How do you know that is what is creating the folders??? WHY are you looking through folders? Is that in the instructions given? Where are you seeing these folders?

It was more of a random find than anything. I tend to notice folders in my Program Files folder that are in all lowercase letters. That's how I found it. I noticed them when going to click on the new .exe file downloaded for M-bam when I opened the Program Files folder.

I'm not deleting or modifying anything however other than what you tell me specifically to do.

Anyways, as best I can tell your solution did in fact clean my system and get everything back to the way it should be.

I appreciate greatly your efforts.

Now go enjoy the National Championship game!

Ok so here is the deal:

This malware is heavily dependent on it changing the msconfig, so if you restart whilst cleaning it you are back to square one. I have also noticed that there is a degree of infection. If you have a lime green background with a "you are infected" warning then you are pretty much full blown.

Before we start save the following reg snippet to a .reg file and get it onto the infected machine. I had to use a flash drive because all network connectivity was down:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

<---END OF SNIPPET DO NOT ADD THIS LINE TO THE REG FILE--->


What I found worked on 2 infected systems:

1. The malware can disable taskmgr via a registry change so killing the sms32.exe can be pretty tricky. Very quickly hit return on the .reg file that you previously created and hit enter a second time fairly quickly. The reg file should load into the registry before the malware catches the exe. You may have to try a couple of times.

2. Once this has been added to the registry, you should be able to get to taskmgr. It took me a little time as the virus kept blocking it. I found that if I did a system restart and loaded the file into the registry before the malware spun up I could kill the smss32.exe app before full start up procedures have kicked in. Once the smss32 app was down I could start to execute things just fine.

3. Malwarebytes does a bloody good job of cleaning out the infected files after that.

4. You also need to go into msconfig and turn off the dubious entries: randomly generated exes and of course the smss32.exe.

5. I would also go to the registry and clean:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
You should see a couple of entries in there that match the same exes from step 5.

6. This malware can update proxy settings in IExplorer which you can turn off in the TOOLS/INTERNET OPTIONS/CONNECTIONS/Lan Settings/Proxy Server section.

Note: Even after cleaning and running Malwarebytes I couldn't see webpages until I discovered that the proxy settings had been updated.

This is very clever malware. It was smart enough to delete the mbam.exe (Malwarebytes) during install and seriously messed around with Symantec, which by the way did nothing to stop this.

7. After you reboot you should be relatively clean (from my experience).

I feel good cos I beat these guys. They are yet to hit me with one that I couldn't decipher. It's like a Rubik's cube and is probably the most fun I have had in a while, not that I enjoy their stupidness. Obviously my notes are not an out-and-out guide since there are variations of the malware, but hopefully they will help.
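
A read-only check of the places the post above says this malware touches, as an added example that is not part of the original post. The Run key paths, the Internet Settings key and the `command` value name are not in the post; they are assumed here as the standard Windows locations behind msconfig's Startup tab and the IE proxy dialog.

```powershell
# Added example: read-only audit of the settings the post says the malware changes.
# Nothing is modified. Run in the affected user's session, then clean up by hand.
$findings = @()

# Task Manager policy: the .reg snippet in the post resets this value to 0.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableTaskMgr -ne 0) {
    $findings += "Task Manager disabled by policy (DisableTaskMgr=$($policy.DisableTaskMgr))"
}

# Process named in the post (it is spelled both sms32 and smss32 there).
foreach ($p in @(Get-Process -Name sms32, smss32 -ErrorAction SilentlyContinue)) {
    $findings += "Process running: $($p.Name) PID $($p.Id) $($p.Path)"
}

# IE proxy settings (assumed location: per-user Internet Settings key).
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyEnable -eq 1) {
    $findings += "IE proxy enabled: ProxyServer=$($inet.ProxyServer)"
}

# Startup entries shown by msconfig (assumed: the standard Run keys). Listed for review.
$startupKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($path in $startupKeys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        "Startup entry [{0}] {1} = {2}" -f $path, $name, $key.GetValue($name)
    }
}

# Entries already unticked in msconfig, kept under the key from step 5 of the post.
$msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
foreach ($sub in @(Get-ChildItem -Path $msconfigKey -ErrorAction SilentlyContinue)) {
    "MSConfig-disabled entry {0} = {1}" -f $sub.PSChildName, $sub.GetValue('command')
}

if ($findings.Count -eq 0) {
    'No policy, process or proxy findings.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```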

polomint82, Please note, this thread is SOLVED.
