Smss32.exe, winlogon32.exe and helper32.dll are components of the FakeAlert trojan. Once installed, the trojan configures itself to run automatically when Windows starts. When it starts, it displays a screen stating that Worm.Win32.Netsky was detected on your computer, in an attempt to make you think your computer is in danger. The alert is fake and you can safely ignore it.
What is more, the “smss32.exe, winlogon32.exe, helper32.dll” trojan may display a lot of popups, disable Windows Task Manager, change the desktop background, and block the ability to run any applications, including antivirus and antispyware programs. The trojan will also download and install Internet Security 2010 onto your computer automatically, without your permission. Internet Security 2010 is a rogue antispyware program that reports false infections and shows fake security alerts as a method to trick you into purchasing the so-called “full” version of the software.
Use the removal guide below to remove smss32.exe, winlogon32.exe, helper32.dll and any associated malware from your computer for free.
Symptoms in a HijackThis Log
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 – HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O10 – Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
Use the following instructions to remove smss32.exe, winlogon32.exe, helper32.dll (Remove Worm.Win32.Netsky Spyware Alert)
Step 1.
Download HijackThis from here and save it to your Desktop.
If you cannot run HijackThis, re-download it, but before saving HijackThis.exe, rename it to explorer.exe and then click the Save button to save it to your Desktop.
Run HijackThis. Click the “Do a system scan only” button. Now select the following entries, if present, by placing a tick in the left-hand check box:
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 – HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download LSPFix from here and unzip it to your Desktop.
Run LSPFix. Place a tick in the “I know what I'm doing” check box.
In the KEEP box, select helper32.dll and press the “>>” button.
Press the Finish>> button. When LSPFix is done removing the LSP, you will see a summary box. Press OK.
Step 3.
Download MalwareBytes Anti-malware (MBAM). Once downloaded, close all programs and windows on your computer.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to “Update Malwarebytes’ Anti-Malware” and “Launch Malwarebytes’ Anti-Malware”. Then click Finish.
MalwareBytes Anti-malware will now automatically start and you will see a message stating that you should update the program before performing a scan. If an update is found, it will download and install the latest version.
As MalwareBytes Anti-malware will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main menu. You will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Make sure the “Perform quick scan” option is selected and then click on the Scan button to start scanning your computer for smss32.exe, winlogon32.exe, helper32.dll. This procedure can take some time, so please be patient.
When the scan is finished, a message box will appear stating that it has completed scanning successfully. Click OK. Now click “Show Results”. You will see a list of infected items similar to the one shown below.
Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click the “Remove Selected” button to remove the detected items. MalwareBytes Anti-malware will now remove all of the associated smss32.exe, winlogon32.exe, helper32.dll files and registry keys and add them to the program’s quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Smss32.exe, winlogon32.exe, helper32.dll creates the following files and folders
C:\WINDOWS\system32\helper32.dll
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\winlogon32.exe
C:\WINDOWS\system32\41.exe
C:\WINDOWS\system32\warning.html
Smss32.exe, winlogon32.exe, helper32.dll creates the following registry keys and values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop | NoChangingWallpaper = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer | NoSetActiveDesktop = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer | NoActiveDesktopChanges = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | smss32.exe = “C:\WINDOWS\system32\smss32.exe”
HKEY_CURRENT_USER\Software | 8636065b-fef0-4255-b14f-54639f7900a4 = “8636065b-fef0-4255-b14f-54639f7900a4”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General | Wallpaper = “C:\WINDOWS\system32\warning.html”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoSetActiveDesktop = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoActiveDesktopChanges = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = “C:\WINDOWS\system32\winlogon32.exe”
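One way to check a saved HijackThis log for the F2, O4 and O10 entries and the file names listed above. This is an added example, not part of the original guide or of HijackThis; the `triage` function and the sample log are constructed for illustration, and the script assumes Windows is installed in C:\WINDOWS. It goes slightly beyond the guide by flagging any Userinit program other than the stock userinit.exe.

```python
import re

# Indicators from this page's file list (lower-cased for case-insensitive match).
BAD_FILES = {"smss32.exe", "winlogon32.exe", "helper32.dll", "41.exe", "warning.html"}
# Stock Windows XP Userinit program; assumes Windows is installed in C:\WINDOWS.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# "<section> - <body>"; web pages often render the hyphen as an en dash (U+2013).
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s*[-\u2013]\s*(.+?)\s*$")
# A file name: a path component that carries an extension.
NAME_RE = re.compile(r'[^\\/:"\s,=\[\]]+\.[A-Za-z0-9]+')

def triage(log_text):
    """Return a list of (section, reason) for lines that match this infection."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        if section == "F2" and "userinit=" in body.lower():
            # Userinit can hold several comma-separated programs; check each.
            for prog in body.split("=", 1)[1].split(","):
                prog = prog.strip().strip('"')
                if prog and prog.lower() != DEFAULT_USERINIT:
                    hits.append((section, "Userinit runs " + prog))
        elif section in ("O4", "O10"):
            kind = "autorun" if section == "O4" else "Winsock LSP"
            for name in sorted({n.lower() for n in NAME_RE.findall(body)} & BAD_FILES):
                hits.append((section, kind + " references " + name))
    return hits

# Constructed sample log: a header, one benign autorun, and the entries shown on this page.
SAMPLE_LOG = """\
Logfile of HijackThis (constructed sample)
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\winlogon32.exe
O4 - HKLM\\..\\Run: [ExampleApp] "C:\\Program Files\\Example\\app.exe" /start
O4 \u2013 HKLM\\..\\Run: [smss32.exe] C:\\WINDOWS\\system32\\smss32.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\helper32.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\helper32.dll
"""

if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, reason)
```

An empty result after the three steps means none of these log symptoms remain; it does not cover files that are present on disk but no longer referenced by an autorun or LSP entry.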
Patrik for President. Or King. Something.
Thank you so much for sharing this!
Patrick, I tried to install MBAM after I renamed the setup files to a made up name and it failed to install. Tom from Malwarebytes advised me to try install with random installer and if it fails he will look for the rootkit infected files in the log I will send him. I will resume tonight when I get home. Will keep you posted on progress, hoping others may benefit from this effort.
Since my pc is infected with the fake alert Trojan I wanted to retrieve a bunch of personal files (photos, etc) from the infected C drive: On save, I got message “$encrypted; data, do you want to proceed, continueing may cause harm or loss of content” popped up when saving entire subfolder to a jump drive (in safe mode)…Is this coming from the virus or McAfee? If yes, what software should I use to check and clean the copied data files in the jump drive?
FYI, copying file by file did not give the message.
Thanks so much, it all worked perfect for me and was so easy to follow – broadband seems to be a lot slower now than before – is this due to the malware software?
I followed the steps and it appears that the virus was removed. However, now my computer pops up a message every 15-20 minutes saying that Generic Host Process for win32 Services has encountered an error and needs to shut down. I get a countdown timer that my system will reboot in 1 minute and it does – only to get the same message again in 15-20 minutes. Did I not get all the files or is one of my files now corrupted from the virus? Any help would be appreciated!
pete, open a new topic on our Spyware removal forum. I will check your PC.
I believe I have all the files removed and I have used Malware to scan several times over and it comes up with no infected objects.
I had a problem with IE connecting to any sites, so I reset all the IE settings and it seems to be working again.
Firefox on the other hand cannot connect to gmail when I try. Then I’m forced to shut firefox down. The window closes but the firefox.exe keeps running. Opera appears to work correctly.
Is there something I’m missing?
Hero – Thank you.
I was so impressed with your clear instructions
I posted on my website
yonokwetlands.awardspace.com/records_2010.html
cheers mick
dan, you are probably infected with another trojan. Ask for help in our Spyware removal forum.
Thanks so much for this site — a godsend and a good site quicker, easier, and cheaper than big-name commercial supposed-protection.
Other than no longer being annoyed by popup warnings every minute, is there a good way to positively verify that all virus artifacts are, indeed, gone? Many thanks.
I followed all 3 steps but there was not an O4-HKLM\..Run[smss32.exe] file listed when I ran HijackThis. I proceeded on through the remainder of the steps, ran malware bytes, and everything appeared to be working correctly. My desktop was restored after reboot but I thought I would check to make sure the smss32.exe file was gone. Well to my surprise it was still in my Window/prefetch folder. I might note that Norton IS had previously removed the Fake Internet Security 2010 program and also said that it had done something with the smss32.exe. It now appears in the Quarantined listing in NIS. Am I overly concerned? My other computers do not have a smss32.exe file, so I assume it is created by this virus.
After agonizing over this and even buying Norton with no success, I followed your instructions and everything was fixed within an hour. Thanks!!
1/24/2010
Just finished all steps exactly as stated above. I now have everything back to normal. Many Thousand Thanks for flawless instructions to eliminate Netsky trojan.
I can see the smss32 and helper32.dll files in my system32 folder.
But when I try to manually delete them, I get a popup saying access is denied. Perhaps those files are write-protected?
How can I manually delete them? thanks.
that worked… just update your malwarebyte links coz that isn’t working anymore…
anyway i got another one and thats done now…
thx dude !
Bev, go to step 1, before removing anything.
Patrik –
I got rid of those files now (thanks), but I have another problem. The desktop takes about 15 minutes to load now.
When I boot up, the blue “welcome” message that appears on the screen before you get to the desktop “freezes” for about 20 seconds. This was happening yesterday when the computer was first infected. It was my first clue something was wrong.
I no longer have those fake popup spyware warning messages, and I no longer have my desktop background hijacked by the warning message.
But, the desktop images and the software programs and files on the desktop take about 15 minutes to load, which they never used to. While they are loading, the computer makes a loud gurgling noise.
Things finally do load, but I wonder if the viruses have all been removed and what can be done about the extremely slow loading of the desktop.
If I try to fire up IE, it takes about another 5 minutes. All this was not taking place before the virus set in yesterday.
Thanks for any help.
This worked better than I could ever have imagined, thanks!
thank you so much for this simple and clear instruction; I was able to remove Internet Security 2010 and all other junks in my computer that I ran the scan using Mcaffee for 4 hrs and did not work…you are a great one…thanks a million!
Thanks for the writeup. it worked great!!
Brilliant – worked a treat, many thanks
followed the instructions, it worked like a charm. thanks so much!!
Thanks guys. Worked perfectly. 18 minutes.
Hi, I had encountered this virus on the 17th but by another name SPM/LX. I tracked new files, renamed them, Malwarebytes deleted a few files and several reg strings, and all seemed fine til I tried to get online, dial up. My IP could see me there but IE would not go. I read your fix, ran hijackthis and it stated helper32.dll was missing so I renamed and restored the helper32.dll, ran the fix and all seems well. Note to others, never delete stuff, rename it and put it in a folder somewhere different, you may need it like I just did. Had I deleted it I’d be sunk. My question is Malwarebytes calls this file out as a virus should I delete it? I renamed and moved it and can still get on the web so I’d normally just delete it but somewhere I read windows needs the file, I think. Additionally I have files named IS15.exe and winlogon32.exe from system32 being held as renamed captives to be sure I don’t need them. They were never restored and subject to hijackthis or LSP Fix so I’m not sure if they should have been part of the fix. I also have a file named s that was on C. It is 4kb. Also never ran through the fix, it’s renamed and saved as well. Should I rename and restore them and rerun the fix or just delete them? Thanks.
Thank you so much! I couldn’t get rid of this malware for days; followed your instructions and voila! I had to remove the dll’s and exe’s in the recovery console but besides that the instructions were dead on.
Thanks very much for this much-needed service. I was able to follow the directions easily and my desktop is more or less restored, though with all of the icons highlighted for some reason.
Do you know a way of preventing a recurrence of this problem?
Took me 2 days to get rid of this swine of a trojan and my job is creating Windows images for a large corporation, so I really feel you guys with less IT experience.
Thanks for the help.
I was able to fix the smss32.exe virus manually. But my computer was part of a network so I fixed it from another PC. Also, I am running IE8. I’m sure IE7 is similar but haven’t tried.
Eventually these two fixes were what did it.
First Fix.
1) Copied authentic Windows file smss.exe to smss32.exe then made it Read-Only.
2) After reboot, I am logged off as soon as I logged in to Windows XP.
3) On a second PC on the network, I ran regedit and connected to the infected PC to bring up its registry.
4) Went to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
5) Changed the Userinit entry to “C:\WINDOWS\system32\userinit.exe”. (It was changed by the smss32.ex virus to “smsss32.exe”.)
6) Rebooting caused me to lose Internet. I can’t surf the web.
Second Fix.
1) Ran IE8.
2) IE8 said there’s something wrong and shows a big button saying “diagnose network connection”.
3) I clicked that and then it said something’s wrong with “VSockets LSP” do I want to remove it.
4) I clicked “Yes”.
5) I rebooted and I got back the Internet.
I hope this helps. I am really annoyed by people who write viruses. I hope everyone who finds a solution posts it on the Internet so we can defeat virus writers all the time.
Thinking about it some more, maybe I didn’t have to do steps #1 and #2 in the First Fix. I was grasping at straws at the time.