Solved

Virus found in smss.dll file, Symantec cannot delete or quarantine

Posted on 2006-07-23
Last Modified: 2012-06-27
Hi, we are running a small office with Symantec anti-virus corporate edition on a server and 9 client machines.  Yesterday during a real-time scan, a virus was detected on one of the client machines running Windows 2000.  Symantec doesn't give an actual name other than to say it's a "trojan".
This is driving me nuts.  Symantec cannot delete or quarantine the file: it says access denied.  I cannot delete the file (even after booting in safe mode).  Here is the message that keeps popping up over and over:

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Trojan Horse
File:  C:\WINNT\system32\smss.dll
Location:  C:\WINNT\system32
Computer:  WK6
User:  mark
Action taken:  Clean failed : Quarantine failed : Access denied
Date found: Sat Jul 22 16:47:07 2006

Please help with any info on what this virus is and how I can remove it.  Thanks!!

Question by: pvmatt

12 Comments
 
Accepted Solution by: rpggamergirl (LVL 47, earned 500 total points)

That's part of purityscan/clickspring or any files from OIN.
Just manually delete that file -->  C:\WINNT\system32\smss.dll

and look for any programs by OIN in your add/remove programs list.
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe.

Expert Comment by: rpggamergirl (LVL 47)

We could also look at your hijackthis log, it should confirm whether there are OIN apps installed in your system.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Then post the link to the saved list here.

Expert Comment by: war1 (LVL 97)

Greetings, pvmatt !

Smss.dll is a trojan.  Use Killbox or Unlocker in Safe Mode to remove hard-to-remove files.

Killbox to remove stubborn files. Use the option "delete on reboot".
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html

If you cannot delete the file, disable it.  Right-click on the file and select Properties > Security > Advanced. Uncheck "Inherit from parent" and remove other permissions.  If you are using Windows XP Home, you need to access the Security tab from Safe Mode. If using Windows XP Pro and the Security tab is not available, go to any folder and select Tools > Folder Options > View. Uncheck "Use simple file sharing".


Best wishes!

Author Comment by: pvmatt

Hi.  Thanks for the help.  I did find "Cowabunga by OIN" and removed it.  However, I cannot just manually delete the file.  Windows keeps saying the file is in use, even in safe mode.  Any idea how I can delete it?

Expert Comment by: rpggamergirl (LVL 47)

Sometimes it adds a value in AppInit_DLLs, and that's when you need a third-party tool like Killbox or Avenger.

Let's look at your HijackThis log to make sure it's not hooked up with AppInit_DLLs or Winlogon; if it is, then you need to remove the registry entry first so you don't get an error after deleting it.

Author Comment by: pvmatt

Thanks again, guys.  I got a little ahead of myself here before reading your additional posts.  I already used Killbox and deleted the file.

I posted the hijack this log here: http://www.rafb.net/paste/results/m2uQli32.html

let me know what to do next!

Expert Comment by: rpggamergirl (LVL 47)

Fix these entries by putting a check next to them and click "Fix Checked":
O2 - BHO: (no name) - {8B5A385C-AEC2-8D6C-CB41-FABAA2131BE7} - C:\WINNT\system32\tnguzwyx.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm  
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O20 - AppInit_DLLs: smss.dll C:\WINNT\system32\chkntfs.dll


Here's another purityscan file, delete this one too --> C:\WINNT\system32\chkntfs.dll

Maybe try running their uninstaller to make sure no OIN files are left.

Author Comment by: pvmatt

Thanks again.  HijackThis spit this back out:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs:   smss.dll  C:\WINNT\system32\chkntfs.dll  )
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

Expert Comment by: rpggamergirl (LVL 47)

Can you check this in the registry and tell me if smss.dll is also present?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=""

Check the value of "AppInit_DLLs" and let me know if smss.dll is still there, or if it is just C:\WINNT\system32\chkntfs.dll.


We'll use Avenger to get rid of the file, and the value all at once.

Expert Comment by: rpggamergirl (LVL 47)

Nevermind my above post.

1. Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

2. Copy all the text contained inside the lines below to your Clipboard by highlighting it and pressing (Ctrl+C):
---------------------------------------------------------------------------------------------------------------

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINNT\system32\chkntfs.dll
C:\WINNT\system32\smss.dll  

---------------------------------------------------------------------------------------------------------------

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
    *Under "Script file to execute" choose "Input Script Manually".
    *Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    *Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    *Click Done
    *Now click on the Green Light to begin execution of the script
    *Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
    *It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    *On reboot, it will briefly open a black command window on your desktop, this is normal.
    *After the restart, it creates a log file that should open with the results of Avenger’s actions. This logfile will be located at C:\avenger.txt
    *The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply
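The two mechanisms this thread turns on, as an added example that is not code from HijackThis, Killbox or The Avenger: a DLL listed in AppInit_DLLs (rpggamergirl's note above and the O20 line in the log) is loaded into every process that loads user32.dll, so the file is "in use" from the moment the first GUI process starts, even in safe mode, and the registry value has to go before the file will stay gone; and "delete on reboot" (war1's Killbox suggestion) works by queuing a PendingFileRenameOperations entry that Session Manager processes at the next boot before any such process exists. The script below parses the O20 line into full paths (it assumes the Windows 2000 system directory C:\WINNT\system32 for bare names, which the loader would resolve through the normal DLL search order), emits the same Avenger script rpggamergirl posted, and builds the delete-on-reboot entries; the one Windows-only call, MoveFileEx, is guarded so the rest runs anywhere. The log excerpt is constructed for the example.

```python
"""Turn a HijackThis O20 AppInit_DLLs finding into a cleanup plan.

Added example for this thread, not code from HijackThis, Killbox or
The Avenger. It works on constructed strings, so it runs on any platform.
"""
import re
import sys

# Assumed system directory; the machine in the thread is Windows 2000,
# where the system directory is C:\WINNT\system32.
SYSTEM_DIR = r"C:\WINNT\system32"

# The key whose AppInit_DLLs value user32.dll reads when it initialises.
APPINIT_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"


def parse_appinit_value(value, system_dir=SYSTEM_DIR):
    """Split an AppInit_DLLs REG_SZ value into full DLL paths.

    Windows treats the value as a space- or comma-separated list. A bare
    file name (no backslash) goes through the normal DLL search order; this
    example assumes it resolves into system_dir, as smss.dll did here.
    """
    paths = []
    for token in re.split(r"[ ,]+", value.strip()):
        if not token:
            continue
        if "\\" not in token:
            token = system_dir + "\\" + token
        paths.append(token)
    return paths


O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")


def appinit_dlls_from_hjt_log(log_text, system_dir=SYSTEM_DIR):
    """Return the DLL paths named by every O20 AppInit_DLLs line in a log."""
    found = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            found.extend(parse_appinit_value(m.group(1), system_dir))
    return found


def avenger_script(dll_paths):
    """Emit a script in the format posted above: clear the registry value
    first, then delete the files, so nothing reloads them at boot."""
    lines = ["Registry values to replace with dummy:",
             APPINIT_KEY + " | AppInit_DLLs",
             "",
             "Files to delete:"]
    lines.extend(dll_paths)
    return "\n".join(lines) + "\n"


def pending_file_rename_entries(dll_paths):
    """Build the REG_MULTI_SZ pairs Session Manager reads at boot from
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager,
    value PendingFileRenameOperations: an NT-style source path followed by
    an empty destination means delete. This is what "delete on reboot"
    arranges via MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT)."""
    entries = []
    for p in dll_paths:
        entries.append("\\??\\" + p)
        entries.append("")
    return entries


def schedule_delete_on_reboot(path):
    """On Windows, ask the kernel to delete `path` at the next boot.
    Returns True on success; False elsewhere or if the call fails."""
    if sys.platform != "win32":
        return False
    import ctypes
    MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    return bool(ctypes.windll.kernel32.MoveFileExW(
        path, None, MOVEFILE_DELAY_UNTIL_REBOOT))


# Constructed log excerpt mirroring the O20 line posted in this thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O20 - AppInit_DLLs: smss.dll C:\\WINNT\\system32\\chkntfs.dll
"""

if __name__ == "__main__":
    dlls = appinit_dlls_from_hjt_log(SAMPLE_LOG)
    print(avenger_script(dlls))
    for entry in pending_file_rename_entries(dlls):
        print(repr(entry))
    for p in dlls:
        print(p, "queued for delete on reboot:", schedule_delete_on_reboot(p))
```

The ordering matters: if the file is deleted while the registry value still names it, every new process fails to load the DLL and throws an error at startup, which is the failure rpggamergirl warns about; clearing the value first and deleting at boot avoids both the "in use" lock and that error.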

Author Comment by: pvmatt

Hi - there is no value at all in the AppInit_DLLs entry.  I was able to use Killbox to delete the chkntfs.dll file.  Is there anything else that I need to do?

Expert Comment by: rpggamergirl (LVL 47)

Oh I see, looks like everything's ok then.