Virus found in smss.dll file, Symantec cannot delete or quarantine

Posted on 2006-07-23
Last Modified: 2012-06-27
Hi, we are running a small office with Symantec anti-virus corporate edition on a server and 9 client machines.  Yesterday during real-time scan, a virus was detected on one of the client machines running Windows 2000.  Symantec doesn't give an actual name other than to say it's a "trojan".
This is driving me nuts.  Symantec cannot delete or quarantine the file: it says access denied.  I cannot delete the file (even after booting in safe mode).  Here is the message that keeps popping up over and over:

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Trojan Horse
File:  C:\WINNT\system32\smss.dll
Location:  C:\WINNT\system32
Computer:  WK6
User:  mark
Action taken:  Clean failed : Quarantine failed : Access denied
Date found: Sat Jul 22 16:47:07 2006

Please help with any info on what this virus is and how I can remove it.  Thanks!!
Question by:pvmatt

Accepted Solution

rpggamergirl earned 500 total points
ID: 17165539
That's part of purityscan/clickspring or any files from OIN.
Just manually delete that file -->  C:\WINNT\system32\smss.dll

and look for any programs by OIN in your add/remove programs list.
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.

Expert Comment

ID: 17165541
We could also look at your hijackthis log, it should confirm whether there are OIN apps installed in your system.

Please download HijackThis 1.99.1
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> 
and click "Analyse", click "Save".  Then post the link to the saved list here.

Expert Comment

ID: 17165543
Greetings, pvmatt !

Smss.dll is a trojan.  Use Killbox or Unlocker in Safe Mode to remove hard-to-remove files.

Use Killbox to remove stubborn files. Use the option "delete on reboot".

If you cannot delete the file, disable it.  Right click on the file and select Properties > Security > Advanced. Uncheck "Inherit from parent" and remove other permissions.  If you are using Windows XP Home, you need to access the Security tab from Safe Mode. If using Windows XP Pro and the Security tab is not available, go to any folder and select Tools > Folder Options > View. Uncheck "Use simple file sharing".

Best wishes!

Author Comment

ID: 17165571
Hi.  Thanks for the help.  I did find "Cowabunga by OIN" and removed it.  However, I cannot just manually delete the file.  Windows keeps saying file in use, even in safe mode.  Any idea how I can delete it?

Expert Comment

ID: 17165587
Sometimes it adds a value in AppInit_dlls and that's when you need a third party tool like Killbox or Avenger.

Let's look at your hijackthis log to make sure it's not hooked up with AppInit_dlls or winlogon otherwise if it is then you need to remove the reg entry first so you don't get an error after deleting it.

Author Comment

ID: 17165658
Thanks again guys.  I got a little ahead of myself here before reading your additional posts.  I already used Killbox and deleted the file.

I posted the hijack this log here:

let me know what to do next!

Expert Comment

ID: 17165713
Fix these entries by putting a check next to them and click "Fix Checked":
O2 - BHO: (no name) - {8B5A385C-AEC2-8D6C-CB41-FABAA2131BE7} - C:\WINNT\system32\tnguzwyx.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm  
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O20 - AppInit_DLLs: smss.dll C:\WINNT\system32\chkntfs.dll

Here's another purityscan file, delete this one too --> C:\WINNT\system32\chkntfs.dll

Maybe try running their uninstaller to make sure no OIN files are left.
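
An added example, not part of any post in this thread and not code from HijackThis or the other tools mentioned: it pulls the DLL names out of the O20 - AppInit_DLLs line quoted above and reports which of them have already been deleted from disk, which is the case where the registry value still needs cleaning. The function names are hypothetical, and resolving a bare name such as smss.dll to C:\WINNT\system32 is an assumption based on the paths shown in the thread.

```python
import ntpath
import re

# Entries copied from the HijackThis output quoted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {8B5A385C-AEC2-8D6C-CB41-FABAA2131BE7} - C:\WINNT\system32\tnguzwyx.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - AppInit_DLLs: smss.dll C:\WINNT\system32\chkntfs.dll
"""

O20_LINE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$", re.IGNORECASE)


def _norm(path):
    """Windows paths are case-insensitive; normalise before comparing."""
    return ntpath.normcase(ntpath.normpath(path))


def appinit_entries(log_text, system_dir=r"C:\WINNT\system32"):
    """Return the full path of every DLL listed on O20 AppInit_DLLs lines."""
    paths = []
    for line in log_text.splitlines():
        match = O20_LINE.match(line.strip())
        if not match:
            continue
        # The registry value is a space- or comma-delimited list of DLLs.
        for item in re.split(r"[ ,]+", match.group(1).strip()):
            if not item:
                continue
            if not ntpath.dirname(item):
                # Bare file name: assume the system directory (assumption).
                item = ntpath.join(system_dir, item)
            paths.append(_norm(item))
    return paths


def dangling(log_text, removed_files):
    """AppInit_DLLs entries whose file is gone but whose value remains."""
    removed = {_norm(p) for p in removed_files}
    return [p for p in appinit_entries(log_text) if p in removed]


if __name__ == "__main__":
    # smss.dll was deleted with Killbox before the registry value was fixed.
    for path in dangling(SAMPLE_LOG, [r"C:\WINNT\system32\smss.dll"]):
        print("still referenced by AppInit_DLLs:", path)
```
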

Author Comment

ID: 17165740
Thanks again.  HiJackThis spit this back out:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs:   smss.dll  C:\WINNT\system32\chkntfs.dll  )
Error #5 - Invalid procedure call or argument

Please email me at, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

Expert Comment

ID: 17165765
Can you check this in the registry and tell me if smss.dll is also present?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Check the value of "AppInit_Dlls" and let me know if smss.dll is still there or is it just the  C:\WINNT\system32\chkntfs.dll  

We'll use Avenger to get rid of the file, and the value all at once.

Expert Comment

ID: 17165788
Never mind my above post.

1. Please download The Avenger by Swandog46 to your Desktop.

   *Click on to open the file
   *Extract avenger.exe to your desktop

2. Copy all the text contained inside the lines below to your Clipboard by highlighting it and pressing (Ctrl+C):

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\

5. Please copy/paste the content of c:\avenger.txt into your reply

Author Comment

ID: 17165805
Hi, there is no value at all in the AppInit_DLLs entry.  I was able to use Killbox to delete the chkntfs.dll file.  Is there anything else that I need to do?

Expert Comment

ID: 17165832
Oh I see, looks like everything's ok then.

Question has a verified solution.