Smss32.exe, winlogon32.exe, helper32.dll are components of trojan FakeAlert. Once installed, the trojan will configure itself to run automatically when Windows starts. When the trojan is started, it will display a screen that stats that Worm.Win32.Netsky detected on your computer as an attempt to make you think your computer in danger. The alert is fake and you can safety ignore it.
What is more, the “smss32.exe, winlogon32.exe, helper32.dll” trojan may display a lot of popups, disable Windows Task Manager, change a desktop background, block the ability to run any applications including antivirus and antispyware programs. The trojan will also download and install Internet Security 2010 onto computer automatically without your permission. Internet Security 2010 is a rogue antispyware program, that reports false infections and shows fake security alerts as method to to trick you into purchase so-called “full” version of the software.
Use the removal guide below to remove smss32.exe, winlogon32.exe, helper32.dll and any associated malware from your computer for free.
Symptoms in a HijackThis Log
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 – HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O10 – Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
Use the following instructions to remove remove smss32.exe, winlogon32.exe, helper32.dll (Remove Worm.Win32.Netsky Spyware Alert)
Step 1.
Download HijackThis from here and save it to your Desktop.
If you cannot run HijackThis, then re-download it, but before saving HijackThis.exe, rename it first to explorer.exe and click Save button to save it to desktop.
Run HijackThis. Click “Do a system scan only” button. Now select the following entries by placing a tick in the left hand check box, if present:
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 – HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download LSPFix from here and unzip it to your Desktop.
Run LSPFix. Place a tick in the “I know what i`m doing”.
In the KEEP box select helper32.dll and press “>>” button.
Press Finish>> button. When LSPFix is done removing the LSP you will see a summary box. Press OK.
Step 3.
Download MalwareBytes Anti-malware (MBAM). Once downloaded, close all programs and windows on your computer.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to “Update Malwarebytes’ Anti-Malware” and Launch “Malwarebytes’ Anti-Malware”. Then click Finish.
MalwareBytes Anti-malware will now automatically start and you will see a message stating that you should update the program before performing a scan. If an update is found, it will download and install the latest version.
As MalwareBytes Anti-malware will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main menu. You will see window similar to the one below.
Malwarebytes Anti-Malware Window
Make sure the “Perform quick scan” option is selected and then click on the Scan button to start scanning your computer for remove smss32.exe, winlogon32.exe, helper32.dll. This procedure can take some time, so please be patient.
When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click “Show Results”. You will see a list of infected items similar as shown below.
Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click “Remove Selected” button to remove THREATNAME. MalwareBytes Anti-malware will now remove all of associated remove smss32.exe, winlogon32.exe, helper32.dll files and registry keys and add them to the programs’ quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Smss32.exe, winlogon32.exe, helper32.dll creates the following files and folders
C:\WINDOWS\system32\helper32.dll
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\winlogon32.exe
C:\WINDOWS\system32\41.exe
C:\WINDOWS\system32\warning.html
Smss32.exe, winlogon32.exe, helper32.dll creates the following registry keys and values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop | NoChangingWallpaper = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer | NoSetActiveDesktop = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer | NoActiveDesktopChanges = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | smss32.exe = “C:\WINDOWS\system32\smss32.exe”
HKEY_CURRENT_USER\Software | 8636065b-fef0-4255-b14f-54639f7900a4 = “8636065b-fef0-4255-b14f-54639f7900a4”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General | Wallpaper = “C:\WINDOWS\system32\warning.html”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoSetActiveDesktop = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoActiveDesktopChanges = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = “C:\WINDOWS\system32\winlogon32.exe”
Thanks so much, this worked for me today.
Bless you! Bless you! A thousand blessings upon you for the angst, and lost hair you have saved me. I got the whole package… smss32.exe, Win32.NetSky, etc. Things were deteriorating before my eyes. I thought it was all over…. I spent 3 hours running scans, antivirus software, etc., until I googled smss32 and found your site. I followed your instructions carefully; they were incredibly clear and concise, and best of all — EFFECTIVE!!!
I was about to jump out the window — I hope you receive even a small portion of the rewards you deserve. What else is there to say: Thank you ever so much!
A matter of concern for me is that simply visiting a webpage started the install process for this thing. I don’t recall clicking or accepting anything. Windows defender alerted me that winlogon32 and smss32 were trying to set up to autorun and I denied permission for that but the malware payload had already started running the bogus 2010 software. MS security essentials said it detected “Trojan:HTML/Fakeinit” and removed it. task manager was getting blocked but I used the defender “software explorer” to stop the 2010 program.
I still had to manually repair the registry keys.
I used the lsp-fix product, which I already had, to remove the helper32.dll
Followed this procedure this morning and it cleaned up the problem nicely. Thanks to all who put this together.
