Removed: winlogon32.exe, smss32.exe
Malware: qKmfGb.exe
Removed: C:\WINDOWS\system32\winlogon32.exe
C:\WINDOWS\system32\smss32.exe
—————————————————————————————————————————-
Classification:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2010.01.11 | Trojan.Downloader.FakeAlert.EG |
| Kaspersky | 7.0.0.125 | 2010.01.11 | Trojan-Downloader.Win32.FraudLoad.wxoe |
| McAfee | 5858 | 2010.01.11 | - |
| Microsoft | 1.5302 | 2010.01.11 | TrojanDownloader:Win32/Fakeinit |
| NOD32 | 4761 | 2010.01.11 | Win32/TrojanDownloader.FakeAlert.AED |
| Symantec | 20091.2.0.41 | 2010.01.11 | - |
—————————————————————————————————————————-
Additional information
File size: 33792 bytes
MD5 : f37b675d8a6689f2bb745f1256aa21ba
SHA1 : c5d1f9810383550f6440043bf1dd36d9072d5f96
SHA256: 4ee1989f1922e7c352b1055d56fa7c398037d25d41e52f14cee903f77dbd2076
—————————————————————————————————————————-
Installation
When the program is executed, it creates the following registry subkeys and values:
———————————-
Keys added:3
———————————-
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
———————————-
Values deleted:1
———————————-
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\Wallpaper: ""
———————————-
Values added:9
———————————-
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\NoChangingWallpaper: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoSetActiveDesktop: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoActiveDesktopChanges: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe: "C:\WINDOWS\system32\smss32.exe"
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\Wallpaper: "%SystemRoot%\system32\warning.html"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper: 0x00000001
———————————-
Values modified:4
———————————-
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\winlogon32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState: 24 00 00 00 38 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 0D 00 00 00 00 00 00 00 02 00 00 00
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState: 24 00 00 00 78 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 0D 00 00 00 00 00 00 00 02 00 00 00
———————————-
Files added:5
———————————-
C:\WINDOWS\system32\helper32.dll
C:\WINDOWS\system32\IS15.exe
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\warning.html
C:\WINDOWS\system32\winlogon32.exe
———————————-
Files [attributes?] modified:1
———————————-
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Desktop.htt
———————————-
Total changes:23
———————————-
—————————————————————————————————————————-
Detected by UnHackMe:
Item Name: UserInit
Author: Unknown
Related File: C:\WINDOWS\system32\winlogon32.exe
Type: UserInit Value
Item Name: smss32.exe
Author: FBcTSRgugUr
Related File: C:\WINDOWS\system32\smss32.exe
Type: Registry Run
Item Name: smss32.exe
Author: FBcTSRgugUr
Related File: C:\WINDOWS\SYSTEM32\SMSS32.EXE
Type: Running Processes
Removal Results: Success
Number of reboot: 1
—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com
Comments
3 Comments on Removed: winlogon32.exe, smss32.exe

Rikstar on Fri, 5th Feb 2010 4:19 am

Can you help me???
I recently got the virus that installs the bogus Internet Security 2010.
I deleted this registry value because I thought it was one created by the virus, but I guess it was actually just modified by the virus:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = "C:\WINDOWS\system32\winlogon32.exe"
The registry should actually be:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = "C:\WINDOWS\system32\userinit.exe"
Right???? maybe??
Anyway, now I can't log in to Windows. If this missing piece of the registry is the problem, then if I add the correct one into the registry via the Windows XP startup disc using the recovery function it should work, right? The only problem is I have to add it through DOS and I'm not very code savvy.
I found this code online looking for answers, but I don't want to try anything that I'm not sure about:
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /f /d "%windir%\system32\userinit.exe"
Are there supposed to be quotations? Any help is appreciated, thanks.

admin on Sat, 13th Feb 2010 9:17 pm

Visit: http://greatis.com/support
Make your regrunlog.txt using RegRun or Reanimator and attach it to your ticket.

admin on Thu, 4th Mar 2010 2:25 pm

You can use reg.exe or regedit.exe for restoring the "Userinit" registry value.
But if malware is in memory it can easily restore the registry value back.
I suggest you post your regrunlog.txt (made by RegRun Suite or UnHackMe Reanimator) to our support center: http://www.greatis.com/support
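As an added example, not part of the original report, the comment thread or the UnHackMe/RegRun tools: a read-only PowerShell audit that checks a booted Windows host for the indicators listed in the Installation section above (the Userinit hijack, the smss32.exe Run entry, the desktop and Task Manager policy values, the dropped files) and for the two processes UnHackMe reported. The expected Userinit value is taken from the "Values modified" entry above, trailing comma included; the -Restore switch, which writes that value back, is this script's own addition. Run it elevated. It assumes the system can still be logged into; when it cannot, as in the comment above, reg.exe from the recovery environment is the tool, and the admin's caveat applies either way: if smss32.exe or winlogon32.exe is still running, the value will simply be rewritten, which is why the process check comes first.

```powershell
<#
  Added example (not part of the original report or the UnHackMe/RegRun tools).
  Audits a live Windows host for the indicators listed in this report and
  optionally restores the Winlogon Userinit value. Read-only unless -Restore
  is given. Run from an elevated PowerShell session.
#>
param([switch]$Restore)

# Default Userinit value, as recorded in the "Values modified" entry above
# (the trailing comma is part of the stock value).
$winlogonKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
$findings         = New-Object System.Collections.Generic.List[string]

# 1. The malware processes named in the report. If these are alive, any
#    registry repair will be undone, so this check comes first.
foreach ($proc in Get-Process -Name smss32, winlogon32 -ErrorAction SilentlyContinue) {
    $findings.Add("running process: $($proc.ProcessName) (PID $($proc.Id))")
}

# 2. Userinit: missing (logon fails) or pointing at winlogon32.exe (hijacked).
$userinit = (Get-ItemProperty -Path $winlogonKey -Name Userinit -ErrorAction SilentlyContinue).Userinit
if (-not $userinit) {
    $findings.Add("Userinit value is missing; expected '$expectedUserinit'")
} elseif ($userinit -ne $expectedUserinit) {
    $findings.Add("Userinit is '$userinit'; expected '$expectedUserinit'")
}

# 3. Run-key persistence listed under "Values added".
$runValue = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
                              -Name 'smss32.exe' -ErrorAction SilentlyContinue).'smss32.exe'
if ($runValue) { $findings.Add("Run entry smss32.exe -> $runValue") }

# 4. Policy values the sample sets to 1 (wallpaper lock, Task Manager disabled).
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoSetActiveDesktop' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktopChanges' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallpaper' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer';      Name = 'NoSetActiveDesktop' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer';      Name = 'NoActiveDesktopChanges' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop'; Name = 'NoChangingWallpaper' }
)
foreach ($check in $policyChecks) {
    $value = (Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue).($check.Name)
    if ($value -eq 1) { $findings.Add("$($check.Path)\$($check.Name) = 1") }
}

# 5. Files listed under "Files added".
foreach ($name in 'winlogon32.exe', 'smss32.exe', 'helper32.dll', 'IS15.exe', 'warning.html') {
    $path = Join-Path "$env:SystemRoot\system32" $name
    if (Test-Path -LiteralPath $path) { $findings.Add("file present: $path") }
}

if ($findings.Count -eq 0) {
    'No indicators from this report were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}

# Optional repair of the one value that blocks logon. Stop the processes found
# in step 1 first, or the value will be rewritten.
if ($Restore -and $userinit -ne $expectedUserinit) {
    Set-ItemProperty -Path $winlogonKey -Name Userinit -Value $expectedUserinit
    "Userinit restored to '$expectedUserinit'"
}
```

Save as, for instance, audit-is2010.ps1 and run `.\audit-is2010.ps1` to report only, or `.\audit-is2010.ps1 -Restore` to also put Userinit back. Note that the reg add line quoted in the comment above omits the trailing comma that the stock value carries; Windows accepts a single path without it, so either form restores logon, but the version in this script matches the value the report recorded before infection.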