Hijack This and smsss.exe
-
I just cleaned a friend's computer of the smsss.exe worm/trojan/bug. Hijack This found entries in the registry under the usual Run & RunService keys (HKCU & HKLM) which I deleted, and a file search revealed its presence in the \Windows\Prefetch directory which I also deleted, but it returned after reboot. So I did a manual search in the registry and found it in several other places.
HKLM\Software\Microsoft\OLE
HKCU\Software\Microsoft\OLE
HKCU\System\CurrentControlSet\Lsa
HKLM\System\CurrentControlSet001\Lsa
HKLM\System\CurrentControlSet003\Lsa
HKU\.Default\Software\Misorosft\OLE
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunServices
HKU\.Default\System\CurrentControlSet\Control\Lsa
After deleting these entries I was able to clean this from his system.
I am running Hijack This 1.99.0 and am wondering if this is a known behavior or is it something that the authors of the program would like to know about. I hate spyware and will do anything and everything I can to help rid the world of it. Let me know if this is helpful to anybody.
Thanks.
-
Quite often there are also several other values and keys left in the Registry related to the spyware, but Hijack This only creates a log of the most commonly affected areas of the registry that spyware invades. If it created a log of everything, and since it isn't specifically aimed at any programs, the log would be massive and take us hours to get through just a few.
The other areas of the registry are left to the dedicated antispyware programs to deal with. Unfortunately, it takes time for the antispyware companies to get the signatures, etc., and it may be some months before definitions are released.
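
The manual registry search described in the first post can be repeated offline against a registry export, which also covers locations outside the areas Hijack This logs. The Python below is an added example, not part of the original thread or of Hijack This; the sample export, the value name "Example Loader" and the function names are constructed for illustration.

```python
import re

# Constructed sample in the text format written by `reg export` / regedit.
# Value names and data are made up; only the key paths echo the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"Example Loader"="smsss.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Example Loader"=hex(2):73,00,6d,00,73,00,73,00,73,00,2e,00,\
  65,00,78,00,65,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

def decode_data(raw):
    """Return value data as text: quoted strings and UTF-16LE hex(1/2/7) strings."""
    if raw.startswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo \\ and \" escapes
    m = re.match(r'hex\((?:1|2|7)\):(.*)', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(',') if b.strip())
        return data.decode('utf-16-le', errors='replace').replace('\x00', ' ').strip()
    return raw  # dword and binary values: keep the literal text

def find_references(reg_text, needle):
    """Return (key, value_name, data) for every value whose data mentions needle."""
    # Long hex values are wrapped with a trailing backslash; join them first.
    text = re.sub(r'\\\r?\n\s*', '', reg_text)
    hits, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key and m:
            name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
            data = decode_data(m.group(2))
            if needle.lower() in data.lower():
                hits.append((key, name, data))
    return hits

if __name__ == '__main__':
    for hit in find_references(SAMPLE_REG, 'smsss.exe'):
        print(' | '.join(hit))
```

Real export files are UTF-16 with a byte-order mark, so read them with `open(path, encoding='utf-16')` before passing the text to `find_references`.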