Virus found in smss.dll file, Symantec cannot delete or quarantine

Hi, we are running a small office with Symantec AntiVirus Corporate Edition on a server and 9 client machines.  Yesterday, during a real-time scan, a virus was detected on one of the client machines running Windows 2000.  Symantec doesn't give an actual name other than to say it's a "trojan".
This is driving me nuts.  Symantec cannot delete or quarantine the file: it says access denied.  I cannot delete the file (even after booting in safe mode).  Here is the message that keeps popping up over and over:

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Trojan Horse
File:  C:\WINNT\system32\smss.dll
Location:  C:\WINNT\system32
Computer:  WK6
User:  mark
Action taken:  Clean failed : Quarantine failed : Access denied
Date found: Sat Jul 22 16:47:07 2006

Please help with any info on what this virus is and how I can remove it.  Thanks!!
pvmattAsked:
rpggamergirlCommented:
That's part of PurityScan/ClickSpring or any of the files from OIN.
Just manually delete that file -->  C:\WINNT\system32\smss.dll

and look for any programs by OIN in your Add/Remove Programs list.
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller:
http://www.outerinfo.com/OiUninstaller.exe
rpggamergirlCommented:
We could also look at your HijackThis log; it should confirm whether there are OIN apps installed on your system.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
war1Commented:
Greetings, pvmatt !

Smss.dll is a trojan.  Use Killbox or Unlocker in Safe Mode to remove the hard-to-remove file.

Killbox to remove stubborn files. Use the "delete on reboot" option:
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html

If you cannot delete the file, disable it.  Right-click on the file and select Properties > Security > Advanced. Uncheck "Inherit from parent" and remove the other permissions.  If you are using Windows XP Home, you need to access the Security tab from Safe Mode. If using Windows XP Pro and the Security tab is not available, go to any folder and select Tools > Folder Options > View. Uncheck "Use simple file sharing".


Best wishes!
pvmattAuthor Commented:
Hi.  Thanks for the help.  I did find "Cowabunga by OIN" and removed it.  However, I cannot just manually delete the file.  Windows keeps saying the file is in use, even in Safe Mode.  Any idea how I can delete it?
rpggamergirlCommented:
Sometimes it adds a value in AppInit_DLLs, and that's when you need a third-party tool like Killbox or Avenger.

Let's look at your HijackThis log to make sure it's not hooked up with AppInit_DLLs or Winlogon; if it is, you need to remove the registry entry first so you don't get an error after deleting it.
pvmattAuthor Commented:
Thanks again, guys.  I got a little ahead of myself here before reading your additional posts.  I already used Killbox and deleted the file.

I posted the hijack this log here: http://www.rafb.net/paste/results/m2uQli32.html

let me know what to do next!
rpggamergirlCommented:
Fix these entries by putting a check next to them and click "Fix Checked":
O2 - BHO: (no name) - {8B5A385C-AEC2-8D6C-CB41-FABAA2131BE7} - C:\WINNT\system32\tnguzwyx.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm  
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O20 - AppInit_DLLs: smss.dll C:\WINNT\system32\chkntfs.dll


Here's another PurityScan file; delete this one too --> C:\WINNT\system32\chkntfs.dll

Maybe try running their uninstaller to make sure no OIN files are left.
pvmattAuthor Commented:
Thanks again.  HijackThis spat this back out:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs:   smss.dll  C:\WINNT\system32\chkntfs.dll  )
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
rpggamergirlCommented:
Can you check this in the registry and tell me if smss.dll is also present?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=""

Check the value of "AppInit_DLLs" and let me know if smss.dll is still there, or if it is just C:\WINNT\system32\chkntfs.dll.


We'll use Avenger to get rid of the file, and the value all at once.
rpggamergirlCommented:
Nevermind my above post.

1. Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

2. Copy all the text contained inside the lines below to your Clipboard by highlighting it and pressing (Ctrl+C):
---------------------------------------------------------------------------------------------------------------

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINNT\system32\chkntfs.dll
C:\WINNT\system32\smss.dll  

---------------------------------------------------------------------------------------------------------------

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply
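What war1's Killbox "delete on reboot" advice and the Avenger script above actually do, written out by hand so the mechanism is visible. This is an added example, not code from the thread or from Killbox/Avenger: it reads the AppInit_DLLs value the HijackThis O20 line reports, shows which processes have the DLL mapped (the "file in use" symptom), backs up and clears the value, then queues the two DLLs for deletion at the next boot through the same Win32 call those tools rely on. It assumes an elevated PowerShell prompt; the two DLL paths are the ones named in the thread, with %SystemRoot% in place of the hard-coded C:\WINNT, and the backup folder name is arbitrary. PowerShell postdates Windows 2000, so on the original host the equivalent is reg.exe plus the Killbox/Avenger steps given above.

```powershell
# Added example (not from the thread, Killbox or Avenger). Assumptions: elevated
# PowerShell; target paths and backup folder as declared below.
$ErrorActionPreference = 'Stop'

$winKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
# On 64-bit Windows, 32-bit processes read the Wow6432Node copy of this key too.
$targets   = @("$env:SystemRoot\system32\smss.dll",
               "$env:SystemRoot\system32\chkntfs.dll")
$backupDir = Join-Path $env:SystemDrive 'appinit_backup'   # arbitrary name
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) records the path under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations;
# the file is removed early in the next boot, before user32 can map the DLL
# into anything. This is the "delete on reboot" that Killbox and Avenger use.
$k32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Get-AppInitDlls {
    # AppInit_DLLs is a space- or comma-separated list; the loader resolves
    # bare names (like "smss.dll" in the O20 line) against system32.
    $raw = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    $raw -split '[ ,]+' | Where-Object { $_ } | ForEach-Object {
        if ([IO.Path]::IsPathRooted($_)) { $_ } else { Join-Path "$env:SystemRoot\system32" $_ }
    }
}

# 1. What is being injected into every user32-linked process right now. While
#    this value names the DLL it is mapped into nearly everything, Safe Mode
#    included, which is why deleting it fails with "in use" even there.
$current = @(Get-AppInitDlls)
Write-Host "AppInit_DLLs currently loads: $($current -join ', ')"
foreach ($dll in $targets) {
    $holders = Get-Process | Where-Object {
        try { $_.Modules.FileName -contains $dll } catch { $false }
    } | Select-Object -ExpandProperty ProcessName
    if ($holders) { Write-Host "$dll is mapped in: $($holders -join ', ')" }
}

# 2. Save the raw value, then clear it (Avenger's "replace with dummy").
#    Emptying it outright is fine on a workstation: the value is normally empty.
$raw = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
Set-Content -Path (Join-Path $backupDir 'AppInit_DLLs.old.txt') -Value "$raw"
Set-ItemProperty -Path $winKey -Name AppInit_DLLs -Value ''

# 3. Copy each DLL aside (a mapped image can still be opened for read), then
#    queue it for deletion at boot. Do this AFTER step 2, otherwise every new
#    process keeps trying to load a file that no longer exists.
foreach ($dll in $targets) {
    if (-not (Test-Path -LiteralPath $dll)) { Write-Host "$dll not present, skipping"; continue }
    Copy-Item -LiteralPath $dll -Destination $backupDir -Force
    if (-not $k32::MoveFileEx($dll, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for ${dll}: Win32 error $err"
    }
    Write-Host "queued for deletion at reboot: $dll"
}

# 4. Show the queue the boot-time cleanup will process, then reboot. After the
#    restart, Get-AppInitDlls should return nothing and the paths should be gone.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
    -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
Write-Host 'Run Restart-Computer when ready.'
```

The ordering in steps 2 and 3 is the point rpggamergirl makes about removing the registry entry before the file: the registry value is what keeps the DLL mapped, so clearing it first and letting the boot-time cleanup remove the file avoids both the "in use" failure and a dangling AppInit_DLLs entry afterwards. The copies in the backup folder are what you would submit to your AV vendor, since Symantec here only reported a generic "Trojan Horse".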
pvmattAuthor Commented:
Hi, there is no value at all in the AppInit_DLLs entry.  I was able to use Killbox to delete the chkntfs.dll file.  Is there anything else that I need to do?
rpggamergirlCommented:
Oh I see, looks like everything's ok then.