smss.exe


Hernan Batista
August 15th 05, 06:11 PM
hi friends, do you ever hear about a process named "smss.exe"? Is it a virus?

I've run CCleaner and Symantec and nothing has been found, but it looks to me
very strange.

I feel the same thing with "wdfmgr.exe", both located in SYSTEM32.

any idea?

thanks

David H. Lipman
August 15th 05, 06:57 PM
From: "Hernan Batista" >

| hi friends, do you ever hear about a process named "smss.exe"? Is it a virus?
|
| I've run CCleaner and Symantec and nothing has been found, but it looks to me
| very strange.
|
| I feel the same thing with "wdfmgr.exe", both located in SYSTEM32.
|
| any idea?
|
| thanks

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

SMSS.EXE is associated with the Sober and Ladex Internet worms.

I don't see anything for WDFMGR.EXE except that it is associated with WMP v10.

Please submit a sample of "SMSS.EXE " to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.

If it is a virus, you can use the following to remove it.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

JimC
August 23rd 05, 04:08 PM
As per the Microsoft site:
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmc_str_elqj.asp

smss.exe is: The Session Manager subsystem, which starts the user session.
This process is initiated by the system thread and is responsible for
various activities, including starting the Winlogon.exe and Csrss.exe
services and setting system variables.

It is part of the OS!

--
JimC

David H. Lipman
August 23rd 05, 05:47 PM
From: "JimC" >

| As per the Microsoft site:
| http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmc_str_elqj.asp
|
| smss.exe is: The Session Manager subsystem, which starts the user session.
| This process is initiated by the system thread and is responsible for
| various activities, including starting the Winlogon.exe and Csrss.exe
| services and setting system variables.
|
| It is part of the OS!
|
| --
| JimC

That's true. So is SVCHOST.EXE. However, an infector can use *any* name. It is a common
practice for a given infector to use valid OS file names. It just depends on where the file
is located: if it is in the OS location, then it would overwrite a possibly critical file.
But if it is located in another folder, then it can use the same name, and one may assume it
is another instance of that OS file, but it is actually a wolf in sheep's skin.

In both of the below URLs, for the listed Internet worms, you will find they use the file
name SMSS.EXE.

WNT/Ladex.worm -- http://vil.nai.com/vil/content/v_99590.htm

W32/Sober.l@MM -- http://vil.nai.com/vil/content/v_131869.htm

That's the idea. Use the name of a valid OS file and the user will come to a faux
conclusion of its legitimacy.

When it comes to the name SVCHOST.EXE, it is the most targeted OS name by viral and non-viral
malware. If it is found on a Win9x/ME platform, the probability of infection is extremely
high. It should also be noted that there are *many* variations on the name SVCHOST.EXE
(i.e., SCVHOST.EXE).
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
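The two checks Dave describes above, an OS file name running from the wrong folder and a look-alike spelling such as SCVHOST.EXE, as an added example that is not part of the original thread. The watched-name list, the SYSTEM32 path and the process list are constructed assumptions for a Windows XP layout.

```python
import ntpath

# Assumption: OS image names the thread says malware borrows, and the folder
# they legitimately live in on a Windows XP system (the SYSTEM32 directory).
WATCHED_NAMES = {"smss.exe", "svchost.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIR = r"C:\WINDOWS\system32"


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: single-character edits plus adjacent
    transpositions, so 'scvhost.exe' is distance 1 from 'svchost.exe'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(name: str, image_path: str) -> str:
    """Verdict for one running process: 'ok', 'wrong_location',
    'lookalike_name' or 'not_watched' (a name this check has no opinion on)."""
    name = name.lower()
    folder = ntpath.normcase(ntpath.dirname(image_path))  # lower-case, backslashes
    if name in WATCHED_NAMES:
        return "ok" if folder == ntpath.normcase(SYSTEM_DIR) else "wrong_location"
    if any(osa_distance(name, watched) == 1 for watched in WATCHED_NAMES):
        return "lookalike_name"
    return "not_watched"


def scan(processes):
    """Apply classify() to (name, image_path) pairs; returns (name, path, verdict)."""
    return [(name, path, classify(name, path)) for name, path in processes]


# Constructed sample process list mirroring the cases discussed in the thread.
SAMPLE_PROCESSES = [
    ("smss.exe", r"C:\WINDOWS\system32\smss.exe"),        # the real Session Manager
    ("SMSS.EXE", r"C:\WINDOWS\smss.exe"),                 # same name, wrong folder
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),  # legitimate
    ("scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe"),  # transposed letters
    ("wdfmgr.exe", r"C:\WINDOWS\system32\wdfmgr.exe"),    # not on the watch list
]

if __name__ == "__main__":
    for name, path, verdict in scan(SAMPLE_PROCESSES):
        print(f"{verdict:15} {path}")
```

The name and folder test is only a triage heuristic: a file that passes it can still be a replaced binary, so confirm a suspect with the hash or VirusTotal submission the thread recommends. On 64-bit Windows a second legitimate svchost.exe lives under SysWOW64, so SYSTEM_DIR would need to become a set of allowed folders there.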
