3 Replies Latest reply on Jan 17, 2010 6:36 PM by german

    How to remove smss32.exe false trojan alarm virus?

      Why can't McAfee find and remove the smss32.exe trojan.  I have run the full scan twice and the file and constant popups keep returning.  What can I do?

        • 1. Re: How to remove smss32.exe false trojan alarm virus?

          I am having the same issue. Alerts showed up and have blocked anything possible McAfee sw offered, yet one seemed to get automatically ok'd. I managed to block the 'desktop unchanged' under explorer policies when the software asked this yet it did make changes in the registry eventually: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit C:\WINDOWS\system32\winlogon32.exe

          It also seems to place an HTML file, Warning.html, under the System32 folder.

          As a result, Ctrl-Alt-Del doesn't work, nor does the regedit command, and messages keep appearing. Sorry, I haven't got a solution yet, but I hope every indication can help somebody find it.

          • 2. Re: How to remove smss32.exe false trojan alarm virus?

            Hi, found the solution. All is explained on this page. This worked for me.

            http://www.myantispyware.com/2010/01/07/how-to-remove-smss32-exe-winlogon32-exe-helper32-dll-fake-worm-win32-netsky-spyware-alert/

             

            Step 1.

            Download HijackThis from http://go.trendmicro.com/free-tools/hijackthis/HijackThis.exe and save it to your Desktop.
            If you cannot run HijackThis, then re-download it, but before saving HijackThis.exe, rename it first to explorer.exe and click Save button to save it to desktop.

            Run HijackThis. Click “Do a system scan only” button. Now select the following entries by placing a tick in the left hand check box, if present:

            F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
            O4 – HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe

            Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.

            Step 2.

            Download LSPFix from http://www.cexx.org/lspfix.zip and unzip it to your Desktop.

            Run LSPFix. Place a tick in the “I know what i`m doing”.

            In the KEEP box select helper32.dll and press “>>” button.

            Press Finish>> button. When LSPFix is done removing the LSP you will see a summary box. Press OK.

            Step 3.

            Download MalwareBytes Anti-malware (MBAM) here http://www.myantispyware.com/2008/08/28/malwarebytes-anti-malware-free-spyware-malware-trojan-remover/. Once downloaded, close all programs and windows on your computer.

            Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to “Update Malwarebytes’ Anti-Malware” and Launch “Malwarebytes’ Anti-Malware”. Then click Finish.

            MalwareBytes Anti-malware will now automatically start and you will see a message stating that you should update the program before performing a scan. If an update is found, it will download and install the latest version.

            As MalwareBytes Anti-malware will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main menu. You will see a window similar to the one below.

            [Image: Malwarebytes Anti-Malware window]

            Make sure the “Perform quick scan” option is selected and then click on the Scan button to start scanning your computer for smss32.exe, winlogon32.exe, helper32.dll. This procedure can take some time, so please be patient.

            When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click “Show Results”. You will see a list of infected items similar to the one shown below.
            Note: list of infected items may be different than what is shown in the image below.

            [Image: Malwarebytes Anti-malware, list of infected items]

            Make sure all entries have a checkmark at their far left and click the “Remove Selected” button to remove them. MalwareBytes Anti-malware will now remove all files and registry keys associated with smss32.exe, winlogon32.exe, helper32.dll and add them to the program’s quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.

            Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.

            Smss32.exe, winlogon32.exe, helper32.dll creates the following files and folders

            C:\WINDOWS\system32\helper32.dll
            C:\WINDOWS\system32\smss32.exe
            C:\WINDOWS\system32\winlogon32.exe
            C:\WINDOWS\system32\41.exe
            C:\WINDOWS\system32\warning.html

            Smss32.exe, winlogon32.exe, helper32.dll creates the following registry keys and values

            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop | NoChangingWallpaper = 1
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer | NoSetActiveDesktop = 1
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer | NoActiveDesktopChanges = 1
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | smss32.exe = “C:\WINDOWS\system32\smss32.exe”
            HKEY_CURRENT_USER\Software | 8636065b-fef0-4255-b14f-54639f7900a4 = “8636065b-fef0-4255-b14f-54639f7900a4”
            HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General | Wallpaper = “C:\WINDOWS\system32\warning.html”
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoSetActiveDesktop = 1
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoActiveDesktopChanges = 1
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper = 1
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr = 1
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = “C:\WINDOWS\system32\winlogon32.exe”
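
The two HijackThis entries and the file list from the reply above, turned into a small triage script for a saved HijackThis log. This is an added example, not part of the original thread and not code from HijackThis or any vendor; the sample log, the ExampleUpdater and ExampleChat entries, and the default Userinit path (a C:\WINDOWS install) are assumptions.

```python
import re

# File names this thread lists as dropped into C:\WINDOWS\system32.
IOC_FILES = {"helper32.dll", "smss32.exe", "winlogon32.exe", "41.exe", "warning.html"}
# Assumption: stock Userinit program on a C:\WINDOWS install.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# "<section> - <entry>"; the thread's copy uses an en dash, saved logs a hyphen.
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s*[-\u2013]\s*(.+?)\s*$")
RUN_RE = re.compile(r"^[^\[]*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
FILE_RE = re.compile(r'([^\\"\s]+\.\w+)')

# Constructed sample: the two entries quoted in the thread plus benign filler.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 – HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /tray
O4 - HKCU\..\Run: [ExampleChat] C:\Program Files\Example\chat.exe
"""

def triage(log_text):
    """Return (section, reason, line) tuples for entries matching the thread's indicators."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        section, body = m.groups()
        if section == "F2" and body.lower().startswith("reg:system.ini: userinit="):
            # Userinit is a comma-separated list of programs started at logon.
            progs = [p.strip().lower() for p in body.split("=", 1)[1].split(",")]
            odd = [p for p in progs if p and p != DEFAULT_USERINIT]
            if odd:
                findings.append((section, "Userinit runs " + ", ".join(odd), raw.strip()))
        elif section == "O4":
            run = RUN_RE.match(body)
            if not run:
                continue
            hits = {f.lower() for f in FILE_RE.findall(run.group("cmd"))} & IOC_FILES
            if run.group("name").lower() in IOC_FILES or hits:
                findings.append((section, "autorun matches a listed file name", raw.strip()))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n      {line}")
```
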

            • 3. Re: How to remove smss32.exe false trojan alarm virus?

              Jaerts

               

              MalwareBytes Anti-malware worked great, found the problems and let me delete them. Thanks