Jump to content

Registry key for smss32.exe keeps coming back

Santos

By Santos
in Resolved Malware Removal Logs

 Share

Recommended Posts

Santos

Santos

Posted
Posted

Hey,

Firefox asked me to post here regarding a registry key that I delete using Malwarebytes or even manually and it comes back. I remove it with MBAM and it comes back. I delete it manually from the registry and it comes back instantly, I change a folder in the registry go back to run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe is back. I don't know what is writing it. What is interesting enough is that if I change HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igfxtray.exe then it stays that way, I delete it and it comes back as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igfxtray.exe. Really weird.

Please help. Logs are attached. Thanks in advance.

Attach.zip

Link to post
Share on other sites
extremeboy

extremeboy

Posted
Posted

Hello.

Let's begin, sorry for the confusion.

First, we need to disable a few things.

Realtime security programs are important for keeping out malware. However, they can interfere with the tools we need to run. Please disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Disable SpyBot's TeaTimer

We need to disable Spybot S&D's "TeaTimer"

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.

  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click mode.png and then on "Advanced Mode"
    advanced%20mode.png
  4. You may be presented with a warning dialog. If so, press btnYes.png
  5. Click on tools.png
  6. Click on resident.png
  7. Uncheck this checkbox:
    teatimercheck.png
  8. Close/Exit Spybot Search and Destroy

Download and Run OTM

  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the OTMdesktopicon.png icon on your desktop If you are running on Vista, right click on the file and choose Run As Administrator.
  3. Paste the following code under the pasteline.png area. Do not include the word "Code".
    :processes
    explorer.exe
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "smss32.exe"=-
    :Commands
    [CREATERESTOREPOINT]
    [resethosts]
    [emptytemp]


  4. Click the large btnmoveit.png button.
  5. If OTM requires are reboot, please allow it to do so.
  6. Copy/Paste the contents under the results.png line here in your next reply.

Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Let me know how it goes.

Link to post
Share on other sites
Santos

Santos

Posted
  • Author
Posted

Hey extremeboy,

I got it!!! I did a little experiment. I followed your instructions, then ran Malwarebytes to see if the key came back and it didn't. Restarted Spybot's resident and ran Malwarebytes again. The key came back. Deleted it from the registry the key came back. Shutoff both of Spybot's residents deleted the key and it didn't come back. Restarted Spybot's residents and the key came back. So, on the system tray, I right clicked on Spybot and chose settings, smss32.exe was in the blocked registry changes list. I deleted it from the blocked registry changes list and deleted the key and allowed the change using Spybot. The key does not come back anymore! I think that the blocked registry changes in teatimer.exe should be taken into account when removing malware because the removed registry key comes back when teatimer.exe is activated again. There should not be any blocked registry changes in teatimer.exe during removal of malware/spyware.

Thanks so much for your help!!!

OTM log is below if you need it.

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\smss32.exe deleted successfully.
========== COMMANDS ==========
Restore point Set: OTM Restore Point (64424509440)
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Admin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator

User: administrator.CHESHIRE_ACAD.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: All Users.WINDOWS

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: hester.tinti-kane
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: santos.cardona
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: santos.cardona.CHESHIRE_ACAD
->Temp folder emptied: 1382972 bytes
->Temporary Internet Files folder emptied: 4761861 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: TEMP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: william.johnson
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 88788 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 6.00 mb


OTM by OldTimer - Version 3.1.10.0 log created on 03172010_094649

Files moved on Reboot...

Registry entries deleted on Reboot...

Hello.

Let's begin, sorry for the confusion.

First, we need to disable a few things.

Realtime security programs are important for keeping out malware. However, they can interfere with the tools we need to run. Please disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Disable SpyBot's TeaTimer

We need to disable Spybot S&D's "TeaTimer"

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.

  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click mode.png and then on "Advanced Mode"
    advanced%20mode.png
  4. You may be presented with a warning dialog. If so, press btnYes.png
  5. Click on tools.png
  6. Click on resident.png
  7. Uncheck this checkbox:
    teatimercheck.png
  8. Close/Exit Spybot Search and Destroy

Download and Run OTM

  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the OTMdesktopicon.png icon on your desktop If you are running on Vista, right click on the file and choose Run As Administrator.
  3. Paste the following code under the pasteline.png area. Do not include the word "Code".
    :processes
    explorer.exe
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "smss32.exe"=-
    :Commands
    [CREATERESTOREPOINT]
    [resethosts]
    [emptytemp]


  4. Click the large btnmoveit.png button.
  5. If OTM requires are reboot, please allow it to do so.
  6. Copy/Paste the contents under the results.png line here in your next reply.

Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Let me know how it goes.

Link to post
Share on other sites
extremeboy

extremeboy

Posted
Posted

Hello.

Yup, it worked. I believed it was due to Spybot interference from the log you posted since it was running at startup and we didn't disable it or I gave you "specific" instruction on disabling it. Spybot has this feature that allows it to remember things that are fixed and can cause issues with removal procedures.

Glad we fixed it now though.

Happy surfing again.

Link to post
Share on other sites
Santos

Santos

Posted
  • Author
Posted

Hey,

I'm glad too. Well I think it's something to check when doing a removal. Thanks again for your help!

Take care,

Santos

Hello.

Yup, it worked. I believed it was due to Spybot interference from the log you posted since it was running at startup and we didn't disable it or I gave you "specific" instruction on disabling it. Spybot has this feature that allows it to remember things that are fixed and can cause issues with removal procedures.

Glad we fixed it now though.

Happy surfing again.

Link to post
Share on other sites
extremeboy

extremeboy

Posted
Posted

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we can help. :)

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,

Extremeboy

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.