Smss32.exe, winlogon32.exe and helper32.dll are components of the FakeAlert trojan. Once installed, the trojan configures itself to run automatically when Windows starts. When the trojan is started, it displays a screen stating that Worm.Win32.Netsky was detected on your computer, in an attempt to make you think your computer is in danger. The alert is fake and you can safely ignore it.
What is more, the “smss32.exe, winlogon32.exe, helper32.dll” trojan may display a lot of popups, disable Windows Task Manager, change the desktop background, and block the ability to run any applications, including antivirus and antispyware programs. The trojan will also download and install Internet Security 2010 onto the computer automatically without your permission. Internet Security 2010 is a rogue antispyware program that reports false infections and shows fake security alerts as a method to trick you into purchasing the so-called “full” version of the software.
Use the removal guide below to remove smss32.exe, winlogon32.exe, helper32.dll and any associated malware from your computer for free.
Symptoms in a HijackThis Log
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 – HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O10 – Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
Use the following instructions to remove smss32.exe, winlogon32.exe, helper32.dll (Remove Worm.Win32.Netsky Spyware Alert)
Step 1.
Download HijackThis from here and save it to your Desktop.
If you cannot run HijackThis, then re-download it, but before saving HijackThis.exe, rename it to explorer.exe and click the Save button to save it to your Desktop.
Run HijackThis. Click the “Do a system scan only” button. Now select the following entries, if present, by placing a tick in the left-hand check box:
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 – HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
Place a checkmark against each of them. Once you have selected all entries, close all running programs, then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download LSPFix from here and unzip it to your Desktop.
Run LSPFix. Place a tick in the “I know what I'm doing” checkbox.
In the KEEP box, select helper32.dll and press the “>>” button.
Press the Finish>> button. When LSPFix is done removing the LSP you will see a summary box. Press OK.
Step 3.
Download MalwareBytes Anti-malware (MBAM). Once downloaded, close all programs and windows on your computer.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and, when the program has finished installing, make sure a checkmark is placed next to “Update Malwarebytes’ Anti-Malware” and “Launch Malwarebytes’ Anti-Malware”. Then click Finish.
MalwareBytes Anti-malware will now automatically start and you will see a message stating that you should update the program before performing a scan. If an update is found, it will download and install the latest version.
As MalwareBytes Anti-malware will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main menu. You will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Make sure the “Perform quick scan” option is selected and then click on the Scan button to start scanning your computer for smss32.exe, winlogon32.exe, helper32.dll. This procedure can take some time, so please be patient.
When the scan is finished, a message box will appear stating that it has completed scanning successfully. Click OK. Now click “Show Results”. You will see a list of infected items similar to the one shown below.
Note: the list of infected items may be different from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click the “Remove Selected” button to remove the infection. MalwareBytes Anti-malware will now remove all of the associated smss32.exe, winlogon32.exe, helper32.dll files and registry keys and add them to the program's quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Smss32.exe, winlogon32.exe, helper32.dll creates the following files and folders
C:\WINDOWS\system32\helper32.dll
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\winlogon32.exe
C:\WINDOWS\system32\41.exe
C:\WINDOWS\system32\warning.html
Smss32.exe, winlogon32.exe, helper32.dll creates the following registry keys and values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop | NoChangingWallpaper = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer | NoSetActiveDesktop = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer | NoActiveDesktopChanges = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | smss32.exe = “C:\WINDOWS\system32\smss32.exe”
HKEY_CURRENT_USER\Software | 8636065b-fef0-4255-b14f-54639f7900a4 = “8636065b-fef0-4255-b14f-54639f7900a4”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General | Wallpaper = “C:\WINDOWS\system32\warning.html”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoSetActiveDesktop = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoActiveDesktopChanges = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = “C:\WINDOWS\system32\winlogon32.exe”
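The HijackThis symptoms and the file list above can be checked against a saved HijackThis log with a short script. This is an added example, not part of the original guide or of HijackThis; the function name triage, the sample log and its ctfmon.exe line are constructed for illustration, and the Userinit check goes beyond this one trojan by flagging any program other than userinit.exe (assumed here to be the only default entry).

```python
import re

# File names this page lists under C:\WINDOWS\system32 (lower-cased).
KNOWN_FILES = {"helper32.dll", "smss32.exe", "winlogon32.exe", "41.exe", "warning.html"}

# HijackThis writes "O4 - ..."; web pages often turn the hyphen into an en dash.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s*[-\u2013]\s*(.+)$")
# File-name-like tokens: a path component ending in a watched extension.
FILE_TOKEN = re.compile(r'[^\\/\s"\[\]=,]+\.(?:exe|dll|html)\b')


def triage(log_text):
    """Return sorted, de-duplicated (section, file, reason) findings."""
    findings = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # headers, process list and blank lines
        section, body = m.group(1), m.group(2).lower()
        files = FILE_TOKEN.findall(body)
        if section == "F2" and "userinit=" in body:
            # Generalised check (assumption: userinit.exe is the only default):
            # any other program in the Userinit value runs at every logon.
            for name in files:
                if name != "userinit.exe":
                    findings.add((section, name, "extra program in Userinit"))
        elif section == "O10" and "unknown file in winsock lsp" in body:
            # Handled in Step 2 with LSPFix, not by deleting the file.
            for name in files:
                findings.add((section, name, "unknown Winsock LSP"))
        else:
            for name in files:
                if name in KNOWN_FILES:  # exact match: smss.exe is not smss32.exe
                    findings.add((section, name, "file name listed on this page"))
    return sorted(findings)


# Constructed sample: the symptom lines from this page plus one benign entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 – HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O10 – Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
"""

if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {name:16} {reason}")
```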
Mike, if HijackThis does not show symptoms of the infection, then you can remove both files (IS15.exe and winlogon32.exe).
Jonathan, you should use: a good antivirus, an antispyware (SpyBot for example), a firewall (Windows firewall should be enabled as a minimum). And most important, be careful when opening attachments and downloading files and use only an alternate browser (Firefox or Opera).
Got this one from an infected website even though I am using Chrome and have AVG running.
Your info was very helpful. Thank you.
I had already deleted the new files in windows\system32
When I found I couldn’t reboot ala Sam Gil above, I booted from a Linux USB stick and copied the registry files from my ERUNT backup back to windows\system32\config
A few minor cleanups were required to re-enable taskmanager and restore my wallpaper.
Malwarebytes, HijackThis and other scans are now reporting clean. I sure hope so.
The biggest time savers for me were having a tested USB boot thumb drive that allowed me to edit the infected drive directly without running the Windows XP and ERUNT created registry backups that could be used to manually restore it. I recommend preparedness to save a lot of time under stress.
Thanks – your instructions worked for me. I had tried various other approaches to no avail. This was a lifesaver.
Thanks Patrick, HijackThis states I’m missing d3d932.dll. Where can I get that and do I need it? Everything so far seems fine. LSP-Fix shows mswsock.dll (Tcpip), winrnr.dll (NTDS) and rsvpsp.dll (Protocol handler) in Keep. Should I do anything with them? Thanks again!
I got this virus last night playing a simple text game on Yahoo! in Firefox. I play this game all the time, but the green screen and warning just popped up.
I searched many forums, tried many things to remove and found this process. This worked, I did the process as Administrator in Safe Mode. However, it corrupted Windows Explorer in my regular user profile. I couldn’t do anything in it, (Windows Explorer has encountered an error and needs to close before anything loads after logon). Screen would only show my wallpaper, so had to go back to Safe Mode as Admin and create a new user profile and migrate my docs and settings over.
Still have a bunch of settings to re-do that don’t migrate (re-setup accounts in Outlook, reset desktop, and other settings/logins/passwords I used in other programs). Has anyone else encountered this? Does anyone have a solution?
I too fell prey to the IS1020/Netsky thing. Did all the scans and got back my PC. Next day the FakeAV thing showed up. Scanned again and it was gone but lost my Internet. All other forms of internet worked, like e-mail, IM and ftp, but no browser. Did uninstall of IE7 to IE6 and back. No go. Finally ran HijackThis. I saw this thing in my Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
Looked it up. It is a Loopback address. This is what I saw at the bottom of the browser. I deleted the whole damn thing and now I can surf again. Hope this helps the rest of you kids.
Anthony in Kansas
Thanks Patrick your steps worked perfectly. However, my computer is running very, very slow now. I am having the same problem as Bev. However, when I boot up, the blue “welcome” message that appears on the screen before you get to the desktop goes “black” for about 20 seconds. In addition, trying to use my programs like the internet, Microsoft Word etc.., are very slow and my computer makes loud gurgling noises too. Do you have any idea how to remedy the problem? Has the virus damaged my computer or is there another virus perhaps?
Thank you in advance!
I don’t have much money and cannot afford an expensive anti-virus/anti-malware program but if I did I would certainly donate to you. Simply outstanding job; keep up the good work. You are a professional and a gentleman.
Thanks,
John
Many thanks for this absolutely first class assistance. Worked like a charm !!TOP MAN.
Dear All,
I also got that virus, Fake Alert. Thanks to all for the published advice that helped me to get rid of that virus.
Best regards,
Sorin
Cinnamon, probably your PC is infected with a trojan that blocks your old account. Ask for help in our Spyware removal forum.
Felicia, probably your PC is infected with another virus or trojan. Open a new topic in our Spyware removal forum.
Thanks, but the instructions didn’t work for me. I ran a few scanners; while they did detect and remove some things, they didn’t get rid of the problem completely and some of the infections returned. What mainly worked for me was Trojan Remover (www.simplysup.com). Before running Trojan Remover, Malwarebytes wouldn’t install and Windows Security Center, Task Manager, and Desktop Display Properties were all disabled. Once I finished scanning with Trojan Remover, I was able to install Malwarebytes and everything was enabled once again. I then ran Malwarebytes, Spybot Search & Destroy, CCleaner, and a Registry Cleaner to remove what was left over. Now my PC is showing up clean. I thought I would have to reformat my system. Thank God I didn’t have to. I hope this never happens again because it took me almost three days to get rid of this nasty malware.
Thanks Patrick your steps worked perfectly. However, my computer is running very, very slow now. I am having the same problem as Bev. However, when I boot up, the blue “welcome” message that appears on the screen before you get to the desktop goes “black” for about 20 seconds. In addition, trying to use my programs like the internet, Microsoft Word etc.., are very slow and my computer makes loud gurgling noises too. Do you have any idea how to remedy the problem? Has the virus damaged my computer or is there another virus perhaps?
Thank you in advance!
(EDIT)
Hi Patrick!
I forgot to mention that after I followed your steps, I had to re-install Windows XP, because my computer kept automatically logging me out
Hi. Need your help.
I manually removed this virus/spyware using the same instructions as “wl” posted 01/10/10. However, I lost my network connection to our server. No internet, no network. I tried using “netsh winsock reset”. It works for my internet. But still, how come I could not connect to my local network? When I am trying to map a network folder I receive the error message “The drive could not be mapped because no network was found”.
Is there a virus/worm/spyware still hanging out with my PC? Or do I just need to do something with my network? Also right-click for Properties isn’t working.
Thanks in advance to anyone who will help.
I terminated the virus process to enable Malwarebytes by using Process Explorer from a USB stick.
Big thanks!
Followed the instructions and the computer is now clean!
Before this I ran ad-aware + avg but to no success.
Worked very fine. Since I never heard of “Malwarebytes Anti Malware” I used Avira’s Antivir to clean the remains. I know this is Malwarebytes’ site – but can we trust the program “Anti Malware”?
Commentator, Malwarebytes Anti-malware is really good program.
A surefire fix is to take the infected hard drive out of the infected computer, connect it to another computer as a slave drive or use an enclosure. Boot up your second computer like normal with the infected drive attached. When the drive appears in “My Computer” right-click on it and use your virus scanner of choice on it. It will find all the infections related to smss32.exe. It appears to hide itself with a rootkit when it’s running. Too bad it cant hide if it’s in a slave drive and can’t start. HA! HA! You probably have to manually restore the proper logon programs if you do it this way.
Excellent. Your instructions worked a treat. I had tried other methods but the virus reappeared after rebooting. But not this time! Many thanks.
First of all, thanks for this helpful site…the steps worked for me, everything was present, Malwarebytes found 16 items and I deleted them (all in safe recovery mode). But when I started my computer again the desktop was green, stating my system is infected! I ran Malwarebytes again, it found 1 object – did not resolve the problem. My task manager is working again…and the warning messages and the red button in the taskbar are gone…just this green desktop with the warning. Hope you can help me!
Uh, now it is gone…just that the “warning” is still available in the pictures for my desktop…I have gone through all above stated files and registry changes the worm is doing and deleted all or changed to the right value (after the process described here HKEY_CURRENT_USER\Software | 8636065b-fef0-4255-b14f-54639f7900a4 was still there, I deleted it)…
Patrick for your information,
After following the instructions described in http://www.myantispyware.com/2009/12/02/remove-fake-spyware-alert/ and again the instructions here, I still couldn’t remove all of the virus and my PC still had symptoms: no access to task manager, programs suddenly shutting down, getting kicked out of Firefox etc etc
I noticed two exe files in my running processes (mscjm.exe and mscj.exe) with their corresponding entries in HijackThis
O4 – HKCU\..\Run: [mscjm] c:\documents and settings\..\application data\msa\mscjm.exe
O4 – HKCU\..\Run: [mscj] c:\documents and settings\..\application data\msa\mscj.exe
By then I was getting pretty desperate so decided to try my own solution, so ticked the “fix” button on HijackThis before running Malwarebytes for a fourth time. This time it seems everything is fine.
Patrik, your advice has helped me before. Now I need it again.
Was infected with Internet Security 2010 and winlogon32 and smss32. Ran the instructions above, all three steps. Step 1 found and checked both items indicated. Step 2 found and removed helper32.dll as indicated. Ran MalwareBytes again and removed 29 infected items. (Note it said it couldn’t remove one item, but would do so upon rebooting.) Have rebooted and still have problems accessing certain websites and doing searches on Google through Mozilla. Have gone through the steps a few times since; none of the items appear in steps 1 or 2 anymore, but the problem still occurs once I reboot. Not sure what the next step should be. Any ideas, Patrik?
natalia, Right click to desktop, select Properties and choose a background/wallpaper.
Bart, probably your computer is infected with TDSS trojan. Ask for help in our spyware removal forum.
Patrik – thanks, I’ll do that when I get home tonight. I did notice that I can’t seem to get rid of the SOUNDMAN.EXE trojan with Malwarebytes.
I did all the steps and it removed lots of spyware from my computer. Malwarebytes removed over 300 items. I thought all was well but it started happening again. I ran the startup registry and saw smss32 was on there still, but unchecked. Also, in the task manager I saw smss32.exe running and it would not let me end the process. I previously had Avira anti-spyware on there and it occasionally pops up and tells me that trojan such and such is up and the path name is in the svchost and the tempfile section. Can someone please help?
TR/Crypt.ULPM.Gen Trojan is the error I keep getting in my svchost.exe. I do not know the temp folder name.