Problem with duplicate smss.exe processes

Status
Not open for further replies.

watercrazed

Hi,

I am having recurring memory exceptions in smss.exe, usually at the same memory location. Task Manager shows 2 smss.exe processes running; one is using 2,624K and the other is using 392K of memory.

I have located three copies of the file: one in c:/windows/system32/ 50K in size and one in c:/windows/i386/system32/ 459K in size (this one is in all capital letters), a smss.exe-002D997.pf in the Prefetch subdirectory, and a SMSS.EX_ in C:/i386/.

I have a similar system without problems and it shows the two files at the same sizes, but there is only one instance of the program running.

The system has 3 problems that I have noticed:

The recurring application error in smss.exe: instruction at 0x7c901010 referenced memory at 0x00875a4, shown in a message window. The location is usually the same one.

This opens a dialog for Visual Studio asking if I want to debug it. I generally click No, but if I click Yes the debugger opens and hangs.

After closing the exception message, sometimes several times, the user settings will load.

The wireless network may or may not load.

It can also cause other problems intermittently, such as the task bar not displaying.

There are also occasional exception errors in other programs.

I tried to boot in safe mode; in all three types the drivers would load and then it would go back to the safe mode selection screen, but I can select "Start Windows normally" and it will boot up Windows.

I have the paid version of AVG Internet Security, but the command center will not load: the outline of the program shows, then it hangs. I tried to reinstall it and it failed with a program exception error (win32 exception in avgxxxxx.exe install). I do see the AVG processes running in Task Manager.

I tried running HouseCall both with Java and a local kernel, but it hangs in the idle mode while on the setup and download screen.

I cannot run AVG Anti-Virus.

Search and Destroy found 2 viruses, Smithfraud and Virtumone, and on a second run-through it showed clean.

There are about 20 Microsoft.windows.redirectedHosts. [xx]
These do not show up on my similar machine in Search and Destroy.

I ran CCleaner and deleted the recommended files.

I ran an Ad-Aware smart scan and it found 1 critical problem, Zedo, and deleted it.
I ran a deep scan, which found virtumode, and deleted it.


Before I do something really stupid out of frustration, I figured I had better ask the experts.
 
Session Manager Subsystem

Hi watercrazed :wave:

Well, you should only have one smss.exe on your system, but before deleting any file I always right-click and check Properties (this file is from Microsoft, so that's what you should see).
By the way, the .pf files in the Prefetch folder are really just shortcuts, which are there to open your previously used programs quicker. Some users clean out the Prefetch folder, but normally it is wiser to leave it alone.

Now, your first step to take:
Viruses/Spyware/Malware, preliminary removal instructions
 
note the date-time-size of each

then run SFC /SCANNOW to fix-up system files

revisit both and see if one has changed; delete the OTHER :)
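One way to make the comparison jobeard describes from a single listing, as an added example that is not code from this thread or from any of the tools mentioned in it: the PowerShell function below reports every running smss.exe with its image path, parent process and Authenticode status, and lists each smss.exe copy under the Windows directory with its date, time and size. It assumes Windows PowerShell (2.0 or later) with WMI access on an elevated prompt; the function name Get-SmssReport is my own.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 2.0+ run from
# an elevated prompt: without elevation WMI reports an empty ExecutablePath for
# system processes such as smss.exe.

function Get-SmssReport {
    [CmdletBinding()]
    param()

    $system32 = Join-Path $env:SystemRoot 'System32'

    # 1. Running instances. A healthy system has exactly one smss.exe, started by
    #    the System process (PID 4) from %SystemRoot%\System32.
    $running = @(foreach ($p in Get-WmiObject -Class Win32_Process -Filter "Name = 'smss.exe'") {
        $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = '<exited or unknown>'
        if ($parent) { $parentName = $parent.Name }

        $path = $p.ExecutablePath
        # The genuine smss.exe is reported with the kernel's \SystemRoot prefix.
        if ($path -and ($path -like '\SystemRoot\*')) {
            $path = $env:SystemRoot + $path.Substring('\SystemRoot'.Length)
        }

        $status = 'path not readable (run elevated)'
        $signer = ''
        if ($path -and (Test-Path -LiteralPath $path)) {
            # Caveat: XP/Vista sign OS binaries through catalog files, which this
            # cmdlet does not consult, so "NotSigned" there is not conclusive on
            # its own; confirm in the file's Properties as the post suggests.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # Flag anything that does not look like the one legitimate instance.
        $flags = @()
        if ($path -and -not ($path -like "$system32\*")) { $flags += 'not in System32' }
        if ($parentName -ne 'System') { $flags += 'parent is not System' }

        New-Object PSObject -Property @{
            PID       = $p.ProcessId
            ParentPID = $p.ParentProcessId
            Parent    = $parentName
            Path      = $path
            Signature = $status
            Signer    = $signer
            Flags     = ($flags -join '; ')
        }
    })

    # 2. Copies on disk: date-time-size of every smss.exe under %SystemRoot%,
    #    which is what the post asks you to note before and after SFC /SCANNOW.
    $onDisk = @(Get-ChildItem -Path $env:SystemRoot -Recurse -Filter 'smss.exe' -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime)

    New-Object PSObject -Property @{ Running = $running; OnDisk = $onDisk }
}

$report = Get-SmssReport
"Running smss.exe instances: $($report.Running.Count)"
$report.Running | Format-Table PID, Parent, Path, Signature, Flags -AutoSize
"smss.exe files under $($env:SystemRoot):"
$report.OnDisk | Format-Table FullName, Length, LastWriteTime -AutoSize
```

Run it once, run SFC /SCANNOW, then run it again: a copy whose LastWriteTime or Length changed is the one SFC replaced, and a second running instance whose Path or Parent is flagged is the one worth investigating rather than the file in System32.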
 
Jobeard - no change in either file, and both are signed by Microsoft. The problem lies with the two processes running; I have the same two files on a clean system and only one process is running. My guess is that either the main smss.exe file is corrupt or another program is running using the process name.

Also I am getting exception errors in explorer.exe and alg.exe that bring up the VS 2005 Just-In-Time debugger, so sometimes I have to go to Task Manager to run explorer.

Lots of problems stepping through the preliminary solutions.

I cannot start AVG, so I cannot disable the real-time monitoring; it does not show up in the system tray, but it looks like it is there. I could not uninstall it with the process provided or with Control Panel. I did delete all of the files that were not locked. A reinstall did not work: an unhandled win32 exception stopped the application.

Step 3: HouseCall would not get through the update process.

Step 4 and 5 done

Step 6 see above I could not run or install the AVG antivirus program

Step 7 and 8 done

Step 9 done, but I forgot to uncheck the old prefetch data.

Step 10 done for all three
VBG - log attached
Smithfraud - logs attached
No Vundo files found


Step 11 ran panda - No files found

Step 12 Combofix - opens a blue box with a black C in the header and nothing else happens, and DSS would not load: DSS started to load (registering), then stalled and brought up the HijackThis error.

Attempted to load the Kaspersky Antivirus free trial; it would not run, but I saw the avp.exe process loaded.

Step 13

Step 14 Ran SSD and Ad-Aware
SSD -
First time through
Virtumundo -
Smithfraud-C-generic
showed a lot of Microsoft.windows.RedirectedHosts. [###]
Second time through
No virus detected
Still a lot of redirectedhosts

Ad aware
Trojan - Psexesvc
win32.trojan.agent
Virtumundo

could not run AVG or other anti virus - cannot open safe mode

Ran HijackThis as crusty; it worked but
started with an error

Error details - an unexpected error has occurred at procedure: ModMain_CheckOther1Item() Error#70 permission denied

Could not save the log file - saved a 0k file.

HijackThis log showed a number of suspected problems:
a lot of O4 - Global Startup ~.exe.188187.exe entries with differing 6-digit numbers, generating popups.

other entries of concern
O2 - BHO: (no name) [xxx-xxxx-xxxx-xxx] (no file)
O8 - &AOLSearch bar, not used
O20 - AppInit_DLLs: C:/windows/system32/dnsq.dll
O23 - Service: KService - unknown owner - C:/program files/Kontiki/KService.exe

O23 - Service: PrismXL - New Boundary Tech. Inc - c:\Program Files\common files\New Boundray\PrismXL\PrismXL.sys

O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\window\PSEXESVC.exe
Ad-Aware caught this, but it seems like a leftover.

There is also a variety of AVG7, Kaspersky and Symantec w files or (file missing).

Task Manager showing 15 to 20 nircmd.exe processes - related to popups?
 
ad aware log

I was able to copy the Ad-Aware log to another system.

Note: the number of nircmd.exe processes does correlate with the number of popups in iexplorer since the last boot.
 
Rebooted and ran Ad-Aware again - still found win32.trojan.agent
Was also able to run AVG rootkit - it did not find anything
 
From My Earlier Post

Ran HijackThis as crusty; it worked but
started with an error

Error details - an unexpected error has occurred at procedure: ModMain_CheckOther1Item() Error#70 permission denied

Could not save the log file - saved a 0k file.

HijackThis log showed a number of suspected problems:
a lot of O4 - Global Startup ~.exe.188187.exe entries with differing 6-digit numbers, generating popups.

other entries of concern
O2 - BHO: (no name) [xxx-xxxx-xxxx-xxx] (no file)
O8 - &AOLSearch bar, not used
O20 - AppInit_DLLs: C:/windows/system32/dnsq.dll
O23 - Service: KService - unknown owner - C:/program files/Kontiki/KService.exe

O23 - Service: PrismXL - New Boundary Tech. Inc - c:\Program Files\common files\New Boundray\PrismXL\PrismXL.sys

O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\window\PSEXESVC.exe
Ad-Aware caught this, but it seems like a leftover.

There is also a variety of AVG7, Kaspersky and Symantec w files or (file missing).
 
I cannot save the log file. Can I delete those I posted? I need to see if I can get the system to a point where the log will save.
 
You can edit any of the messages you have posted,
but removing information may break the flow of responses.

Usually I just save the log file to the Desktop and then attach it from there (using the paperclip icon button in your new reply).
 
Deleting my posts is not what I meant; I meant fixing the HijackThis entries I posted here. I CAN NOT save the HijackThis log. It is saving a 0 byte file, and I get an error, as I posted earlier. I have tried to delete and redownload the HijackThis software with the same results.
 
Actually, NOD32 was the preferred scan engine for many technical users.
The online scanner, I'm sure, must still be quite effective.

After running housecall you may want to post another HJT log (again!)

Anyway sorry about the confusion on the Post issue.
 
Hi,
HouseCall locked up on grayware scanning.

I still CAN NOT copy the HijackThis log. It still saves a 0 byte file.

These are the 2 left over from the above note:

O20 - AppInit_DLLs: C:/windows/system32/dnsq.dll
O23 - Service: PrismXL - New Boundary Tech. Inc - c:\Program Files\common files\New Boundray\PrismXL\PrismXL.sys

Should I delete either of them?
 
Sorry for the delay in getting back to you.

C:\Program Files\common files\New Boundray\PrismXL\PrismXL.sys
is from the Prism Deployment Software suite, and actually this page describes its uselessness and the exact steps for removing it:
http://www.networkswatteam.com/prismxl.html

C:/windows/system32/dnsq.dll is a backdoor Trojan.
This file can be removed as follows:
  • Go to Safe Mode (repeatedly press F8 at system startup)
  • Once in safe mode click on Start -> Run -> C:/windows/system32
  • Search for dnsq.dll, then right click on it and select Delete
    (You may need to show all files, by clicking on Tools -> Folder Options -> View -> Show hidden)
  • Close System32 folder
  • Then go to Control Panel -> System -> System Restore > (Tick) Turn off System Restore OK
  • Then go back to your Safe mode Desktop
  • And empty (right click) the Recycle Bin (if it has files in it)
  • At last restart your computer back to Normal mode

Once Normal Mode starts back up
  • Go to Control Panel -> System -> System Restore > (Un Tick) Turn on System Restore OK
  • Download CCleaner and fully run it
  • Download Startup Control Panel, and remove any not required startups
  • Restart your computer again

Reply back with results
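The O20 line in the HijackThis output is the AppInit_DLLs registry value, which makes the Windows loader pull the listed DLL into every process that loads user32.dll, so deleting the file is only half of the job: the value itself needs checking, or the dangling entry keeps pointing at a file that no longer exists. As an added example, not code from this thread or from any of the tools it mentions, the PowerShell function below reads AppInit_DLLs from both the native key and the Wow6432Node key, resolves each entry to a file, and reports whether the file exists and whether it is signed. The function name Get-AppInitDlls is my own, and it only reports; clearing the value is left to the operator.

```powershell
# Added example, not from the thread. Reports the AppInit_DLLs persistence
# entries that HijackThis shows as O20 lines. Assumes Windows PowerShell 2.0+
# with read access to HKLM (any account has that on the default ACLs).

function Get-AppInitDlls {
    [CmdletBinding()]
    param()

    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        # 32-bit view on x64 systems; absent on 32-bit Windows, so it is skipped there.
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )

    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        $value = [string]$props.AppInit_DLLs

        # Vista and later gate the mechanism with LoadAppInit_DLLs (1 = on);
        # XP has no such switch, the value is always honoured.
        $loadFlag = 'n/a (always on)'
        if ($props.PSObject.Properties['LoadAppInit_DLLs']) { $loadFlag = $props.LoadAppInit_DLLs }

        if (-not $value.Trim()) {
            New-Object PSObject -Property @{
                Key = $key; LoadFlag = $loadFlag; Entry = '<empty>'
                Resolved = ''; Exists = $false; Signature = ''
            }
            continue
        }

        # The value is one string with entries separated by spaces or commas.
        # Paths containing spaces must be given in 8.3 form in this value, so
        # splitting on whitespace does not break a legitimate entry.
        foreach ($entry in ($value -split '[ ,]+' | Where-Object { $_ })) {
            # A bare file name is found through the DLL search path, which for the
            # loader means System32; the thread's entry was written as a full path.
            $resolved = $entry
            if (-not [System.IO.Path]::IsPathRooted($entry)) {
                $resolved = Join-Path (Join-Path $env:SystemRoot 'System32') $entry
            }
            $exists = Test-Path -LiteralPath $resolved
            $sigStatus = ''
            if ($exists) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $resolved).Status.ToString()
            }
            New-Object PSObject -Property @{
                Key = $key; LoadFlag = $loadFlag; Entry = $entry
                Resolved = $resolved; Exists = $exists; Signature = $sigStatus
            }
        }
    }
}

Get-AppInitDlls | Format-Table Entry, Resolved, Exists, Signature, LoadFlag, Key -AutoSize

# Once an entry has been confirmed as malicious and its file removed, the
# operator clears the value on the key reported above with:
#   Set-ItemProperty -LiteralPath $key -Name AppInit_DLLs -Value ''
```

On a clean machine the value is normally empty; an unsigned DLL listed here, or an entry whose file no longer exists after a cleanup, is what to look at. The same value can also be shown from a plain command prompt with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs`, which is useful on a machine where PowerShell is not installed.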
 
Safe mode is not working, I can get to the page, but when I select any of the safe mode options, it starts to reboot then returns to the safe mode menu page.

Selecting Restart Windows or Last Known Good Configuration boots to Windows as expected.

For what it is worth, I will try it in normal mode.
 
That's reasonable.

But in Normal mode you may need to kill the process in Task Manager (Ctrl+Alt+Del) first.
 
Hi, I have done that and there is no real change. Kaspersky moved the dnsq.dll to its subdirectory and I deleted it. Afterwards I ran Ad-Aware and Kaspersky again. I still am getting the same application exception and still cannot save the HijackThis log.
 
Try this: when HijackThis produces a log, do a copy and paste into another Notepad window and then save it as XXX.txt (to the Desktop), then try to upload that, as you don't seem to have any problem with the other logs. Alternatively, I am sure that Julio wouldn't mind on this occasion doing a copy and paste as a reply.
 
HJT is only producing a 0 byte file; it is empty, so there is nothing to cut and paste. The MSCONFIG idea did not help. See the error message that I get when I run the HJT scan, which I posted in my opening post.
 
I cannot; there is nothing to cut and paste. The log is empty, and in the main screen I cannot select items to copy.

No, I have not.
 