FP? -- Heuristics.Reserved.Word.Exploit -- smss.TMP

[whatnext?]

Hi -- I think I have a FP. I started a thread earlier today in the other Malwarebytes forum: http://www.malwarebytes.org/forums/index.php?showtopic=7757 .

I submitted the "infected" file, smss.TMP, at virusscan.jotti.org, and all the scanners found it to be clean.

I ran the quick Malwarebytes' scan again in developer mode. Here is the log:

Malwarebytes' Anti-Malware 1.30

Database version: 1423

Windows 5.1.2600 Service Pack 2

11/25/2008 10:08:36 PM

mbam-log-2008-11-25 (22-08-27).txt

Scan type: Quick Scan

Objects scanned: 63439

Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\smss.TMP (Heuristics.Reserved.Word.Exploit) -> No action taken. [4642524945343638373041708683748485746884155170847083877069155680836915388981778

074851301847884841301474853017089709367667693777976937884689378807193807769]

---------------

I am not planning to remove the file, unless someone here in the forums advises me to. Please let me know what I should do. THANK YOU!

[Raid]

For the time being, until I can confer with Bruce; I wouldn't advise removing the file.

[nosirrah]

Smss is a reserved MS file name and should only be used by MS in predictable ways .

http://www.google.com/search?hl=en&q=s...mp;aq=f&oq=

There is not much at all on google on this file path , usually not a good sign .

[whatnext?]

Smss is a reserved MS file name and should only be used by MS in predictable ways .

http://www.google.com/search?hl=en&q=s...mp;aq=f&oq=

There is not much at all on google on this file path , usually not a good sign .

So should I go ahead and remove this? (Sorry it's taken me so long to reply.) Thanks for the help.

[exile360]

So should I go ahead and remove this? (Sorry it's taken me so long to reply.) Thanks for the help.

To be on the safe side, instead of just removing it please follow the instructions here:

http://www.malwarebytes.org/forums/index.php?showtopic=2936

and post your logs in a new topic here:

http://www.malwarebytes.org/forums/index.php?showforum=7

This process will allow an expert to analyze what's going on and if it is in fact related to an infection.

Please be sure not to install any software or use any removal/scanning tools exept those that you are

instructed to by the expert who will be assisting you as doing so can make their job much more difficult.

I hope I was helpful. Good luck and safe surfing.

[whatnext?]

To be on the safe side, instead of just removing it please follow the instructions here:

http://www.malwarebytes.org/forums/index.php?showtopic=2936

and post your logs in a new topic here:

http://www.malwarebytes.org/forums/index.php?showforum=7

This process will allow an expert to analyze what's going on and if it is in fact related to an infection.

Please be sure not to install any software or use any removal/scanning tools exept those that you are

instructed to by the expert who will be assisting you as doing so can make their job much more difficult.

I hope I was helpful. Good luck and safe surfing.

Hi -- thanks for responding. I quarantined the smss.TMP file before reading your post. (But I can restore it, if you think I should.) Also, a more recent MalwareBytes quick scan found Trojan.DNSChanger, so I let it quarantine that. Then I reset my router, and realized that I hadn't noted down the correct Verizon settings. So I was without Internet for a couple of days because I didn't have time to call Verizon, but now I'm back. (I don't even know if the reset was necessary, since it's a wired router.)

Also, a recent "smart" scan with a-square-free found Trace.Directory.Berm.Amazon Toolbar!A2. I thought this might be because I recently installed the Amazon MP3 Downloader, but I wasn't sure and didn't find anything on Google linking the two, so I let a-squared quarantine it. And I saw that ViewPoint Media Player was installed (in Add/Remove programs), and Major Geeks lists this as a program to remove (on its list http://forums.majorgeeks.com/showthread.php?t=79754) because of privacy issues. (I don't remember installing this - maybe it also comes with the Amazon MP3 Installer? - or maybe I installed it and forgot.)

Now when I scan for registry issues with CCleaner, there are are a lot of installer and ActiveX/class issues. Instead of letting CClearer clean up, I am considering restoring the Amazon Toolbar from the a-squared quarantine (since it is not considered dangerous), and then removing the Amazon MP3 Downloader via Add/Remove programs, and then re-scanning with a-squared to see if the toolbar is still there. (If it is, I'd remove it at that point.)

I scanned with SpyBot (but after removing the files above, incl. smss.TMP), and it did not find anything. (Teatimer was not running in the background.) I will follow through and run the HJT and Panda or eSet and new MalwareByte scans as you suggested (within the next few days) and post the results to the HJT Logs forum. I would really like to get my system all cleaned up and backed up so that I can install SP3!

