Windows 2000 trojan in smss.exe

Laymen

Hello dear members,

I just checked my friend's computer for trojans and it appears he is running a RAT trojan which is attached to the file smss.exe. The problem with this is that it's a Windows service and I cannot kill this process and delete the file. He is running Windows 2000 BTW.

The file is embedded in the following path:

c:\winnt\java\packages\data\smss.exe

And the trojan is called "Trojan Client Netcat 1.10(utility)"

So anyone who has any clues on how to remove this, I would be more than happy to hear about it:):):)

Thnx a lot
 

leinadM

I could be wrong, but I think this is a false alarm. Sometimes AVs detect things that are legitimate programs.
 

Laymen

Mmmm I am not checking with a virus scanner, I am using an official tool called TDS-3 Trojan Defense Suite 3!!!! When I run it on my own computer it does not give this warning about infection???

So I am about 95% sure that it is in fact a spoofed trojan!!!!
 

leinadM

Maybe it is...have you tried using another trojan checker on the file? Also, even if it is a trojan, it says it's the Client, which usually is harmless.
 

Laymen

Also, even if it is a trojan, it says it's the Client, which usually is harmless

Good point leinad, but still I would like to know how to solve it, and how to get rid of this file, since it obviously has no reason for being there.

So I want to know where to look to prevent this smss.exe from starting up so I can safely replace it with my safe non-trojan client "smss.exe"

Thnx to anyone who replies,

Laymen
 

n0cmonkey

Shut down the service. Don't ask me how, I don't know ;)

If it is netcat, it's typically not a trojan, but an actual utility. What is installed in that java directory? Is it something important? Try with an online virus scanner and see what it picks up.
 

Laymen

Scanning with different tools doesn't do anything but detect it, so still need some way to turn off this service or the dependency on a service, either way it's gotta be removed. I just know that it is possible, and yeah I also don't know how:LOL:

Keep 'em coming,

Laymen
 

n0cmonkey

Originally posted by: Laymen
Scanning with different tools doesn't do anything but detect it, so still need some way to turn off this service or the dependency on a service, either way it's gotta be removed. I just know that it is possible, and yeah I also don't know how:LOL:

Keep 'em coming,

Laymen

Look for it in the services applet thingy in the admin tools doohicky in the control panel place.
 

Nighthawk69

Originally posted by: n0cmonkey
Originally posted by: Laymen
Scanning with different tools doesn't do anything but detect it, so still need some way to turn off this service or the dependency on a service, either way it's gotta be removed. I just know that it is possible, and yeah I also don't know how:LOL:

Keep 'em coming,

Laymen

Look for it in the services applet thingy in the admin tools doohicky in the control panel place.

LOL, n0c! Nice ;)
 

leinadM

Originally posted by: Laymen
Scanning with different tools doesn't do anything but detect it, so still need some way to turn off this service or the dependency on a service, either way it's gotta be removed. I just know that it is possible, and yeah I also don't know how:LOL:

Keep 'em coming,

Laymen

The reason I said to scan it with more than one tool is to make sure that other trojan checkers detect it, too. If nothing else detects it, then more than likely it's a false alarm.
 

n0cmonkey

Originally posted by: Nighthawk69
Originally posted by: n0cmonkey
Originally posted by: Laymen
Scanning with different tools doesn't do anything but detect it, so still need some way to turn off this service or the dependency on a service, either way it's gotta be removed. I just know that it is possible, and yeah I also don't know how:LOL:

Keep 'em coming,

Laymen

Look for it in the services applet thingy in the admin tools doohicky in the control panel place.

LOL, n0c! Nice ;)

Windows isn't my thing. I'm not sure what all of those things are called, but I think I provided enough information to find it properly :)
 

Laymen

I found some more stuff out now: it is not a false alarm. Users running Windows 2000 can check it; the file smss is only located in 3 Windows folders and none of them include the directory

c:\winnt\java\packages\data

So yeps it's a dirty file:):) I also found a way to remove it now, do it by using inuse.exe,

http://support.microsoft.com/default.aspx?scid=KB;en-us;q228930

So he's gonna reboot and see if it's gone now, if all works well then he should be starting up with my clean smss.exe:)

Can't really say Microsoft has a bad help site

Thnx for the advice
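
Added example, not part of the thread: the location check described in the post above, generalized to a few other Windows system process names and run over a constructed process listing. The install root, the expected folders and the sample data are assumptions; the thread does not name the three folders.

```python
import ntpath

# Assumptions (not from the thread): the install root and the folders where
# these system binaries are expected. Adjust both for the machine at hand.
SYSTEM_ROOT = r"C:\WINNT"
EXPECTED_DIRS = ("system32", r"system32\dllcache", r"ServicePackFiles\i386")
PROTECTED_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "lsass.exe"}


def normalize(path, system_root=SYSTEM_ROOT):
    """Return a lower-case, canonical form of a Windows image path."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):          # NT object-manager prefix
        p = p[4:]
    low = p.lower()
    for alias in ("\\systemroot", "%systemroot%"):
        if low.startswith(alias):       # smss.exe is often listed this way
            p = system_root + p[len(alias):]
            break
    return ntpath.normpath(p).lower()   # also collapses "..\" segments


def find_masquerades(processes, system_root=SYSTEM_ROOT):
    """Flag protected names whose image lies outside the expected folders."""
    allowed = {normalize(ntpath.join(system_root, d)) for d in EXPECTED_DIRS}
    hits = []
    for pid, image in processes:
        full = normalize(image, system_root)
        folder, name = ntpath.split(full)
        if name in PROTECTED_NAMES and folder not in allowed:
            hits.append((pid, full))
    return hits


# Constructed process listing (pid, image path) for illustration only.
SAMPLE = [
    (8, r"\SystemRoot\System32\smss.exe"),
    (164, r"\??\C:\WINNT\system32\csrss.exe"),
    (212, r"C:\WINNT\system32\services.exe"),
    (1044, r"c:\winnt\java\packages\data\smss.exe"),
    (1100, r"C:\WINNT\system32\..\Temp\LSASS.EXE"),
    (1200, r"C:\Program Files\Tool\notepad.exe"),
]

if __name__ == "__main__":
    for pid, path in find_masquerades(SAMPLE):
        print(f"pid {pid}: unexpected location {path}")
```

A hit only means the name and the folder do not match; confirming what the file is still takes a second scanner or a comparison against a known-good copy, as discussed earlier in the thread.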
 

leinadM

Ok, that's a good way to see if a file is legitimate. Hopefully you were able to remove it.