Thank you so much for these instructions, worked like a charm!
Thanks
So easy a caveman can do it! thanks guys.
BAC3, once Windows loaded, press CTRL + ALT + DEL.
Task Manager should opens.
Click File, New Task.
Type explorer.exe and press Enter.
It should load all icons and show windows task bar.
Now run Malwarebytes Anti-malware and perform a scan.
frank, ask for help in our Spyware removal forum.
i have a little problem, i had to clean my hard hard and now i cant access to the internet, every connection is fine but the internet explorer says: internet explorer cannot display the web page…. what should i do about it?
Hey, everything worked for me, till the LPSFIX i never saw helper32.dll in there, help please?
reaper, try run WinSock XP Fix (look a link above), also check proxy settings of Internet Explorer.
FROM A FRUSTRTAED GUY IN ATHENS, GREECE, WHO HAS BEEN TRYING FOR 20 HOURS TO GET RID OF THE LATEST VERSION OF THE VIRUS WITH OVERHYPED ANTIVIRUS PROGRAMS SUCH AS KASPERSKY, NORTON, AVIRA, LOCKED REGEDIT EDITORS, LOCKED SYSTEM RESTORE ETC., I HAVE ONE THING TO SAY TO YOU:
YOU ROCK MORE THAN “TRAILER PARK BOYS” TV SHOW, ICED EARTH AND “CLERKS” MOVIE COMBINED
THANK YOU
Running LSPFix did not highlight the helper32.dll for me either. But I saw others say that despite this, the process outlined here worked for them, so I continued. When I ran the the MALwarebytes software, it found and removed the helper32.dll file. Thank you very much for your help!!!
This worked like a charm. Thank you vary much for sharing the fix!
What a lifesaver. Thank you x 1000.
This worked great for me. Step 2 did not highlight the helper32.dll but everything still worked regardless. Thank you SO SO very much for your help and publishing this article.
Again Thank you
Thank you….Thank you….Thank you!!!
Thanks so much for this fix! We have been trying to remove this thing for two days with no luck. on each reboot this \PITA\ kept coming back. Step by step instructions were perfect and the Malware program is a godsend. Microsoft’s and Spyware Doctor didn’t help us but following these steps and using the Malware did. Someone tell me again why we’re paying McAfee?
Thanx so much, man. U rule!
I followed the steps and I am 10 times worse off than before. Now, I cannot execute ANY programs and whenever I try to go to any website, I am hijacked to a (I am sure) fake anti spyware site. I am sooooo upset
i accidently delteted the other things that was with helpper32 did i mess this up
Sam Gil,
My laptop also kept booting me out even after accepting the pwd.
So I booted using my WinXP Pro CD and chose to ” setup windows xp ” instead repair.
This will detect your existing installation and reinstall all the system files without losing your data.
Follow this link for a step by step procedure
http://michaelstevenstech.com/XPrepairinstall.htm
The virus was removed and I was able to login to my laptop.
PS: you’ll need to have the original win xp product key to do this. In case you don’t have one…just google.
Hope this helps
After following the instructions here step by step and losing the desktop icons and start button, I managed to get my desktop back (by using system restore, which was now available to me), but now most of the programs won’t connect to the internet. Firefox Mozilla and Outlook Express WILL connect just fine. Nothing else connects, though (Internet Explorer, Dropbox, Itunes, all chat programs such as Yahoo Messenger, etc.).
It obviously sounds like a firewall issue, but it’s apparently not. All permissions are granted. I’ve even shut down the firewall briefly to test, and same result.
I’ll be your biggest fan (and you have a lot, obviously) if you can help me with this one.
Help please. I am struggling to install the Malwarebytes anti-malware software on my infected PC in safe mode. Getting message Unable to execute file: C\Program Files\Malwarebytes ‘Antimalware\mbam.exe Create Process failed; code 2. System cannot find specified file.
I renamed the setup file to another name, but same result on installation.
FYI: I downloaded purchased version of the antispyware onto another computer and via jump drive attempted install on infected pc. Any suggestions?
I also have McAfee Security Suite and still got infected.
FYI, I did step 1 and 2 (smss32.exe was removed – at least it is not showing up in task manager, but task manager shown bunch other processes: like smss.exe)
Both Skype and Mozilla Thunderbird will connect just fine too.
How do I get the other programs to connect?
Sorry. One more detail that might help. If I switch users in windows, the programs work logged in as the second user.
Baffling to me.
Help, please.
BAC3, look also to Internet Explorer proxy settings.
Tools->Internet Options->Connections->Lan Settings->Uncheck “Use a proxy server”.
stan, download this file and save it to C\Program Files\Malwarebytes ‘Antimalware\. Run it.
Great Fix!
Worked like a charm on my first try. Thank you very much for this post!