I have found a virus in my windows/32 files and it can't be cleaned. It wasn't detected by Avast; I found it with Trend Micro. Can someone tell me how I might get rid of it? It won't let me clean it or anything cuz it is inside a file responsible for my online activity. Is this a spyware virus? I hope someone can help. Please let me know if you have any advice. Thanks so much. yaz

More details:
I have something called 'BKDR AGENT.CZ'; does anyone here have info on it? It is hiding in my windows/system32/smss.exe file. Can anyone help me figure out how to delete it or remove it? It will not let me when I tried to, cuz it says I'm using that to operate the pc. It is part of my registry. I think it smells of spyware. Desperate for help. yaz

Hm, looks like it's a file infector. File location is correct so it cannot be a trojan/worm. I hope you made a VRDB database before this incident so you can use the Repair function. But it might be impossible to repair because it's a resident process.

I have English Windows XP with SP2. If you want I can send you a clean smss.exe file.

TY TY TY for answering my post!! Can you tell me what SP2 is? And how might I do that? Can I rename the existing file before replacing it with the correct one that you're offering? I have additional info I was going to add here. In the next post I will. I'm very distressed … if you think that might work, I can try that. I'm using WinXP with IE 6, and it is English. Yaz

These are not complete HJT logs. Please post the entire log here and make sure you are using the latest version of HJT (1.98.2)

Ditto on that cry for help!!! I also have contracted 5 viruses that avast missed and Trend picked up on them: 32Trojano, 32troj-gen, 32troj-vc, 32troj-other, 32Adware. Spybot has them locked in. I have tried just about everything for over 3 days now! ???help

Why not slow down a bit… ? :wink: :wink:

Other AVs do produce false alarms…

I can’t find “Bkdr_agent.cz” on Trend’s site &
google only reports it in a Controlled pattern release (i.e. a BETA-release)

  • why not test the file online with KAV, RAV, JOTTI & VirusTotal ?
    (for links: see “VirusRemoval” below in my sig)

  • also right-click c:\windows\system32\smss.exe and look at its properties → report the info here: version number, size, date etc…

  • and go start → run, then enter:
    SFC /scannow
    if the file was changed/infected you should get an alert there

:wink:

P.S.: The update VPTNfile.212 from Housecall definitely doesn’t contain
BKDR_Agent.CZ
How about an Update & rescan ? :wink:
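The checks whocares lists above (file properties, is the file really the one in system32, is it still the genuine Microsoft binary) can be gathered in one go. This is an added example, not code from the thread, avast or Trend Micro; it assumes a Windows version with PowerShell 3 or later, so on the XP machine in the thread the manual right-click → Properties and SFC /scannow route still applies.

```powershell
# Added example: collect the facts asked for in the thread about a system file
# and test whether it is still the signed Microsoft binary.
# Assumption: Windows with PowerShell 3+; catalog-signed files such as smss.exe
# only report SignatureStatus = Valid on Windows 8 or later.
function Test-SystemFile {
    param([string]$Path = "$env:SystemRoot\System32\smss.exe")

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $ver  = $item.VersionInfo

    # A file with the same name outside System32 is the classic impostor,
    # so check the directory as well as the name.
    $expectedDir = Join-Path $env:SystemRoot 'System32'
    $inSystem32  = $item.DirectoryName -ieq $expectedDir

    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Path            = $item.FullName
        InSystem32      = $inSystem32
        SizeBytes       = $item.Length          # compare with Properties → Size
        LastWriteTime   = $item.LastWriteTime   # compare with Properties → Modified
        FileVersion     = $ver.FileVersion
        Description     = $ver.FileDescription  # "Windows NT Session Manager" for smss.exe
        CompanyName     = $ver.CompanyName
        SignatureStatus = $sig.Status           # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        SHA256          = $hash                 # paste into VirusTotal / Jotti to cross-check
        LooksGenuine    = ($inSystem32 -and
                           $sig.Status -eq 'Valid' -and
                           $signer -like '*Microsoft*')
    }
}

Test-SystemFile | Format-List
```

A HashMismatch or NotSigned status on a file in System32 is the case where SFC (or, on Vista and later, `sfc /verifyfile=<path>` from an elevated prompt) should be run before trusting any single scanner's verdict.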

Hi lalabugu,

please open a new topic of your own here:
http://forum.avast.com/index.php?board=4
and then be more exact & give more details,
e.g.

  • Windows-Version, avast/VPS-version
  • EXACT/complete Trojan-Names & their locations → the link "VirusRemoval" below in my sig should give you some ideas…

the above sounds like garbled avast detections:
maybe you didn't enable archive scanning in avast, and avast's resident shield intercepted when TrendMicro/Housecall tried to open infected (but not immediately harmful) archives?

Also please read the USER’s FAQ in the Off-Topic forum

:wink:

Eddy, I did cut and paste all there was but had to break it into 2 separate posts; there was too much, the system had said to shorten my messages. Sorry. I guess it isn't as easy to see that way. I can try again though if you think I should. Thanks, yaz

If you have webspace you can put the log there and only place a link to it here. You can also send it to me hjtbeta@yahoo.com and I can post it online for you if you wish.

Whocares, thanks for all the advice and info. I will follow it once I check with Trend Micro again. I did that twice and it gave me the CZ extension virus name, and I too got nothing on searches regarding that. I tried RAV but couldn't get my pc to get the ActiveX to accept. I did scan on a couple of other free online scanners and that very file came up with nothing. One was Kaspersky or something like that. I have the info on my file; here it is:

File name: Smss.exe
Location: C drive windows/system32/
Version: 5.1.2600.0
What it is: Windows NT session mgr
Size: 45,568 bytes
Size on disk: 49,153 bytes
Modified: Aug 18, 2001

smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.

Looks like we have a false positive here by Trend. Submit the file to Jotti and tell us the results please.

Everything is going bad today … I have just also had 3 separate ??? trojan horses hit me. They are going into C:/temp/INSTAL~1.EXE. VPS version 0443-3 10/22/04. Every time I try to delete it, since it is in the temp folder, it tells me there is no such location once I hit the delete button with the avast … arggg. Am I better off with a new pc? Getting frustrated. Okay, so I'm trying to get my new hp together so I can show Eddy my log, but my paid webhost is having server errors; not sure if it is them or me, so I'm opening a new account elsewhere … yaz

Eddy, if it is a false positive then why all the trojan attempts? I also had other ones on Sunday night. This all began then on a wallpaper site (I know better; I know I should not have been looking at sites like free places etc) but it also happened at google, I think. yaz

Eddy, I hope it is legible. I don't know how to unclutter the garble …

Question: What does the HijackThis log reveal? I'm assuming I should be scanning each of these paths? I'm using Kaspersky's and still not getting any live info. Everything is reporting back as 'ok'.

HERE is the online analysis of the log. And this is what my analyzer says about it:


CHECKING HIJACKTHIS AND INTERNET EXPLORER :

You are using the latest version of HijackThis.
Old version of Internet Explorer detected, please update.
INMEDIATLY visit http://windowsupdate.microsoft.com and install ALL security patches/updates.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

\program files\web_rebates\webrebates1.exe
\program files\web_rebates\webrebates0.exe
r3 - default urlsearchhook is missing
o2 - bho: clear search - {00000000-0000-0000-0000-000000000240} - c:\program files\clearsearch\ie_clrsch.dll (file missing)
o2 - bho: (no name) - {bdf3e430-b101-42ad-a544-fadc6b084872} - (no file)
o3 - toolbar: (no name) - {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - (no file)
o4 - hklm..\run: [webrebates0] “c:\program files\web_rebates\webrebates0.exe”
o4 - global startup: microsoft works calendar reminders.lnk = ?
o9 - extra button: messenger - {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0411.dll (file missing)
\program files\yahoo!\messenger\yhexbmes0411.dll (file missing)
o9 - extra button: messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - c:\program files\messenger\msmsgs.exe (file missing)
o9 - extra ‘tools’ menuitem: windows messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - c:\program files\messenger\msmsgs.exe (file missing)
o16 - dpf: yahoo! chat - http://cs7.chat.yahoo.com/c381/chat.cab
o16 - dpf: {01020304-0506-0708-090a-0b0c0d0e0f08} - http://messenger.yahoo.com/maintenance/patch.cab
o16 - dpf: {11260943-421b-11d0-8eac-0000c07d88cf} (ipix activex control) - http://www.ipix.com/viewers/ipixx.cab
o16 - dpf: {15ad4789-cdb4-47e1-a9da-992ee8e6bad6} - http://public.windupdates.com/get_file.php?bt=ie&p=48c347740e8f5c90be38175e52b8a764f9088180cf867b07efef0da67587cbcfe07d5eda93b070b3e1f5f4b23f7ec81a88639e10093bff8917f19d0c3b2daa1576:9088c9d39de8432b43b6edf749c9050f
o16 - dpf: {1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} - http://ak.imgfarm.com/images/nocache/funwebproducts/smileycentralinitialsetup1.0.0.6.cab
o16 - dpf: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (yinststarter class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
o16 - dpf: {40c83af8-fea7-4a6a-a470-431ee84a0886} (secureobjectfactory class) - http://enu.vs.mcafeeasap.com/vs2/bin/mycioagt.cab
o16 - dpf: {49dec3c0-c71a-11d4-ba38-000102621b9b} - http://store.yahoo.net/lib/cursorskins1/mousemagiccs.cab
o16 - dpf: {644e432f-49d3-41a1-8dd5-e099162eeec5} (symantec rufsi utility class) - http://security.symantec.com/sscv6/sharedcontent/common/bin/cabsa.cab
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
o16 - dpf: {8714912e-380d-11d5-b8aa-00d0b78f3d48} (yahoo! webcam upload wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
o16 - dpf: {a17e30c4-a9ba-11d4-8673-60db54c10000} (yahooymailto class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
o16 - dpf: {c2fcef52-ace9-11d3-bebd-00105aa9b6ae} (symantec rufsi registry information class) - http://security.symantec.com/ssc/sharedcontent/common/bin/cabsa.cab
o16 - dpf: {ce28d5d2-60cf-4c7d-9fe8-0f47a3308078} (activedatainfo class) - https://www-secure.symantec.com/techsupp/activedata/symadata.cab
o16 - dpf: {e77c0d62-882a-456f-ad8f-7c6c9569b8c7} (activedataobj class) - https://www-secure.symantec.com/techsupp/activedata/activedata.cab
o16 - dpf: {ef99bd32-c1fb-11d2-892f-0090271d4f88} (yahoo! companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_7.cab
o16 - dpf: {f58e1cef-a068-4c15-ba5e-587caf3ee8c6} (msn chat control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Thanks Eddy, I'll get on that now. I do have Norton security and it sometimes catches the trojans … is it possibly not detected cuz they disconnected it, hackers or trojans? I'm confused. I must be infected, right?

:frowning: webrebates won’t delete, it says ‘access denied’ do any of the tools remove these for me??

Since you don't have the security patches/updates installed, your system will stay very vulnerable to infections. I suggest you visit the page in my signature and follow ALL steps there.

I'm not having an easy time by any means. I haven't been able to locate some of those cuz the files really are missing, and the couple I did see won't allow me to delete them. Access denied. I am running MSIE 6.0 according to what my toolbar says when I click the properties, but the old one could be stuck in here. Does this appear to be a true mess? lol
I am going to check into those other tools mentioned now. Thanks. yaz