#1
fake smss.exe is located in the systemroot!
Hi, I have been trying to figure out how to remove the last remaining files after a vicious trojan attack last week, but I need help on the last bits. I think I got the trojan attack from downloading Vcodec, which looked like a codec needed for Windows Media Player, but turned out to give me the trojan Zlob.i, which in turn filled my comp with other malware like Spyware Quake, and assorted password stealing and keylogging utilities. I got more and more suspicious as it got more difficult to open any programs, and my AVG free antivirus and Zone Alarm didn't open either. Things I have managed to remove were: nvctrl.exe, lots of temp files, itsys.exe (which had replaced my AVG and Zone Alarm files), stickrep.dll, all.exe, dfrgsrv.exe, and many other things. I removed everything I could find tips about from many different websites and forums, including this forum. The new programs I hadn't used before, but which have helped me find a new piece each, are PrivX1, HijackThis, TuneupUtilities and ProcX. ProcX finally showed me what no other had managed before, the problem that I now turn to you for help about. The three very critical processes smss.exe, csrss.exe and winlogon.exe should be located in system32. And they are. But the CURRENTLY RUNNING processes, with identical names, are NOT run from system32! I think those three are causing my remaining problems. Earlier my IE start page was hijacked and there were lots of other symptoms, but what remains now is just that I can't open any exe processes after the first 10-15 seconds after I log in to Windows after startup. I've read that services.msc could be accessed to change rights level to be able to shut processes down, but I keep getting error messages that I don't have the necessary rights, which is untrue since I log on to the administrator account.
So, over to my concrete problem: how do I kill or remove these three processes: \systemroot\system32\smss.exe \??\c:\windows\system32\csrss.exe \??\c:\windows\system32\winlogon.exe because if they are running and I kill them, the computer stops to a dead halt right away, I tried. Uh, oh, the above file names were for the last login session; today, on the same lines in ProcX, this shows up: \systemroot\system32\system \??\c:\windows\system32\smss.exe \??\c:\windows\system32\smss.exe two smss.exe after each other, but with different memory usage sizes! Definitely not the correct files used! So how can I get rid of them? I don't know how to see files in \systemroot\ or \??\ folders. Or maybe the fake smss.exe file is blocking me from viewing those areas? Anyway, I can't do a clean reinstall, since my wife has too many important files and I have too many programs that I haven't kept the installation zip files for, so if there is any way possible, please help me find a way to remove the fake smss.exe files and give me back control over my computer. I've read so many good explanations here so I think you guys can crack this nut, too. Just tell me if I need to submit any HijackThis or other files for you to view. Thanks in advance, Goran
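A defender's check for the symptom described in this post, written here as an added example (it is not from the thread or from any tool it names): it normalizes the NT-style paths a process viewer such as ProcX shows (`\??\C:\...` and `\SystemRoot\...` are the kernel's spellings of ordinary Win32 paths, so both forms quoted above do resolve into System32) and flags any smss.exe, csrss.exe or winlogon.exe whose image lives elsewhere, plus a second long-lived smss.exe. It assumes the Windows directory is C:\WINDOWS and takes the process list as constructed (name, image path) tuples.

```python
import ntpath
from collections import Counter

# Assumption: the Windows directory of the machine in the thread.
SYSTEM_ROOT = r"C:\WINDOWS"
# Core processes that must always run from %SystemRoot%\System32.
PROTECTED = {"smss.exe", "csrss.exe", "winlogon.exe"}


def normalize_nt_path(path: str) -> str:
    """Convert NT object-manager path forms to a lower-cased Win32 path.
    \\??\\C:\\x  -> c:\\x      (\\??\\ is the DOS-devices prefix)
    \\SystemRoot\\x -> <SYSTEM_ROOT>\\x (symbolic link to the Windows dir)
    """
    p = path.strip()
    low = p.lower()
    if low.startswith("\\??\\"):
        p = p[4:]
    elif low.startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    return ntpath.normpath(p).lower()


def audit_processes(procs):
    """procs: iterable of (process name, image path) as a process viewer
    would list them. Returns (name, normalized path, reason) findings."""
    expected_dir = ntpath.normpath(ntpath.join(SYSTEM_ROOT, "system32")).lower()
    findings = []
    counts = Counter()
    for name, image in procs:
        lname = name.lower()
        if lname not in PROTECTED:
            continue
        counts[lname] += 1
        norm = normalize_nt_path(image)
        if ntpath.dirname(norm) != expected_dir:
            findings.append((lname, norm, "image runs outside System32"))
        elif ntpath.basename(norm) != lname:
            findings.append((lname, norm, "process name does not match image"))
    # Assumption: single-session (XP-era) system, where one Session Manager
    # instance is expected; a second persistent smss.exe deserves review.
    if counts["smss.exe"] > 1:
        findings.append(("smss.exe", "", f"{counts['smss.exe']} instances running"))
    return findings


# Constructed sample, modelled on the paths quoted in the post above.
SAMPLE = [
    ("smss.exe", r"\SystemRoot\System32\smss.exe"),
    ("csrss.exe", r"\??\C:\WINDOWS\system32\csrss.exe"),
    ("winlogon.exe", r"\??\C:\WINDOWS\system32\winlogon.exe"),
    ("smss.exe", r"C:\WINDOWS\smss.exe"),  # constructed: a copy outside System32
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]
```

Running `audit_processes(SAMPLE)` reports only the copy in C:\WINDOWS and the duplicate count; the three NT-style entries resolve to System32 and pass.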
#2
I'm just about to leave the city for much of the day so can't give you any long answer. But, do a quick search on Google for smss.exe. One of the results will be a Symantec writeup for a Trojan. The Symantec writeups are typically some of the more detailed so there might be some help there.
One of the things that might be happening here is that System Restore is set to on in your system (it typically is). Since smss.exe is a valid system file a Trojan will often copy itself to the backup directory so that when you delete the file from its location in the system or system32 directory Windows will politely copy the infected version back to active use for you on the next restart. So, turning system restore OFF is one of the steps in Trojan removal. Then removal of the file from the system restore directory is necessary. Then, removal of the file from active use (probably by booting into command prompt mode and then deleting the file but I'm not certain about that from memory). Then, restoring the file from the original CD. More later as I find it and get back. Good luck.
#3
Have not forgotten about your question. It got me to thinking about a FAQ for my CKnow.com site so that's what I'm working on.
My initial recommendation will continue to be to use anti-virus software to remove the file(s) as that's what it is designed to do. However, sometimes this does not work so the other approach is two-fold: 1) How to use Windows to boot from a CD so that the operating system is running from the CD in its most basic mode so that the files on the hard disk are not in use and therefore available to be deleted and then replaced. 2) Doing the same thing with a Linux distro. There are several distros that run from a single CD but the main problem is finding one that can handle the NTFS file system. That's the stumbling block with this approach. More later.