Virus found in smss.dll file, Symantec cannot delete or quarantine

Posted on 2006-07-23
Medium Priority
Last Modified: 2012-06-27
Hi, We are running a small office with Symantec anti-virus corporate edition on a server and 9 client machines.  Yesterday during real-time scan, a virus was detected on one of the client machines running Windows 2000.  Symantec doesn't give an actual name other than to say it's a "trojan".
This is driving me nuts.  Symantec cannot delete or quarantine the file: it says access denied.  I cannot delete the file (even after booting in safe mode).  Here is the message that keeps popping up over and over:

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Trojan Horse
File:  C:\WINNT\system32\smss.dll
Location:  C:\WINNT\system32
Computer:  WK6
User:  mark
Action taken:  Clean failed : Quarantine failed : Access denied
Date found: Sat Jul 22 16:47:07 2006

Please help with any info on what this virus is and how I can remove it.  Thanks!!
Question by:pvmatt
LVL 47

Accepted Solution

rpggamergirl earned 2000 total points
ID: 17165539
That's part of purityscan/clickspring or any files from OIN.
Just manually delete that file -->  C:\WINNT\system32\smss.dll

and look for any programs by OIN in your add/remove programs list.
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
LVL 47

Expert Comment

ID: 17165541
We could also look at your hijackthis log, it should confirm whether there are OIN apps installed in your system.

Please download HijackThis 1.99.1
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your PC to the location of your HijackThis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Then post the link to the saved list here.
LVL 97

Expert Comment

ID: 17165543
Greetings, pvmatt !

Smss.dll is a trojan.  Use Killbox or Unlocker in Safe Mode to remove the hard-to-remove file.

Killbox removes stubborn files. Use the "delete on reboot" option.

If you cannot delete the file, disable it.  Right click on the file and select Properties > Security > Advanced. Uncheck "Inherit from parent" and remove other permissions.  If you are using Windows XP Home, you need to access the Security tab from Safe Mode. If using Windows XP Pro and the Security tab is not available, go to any folder and select Tools > Folder Options > View. Uncheck "Use simple file sharing".

Best wishes!

Author Comment

ID: 17165571
Hi, thanks for the help.  I did find "Cowabunga by OIN" and removed it.  However, I cannot just manually delete the file.  Windows keeps saying the file is in use, even in safe mode.  Any idea how I can delete it?
LVL 47

Expert Comment

ID: 17165587
Sometimes it adds a value in AppInit_DLLs, and that's when you need a third-party tool like Killbox or Avenger.

Let's look at your HijackThis log to make sure it's not hooked up with AppInit_DLLs or Winlogon; if it is, you need to remove the registry entry first so you don't get an error after deleting it.

Author Comment

ID: 17165658
Thanks again guys.  I got a little ahead of myself here before reading your additional posts.  I already used Killbox and deleted the file.

I posted the HijackThis log here: http://www.rafb.net/paste/results/m2uQli32.html

Let me know what to do next!
LVL 47

Expert Comment

ID: 17165713
Fix these entries by putting a check next to them and click "Fix Checked":
O2 - BHO: (no name) - {8B5A385C-AEC2-8D6C-CB41-FABAA2131BE7} - C:\WINNT\system32\tnguzwyx.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O20 - AppInit_DLLs: smss.dll C:\WINNT\system32\chkntfs.dll

Here's another purityscan file; delete this one too --> C:\WINNT\system32\chkntfs.dll

Maybe try running their uninstaller to make sure there are no OIN files left.

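To make log entries like the ones above machine-checkable, here is an added Python example (not from the thread and not part of HijackThis) that parses HijackThis-style lines and pulls out the O20 AppInit_DLLs list plus the O2/O16 CLSIDs with their targets. The sample lines are constructed from those quoted above; resolving a bare DLL name such as smss.dll under system32 is an assumption for display only.

```python
import re

# Constructed sample mirroring the HijackThis 1.99.1 entries quoted in the thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {8B5A385C-AEC2-8D6C-CB41-FABAA2131BE7} - C:\\WINNT\\system32\\tnguzwyx.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\\WINNT\\web\\related.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O20 - AppInit_DLLs: smss.dll C:\\WINNT\\system32\\chkntfs.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")          # "O20 - AppInit_DLLs: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")    # {8-4-4-4-12} GUID in braces

def parse_hjt_line(line):
    """Return (section, kind, detail) for one HijackThis line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    kind, _, detail = rest.partition(": ")
    return section, kind, detail

def appinit_dlls(detail, system32="C:\\WINNT\\system32"):
    """Split an AppInit_DLLs value (space- or comma-separated) into paths.
    A bare name is loaded via the normal DLL search path; showing it under
    system32 here is an assumption so each entry maps to one concrete file."""
    dlls = []
    for tok in re.split(r"[ ,]+", detail.strip()):
        if not tok:
            continue
        if "\\" not in tok:
            tok = system32 + "\\" + tok
        dlls.append(tok)
    return dlls

def triage(log_text):
    """Collect what a responder checks first: every DLL named in O20
    AppInit_DLLs, and each O2 (BHO) / O16 (DPF) CLSID with its target."""
    findings = {"appinit": [], "clsid": []}
    for line in log_text.splitlines():
        parsed = parse_hjt_line(line)
        if not parsed:
            continue
        section, kind, detail = parsed
        if section == "O20" and kind == "AppInit_DLLs":
            findings["appinit"].extend(appinit_dlls(detail))
        elif section in ("O2", "O16"):
            cm = CLSID_RE.search(detail)
            target = detail.rsplit(" - ", 1)[-1]   # path or download URL
            findings["clsid"].append((section, cm.group(0) if cm else None, target))
    return findings
```

The O20 list is what to compare against the registry value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows before deleting any file, as the thread advises.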
Author Comment

ID: 17165740
Thanks again.  HijackThis spit this back out:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs:   smss.dll  C:\WINNT\system32\chkntfs.dll  )
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
LVL 47

Expert Comment

ID: 17165765
Can you check this in the registry and tell me if smss.dll is also present?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Check the value of "AppInit_DLLs" and let me know if smss.dll is still there or if it is just C:\WINNT\system32\chkntfs.dll

We'll use Avenger to get rid of the file, and the value all at once.
LVL 47

Expert Comment

ID: 17165788
Never mind my above post.

1. Please download The Avenger by Swandog46 to your Desktop.

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

2. Copy all the text contained inside the lines below to your Clipboard by highlighting it and pressing (Ctrl+C):

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply

Author Comment

ID: 17165805
Hi, there is no value at all in the AppInit_DLLs entry.  I was able to use Killbox to delete the chkntfs.dll file.  Is there anything else that I need to do?
LVL 47

Expert Comment

ID: 17165832
Oh I see, looks like everything's ok then.
