Removing SMSS32.EXE from Windows 2000

Smss32.exe, winlogon32.exe and helper32.dll are components of the trojan FakeAlert. Once installed, the trojan configures itself to run automatically when Windows starts. When the trojan starts, it displays a screen stating that Worm.Win32.Netsky was detected on your computer, in an attempt to make you think your computer is in danger. The alert is fake and you can safely ignore it.

What is more, the “smss32.exe, winlogon32.exe, helper32.dll” trojan may display a lot of popups, disable Windows Task Manager, change the desktop background and block the ability to run any applications, including antivirus and antispyware programs. The trojan will also download and install Internet Security 2010 onto your computer automatically without your permission. Luckily my ZoneAlarm firewall flagged this up and I was able to stop it.

Internet Security 2010 is a rogue antispyware program that reports false infections and shows fake security alerts as a method to trick you into purchasing the so-called “full” version of the software.

DO NOT INSTALL INTERNET SECURITY 2010

The SMSS32 virus is particularly hard to remove from Windows 2000 machines because it not only takes over the WindowsNT logon but also stops you from using Task Manager to kill it manually. Worse, the virus removal software I tried to use to remove it doesn't run on Windows 2000. It took me several hours to work out how to do it manually, but here it is...

SMSS32.EXE is very dangerous - Remove it manually this way...

1 – You need another disk or CD that you can boot your system from. If you don’t have one, create one now and print out these instructions – you’ll need them!

2 – Boot your system using the boot disk and browse to the following directory (NB: these folders are normally hidden)

C:\WINDOWS\system32\

Smss32.exe, winlogon32.exe, helper32.dll create the following files and folders – delete them and then empty the recycle bin

C:\WINDOWS\system32\helper32.dll
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\winlogon32.exe
C:\WINDOWS\system32\41.exe
C:\WINDOWS\system32\warning.html

3 – Now you have a system that will boot 'virus free', but you can’t log on to it because SMSS32.EXE has taken over WindowsNT logon. To get around this, proceed as follows:

Browse back to C:\WINDOWS\

Copy C:\WINDOWS\regedit.exe to C:\WINDOWS\system32

Browse forward to C:\WINDOWS\system32

Rename the regedit.exe copy (in the system32 folder) to winlogon32.exe

4 – Now reboot the system as normal and log on as normal. You will go straight into the registry editor, and now you have to find and delete all the following entries.

Smss32.exe, winlogon32.exe and helper32.dll create the following registry keys and values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop | NoChangingWallpaper = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer | NoSetActiveDesktop = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer | NoActiveDesktopChanges = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | smss32.exe = "C:\WINDOWS\system32\smss32.exe"
HKEY_CURRENT_USER\Software | 8636065b-fef0-4255-b14f-54639f7900a4 = "8636065b-fef0-4255-b14f-54639f7900a4"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General | Wallpaper = "C:\WINDOWS\system32\warning.html"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoSetActiveDesktop = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoActiveDesktopChanges = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = "C:\WINDOWS\system32\winlogon32.exe"

DELETE THEM ALL !

5 – When you finish, exit the registry editor and use <ctrl><alt><delete> to bring up the Windows 2000 security window, then select <shut down> and <restart>.

6 – Your computer is now fixed and usable. If you want, you can tidy up by deleting

C:\WINDOWS\system32\winlogon32.exe

But this program is not the original virus; it’s just a copy of regedit.exe.
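
To confirm that nothing from the lists above is left after step 4, the registry can be exported to a text file and checked on another machine. The script below is an added example, not part of the original write-up; the function names and the sample export are made up for illustration, and it assumes the export has already been read into a Python string.

```python
import re

# File names, policy values and marker value copied from the lists on this page.
TROJAN_FILES = {"smss32.exe", "winlogon32.exe", "helper32.dll", "41.exe", "warning.html"}
POLICY_VALUES = {"disabletaskmgr", "nochangingwallpaper",
                 "nosetactivedesktop", "noactivedesktopchanges"}
MARKER = "8636065b-fef0-4255-b14f-54639f7900a4"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data

def unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Yield (key, value_name, data) from a regedit text export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])
            yield key, unescape(m.group(1)), data

def leftovers(text):
    """Return the entries that still match the page's lists."""
    hits = []
    for key, name, data in parse_reg(text):
        basename = data.lower().rstrip(",").rsplit("\\", 1)[-1]
        policy = (name.lower() in POLICY_VALUES and "\\policies\\" in key.lower()
                  and data.lower() == "dword:00000001")
        if basename in TROJAN_FILES or name.lower() == MARKER or policy:
            hits.append((key, name, data))
    return hits

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\winlogon32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

for hit in leftovers(SAMPLE):
    print(hit)
```

A Userinit value that names userinit.exe, which is the standard Windows setting, is not reported; only data pointing at one of the listed files is.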

And Finally...

If you were using Windows Active Desktop you will have to re-enable it. I didn't bother.