Re: bmss.exe running on boot
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 28 Feb 2006 22:53:57 -0600
I did a search for that file on Google and did not find anything definitive
but nothing that seemed to indicate malware. Other users have found it and
were also curious as to what it was. A search of Microsoft.com showed
nothing for that file which certainly makes it suspect. I checked my Windows
2003 and Windows 2000 test domain controllers and it does not exist on
either one. In addition to routine malware scans with the latest definitions
from the publisher's website, you should scan for spyware with something like
AdAware SE to see if anything is found.
You could use the tools Process Explorer, TCPView, and Autoruns all free
from SysInternals to gain more information about the process. Process
Explorer will for instance show what ports it uses and if it is associated
with any services. If nothing indicates it is a legitimate or needed process
you could use Autoruns to disable it from being started when the computer
starts up. The first link below shows Windows server port usage which may be
able to help determine if it is something that is indeed used by Windows
Server. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017
http://www.sysinternals.com/Utilities/ProcessExplorer.html --- Process
Explorer
http://www.lavasoftusa.com/software/adaware/ --- AdAware
"Sean Stromberg" <sean@xxxxxxxxxxxx> wrote in message
news:eddP0oqOGHA.2828@xxxxxxxxxxxxxxxxxxxxxxx
I have a process that is starting on reboot of my server that is found in
C:\Windows\System32 called bmss.exe.
The description of the file is 'Windows NT BMonitor Session Manager'
File Version: 5.2.3571.0 (JASBR(ntvbl07).010424-2101}
I found it under the following entry in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
with a REG_MULTI_SZ called BootExecute with the following values:
bmssldr
autocheck autochk *
SsiEfr.ex
This seems like a huge security hole as it opens up a ton of ports that my
Firewall is blocking.
MVPs, is this legit or is it someone masquerading as a proper process?
Thanks,
Sean
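
As an added example (not part of the original posts), one way to audit the BootExecute value discussed in this thread from PowerShell: it lists each entry, flags anything other than the stock `autocheck autochk *`, and reports the referenced file's version description and signature status. The helper name `Get-BootExecuteAudit` and the way entries are resolved to files under System32 are assumptions of this example.

```powershell
# Added example, not from the original thread.
$KeyPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$DefaultEntry = 'autocheck autochk *'   # stock Windows BootExecute value

function Get-BootExecuteAudit {          # hypothetical helper name
    param(
        [string[]]$Entries = @((Get-ItemProperty -Path $KeyPath -Name BootExecute).BootExecute),
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )
    foreach ($entry in $Entries) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $tokens = @(-split $entry)
        # Assumption: "autocheck <image> <args>" names the image second;
        # any other entry names it first.
        $image = if ($tokens[0] -eq 'autocheck' -and $tokens.Count -gt 1) { $tokens[1] } else { $tokens[0] }
        # Assumption: an image without an extension resolves to <name>.exe in System32.
        if (-not [IO.Path]::GetExtension($image)) { $image = "$image.exe" }
        $path = Join-Path $System32 $image

        $description = $null; $version = $null; $signer = $null
        $sigStatus = 'FileMissing'
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $info        = (Get-Item -LiteralPath $path).VersionInfo
            $description = $info.FileDescription
            $version     = $info.FileVersion
            # Catalog-signed system files may show NotSigned on older PowerShell
            # versions, so treat a non-Valid status as a lead, not a verdict.
            $sig       = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Entry       = $entry
            IsDefault   = ($entry.Trim() -eq $DefaultEntry)
            Path        = $path
            Description = $description
            FileVersion = $version
            Signature   = $sigStatus
            Signer      = $signer
        }
    }
}

# Read the live value and show one record per entry.
Get-BootExecuteAudit | Format-List
```

Any record with `IsDefault` set to False is worth comparing against a known-clean server of the same Windows version before it is disabled with Autoruns.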