New threat. I have a virus, help.

[yaz]

I have found a virus in my windows/32 files and it can't be
cleaned. It wasn't detected by Avast, I found it with
trendMicro. Can someone tell me how I might get rid of it.
It won't let me clean it or anything cuz it is inside a file
responsible for my online activity. Is this a spyware virus?
I hope some one can help. Please let me know if you have
any advice. Thanks so much. yaz

[yaz]

More details:
I have something called ' BKDR AGENT.CZ' does anyone
here have info on it? It is hiding in my
windows/system32/smss.exe file. can anyone help me
figure out how to delete it or remove it? It will not let me
when I tried to cuz it says I'm using that to operate the
pc. It is part of my registery. I think it smells of spyware.
Desperate for help. yaz

[RejZoR]

Hm, looks like its file infector. File location is correct so it cannot be a trojan/worm. I hope you made VRDB database before this incident so you can use Repair function. But it might be impossible to repair because its resident process.

I have english Windows XP with SP2. If you want i can send you clean smss.exe file.

[yaz]

TY TY TY for answering my post!!
Can you tell me what SP2 is? And how might I do that?
Can I rename the existing file before replacing it with
the correct one that you're offering? I have additional
 info I was going to add here. In the next post I will.
I'm very distressed .. if you think that might work, I can
try that. I'm using  the WINXP with IE 6. and it is English.
Yaz

[Eddy]

These are not complete HJT logs. Please post the entire log here and make sure you are using the latest version of HJT (1.98.2)

[lalabugu]

http://Diddo on that cry for help!!! I also have contracted 5 viruses that avast missed and Trend picked up on them. 32Trojano, 32troj - gen, 32troj-vc, 32troj -other, 32Adware. Spybot has them locked in. have tried just about everything for over 3 days now!  ???help

[whocares]

' BKDR AGENT.CZ' ... windows/system32/smss.exe

Why not slow down a bit.. ?

Other AV's Do produce false alarms..

I can't find "Bkdr_agent.cz" on Trend's site &
google only reports it in a Controlled pattern release (i.e. a BETA-release)

- why not test the file online with KAV, RAV, JOTTI & VirusTotal ?
(for links: see "VirusRemoval" below in my sig)

- also rightclick c:\windows\system32\smss.exe and look at its properties -> report here info, Version-number, size and date etc..

- and go start -> run, then enter:
SFC /scannow
if the file was changed/infected you should get an alert there

 

P.S.: The update VPTNfile.212 from Housecall definitely doesn't contain
BKDR_Agent.CZ
How about an Update & rescan ?

[whocares]

32Trojano, 32troj - gen, 32troj-vc, 32troj -other, 32Adware.

Hi lalabugu,

please open a new topic of your own here:
http://forum.avast.com/index.php?board=4
and then be more exact & give more details,
e.g.
- Windows-Version, avast/VPS-version
- EXACT/complete Trojan-Names & their locations -> the link "VirusRemoval" below in my sig should give your some ideas..

the above sound like garbled avast detections:
maybe you didn't enable archive scanning in avast, and avast's  residentShield intercepted when TrendMicro/Housecall tried to open infected (but not immediately harmful) archives ?

Also please read the USER's FAQ in the Off-Topic forum


 

[yaz]

Eddy, I did cut and paste all there was but had to
break it into 2 seperate posts there was too much
the system had said to shorten my messages.
Sorry. I guess it isn't as easy to see that way. I can
try again though if you think I should. thankz,
yaz

[Eddy]

If you have webspace you can put the log there and only place a link to it here. You can also send it to me hjtbeta@yahoo.com and I can post it online for you if you wish.

[yaz]

Whocares, thanks for all the advice and info. I will
follow it once I check with trend micro again. I did
that twice and it gave me the CZ extention virus
name and I too got nothing on searches regarding
that. I tried rav but couldn't get my pc to get the
activeX to accept I did scan one a cpl other free
online scanners and  that very file came up with
nothnig. One was Kapeskery or saomethnig like
that. I have the info on my file here it is:
File name Smss.exe
location: C drive windows/system32/
Version: 5.1.2600.0
What it is: Windows NT session mgr
Size: 45.568 bytes
size on disc 49,153 bytes
modified Aug 18,2001

' BKDR AGENT.CZ' ... windows/system32/smss.exe

Why not slow down a bit.. ?

Other AV's Do produce false alarms..

I can't find "Bkdr_agent.cz" on Trend's site &
google only reports it in a Controlled pattern release (i.e. a BETA-release)

- why not test the file online with KAV, RAV, JOTTI & VirusTotal ?
(for links: see "VirusRemoval" below in my sig)

- also rightclick c:\windows\system32\smss.exe and look at its properties -> report here info, Version-number, size and date etc..

- and go start -> run, then enter:
SFC /scannow
if the file was changed/infected you should get an alert there

 

P.S.: The update VPTNfile.212 from Housecall definitely doesn't contain
BKDR_Agent.CZ
How about an Update & rescan ?

[Eddy]

smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.

Looks like we have a false positive here by Trend. Submit the file to Jotti and tell us the results please.

[yaz]

Everything is goning bad today ..
I have just also had 3 seperate   trojan horses
hit me. They are going into C:/temp/INSTAL~1.EXE
VPS version 0443-3      10/22/04
Everytime I try to delete it, since it is in the temp folder
I try to delete it but it tells me there is no such location
once I hit the delete button with the avast ... arggg. Am
i better off with a new pc.
Getting frustrated. Okay so I'm trying to get my new
hp together so I can show Eddy my log but my paid
webhost is having server errors, not sure if it is them
or me so I'm opening a new account elsewhere ..
yaz

[yaz]

Eddy, if it is a false/positive then why all the trojan
attempts. i also had other ones on Sunday night.
This all began  then on a wallpaper site
(I know better- I know I should not have been
looking at sites like free places etc) but it also
happened at google- I think.
yaz

smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.

Looks like we have a false positive here by Trend. Submit the file to Jotti and tell us the results please.

[yaz]

Eddy, I hope it is legible. I don't know how to unclutter
the garble ..


Question: What does Hijacklog reveal? I'm assuming
I should be scanning each of these paths? I'm using
Kasperskys and still not getting any live info.
Everything is reporting back as 'ok'.

If you have webspace you can put the log there and only place a link to it here. You can also send it to me hjtbeta@yahoo.com and I can post it online for you if you wish.