What is secman.exe?
June 6, 2006 7:19 AM
Unknown Process in Windows XP Pro SP2 called "secman.exe". Is it a virus? A system component?
I've googled enough to discover that "secman" is an app called Security Manager and seems relatively benign. Also, "scmn.exe" appears to be a virus.
However, I can't find anything about "secman.exe". I've tried terminating the process and it restarts immediately.
Updated Symantec AV indicates no problem. Any ideas out there? Thanks in advance!
Almost every time I find a mysterious process on my Windows box, a Google search turns up hundreds of hits for it with detailed and specific information on what it is. The search for secman.exe looks very thin by comparison. If it were my machine, I'd be very suspicious I've been infected. On Usenet you'll see the security app is a 1999 VB program of limited utility; not something you're likely to have installed casually.
posted by Nelson at 7:47 AM on June 6, 2006
Response by poster: Strange because this is a brand new install. I mean, less than 2 weeks old. And it resides behind a rather secure firewall, with up-to-date security measures. And I don't DL unusual things... Hmm..
pmbuko, I can't find it, though it is listed in Windows' Prefetch folder (WINDOWS\Prefetch). What's interesting is that opening up the Prefetch file in Notepad seems to bring up a list of all the files scheduled to be 'fetched', and it lists Secman.exe in the System32 folder. However, I can't find it there.
posted by lyam at 7:56 AM on June 6, 2006
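The poster read the .pf trace in Notepad and spotted a System32\Secman.exe entry that was not visible in the directory. The same trace can be read as structured data. The following is an added example, not code from the thread: a minimal reader for Windows XP / Server 2003 Prefetch files (format version 17). The field offsets follow the version-17 layout as commonly documented (for instance by libscca) and are an assumption to check against a real .pf; the sample file, its hash, run count and timestamp are constructed here, and the device paths mirror what the poster described.

```python
# Added example: a minimal reader for Windows XP / Server 2003 Prefetch (.pf)
# files, format version 17, so the trace the poster opened in Notepad can be
# read as structured data.  Offsets follow the version-17 layout as commonly
# documented (libscca); treat them as an assumption and check against a real
# .pf before relying on them.  The sample file below is constructed here.
import struct
from datetime import datetime, timedelta, timezone

PF_SIGNATURE = b"SCCA"
PF_VERSION_XP = 17
PF_HEADER_END_V17 = 0x98      # header (0x54 bytes) + v17 file-information block


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_prefetch_v17(data):
    """Return executable name, hash, run count, last run time and the
    referenced-file list of a version-17 prefetch file."""
    if len(data) < PF_HEADER_END_V17:
        raise ValueError("too short for a prefetch header")
    version, sig = struct.unpack_from("<I4s", data, 0x00)
    if sig != PF_SIGNATURE:
        raise ValueError("bad signature %r" % sig)
    if version != PF_VERSION_XP:
        raise ValueError("only version 17 (XP/2003) is handled, got %d" % version)
    # 0x10: executable name, 60 bytes of UTF-16LE, NUL-terminated
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 0x4C)      # hex suffix of the .pf name
    names_off, names_len = struct.unpack_from("<II", data, 0x64)
    (last_run_ft,) = struct.unpack_from("<Q", data, 0x78)
    (run_count,) = struct.unpack_from("<I", data, 0x90)
    if names_off + names_len > len(data):
        raise ValueError("filename-strings section runs past end of file")
    # the section is a run of NUL-terminated UTF-16LE device paths
    blob = data[names_off:names_off + names_len].decode("utf-16-le", errors="replace")
    return {
        "executable": exe_name,
        "hash": "%08X" % pf_hash,
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run_ft),
        "files": [p for p in blob.split("\x00") if p],
    }


def find_references(record, needle):
    """Device paths in the trace that contain needle (case-insensitive)."""
    n = needle.upper()
    return [p for p in record["files"] if n in p.upper()]


def referenced_but_absent(record, exists):
    """Paths the trace says were touched but for which exists(path) is False:
    the 'listed in Prefetch, not in System32' situation from the thread."""
    return [p for p in record["files"] if not exists(p)]


def build_sample_pf(exe_name, pf_hash, files, last_run_ft, run_count):
    """Constructed version-17 prefetch image for offline testing (not a real capture)."""
    names = "".join(p + "\x00" for p in files).encode("utf-16-le")
    hdr = bytearray(PF_HEADER_END_V17)
    struct.pack_into("<I4sI", hdr, 0x00, PF_VERSION_XP, PF_SIGNATURE, 0x0F)
    struct.pack_into("<I", hdr, 0x0C, PF_HEADER_END_V17 + len(names))   # file size
    exe = exe_name.encode("utf-16-le")
    hdr[0x10:0x10 + len(exe)] = exe                      # remainder stays NUL
    struct.pack_into("<I", hdr, 0x4C, pf_hash)
    struct.pack_into("<II", hdr, 0x64, PF_HEADER_END_V17, len(names))
    struct.pack_into("<Q", hdr, 0x78, last_run_ft)
    struct.pack_into("<I", hdr, 0x90, run_count)
    return bytes(hdr) + names


# Constructed sample: the hash, the run count and the 2006-06-06 00:00 UTC
# timestamp are made up; the paths mirror what the poster saw.
SAMPLE_FILES = [
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SECMAN.EXE",
]
SAMPLE_PF = build_sample_pf("SECMAN.EXE", 0x1A2B3C4D, SAMPLE_FILES,
                            127940256000000000, 3)

if __name__ == "__main__":
    rec = parse_prefetch_v17(SAMPLE_PF)
    print(rec["executable"], rec["hash"], rec["run_count"], rec["last_run"])
    for path in find_references(rec, "secman.exe"):
        print("referenced:", path)
    # stand-in for os.path.exists after mapping the device path to a drive letter
    print("absent:", referenced_but_absent(rec, lambda p: "SECMAN" not in p.upper()))
```

`referenced_but_absent` takes a predicate rather than calling `os.path.exists` directly, because the trace stores `\DEVICE\HARDDISKVOLUMEn\...` paths that first have to be mapped to a drive letter; that also keeps the example runnable offline. A hit means the file was loaded when the trace was last written but cannot be found now. That is consistent with the file having been deleted since, and equally with something hiding it from directory listings, which is why it is worth comparing against the image path Process Explorer reports for the live process rather than trusting either view alone.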
I looked "secman virus" up on Ask.com and got quite a few hits. This one in particular talks about secman being used in a backdoor exploit. You may have the Sasser virus.
posted by JJ86 at 8:05 AM on June 6, 2006
Response by poster: Otis,
No, this is in a University Environment.
JJ86,
I reviewed your search and I'm not sure that it's referencing secman.exe as a virus. However, I downloaded symantec's Sasser removal tool just in case and it did not find it.
posted by lyam at 8:22 AM on June 6, 2006
Reason I ask is that "Security Manager" was a program that was part of the junk that came with a standard Comcast broadband install.
Could it be something custom to your network or environment? Can you check another PC on the university's network to see if it's running secman.exe?
The fact that it's not showing up in all the usual places like tasklist.org and Google makes me think it might be something custom to your environment.
posted by Otis at 8:52 AM on June 6, 2006
Response by poster: Yeah, I've checked three other machines set up similar to mine. No sign of the dang thing.
What's interesting is that after checking the Application Log, it indicates that the name of the process I deleted is called Security Manager. Some more Google searching led back to the Sasser virus in that it would delete the Security Manager setting in various places in the Registry.
Of course Security Manager is a vague enough term that the information above might be completely worthless.
posted by lyam at 8:57 AM on June 6, 2006
Best answer: Have you tried using Sysinternals' Filemon or Regmon to see what it's doing? How about Ethereal to see if it's sending out any packets?
I'm assuming it's not digitally signed, but does the Version tab of the properties page give you any hints?
posted by stovenator at 9:20 AM on June 6, 2006
Speaking of Sysinternals, you should download their Process Explorer. Run it, right-click on secman.exe, select "Properties", and get all sorts of interesting information. "Strings" could give you some insight, as could "Threads -> Stack".
posted by IvyMike at 9:44 AM on June 6, 2006
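stovenator asks whether the binary is digitally signed and what its Version tab shows; IvyMike points at Process Explorer's Strings view. Both can be done by hand on the image file once you have located it. The following is an added example, not code from the thread or from Sysinternals: it reads the PE data directory to see whether an embedded Authenticode certificate table is present, and pulls printable ASCII and UTF-16LE strings the way a strings tool does. It only tests for the presence of a signature, not its validity, and the sample PE and the strings inside it are constructed here.

```python
# Added example (not from the thread): two of the checks Process Explorer's
# Properties dialog and its Strings tab do for you, done by hand on the image
# file: does the PE carry an embedded Authenticode certificate table, and
# which printable ASCII / UTF-16LE strings does it contain.  Only the
# *presence* of a signature is tested, not its validity; the sample PE and
# the strings inside it are constructed here.
import re
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the certificate table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(data):
    """(file offset, size) of the certificate table; (0, 0) if none is declared."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                          # skip 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        count_off, dd_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional-header magic 0x%X" % magic)
    (count,) = struct.unpack_from("<I", data, count_off)   # NumberOfRvaAndSizes
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    return struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def has_embedded_signature(data):
    """True if a non-empty certificate table lies inside the file.
    Unlike the other directories, this one holds a raw file offset, not an RVA."""
    off, size = security_directory(data)
    return size > 0 and off + size <= len(data)


def extract_strings(data, min_len=6):
    """Printable ASCII runs and UTF-16LE runs of at least min_len characters."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([s.decode("ascii") for s in ascii_runs]
            + [s.decode("utf-16-le") for s in wide_runs])


def build_sample_pe(signed, payload):
    """Constructed minimal PE32 image: DOS stub, COFF header, 224-byte optional
    header, a payload blob and, if signed, a stub WIN_CERTIFICATE record."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    body_off = 64 + len(coff) + len(opt)
    cert = b""
    if signed:
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
        cert = struct.pack("<IHH", 8 + 16, 0x0200, 0x0002) + b"\x00" * 16
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         body_off + len(payload), len(cert))
    return bytes(dos) + coff + bytes(opt) + payload + cert


# Constructed payload standing in for a version resource and a description.
SAMPLE_PAYLOAD = (b"\x00" * 16 + b"Security Manager" + b"\x00" * 4
                  + "FileVersion".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for signed in (True, False):
        img = build_sample_pe(signed, SAMPLE_PAYLOAD)
        print("embedded signature:", has_embedded_signature(img))
    print(extract_strings(build_sample_pe(False, SAMPLE_PAYLOAD)))
```

Two caveats a practitioner would want. A non-empty certificate table only shows that something is attached; whether the chain verifies is a job for WinVerifyTrust (signtool verify /pa, or Get-AuthenticodeSignature in PowerShell), not for a header parser. Conversely, many Windows components have no embedded signature at all because they are catalog-signed, so an empty table does not by itself make a file in System32 suspicious; what made the poster's case interesting was the combination of no searchable footprint, an unfindable image and a process that restarts when killed.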
Response by poster: Looks like someone is leeching...
Found a file thanks to filemon that appears to be some kind of log, complete with ascii art and system info.
How in the hell did I get this?
Well, time for a rebuild.
Thanks for all your help.
posted by lyam at 9:46 AM on June 6, 2006
Response by poster: Well, I'm now on a rebuilt machine.
What I did was use Filemon to observe what the file was doing. Well, among other things it was updating a certain file. I viewed the file, only to discover some crappy ascii art, statistics about my connection, and an invitation to all to 'Drink beer, not milk and continue to Leech!'.
So anyway, I tried to isolate the process which resulted in my machine's crashing. After discovering that no amount of cajoling would recover the system, I copied all the important documents to another machine and re-imaged.
So strange. I wonder how in the hell I let those jerks in...
posted by lyam at 1:45 PM on June 6, 2006
I used to find Windows Startup Online absolutely invaluable for tracking down what the various programs and services running were.
The search function appears to be busted at the minute, but may be worth bookmarking and checking back again if you ever have a similar problem...
posted by Chunder at 4:55 AM on June 7, 2006
Response by poster: For what it's worth, I've found the backdoor.subdot virus on 4 other machines where secman.exe is running. Re-imaging is my solution. Still don't know how these machines got infected, though.
posted by lyam at 8:48 AM on June 28, 2006
This thread is closed to new comments.
posted by Hubajube at 7:30 AM on June 6, 2006