Smss32.exe, winlogon32.exe, helper32.dll are components of trojan FakeAlert. Once installed, the trojan will configure itself to run automatically when Windows starts. When the trojan is started, it will display a screen that stats that Worm.Win32.Netsky detected on your computer as an attempt to make you think your computer in danger. The alert is fake and you can safety ignore it.
What is more, the “smss32.exe, winlogon32.exe, helper32.dll” trojan may display a lot of popups, disable Windows Task Manager, change a desktop background, block the ability to run any applications including antivirus and antispyware programs. The trojan will also download and install Internet Security 2010 onto computer automatically without your permission. Internet Security 2010 is a rogue antispyware program, that reports false infections and shows fake security alerts as method to to trick you into purchase so-called “full” version of the software.
Use the removal guide below to remove smss32.exe, winlogon32.exe, helper32.dll and any associated malware from your computer for free.
Symptoms in a HijackThis Log
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 – HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O10 – Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 – Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
Use the following instructions to remove remove smss32.exe, winlogon32.exe, helper32.dll (Remove Worm.Win32.Netsky Spyware Alert)
Step 1.
Download HijackThis from here and save it to your Desktop.
If you cannot run HijackThis, then re-download it, but before saving HijackThis.exe, rename it first to explorer.exe and click Save button to save it to desktop.
Run HijackThis. Click “Do a system scan only” button. Now select the following entries by placing a tick in the left hand check box, if present:
F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 – HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
Place a checkmark against each of them. Once you have selected all entries, close all running programs then click once on the “fix checked” button. Close HijackThis.
Step 2.
Download LSPFix from here and unzip it to your Desktop.
Run LSPFix. Place a tick in the “I know what i`m doing”.
In the KEEP box select helper32.dll and press “>>” button.
Press Finish>> button. When LSPFix is done removing the LSP you will see a summary box. Press OK.
Step 3.
Download MalwareBytes Anti-malware (MBAM). Once downloaded, close all programs and windows on your computer.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to “Update Malwarebytes’ Anti-Malware” and Launch “Malwarebytes’ Anti-Malware”. Then click Finish.
MalwareBytes Anti-malware will now automatically start and you will see a message stating that you should update the program before performing a scan. If an update is found, it will download and install the latest version.
As MalwareBytes Anti-malware will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main menu. You will see window similar to the one below.
Malwarebytes Anti-Malware Window
Make sure the “Perform quick scan” option is selected and then click on the Scan button to start scanning your computer for remove smss32.exe, winlogon32.exe, helper32.dll. This procedure can take some time, so please be patient.
When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click “Show Results”. You will see a list of infected items similar as shown below.
Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click “Remove Selected” button to remove THREATNAME. MalwareBytes Anti-malware will now remove all of associated remove smss32.exe, winlogon32.exe, helper32.dll files and registry keys and add them to the programs’ quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Smss32.exe, winlogon32.exe, helper32.dll creates the following files and folders
C:\WINDOWS\system32\helper32.dll
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\winlogon32.exe
C:\WINDOWS\system32\41.exe
C:\WINDOWS\system32\warning.html
Smss32.exe, winlogon32.exe, helper32.dll creates the following registry keys and values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop | NoChangingWallpaper = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer | NoSetActiveDesktop = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer | NoActiveDesktopChanges = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | smss32.exe = “C:\WINDOWS\system32\smss32.exe”
HKEY_CURRENT_USER\Software | 8636065b-fef0-4255-b14f-54639f7900a4 = “8636065b-fef0-4255-b14f-54639f7900a4”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General | Wallpaper = “C:\WINDOWS\system32\warning.html”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoSetActiveDesktop = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoActiveDesktopChanges = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = “C:\WINDOWS\system32\winlogon32.exe”
Daniel, open a new topic in our Spyware removal forum.
After I did all of this, my computer began to lock up on me. Is there any specific reason for this and how can I fix it?
Scott, what you mean “lock up on me” ?
After a while, my computer will just freeze and I can’t do anything.
I’d just like to say thanks Patrik. You’ve helped lots of people out with this, including myself, and I just thought I’d take the time to show some appreciation!
Cheers buddy.
Scott, try boot your PC in Safe mode, run Malwarebytes Anti-malware and perform a scan.
Thanks! Your instructions worked well to clear up the problem in minimal time. It was necessary to run the scan three times to uncover the infected files. The first time using quick scan while connected to the network the scan stopped after uncovering 3 infected files. I disconnected the computer from the network, ran quick scan again and it uncovered 11 more infected files. I then ran a full scan which found 5 more infected files. Now fully connected, pop ups are gone and no other problems are noted. It should be noted the Norton did not stop the infection, nor did it recognize the malware and infected files. Your suggested fix quickly located the infection and allowed easy deletion. Bravo!
Hi, Patrik,
thanks for your info. I managed to delete the virus. however, the virus redirect webpages??
any solution for it or do i still have the virus?
Malwarebytes detected no virus anymore?!!
thanks
amy, probably you have infected with a variant of TDSS trojan. Follow the steps.
