
  #1  
Old 05-01-2006
Bronze Member
 
Join Date: Mar 2006
Posts: 17
iMagnusX
[Fixed] smss.exe getting hijacked!

Every hour or so an avast trojan window will pop up and 8 prevx1 windows will pop up with various .tmp files identified with their source being smss.exe. It's my understanding that this is a normal system file that is some sort of communication thing, but it, along with cmss.exe are big targets for hacks. I can't seem to clean out the source of the problem because it keeps happening. Log posted. Thanks guys.

EDIT: It just happened again. Here are the specific names of things.
avast!
File name: I:\WINDOWS\system32\1024\ldE2B.tmp\[UPX]
malware name: Win32: Trojano-CL. [Trj]
malware type: Trojan Horse
VPS version: 0617-3, 04/28/2006

Prevx1

Date/Time :
5/1/2006 - 12:09:56 AM
Event :
LDE0B.TMP has been blocked from starting.

Process :
I:\WINDOWS\SYSTEM32\1024\LDE0B.TMP
Parent :
I:\WINDOWS\SYSTEM32\SMSS.EXE
Vendor :

Version :

Details :
Community Information - Technical Information


Date/Time :
5/1/2006 - 12:09:56 AM
Event :
LDE0B.TMP has been blocked from starting (DLL).

Process :
I:\WINDOWS\SYSTEM32\1024\LDE0B.TMP
Parent :
I:\WINDOWS\SYSTEM32\SMSS.EXE
Vendor :

Version :

Details :
Community Information - Technical Information
(NOTE - Unable to JAIL file. Error Code: 12. The system cannot find the file specified.)

Date/Time :
5/1/2006 - 12:09:56 AM
Event :
LDD6F.TMP has been blocked from starting (DLL).

Process :
I:\WINDOWS\SYSTEM32\1024\LDD6F.TMP
Parent :
I:\WINDOWS\SYSTEM32\SMSS.EXE
Vendor :

Version :

Details :
Community Information - Technical Information

Date/Time :
5/1/2006 - 12:09:56 AM
Event :
LDDDC.TMP has been blocked from starting (DLL).

Process :
I:\WINDOWS\SYSTEM32\1024\LDDDC.TMP
Parent :
I:\WINDOWS\SYSTEM32\SMSS.EXE
Vendor :

Version :

Details :
Community Information - Technical Information
(NOTE - Unable to JAIL file. Error Code: 12. The system cannot find the file specified.)


Date/Time :
5/1/2006 - 12:09:56 AM
Event :
LDD9E.TMP has been blocked from starting.

Process :
I:\WINDOWS\SYSTEM32\1024\LDD9E.TMP
Parent :
I:\WINDOWS\SYSTEM32\SMSS.EXE
Vendor :

Version :

Details :
Community Information - Technical Information

Date/Time :
5/1/2006 - 12:09:56 AM
Event :
LDD6F.TMP has been blocked from starting.

Process :
I:\WINDOWS\SYSTEM32\1024\LDD6F.TMP
Parent :
I:\WINDOWS\SYSTEM32\SMSS.EXE
Vendor :

Version :

Details :
Community Information - Technical Information
(NOTE - Unable to JAIL file. Error Code: 12. The system cannot find the file specified.)


Date/Time :
5/1/2006 - 12:09:56 AM
Event :
LDD6F.TMP has been blocked from starting.

Process :
I:\WINDOWS\SYSTEM32\1024\LDD6F.TMP
Parent :
I:\WINDOWS\SYSTEM32\SMSS.EXE
Vendor :

Version :

Details :
Community Information - Technical Information


Date/Time :
5/1/2006 - 12:09:56 AM
Event :
LDD6F.TMP has been blocked from starting (DLL).

Process :
I:\WINDOWS\SYSTEM32\1024\LDD6F.TMP
Parent :
I:\WINDOWS\SYSTEM32\SMSS.EXE
Vendor :

Version :

Details :
Community Information - Technical Information


(NOTE - Unable to JAIL file. Error Code: 12. The system cannot find the file specified.)
Attached Files
File Type: txt hijackthis 4-29.txt (10.0 KB, 2 views)



Last edited by iMagnusX; 05-01-2006 at 06:16 AM.
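The Prevx1 windows quoted above all share one shape: a `.tmp` file under a numbered subfolder of `SYSTEM32`, attributed to `smss.exe` as parent, and in several cases a note that the blocker could not quarantine the file because it was already gone. The script below is an added example (not part of the post or of Prevx) that parses that "Field :" / value layout and applies the defender's checks a triage analyst would run over such records. The two sample records are constructed from the values in the post; the list of legitimate `smss.exe` children is the XP behaviour (the Session Manager starts `csrss.exe` and `winlogon.exe`).

```python
import re
from collections import defaultdict

# Constructed sample: two records in the same layout as the Prevx1 windows
# quoted in the post (values copied from the post; only the record count differs).
SAMPLE_LOG = """\
Date/Time :
5/1/2006 - 12:09:56 AM
Event :
LDE0B.TMP has been blocked from starting.

Process :
I:\\WINDOWS\\SYSTEM32\\1024\\LDE0B.TMP
Parent :
I:\\WINDOWS\\SYSTEM32\\SMSS.EXE
Vendor :

Version :

Details :
Community Information - Technical Information
(NOTE - Unable to JAIL file. Error Code: 12. The system cannot find the file specified.)

Date/Time :
5/1/2006 - 12:09:56 AM
Event :
LDD6F.TMP has been blocked from starting (DLL).

Process :
I:\\WINDOWS\\SYSTEM32\\1024\\LDD6F.TMP
Parent :
I:\\WINDOWS\\SYSTEM32\\SMSS.EXE
Vendor :

Version :

Details :
Community Information - Technical Information
"""

# Under XP the Session Manager (smss.exe) starts csrss.exe and winlogon.exe and
# nothing else, so any other child attributed to it deserves a look.
EXPECTED_SMSS_CHILDREN = {"CSRSS.EXE", "WINLOGON.EXE"}


def parse_prevx_log(text):
    """Turn the 'Field :' / value-on-next-line layout into one dict per event."""
    records, current = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.endswith(" :"):
            key = line[:-2]
            value = lines[i + 1] if i + 1 < len(lines) else ""
            if key == "Date/Time":          # every record opens with this field
                current = {}
                records.append(current)
            if current is not None:
                current[key] = value.strip()
            i += 2
            continue
        if current is not None and line.startswith("(NOTE"):
            current["Note"] = line.strip("()").strip()
        i += 1
    return records


def triage(records):
    """Return (findings, children_by_parent) for the parsed events."""
    findings = []
    children = defaultdict(list)
    for rec in records:
        proc = rec.get("Process", "")
        parent = rec.get("Parent", "")
        children[parent.upper()].append(proc.upper())
        reasons = []
        # Windows does not install binaries in numbered subfolders of SYSTEM32.
        if re.search(r"\\SYSTEM32\\\d+\\", proc, re.I):
            reasons.append("binary lives in a numbered subfolder of SYSTEM32")
        # Legitimate software does not ship executable code as .tmp files.
        if proc.upper().endswith(".TMP"):
            reasons.append("executable with a .tmp extension")
        # Parent is smss.exe but the child is not one of its legitimate children.
        child_name = proc.upper().rsplit("\\", 1)[-1]
        if parent.upper().endswith("\\SMSS.EXE") and child_name not in EXPECTED_SMSS_CHILDREN:
            reasons.append("unexpected child of smss.exe")
        # The blocker could not quarantine the file because it was already gone:
        # whatever keeps writing these files is still live on the machine.
        if "Unable to JAIL" in rec.get("Note", ""):
            reasons.append("file vanished before quarantine; dropper still active")
        if reasons:
            findings.append((proc, reasons))
    return findings, dict(children)


if __name__ == "__main__":
    found, by_parent = triage(parse_prevx_log(SAMPLE_LOG))
    for proc, reasons in found:
        print(proc)
        for reason in reasons:
            print("   -", reason)
    for parent, kids in by_parent.items():
        print(f"{parent} spawned {len(kids)} blocked file(s)")
```

The per-parent tally is the useful part when eight windows arrive at once: a single parent repeatedly spawning short-lived files from one odd folder points at a persistent component (here the Winlogon Notify DLL the helper goes after in the next reply) rather than at the `.tmp` files themselves, which are only the payloads it keeps dropping.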
  #2  
Old 05-02-2006
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,046
joe5

Hya iMagnusX.

Let's see if we can clean that right up.


Please download Process Explorer by Sysinternals from HERE.

Download Smitrem to your desktop:
http://noahdfear.geekstogo.com/click...click.php?id=1
Run the installer and then press Start to extract the files to the desktop. Do not run it yet.

Reboot into safe mode (reboot and keep tapping F8, then choose Safe Mode from the list).

Run SmitRem:
Open the SmitRem folder and double click the "RunThis.bat" file to start the tool. Follow the prompts on screen, wait for the tool to complete, and for Disk Cleanup to finish.

The tool will create a log named smitfiles.txt on the drive that you ran SmitRem on, e.g. "C:\smitfiles.txt", or the partition where your operating system is installed.

Please attach this log to your next reply.


Note: XP users using the XP theme may experience a change to the Classic Windows theme. This can be changed on the Themes tab of Desktop Properties.


You will need to reload your wallpaper as the SmitRem tool will reset it. You can do this by right clicking the desktop and choosing Properties: first check Theme and set it to Windows XP, then click the Desktop tab, choose the one you want to use and press Apply.



Now in safemode unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen click on each instance of winbjt32.dll once and then click the kill button.
After you have killed all of the winbjt32.dll's under winlogon click OK.

Next, in the top section of the Process Explorer screen again, double click on explorer.exe and again click once on each instance of winbjt32.dll, then click the kill button.

Once you have done that click OK again.

Next run HijackThis and place a check beside each of the following:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - I:\WINDOWS\winres.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - blank (file missing)
O8 - Extra context menu item: &Viewpoint Search - res://I:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/Activ...veLauncher.cab
O20 - Winlogon Notify: ldr64 - ldr64.dll (file missing)
O20 - Winlogon Notify: winbjt32 - I:\WINDOWS\SYSTEM32\winbjt32.dll
Then manually delete the file in bold, reboot, and post the SmitRem log plus a new HJT log.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
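The reply above picks out seven HijackThis entries to fix, and the choice is not arbitrary: entries marked "(file missing)" are orphaned, a changed ProxyOverride is a sign something has touched the browser's proxy settings, O16 lines are ActiveX controls pulled from outside sites, and O20 Winlogon Notify DLLs are loaded into winlogon.exe at every logon, which is exactly why the helper has the user kill the winbjt32.dll threads in Process Explorer before deleting the file. The script below is an added example (not part of the reply, and not HijackThis code) that parses such log lines and applies those checks. The sample lines are the ones listed in the reply, plus one constructed benign O4 entry (ExampleUpdater is a placeholder) that the rules should leave alone; the Winlogon Notify baseline is the set of packages normally present on a clean XP install and is an assumption to confirm against a known-clean machine.

```python
import re

# Sample input: the entries listed in the reply above (the truncated O16 URL is kept
# exactly as quoted there), plus one constructed benign O4 line. ExampleUpdater is a
# placeholder, not a real product.
SAMPLE_HJT = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - I:\\WINDOWS\\winres.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - blank (file missing)
O4 - HKLM\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe
O8 - Extra context menu item: &Viewpoint Search - res://I:\\Program Files\\Viewpoint\\Viewpoint Toolbar\\ViewBar.dll/CXTSEARCH.HTML
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/Activ...veLauncher.cab
O20 - Winlogon Notify: ldr64 - ldr64.dll (file missing)
O20 - Winlogon Notify: winbjt32 - I:\\WINDOWS\\SYSTEM32\\winbjt32.dll
"""

# Every HijackThis line is "<section code> - <body>".
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Winlogon Notify packages normally present on a clean XP install. Assumption:
# confirm against a known-clean machine before relying on it.
XP_WINLOGON_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def parse_hjt(text):
    """Return a list of (section_code, body) tuples, skipping non-entry lines."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage_hjt(entries):
    """Apply the checks behind the reply's fix list; returns (code, body, reasons)."""
    findings = []
    for code, body in entries:
        reasons = []
        if "(file missing)" in body:
            reasons.append("references a file that no longer exists (orphaned entry)")
        if code == "O20" and body.startswith("Winlogon Notify:"):
            # "Winlogon Notify: <name> - <dll path>"
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name.lower() not in XP_WINLOGON_NOTIFY_BASELINE:
                reasons.append("Winlogon Notify DLL outside the XP baseline; "
                               "loaded into winlogon.exe at every logon")
        if code == "R1" and "ProxyOverride" in body:
            reasons.append("Internet Settings proxy override changed; "
                           "review the matching ProxyServer entry")
        if code == "O16":
            reasons.append("Downloaded Program File (ActiveX control) fetched "
                           "from a third-party site")
        if reasons:
            findings.append((code, body, reasons))
    return findings


if __name__ == "__main__":
    for code, body, reasons in triage_hjt(parse_hjt(SAMPLE_HJT)):
        print(f"{code} - {body}")
        for reason in reasons:
            print("   -", reason)
```

Six of the seven entries in the reply come out flagged; the O8 Viewpoint context-menu item does not, because recognising a specific toolbar vendor is knowledge rather than a rule, which is the point of the example: a script like this narrows the log to what needs a human decision, it does not replace the helper reading the rest.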

  #3  
Old 05-03-2006
Bronze Member
 
Join Date: Mar 2006
Posts: 17
iMagnusX

Well I did what you said, and right when I booted back to normal mode it happened again. While I was in the Process Explorer, though, there were some interesting things highlighted in red. I forgot what specific ones they were, but they were Generic Host Processes for Win32 under svchost.exe I think. Anyway, here's all the logs.
Attached Files
File Type: txt wmiprvse.exe.txt (3.3 KB, 5 views)
File Type: txt smitfiles.txt (3.1 KB, 9 views)
File Type: txt hijackthis 5-2.txt (7.8 KB, 7 views)


  #4  
Old 05-03-2006
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,046
joe5

Download Brute Force Uninstaller http://www.merijn.org/files/bfu.zip and unzip it to its own folder (c:\BFU).

Run the program and click the Web button located on the top right corner.
Copy and paste the below web address into the address bar of the Download script window:

ht tp://metallica.geekstogo.com/alcanshorty.bfu
(after copying and pasting , remove the space between "ht" and "tp")

Checkmark the following boxes:

Use settings specified in script for the above option.
Show log after script ends.

Execute the script by clicking the Execute button.

When it finishes running, click the Save button for a copy of the log. Post the log created by the script when you have completed the fix.


And then please do a Panda online AV scan here and post the log from that as well:

http://www.pandasoftware.com/products/activescan?NRMODE


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


Last edited by joe5; 05-03-2006 at 12:31 PM.
  #5  
Old 05-04-2006
Bronze Member
 
Join Date: Mar 2006
Posts: 17
iMagnusX

For some reason the Panda scan doesn't want to go through, and I couldn't get a scan. But here's the scan with the BruteForce.
Attached Files
File Type: txt bfu 5-3.txt (4.1 KB, 3 views)


  #6  
Old 05-05-2006
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,046
joe5

Try a Kaspersky scan instead:

http://www.kaspersky.com/service?chapter=161739400

Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings

In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan:

Select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:
Save the file to your desktop.

Please post that log.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #7  
Old 05-05-2006
Bronze Member
 
Join Date: Mar 2006
Posts: 17
iMagnusX

As of right now I can't get past the first page of Kaspersky. When I hit "accept," Internet Explorer says "error on page" and won't load the next page. Doesn't work in Firefox either.



Powered by vBulletin
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
All Graphics & Content Copyright © 2004-2008 - PC Help Forum.com