Possible trojan???

From: Joe (me_at_me.com)
Date: 05/05/03

Date: Sun, 4 May 2003 22:40:51 -0700

Here is the file size and version number for 2k SP3

Size: 44.7KB
Version: 5.0.2195.5382
Description: Windows NT Session Manager

Here is the link
http://www.sysinternals.com/ntw2k/source/tcpview.shtml

>-----Original Message-----
>Thanks for the reply Joe, your reply has definitely been
>helpful.
>
>You mention checking the file size and version info which
>I'd like to do but I cannot find any information anywhere
>that tells me what the file size, version, and default
>install location should be. I'm sure the information is
>available somewhere on the Internet but I just can't seem
>to find it.
>
>I WILL check the client's computer to see if the registry
>is loading smss.exe from run. A point I hadn't thought
>of. Your advising that smss.exe is normally located under
>%systemroot%\system32\ confirms my suspicion that the
>file is not where it's supposed to be which, in turn,
>indicates somebody has been up to no good.
>
>Quote from your reply:
>"check your ip traffic, if you see a process by the name
>smss.exe either listing or established you know its a
>Trojan, here is a good utility to identify all ip traffic
>by the process name."
>
>I don't see any links or information in your reply that
>gets me to the "good utility" that will identify all IP
>traffic by process name. Would you happen to know if
>ZoneAlarm keeps a log that is detailed enough to identify
>the process? I'd intended to install it and see what it
>can tell me about traffic on the client's modem. If not,
>I'd appreciate your replying with a link to the utility
>you mentioned.
>
>If you should reply it may take me up to a week to
>respond but I will check tomorrow evening for a response
>from you. I've got work coming out of my ears Monday and
>then I'm on the road to install computers and set up a
>network 600 miles from here on Tuesday. I doubt I'll be
>back before Saturday.
>
>Thanks again,
>Geoff
>
>
>
>
>>-----Original Message-----
>>Geoff,
>>
>>SMSS.EXE is part of the operating system, it's
>>called "system manager", the Session Manager Subsystem
>>initializes system environment variables, MS-DOS device
>>names such as LPT1 and COM1, loads the kernel for the
>>Win32 subsystem, and starts the Windows Logon Process, it
>>is normally located under %systemroot%\system32\.
>>
>>I have seen Norton AV failing to detect more than once,
>>maybe it's right or maybe it's wrong, check it manually.
>>
>>1) check the file size and version info.
>>
>>2) check the registry
>>HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU
>>for anything referring to smss.exe, this file should not
>>be loaded from the run key.
>>
>>3) check your ip traffic, if you see a process by the name
>>smss.exe either listening or established you know it's a
>>Trojan, here is a good utility to identify all ip traffic
>>by the process name.
>>
>>Joe
>>
>>
>>>-----Original Message-----
>>>A client's Windows 2000 Pro computer seems to have a lot
>>>of unexpected traffic on her cable modem. I am not at all
>>>familiar with Windows 2000 and she reports the computer
>>>is running slower than it used to.
>>>
>>>Nothing is found by Norton Antivirus 2003 with the latest
>>>definitions.
>>>
>>>An Ad-Aware 6 scan indicated possible trojan activity
>>>which I think may be related to smss.exe. The file is
>>>located in the C:\WINNT\SYSTEM32\SPOOL\DRIVERS folder
>>>which I believe to be wrong. I've been trying to find a
>>>site that lists the default install locations for the
>>>operating system's files with no luck but have found many
>>>references in various websites that would indicate
>>>smss.exe "should be" in C:\WINNT\SYSTEM32, not the
>>>SPOOL/DRIVERS subfolder.
>>>
>>>There is some info available that states smss.exe cannot
>>>be ended through task manager as it is a required system
>>>file. Hackers apparently take advantage of that by
>>>renaming their trojan smss.exe to prevent the trojan
>>>being shut down, or detected by antivirus programs.
>>>
>>>Am I correct that smss.exe on her machine is in the wrong
>>>folder and is anyone aware of a virus or trojan, by name,
>>>that would place the file in its current location?
>>>
>>>Thanks for any help anyone can offer.
>>>
>>>Geoff
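Joe's three manual checks (image path and version, Run keys, network endpoints by process), written up as an added PowerShell triage script for a current Windows host. This is not from the thread; it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection, and an elevated shell to read the path of SYSTEM-owned processes.

```powershell
# Added example, not from the thread: triage a suspected fake smss.exe.
$expected = Join-Path $env:SystemRoot 'System32\smss.exe'

# 1) Every running smss.exe: where is it loaded from, and what does its version say?
Get-CimInstance Win32_Process -Filter "Name = 'smss.exe'" | ForEach-Object {
    $path = $_.ExecutablePath
    if (-not $path) { "PID $($_.ProcessId): path not readable (run elevated)"; return }
    $ver = (Get-Item $path).VersionInfo
    $where = if ($path -ieq $expected) { 'expected location' } else { 'UNEXPECTED LOCATION' }
    "PID $($_.ProcessId): $path  v$($ver.FileVersion)  $($ver.FileDescription)  $where"
}

# Any extra on-disk copy under %SystemRoot% (the thread's case: spool\drivers)
Get-ChildItem -Path $env:SystemRoot -Filter smss.exe -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ine $expected } |
    ForEach-Object { "Extra copy on disk: $($_.FullName)  v$($_.VersionInfo.FileVersion)" }

# The genuine binary carries a valid Microsoft Authenticode signature
"Signature of $expected : $((Get-AuthenticodeSignature $expected).Status)"

# 2) Run keys: the real Session Manager is never started from here
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -imatch 'smss\.exe' } |
        ForEach-Object { "Run key hit: $k\$($_.Name) = $($_.Value)" }
}

# 3) Network endpoints by owning process: smss.exe should own none
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -ieq 'smss' } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
```

A hit in step 2 or 3, or a copy outside System32 in step 1, is the condition the thread describes; the version and signature lines tell you whether the file is a renamed impostor rather than the OS component.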