Patrik, Thanks for posting the fix for this. When my computer was infected, I deleted smss32.exe and winlogon32.exe from c:\windows\system32 and removed their registry references (reg edit), before I sought help online. I then tried to restart my computer and it wouldn’t let me log on. I can’t get past the welcome screen. It goes through a loop on the log on screen, both for my user profile and administrator. I just read this post and found then deleted helper32.dll , 41.exe and warning.html through the recovery console but I still can’t log on. The only access I have to my computer is through the recovery console, so I can’t run any programs or edit the registry. And I can’t do an XP repair install because I have XP pro and I’m running the recovery console with an XP home cd. Also, I don’t have a floppy drive. I had to make a slipstream XP disk. Any help would be greatly appreciated. thanks!
Forgot to mention I can’t log on to safe mode either and the last known good configuration doesn’t work either. I did a dir command and didn’t find any files associated with the TSDD trojan in the directories listed in the link above. I think I also had a process running called xuxfncpmxbyudddjltgvw and that was also listed as the company name when I right clicked smss32.exe and winlon\gon32.exe under properties>version:company. Thanks again.
Blair, boot your PC in Recovery console.
You will now see the Prompt c:\windows>
Type cd system32 and press Enter.
Type copy userinit.exe winlogon86.exe and press Enter.
Type copy userinit.exe winlogon32.exe and press Enter.
Type del winupdate86.exe and press Enter.
Type del smss32.exe and press Enter.
Type del critical_warning.html and press Enter.
Type exit and press Enter.
Reboot your computer and run Malwarebytes Anti-malware.
Patrick,
Thanks for this thread. Your instructions are very clear and concise.
My problem is similar to Blair’s (deleted smss32.exe and winlogon32.exe before I found this thread. I have the endless loop of logging in and immediately shutting down. I can’t boot in safe mode. My big problem is I’ve misplaced my xp install disk so I can’t boot in Recovery console to follow your instructions.
Any suggestions would be appreciated.
Thanks!
Thanks so much Worked very well Thanks so much
Hi Patrik,
Thanks for your detailed instructions.
My problem is similar to Blair’s (i.e., I removed smss32.exe, winlogon32.exe, and helper32.dll before I found this thread) I am now in the endless loop of logging in with machine immediately logging off. I am unable to boot in safe mode at all.
My real problem is I’ve misplaced my Windows XP install disc and thus am unable to boot PC in Recovery console.
I am able to interrupt the process and get to Set Up. Am wondering if I use SetUp/Maintenance/Load Defaults (to restore factory defaults) will it restore the system without deleting any other updates?
Please help!
Thank you so much. Did everything in Safe Mode with Networking, and it worked wonderfully. I can’t thank you enough.
After scanning with Malwarebytes Anti-Malware, I clicked “remove selected ” and the system froze up while trying to remove the following line:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Any help is appreciated.
I’ve completed steps 1 and 2 but cannot get Malware to run. When I click on it nothing happens. I’ve tried running it from a usb stick and nothing happens when I double click on it. Help!
Ken, you need download and/or build yourself a bootable CD that also has the facility to edit the Windows registry off-line.
Try ultimatebootcd.com
Run from the disk, run registry editor, open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
and change the Userinit entry to “C:\WINDOWS\system32\userinit.exe”
Bill, try run Malwarebytes in Safe mode.
Mona, ask for help in our Spyware removal forum.
I see this often and pretty much what many state for removal. Patrik was right. I use ERD Commander to boot from:
1. Edit the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\winlogon32.exe and replace winlogon32.exe to userinit.exe
2. Delete smss32.exe and winlogon32.exe
3. Run combofix then malwarebytes.
4. Should be fixed.
Hi,
3 days ago I got the SMSS32.exe appearing on my desktop, but Avira couldn’t recognize any virus. Task manager disappeared and Internet security 2010 also popped-up all the time.
On the recommandation of a collegue I reinstalled Windows7 and then Avira could recognize winlogon32.exe, which I let quarantaining/repairing, and now, buy restarting my computer, I just have a black screen… I can’t do anything now ==>> Is there a solution to my problem? I am no expert in computer and a little hopeless. Thx in advance for any help,
C.
Thank you very much….It worked just fine….Finally that annoying thing is off my computer..thanks once again….
Toffer, read my comments above “Comment by Patrik — February 6, 2010 to Blair”, and Comment by Patrik — February 10, 2010 to Ken”
Thank you, thank you, thank you! Worked perfectly, although my laptop is running slowly at startup!
Thanks so much for your clear and detailed advice. Something that is so often missing on other advice sites. You saved me from a meltdown.
Its awesome work man…Its worked for me…keep going
omg this worked. easy to follow and actually quite quick. i got these horrible viruses on my mums laptop a couple of days ago from downloading torrents. anyway longstory short i just spent a coupld frantic hours trying to fix the problems. so im here now sitting with my desktop pc with like 20 forums opened and my mums laptop on my desk blocking my second moniter. this really worked. ive only restareted once so i think really i wont know until after a couple days but signs are very good for this
WOW. I’m Scanning with malwarebytes at the moment, and so far it has found 45! I really hope this works! This weird sound comes up saying something about getting a girl, having 3 kids and so on! at the moment my AVG9 keeps on popping up every 5 seconds, saying TROJAN HORSE! TROJAN HORSE! it finds up to 8 at a time!