Virus found in smss.dll file, Symantec cannot delete or quarantine

Posted on 2006-07-23
Last Modified: 2012-06-27
Hi, We are running a small office with Symantec AntiVirus Corporate Edition on a server and 9 client machines.  Yesterday, during a real-time scan, a virus was detected on one of the client machines running Windows 2000.  Symantec doesn't give an actual name other than to say it's a "trojan".
This is driving me nuts.  Symantec cannot delete or quarantine the file: it says access denied.  I cannot delete the file (even after booting in safe mode).  Here is the message that keeps popping up over and over:

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Trojan Horse
File:  C:\WINNT\system32\smss.dll
Location:  C:\WINNT\system32
Computer:  WK6
User:  mark
Action taken:  Clean failed : Quarantine failed : Access denied
Date found: Sat Jul 22 16:47:07 2006

Please help with any info on what this virus is and how I can remove it.  Thanks!!
Question by: pvmatt

Accepted Solution

by: rpggamergirl (earned 500 total points)
ID: 17165539
That's part of purityscan/clickspring or any files from OIN.
Just manually delete that file -->  C:\WINNT\system32\smss.dll

and look for any programs by OIN in your add/remove programs list.
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe
Expert Comment

by:rpggamergirl
ID: 17165541
We could also look at your HijackThis log; it should confirm whether there are OIN apps installed on your system.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
Expert Comment

by:war1
ID: 17165543
Greetings, pvmatt !

Smss.dll is a trojan.  Use Killbox or Unlocker in Safe Mode to remove hard-to-remove files.

Killbox to remove stubborn files. Use the option "delete on reboot":
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html

If you cannot delete the file, disable it.  Right click on the file and select Properties > Security > Advanced. Uncheck "Inherit from parent" and remove the other permissions.  If you are using Windows XP Home, you need to access the Security tab from Safe Mode. If using Windows XP Pro and the Security tab is not available, go to any folder and select Tools > Folder Options > View. Uncheck "Use simple file sharing".


Best wishes!
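The two techniques in the comment above, as an added example that is not part of war1's post and not code from Killbox or Unlocker: scheduling the file for deletion at the next boot, which is what "delete on reboot" does under the hood (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT), and stripping the file's ACL so nothing can open and load it. It is PowerShell rather than the 2006-era GUI tools; the path is the one from the Symantec alert, and an elevated session is assumed.

```powershell
# Added example, not code from the thread or from Killbox/Unlocker: two ways to deal
# with a DLL that is mapped into running processes and so cannot be deleted, even in Safe Mode.
# Assumes an elevated PowerShell session. $Target is the path from the Symantec alert above.
$Target = "$env:SystemRoot\System32\smss.dll"

# 1. "Delete on reboot". MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the request in
#    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations; the
#    Session Manager carries it out early in the next boot, before the user32.dll-based
#    processes (and therefore any AppInit_DLLs) have loaded.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

function Register-DeleteOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    # A null destination combined with this flag means "delete", not "move".
    $ok = [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed: $([ComponentModel.Win32Exception]$err)"
    }
    # Confirm the request was recorded. The value is a REG_MULTI_SZ of source/destination
    # pairs; a pending delete shows as "\??\<path>" followed by an empty string.
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty -Path $sm).PendingFileRenameOperations |
        Where-Object { $_ -like "*\$([IO.Path]::GetFileName($Path))" }
}

# 2. If the file cannot be removed at all, neutralise it in place, as described above:
#    stop inheriting the System32 ACL and remove every access rule, leaving a DACL with no
#    entries. No account, SYSTEM included, can then open the file, so the loader cannot map it.
function Lock-FileAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # $true = protect from inheritance; $false = do not keep the inherited rules as explicit ones.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    # Fails with "access denied" if the installer took ownership; run "takeown /f <path>" first.
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage: pick one of the two. An empty DACL also blocks the boot-time delete, and, as the
# thread notes, the registry reference that loads the DLL should be removed before rebooting.
#   Register-DeleteOnReboot -Path $Target ; Restart-Computer
#   Lock-FileAcl -Path $Target
```

Register-DeleteOnReboot does not touch the file itself, which is why it works on a DLL that every process has mapped; the verification step reads the same PendingFileRenameOperations value that a forensic examiner would check to see what a previous cleanup (or a piece of malware) queued for the next boot.
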
Author Comment

by:pvmatt
ID: 17165571
Hi.  Thanks for the help.  I did find "Cowabunga by OIN" and removed it.  However, I cannot just manually delete the file.  Windows keeps saying the file is in use, even in Safe Mode.  Any idea how I can delete it?
Expert Comment

by:rpggamergirl
ID: 17165587
Sometimes it adds a value in AppInit_dlls and that's when you need a third party tool like Killbox or Avenger.

Let's look at your HijackThis log to make sure it's not hooked up with AppInit_DLLs or Winlogon; if it is, you need to remove the registry entry first so you don't get an error after deleting it.
Author Comment

by:pvmatt
ID: 17165658
Thanks again guys.  I got a little ahead of myself here before reading your additional posts.  I already used Killbox and deleted the file.

I posted the hijack this log here: http://www.rafb.net/paste/results/m2uQli32.html

let me know what to do next!
Expert Comment

by:rpggamergirl
ID: 17165713
Fix these entries by putting a check next to them and click "Fix Checked":
O2 - BHO: (no name) - {8B5A385C-AEC2-8D6C-CB41-FABAA2131BE7} - C:\WINNT\system32\tnguzwyx.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm  
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O20 - AppInit_DLLs: smss.dll C:\WINNT\system32\chkntfs.dll


here's another purityscan file, delete this one too --> C:\WINNT\system32\chkntfs.dll

Maybe try running their uninstaller to make sure no OIN files left.
Author Comment

by:pvmatt
ID: 17165740
thanks again.  HiJackThis spit this back out:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs:   smss.dll  C:\WINNT\system32\chkntfs.dll  )
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

by:rpggamergirl
ID: 17165765
Can you check this in the registry and tell me if smss.dll is also present?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=""

Check the value of "AppInit_Dlls" and let me know if smss.dll is still there or is it just the  C:\WINNT\system32\chkntfs.dll  


We'll use Avenger to get rid of the file, and the value all at once.

by:rpggamergirl
ID: 17165788
Nevermind my above post.

1. Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

2. Copy all the text contained inside the lines below to your Clipboard by highlighting it and pressing (Ctrl+C):
---------------------------------------------------------------------------------------------------------------

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINNT\system32\chkntfs.dll
C:\WINNT\system32\smss.dll  

---------------------------------------------------------------------------------------------------------------

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply
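The Avenger script above replaces the whole AppInit_DLLs value and deletes the two files. As an added example, not from the thread and not Avenger's or HijackThis's code, here is the same check done by hand in PowerShell: it reads the value HijackThis reports as the O20 line, resolves each listed DLL the way the loader would, checks its Authenticode signature, and removes only the named entries while keeping any others. The Wow6432Node key and the LoadAppInit_DLLs flag are assumptions about later 64-bit Windows and are not something this Windows 2000 thread mentions; the DLL names in the remediation line come from the O20 entry posted above. An elevated session is assumed.

```powershell
# Added example (not from the original thread): audit the AppInit_DLLs value that
# HijackThis reports as an O20 line, and remove named entries from it.
# Assumptions: elevated session; the DLL names to remove are supplied by the caller.
# On 64-bit Windows the 32-bit value lives under Wow6432Node too, so both keys are checked.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllEntries {
    # One object per DLL listed in AppInit_DLLs, with the resolved path and signature status.
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path -Path $Key)) { return }
    $props = Get-ItemProperty -Path $Key
    $raw = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { return }
    # The value is a single string; Windows accepts space- or comma-separated entries.
    foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        # A bare file name (like "smss.dll" in this thread) is found via the System32 search
        # path, so resolve it there for inspection; full paths are used as given.
        $resolved = if ([IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $env:SystemRoot "System32\$entry" }
        $exists = Test-Path -LiteralPath $resolved
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Key       = $Key
            Entry     = $entry
            Resolved  = $resolved
            Exists    = $exists
            Signature = $sig
            # LoadAppInit_DLLs exists only on Vista and later (assumption about newer systems);
            # on Windows 2000/XP any non-empty AppInit_DLLs value is loaded unconditionally.
            LoadFlag  = $props.LoadAppInit_DLLs
        }
    }
}

function Remove-AppInitDllEntry {
    # Rewrites AppInit_DLLs with the named DLLs removed, leaving other entries in place.
    # The old value is appended to a backup file before the change.
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string[]]$Names,
        [string]$BackupPath = "$env:SystemRoot\Temp\AppInit_DLLs.bak"
    )
    $raw = [string](Get-ItemProperty -Path $Key).AppInit_DLLs
    Add-Content -Path $BackupPath -Value "$(Get-Date -Format o) $Key AppInit_DLLs=`"$raw`""
    $keep = ($raw -split '[ ,]+' | Where-Object { $_ }) | Where-Object {
        $leaf = [IO.Path]::GetFileName($_)
        -not ($Names | Where-Object { $_ -ieq $leaf })
    }
    Set-ItemProperty -Path $Key -Name AppInit_DLLs -Value ($keep -join ' ')
    # Processes that already loaded user32.dll keep the DLL mapped; only new processes are
    # affected, and the file itself becomes deletable after a reboot.
}

foreach ($k in $AppInitKeys) {
    $entries = Get-AppInitDllEntries -Key $k
    $entries | Format-Table Entry, Exists, Signature, Resolved -AutoSize
    # Anything missing, or not carrying a valid Authenticode signature, is worth a closer look.
    $suspect = $entries | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' }
    if ($suspect) {
        Write-Warning "Unsigned or missing AppInit_DLLs under $k : $($suspect.Entry -join ', ')"
    }
}

# Remediation for the entries seen in this thread (names from the HijackThis O20 line above):
# Remove-AppInitDllEntry -Key $AppInitKeys[0] -Names 'smss.dll','chkntfs.dll'
```

AppInit_DLLs is loaded by user32.dll into every process that links it, which is why the file showed as "in use" even in Safe Mode: Explorer and the Safe Mode shell load user32.dll too. That is also the order of operations the thread arrives at, registry entry first, file second, and it is why a name like smss.dll (mimicking the legitimate smss.exe Session Manager) is chosen to blend in.
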
Author Comment

by:pvmatt
ID: 17165805
Hi- there is no value at all in the AppInit_DLLs entry.  I was able to use Killbox to delete the chkntfs.dll file.  Is there anything else that I need to do?
Expert Comment

by:rpggamergirl
ID: 17165832
Oh I see, looks like everything's ok then.