I got (this is copied and pasted from HJT log):
O23 - Service: Windows Audio Server (Audios) - Unknown owner - c:\Recycle\smsn.exe
Today, I run HJT and get this:
O23 - Service: Windows Audio Server (Audios) - Unknown owner - c:\Recycle\smsa.exe

Notice the last letter in the file name has changed.

When I check my task manager it shows up as a running process with the following information:
PID 492 CPU 00 CPU Time 0:00:00 Mem Usage 3,932

Could this be an ADS attached to a directory? Should I download and run Lads? Is there an alternative to Lads if I don't have an unzip program? (If Lads is really best, I'll get an unzip program.) Any tips on how to isolate the file so I can send it to you?

Thanks for any help you can provide in isolating this file.

#6 Grinler


Posted 25 May 2008 - 06:24 AM

I would follow the prep guide here: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/ and post a DSS log. Sounds like you have more than one malware infection and should be properly looked at. This forum is not designed for that purpose.
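The two O23 entries quoted in post #5 name the same service but different executables. As an added example (not part of any post in this thread and not a HijackThis or BleepingComputer tool), this Python script compares the O23 lines of two HJT logs and flags a service whose image path changed or whose unknown-owner binary sits outside the usual install directories. The trusted-directory list, the `ExUpd` sample line and the function names are assumptions made for the example; quoted paths with arguments are not handled.

```python
import re
from pathlib import PureWindowsPath

# HijackThis O23 line: "O23 - Service: <display> (<name>) - <owner> - <image path>"
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\)'
                    r' - (?P<owner>.+?) - (?P<path>"?[A-Za-z]:\\.+)$')

# Assumption: directories where service binaries are normally installed.
TRUSTED_DIRS = [PureWindowsPath(d) for d in
                (r"C:\WINNT", r"C:\WINDOWS", r"C:\Program Files")]

def parse_o23(log_text):
    """Return {service_name: (owner, image_path)} for every O23 line."""
    services = {}
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            services[m["name"]] = (m["owner"], m["path"].strip('"'))
    return services

def in_trusted_dir(path):
    # PureWindowsPath compares case-insensitively, like the file system.
    return any(d in PureWindowsPath(path).parents for d in TRUSTED_DIRS)

def review(old_log, new_log):
    """Return [(service, path, [reasons])] for entries worth a closer look."""
    old, new = parse_o23(old_log), parse_o23(new_log)
    findings = []
    for name, (owner, path) in sorted(new.items()):
        reasons = []
        if owner.lower() == "unknown owner" and not in_trusted_dir(path):
            reasons.append("unknown owner, binary outside trusted directories")
        if name in old and PureWindowsPath(old[name][1]) != PureWindowsPath(path):
            reasons.append(f"image path changed from {old[name][1]}")
        if reasons:
            findings.append((name, path, reasons))
    return findings

# The Audios lines are the two quoted in the thread; the ExUpd line is constructed.
LOG_FIRST = r"""O23 - Service: Example Updater (ExUpd) - Example Corp - C:\Program Files\Example\exupd.exe
O23 - Service: Windows Audio Server (Audios) - Unknown owner - c:\Recycle\smsn.exe"""
LOG_LATER = r"""O23 - Service: Example Updater (ExUpd) - Example Corp - C:\Program Files\Example\exupd.exe
O23 - Service: Windows Audio Server (Audios) - Unknown owner - c:\Recycle\smsa.exe"""

if __name__ == "__main__":
    for name, path, reasons in review(LOG_FIRST, LOG_LATER):
        print(f"{name}: {path} -> {'; '.join(reasons)}")
```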