Some additional questions, if you have time:

1. Majorgeeks says on one page to use CCleaner to control startups, and on another page (http://forums.majorgeeks.com/showthread.php?t=149804) it says not to, b/c CCleaner uses msconfig, and that page's author does not recommend using msconfig to control startups. What should I be using? I have Windows Defender, would it be better to use that?

2. I am confused about when to run scans in Safe Mode. I have often seen recommendations to run scans in SafeMode, but on http://forums.majorgeeks.com/showthread.php?t=139309, it specifically said to clean malware in normal startup mode.

3. I am also confused about when to re-set System Restore when cleaning malware. I'd like to confirm that you are supposed to clean up first, and then turn System Restore off, reboot, and then turn System Restore on. (I recently read a recommendation that you turn it off before cleaning, but I don't think this is correct.)

4. I have a lot of (free) anti-malware programs. It is quite time-consuming if I try to scan with them all, especially if I get a positive (or false-positive) result and have to spend time researching what to do. But I do find that sometimes one will pick up something the others miss.

From the list of programs on my machine, is there a small subset I could use regularly, and just run the others when I think there's a problem? Or should I rotate, and run (say) three per week? And should I also be using some sort of dedicated Trojan detector (free preferred)?

I have:

Ad-Aware (free)

A-squared (free; does not run in background)

A-squared anti-dialer (free; runs in background)

Avast AV (free; runs in background)

AVG Antispyware (does not run in background)

MalwareBytes Anti-malware (free; just added this recently)

Spyware Blaster (free; re-immunize about once every few wks)

SpyBot (free; TeaTimer runs in bkground; re-immunize once every few wks)

SuperAntiSpyware (free; runs in background; just added this recently)

Windows Defender (runs in background)

WinPatrol (free; runs in background)

Also, I am using Sygate Personal Firewall (although I am planning on switching to Comodo's free personal firewall). When running an anti-malware scan, I always turn off all the above programs that run in background, including Avast AV. But I leave the firewall on (and sometimes set to "Block All", if I have to leave it unattended overnight).

Whew, that was quite a laundry list of problems/questions. If you don't have time for all this, I understand. Thank you for your help.

[exile360]

Hello again. I'm going to try to answer your questions.

1. It won't hurt anything to use Ccleaner to control startups, but it's somewhat limited in the locations that it checks compared to tools like Microsoft Sysinternals Autoruns.

2. With Malwarebytes' you're much better off scanning in normal mode if possible because it's more likely to catch active infections while they're running. Each tool is different however and some are better in safe mode. My rule is if I can scan in Normal Mode I do and if after reboot it didn't remove what was detected, then reboot to Safe Mode to try getting rid of it.

3. Generally best practice here is to create a restore point before the cleaning begins in case of issues during removals. Then, after the system is totally clean, reset System Restore by turning it off and then back on again and create a new restore point.

4. Your best bet is to pick 2 or 3 that you trust and are updated frequently (like Malwarebytes', A-squared and SAS) and do a scan with them once a week or so (depending on how safe your surfing habits are). Also scan with your antivirus about that often as well.

As far as trojan detectors go, there aren't too many specifically dedicated to that purpose these days, but you could use Comodo Boclean. I've had good luck with it myself. For the sake of resources I would disable SAS (SUPERAntiSpyware) from running on startup if you're only using the free version.

I would also recommend purchasing either Malwarebytes' or SAS as the only AS apps I see resident are Windows Defender and TeaTimer, neither of which are updated frequently enough to stop the newest infections.

It looks like you're dedicated to security and that's good. In addition I'd recommend not using Peer to Peer programs like limewire and bittorrent and stay away from sites like myspace and facebook as they are common targets for makers of malicious software.

I hope I've been helpful, if you need anything else just let us know. Good luck and safe surfing.

[whatnext?]

Thank you, you have been very helpful. I do try to stay safe on the web, using Firefox with the Noscript extension. No peer-to-peer or Facebook yet, but I have a teenager, so it is only a matter of time before she gets into that. (Surprisingly, the local schools seem to encourage this by using Facebook for distributing class information!) So thanks for the warning about that.

I hope to get my scans run in the next few days, and will post the logs in the HJT forum.

Thanks again!

[DaChew]

Winpatrol and teatimer are trying to do duplicate registry protection, that's dangerous

[whatnext?]

Winpatrol and teatimer are trying to do duplicate registry protection, that's dangerous

Which is better to use?

Thank you.

[DaChew]

I would go for whatever reccomendations you are given in the HJT forum, I just chose one of the security conflicts I saw