TechSpot

Problem with duplicate smss.exe processes

By watercrazed
Feb 22, 2008
Topic Status:
Not open for further replies.
  1. Hi,

    I am having reoccurring memory exceptions in smss.exe, usually at the same memory location. Task Manager shows 2 smss.exe processes running; one is using 2,624K and the other is using 392K of memory.

    I have located three copies of the file: one in c:/windows/system32/ 50K in size, one in c:/windows/i386/system32/ 459K in size (this one is all capital letters), a smss.exe-002D997.pf in the Prefetch subdirectory, and a SMSS.EX_ in C:/i386/

    I have a similar system without problems and it shows the two files at the same size. But there is only one instance of the program running.

    The system has 3 problems that I have noticed

    The reoccurring application error in smss.exe instruction at 0x7c901010 referring memory at 0x00875a4 in a message window. The location is usually the same one.

    This opens a dialog for visual studio asking if I want to debug it, I generally click NO but if yes the debugger opens and hangs.

    After closing the exception message, sometimes several times, the user settings will load.

    The wireless network may or may not load.

    It can also cause other problems intermittently, such as the task bar not displaying

    There are also occasional other program exception errors

    I tried to boot in safe mode, all three types and drivers would load and then it would go back to the safe mode selection screen, but I can select boot from windows normally and it will boot up windows.

    I have the paid version of AVG internet security but the command center will not load, the outline of the program shows then it hangs, I tried to reinstall it and it failed with a program exception error. win32 exception in avgxxxxx.exe install - I do see the avg processes running in task manager

    I tried running housecall both with java and a local kernel but it hangs in the idle mode while on the setup and download screen.

    I can not run AVG anti virus

    Search and Destroy found 2 viruses, Smitfraud and Virtumonde, and on a second run through showed clean.

    There are about 20 Microsoft.windows.redirectedHosts. [xx]
    These do not show up on my similar machine in Search and Destroy

    I ran CCleaner and deleted the recommended files

    I ran Ad-Aware smart scan and it found 1 critical problem - Zedo and deleted it.
    Ran a deep scan and found Virtumonde, deleted it


    Before I did something really stupid out of frustration I figured I better ask the experts.
  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Session Manager Subsystem

    Hi watercrazed :wave:

    Well, you should only have one smss.exe on your system, but before deleting any file, I always right click and check properties (this file is from Microsoft so that's what you should see).
    By the way, the pf files in the Prefetch folder are really just shortcuts, which are there to open your previously used programs quicker. Some users clean out the Prefetch folder, but normally it is wiser to leave it alone.

    Now, your first step to take:
    Viruses/Spyware/Malware, preliminary removal instructions
  3. jobeard

    jobeard TS Ambassador Posts: 13,369   +302

    note the date-time-size of each

    then run SFC /SCANNOW to fix-up system files

    revisit both and see if one has changed; delete the OTHER :)
  4. watercrazed

    watercrazed Newcomer, in training Topic Starter

    Jobeard - no change in either file and both signed by Microsoft- the problem lies with the two processes running, I have the same two files on a clean system and only one process is running. My guess is that either the Main smss.exe file is corrupt or another program is running using the process name.

    Also I am getting exception errors in explorer.exe and alg.exe that brings up VS 2005 just in time debugger. so sometimes I have to go to Task Manager to run explorer

    Lots of problems stepping through the preliminary solutions.

    I can not start AVG so I can not disable the real time monitoring; it does not show up in the system tray. But it looks like it is there. I could not uninstall with the process provided or with control panel I did delete all of the files that were not locked. A reinstall did not work. An unhandled win32 exception stopped the application.

    Step 3: House call would not get through the update process

    Step 4 and 5 done

    Step 6 see above I could not run or install the AVG antivirus program

    Step 7 and 8 done

    Step 9 done but I forgot to uncheck the old prefetch data

    Step 10 done for all three
    VBG - log attached
    Smithfraud - logs attached
    No Vundo files found


    Step 11 ran panda - No files found

    Step 12 Combofix - opens a blue box with a black c in the header and nothing else happens and DSS would not load - DSS started to load - registering then stalled - brought up the HijackThis error

    Attempted to load Kaspersky antivirus free trial; it would not run but I saw the avp.exe process loaded

    Step 13

    step 14 Ran SSD and Ad Aware
    SSD -
    First time through
    Virtumundo -
    Smithfraud-C-generic
    showed a lot of Microsoft.windows.RedirectedHosts. [###]
    Second time through
    No virus detected
    Still a lot of redirectedhosts

    Ad aware
    Trojan - Psexesvc
    win32.trojan.agent
    Virtumundo

    could not run AVG or other anti virus - can not open safe mode

    Ran Hijack this as crusty worked but
    started with an error

    Error details - an unexpected error has occurred at procedure: ModMain_CheckOther1Item() Error#70 permission denied

    Could not save the log file - saved a 0k file.

    Hijack log showed a number of suspected problems
    a lot of 04-Global startup ~.exe.188187.exe with differing 6 digit numbers, generating popups.

    other entries of concern
    02 BHO : (no name) [xxx-xxxx-xxxx-xxx } (no file)
    08 &AOLSearch bar not used
    020 AppInit_Dlls: C:/windows/system32/dnsq.dll
    023: KService-unknown owner C:/program files/Kontiki/KService.exe

    023: -Service: PrismXL - New Boundary Tech. Inc c:\Program Files\common files\New Boundray\PrismXL\PrismXL.sys

    023: - Service: PsExec (PSEXESVC) Sysinternals C:\window\PSEXESVC.exe
    Ad aware caught this but seems like a left over.

    There is also a variety of AVG7 and Kaspersky and symantec w files or (file missing)

    Task manager showing 15 to 20 nircmd.exe processes - related to pop ups?
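
The HijackThis items listed in the post above can be triaged mechanically. As an added example (not part of the thread and not HijackThis's own code), this Python script flags the entry types the thread singles out. The sample lines are constructed in HijackThis's usual `O<n> - ` layout from the entries quoted in the post, with a placeholder CLSID; the rule names are this example's own.

```python
import re

# Constructed sample: entries from the post, laid out the way HijackThis
# prints them, plus one line as retyped in the post ("020 ...").
SAMPLE = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - Global Startup: ~.exe.188187.exe
O8 - Extra context menu item: &AOL Search
O20 - AppInit_DLLs: C:\WINDOWS\system32\dnsq.dll
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: PrismXL - New Boundary Tech. Inc - c:\Program Files\common files\New Boundray\PrismXL\PrismXL.sys
020 AppInit_Dlls: C:/windows/system32/dnsq.dll
""".strip().splitlines()

# Section number after a leading letter O (or a zero, as often retyped),
# then any mix of spaces, colons and dashes before the entry text.
ENTRY = re.compile(r"^\s*[O0](\d{1,2})[\s:\-]*(.*)$")
DOUBLE_EXT = re.compile(r"\.exe\.\d+\.exe\s*$", re.I)

def triage(lines):
    """Return (section, rule, detail) for each entry worth a closer look."""
    findings = []
    for raw in lines:
        m = ENTRY.match(raw)
        if not m:
            continue  # header, process list, or anything that is not an O-entry
        section, text = int(m.group(1)), m.group(2).strip()
        low = text.lower()
        # AppInit_DLLs are loaded into every process that loads user32.dll
        if section == 20 and low.startswith("appinit_dlls:"):
            dll = text.split(":", 1)[1].strip()
            if dll:
                findings.append((section, "appinit-dll", dll))
        # Registration whose target file is gone (leftover or removed item)
        if "(no file)" in low or "(file missing)" in low:
            findings.append((section, "missing-file", text))
        # Service listed with "Unknown owner"
        if section == 23 and "unknown owner" in low:
            findings.append((section, "unknown-owner", text))
        # Startup item named like ~.exe.188187.exe (numeric double extension)
        if section == 4 and DOUBLE_EXT.search(text):
            findings.append((section, "numeric-double-ext", text))
    return findings

if __name__ == "__main__":
    for section, rule, detail in triage(SAMPLE):
        print(f"O{section:<3} {rule:<20} {detail}")
```
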
  5. watercrazed

    watercrazed Newcomer, in training Topic Starter

    ad aware log

    I was able to copy the adware log to another system

    Note: the number of nircmd.exe processes does correlate with the number of popups in iexplorer since the last boot.
  6. watercrazed

    watercrazed Newcomer, in training Topic Starter

    Rebooted and ran Ad-Aware again - still found win32.trojan.agent
    Was also able to run AVG rootkit - it did not find anything
  7. tomrca

    tomrca Newcomer, in training Posts: 1,051

    post a HijackThis log
  8. watercrazed

    watercrazed Newcomer, in training Topic Starter

    From My Earlier Post

  9. tomrca

    tomrca Newcomer, in training Posts: 1,051

    need to see the whole hjt log

    the file dnsq.dll indicates a backdoor trojan
  10. watercrazed

    watercrazed Newcomer, in training Topic Starter

    I can not save the log file. Can I delete those I posted? I need to see if I can get the system to a point that the log will save.
  11. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    You can edit any of your messages you have posted
    But removing information may break the flow of responses.

    Usually I just save the log file to Desktop, and then attach from there (using the paperclip icon button in your new reply)
     
  12. watercrazed

    watercrazed Newcomer, in training Topic Starter

    Deleting my posts is not what I meant; I meant fixing the HijackThis entries I posted here. I CAN NOT save the HijackThis log. It is saving a 0 byte file, and I get an error as I posted earlier. I have tried to delete and redownload the HijackThis software with the same results.
  13. watercrazed

    watercrazed Newcomer, in training Topic Starter

    I found http://www.eset.eu with an online anti virus that would run; it cleaned up some and got me to where housecall would run. It is running now.
  14. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Actually Nod32 was the preferred scan engine for many technical users.
    The Online Scanner I'm sure must be still quite effective.

    After running housecall you may want to post another HJT log (again!)

    Anyway sorry about the confusion on the Post issue.
  15. watercrazed

    watercrazed Newcomer, in training Topic Starter

    Hi,
    Housecall locked up on grayware scanning

    I still CAN NOT copy the HijackThis log. It still saves a 0 byte file.

    These are the 2 left from the above note

    020 AppInit_Dlls: C:/windows/system32/dnsq.dll
    023: -Service: PrismXL - New Boundary Tech. Inc c:\Program Files\common files\New Boundray\PrismXL\PrismXL.sys

    Should I delete either of them?
  16. watercrazed

    watercrazed Newcomer, in training Topic Starter

  17. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Sorry for the delay in contacting you back.

    C:\Program Files\common files\New Boundray\PrismXL\PrismXL.sys
    Is from Prism Deployment Software suite, and actually this page describes its uselessness and exact steps in removing it:
    http://www.networkswatteam.com/prismxl.html

    C:/windows/system32/dnsq.dll is a backdoor Trojan
    This file can be removed by:
    • Go to Safe Mode (repeatedly press F8 at system startup)
    • Once in safe mode click on Start -> Run -> C:/windows/system32
    • Search for dnsq.dll, then right click on it and select Delete
      (You may need to show all files, by clicking on Tools->FolderOptions ->View->Show hidden)
    • Close System32 folder
    • Then go to Control Panel -> System -> System Restore > (Tick) Turn off System Restore OK
    • Then go back to your Safe mode Desktop
    • And empty (right click) the Recycle Bin (if it has files in it)
    • At last restart your computer back to Normal mode

    Once Normal Mode starts back up
    • Go to Control Panel -> System -> System Restore > (Un Tick) Turn on System Restore OK
    • Download CCleaner and fully run it
    • Download Startup Control Panel, and remove any not required startups
    • Restart your computer again

    Reply back with results
  18. watercrazed

    watercrazed Newcomer, in training Topic Starter

    Safe mode is not working, I can get to the page, but when I select any of the safe mode options, it starts to reboot then returns to the safe mode menu page.

    Selecting restart windows or select last known good configuration boots to windows as expected.

    For what it is worth I will try it in normal mode.
  19. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    That's reasonable.

    But in Normal mode, you may need to kill the process in Task Manager (Ctrl+Alt+Del) first
  20. watercrazed

    watercrazed Newcomer, in training Topic Starter

    Hi, I have done that and no real change. Kaspersky moved the dnsq.dll to its subdirectory and I deleted it. Afterwards I ran Ad-Aware and Kaspersky again. I still am getting the same application exception and still can not save HijackThis.
  21. tomrca

    tomrca Newcomer, in training Posts: 1,051

    try this. when hijack this produces a log do a copy and paste into another notepad and then save as XXX.txt (to desktop) then try to upload as you don't seem to have any problem with the other logs. alternatively i am sure that julio wouldn't mind on this occasion doing a copy and paste as a reply
  22. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    I have an option: run MSCONFIG and untick everything (this is a good test)
    Then restart, try HJT again
  23. watercrazed

    watercrazed Newcomer, in training Topic Starter

    HJT is only producing a 0 byte file; it is empty. So there is nothing to cut and paste. The MSCONFIG idea did not help. See the error message that I get when I run HJT scan that I posted in my opening post.
  24. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Please follow tomrca's suggestion above. Regarding HJT log

    Also have you scanned with SuperAntiSpyware
  25. watercrazed

    watercrazed Newcomer, in training Topic Starter

    I can not, there is nothing to cut and paste. the log is empty and In the main screen I can not select items to copy.

    No I have not,