TechSpot

Help removing smssu.exe

By sshelp
Jul 3, 2005
  1. I used the directions here: http://www.techspot.com/vb/topic17297.html

    and after reboot the smssu.exe and the tmntsvr32.exe processes have just come back.

    Any ideas?

    Here is my hijack log.

    Note: first time posting to a tech forum, apologies if not in the right format:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:27:29 AM, on 7/3/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\hijakcthis\HijackThis.exe

    O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
    O4 - HKLM\..\Run: [bcd] C:\WINDOWS\System32\bcd.exe
    O4 - HKCU\..\Run: [StrokeIt] C:\Program Files\Strokeit\strokeit.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O15 - Trusted IP range: 67.19.178.84
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Your version of XP is totally unpatched.
    To check that your system is able to be patched with the latest M$ updates,
    go here and follow Step 2:
    http://www.microsoft.com/resources/howtotell/ww/windows/default.mspx

    Then report back with the exact message you receive.

    For your info, this lot is all bad:
    ...................................................................................................
    O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
    O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
    O4 - HKLM\..\Run: [bcd] C:\WINDOWS\System32\bcd.exe
    O4 - HKCU\..\Run: [StrokeIt] C:\Program Files\Strokeit\strokeit.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
    O15 - Trusted IP range: 67.19.178.84
    ...................................................................................................
    These are NOT the final instructions!
    Do the patchtest first.
     
  3. sshelp

    sshelp TS Rookie Topic Starter

    Unfortunately I don't have the original CD from installation and I seem to be unable to get through that questionnaire without describing the CD.

    Is there something else I can do to get the information you were hoping to get from that link?

    Thanks Kindly for the help.
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Never mind that test.

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    exp.exe
    wintask.exe
    nsvsvc.exe
    scrsvc.exe
    bcd.exe
    strokeit.exe
    winstall.exe
    win32.exe

    Next, try to UNinstall anything to do with (not delete yet!):
    C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    C:\Program Files\Strokeit\strokeit.exe

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
    O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
    O4 - HKLM\..\Run: [bcd] C:\WINDOWS\System32\bcd.exe
    O4 - HKCU\..\Run: [StrokeIt] C:\Program Files\Strokeit\strokeit.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
    O15 - Trusted IP range: 67.19.178.84
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.
     
  5. sshelp

    sshelp TS Rookie Topic Starter

    Okay.
    I turned off the system restore and booted into safe mode.

    The list of processes you gave me to kill weren't running. However, once again, SMSSU.exe and TMNTSVR32.exe were running.

    I uninstalled the nsvsvc.exe program and strokeit.

    I ran HJT scan and removed the items you outlined and smssu and tmntsvr32.

    I also deleted the bold files and the smssu.exe and tmntsvr32.exe.

    Deleted all files for each user's temp directory.
    Deleted all windows\temp files (none were from today).

    Here is the HJT log after this is all done; below it is the log after reboot. I seem unable to get the smssu.exe and tmntsvr32.exe to stop reloading on reboot.


    Log right after clean up:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:45:08 PM, on 7/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\hijakcthis\HijackThis.exe

    O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O15 - Trusted IP range: 67.19.178.84
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120419213218
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

    NOTE: TRUSTED IP RANGE ENTRY COMES RIGHT BACK REGARDLESS

    Log after reboot:


    Logfile of HijackThis v1.99.1
    Scan saved at 1:51:59 PM, on 7/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\SMSSU.EXE
    C:\WINDOWS\system32\Tmntsrv32.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINDOWS\system\sndqilgb.exe
    C:\WINDOWS\system32\SMSSU.EXE
    C:\WINDOWS\system32\Tmntsrv32.EXE
    C:\hijakcthis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
    O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\system32\SMSSU.EXE
    O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\system32\Tmntsrv32.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O15 - Trusted IP range: 67.19.178.84
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120419213218
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE



    Thanks yet again!
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

Topic Status:
Not open for further replies.
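
Comparing the two logs in post 5 line by line shows which autoruns and processes came back after the reboot. The following is an added example, not part of the thread and not HijackThis's own code: it diffs two logs and also picks out Run values that start svchost.exe from outside System32, like the `WindowsUpdate` entry flagged above. The function names are hypothetical and the sample text is a trimmed excerpt of the logs posted in the thread.

```python
import re
from ntpath import basename, dirname

# Trimmed excerpts of the two logs posted in the thread (not the full logs).
AFTER_CLEANUP = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
O15 - Trusted IP range: 67.19.178.84
"""
AFTER_REBOOT = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SMSSU.EXE
C:\WINDOWS\system32\Tmntsrv32.EXE
O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\system32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\system32\Tmntsrv32.EXE
O15 - Trusted IP range: 67.19.178.84
"""

ENTRY = re.compile(r"^(O\d+) - (.+)$")                       # "O4 - <text>"
RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[.+?\] (.+?\.exe)\b", re.I)

def parse(log):
    """Return (lower-cased running process paths, {(section, text)})."""
    procs, entries, in_procs = set(), set(), False
    for line in (l.strip() for l in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif m := ENTRY.match(line):
            in_procs = False          # the O-sections follow the process list
            entries.add((m.group(1), m.group(2)))
        elif in_procs and line:
            procs.add(line.lower())
    return procs, entries

def new_after_reboot(before, after):
    """Processes and entries that appear only in the later log."""
    (p0, e0), (p1, e1) = parse(before), parse(after)
    return sorted(p1 - p0), sorted(e1 - e0)

def misplaced_svchost(log):
    """O4 Run values that launch svchost.exe from outside System32."""
    paths = [m.group(1) for s, t in parse(log)[1] if s == "O4" and (m := RUN.match(t))]
    return [p for p in paths if basename(p).lower() == "svchost.exe"
            and dirname(p).lower() != r"c:\windows\system32"]
```
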
