Small.H duplicates file names and processes of legitimate Windows applications.
Windows Task Manager does not show distinctive details:
In order to determine the Small.H processes from the Windows processes, an enhanced Task Manager is needed. Process Explorer, freeware from Sysinternals, is one such application. Note
: This is a Third Party application, the link below will direct you away from F-Secure's website.
1. Download Process Explorer from Sysinternals website: http://www.sysinternals.com/Utilities/ProcessExplorer.html
The application is a standalone exe file and does not require installation.
2. Run Process Explorer, in the process list find the following processes and end them by using the Kill option from the context menu (right-click).
The screenshot below shows the targets highlighted in purple. Note the use of the folder icons unlike the legitimate Windows files. Do not end the Windows processes with the same names also seen in the screenshot.
3. Remove the following files from the hard drive:
- C:\[Documents and Settings]\[Current User]\winlogon.exe
- C:\[Documents and Settings]\[Current User]\csrss.exe
- C:\[Documents and Settings]\[Current User]\Local Settings\Temp\FolderData.exe
[Documents and Settings] is by default C:\Documents and Settings\
for Windows XP installations and C:\Users\
on 2K/Vista installation. [Current User] folder name is the same as the currently logged in user name.
4. Download SmallH_RegCleaner.zip, then extract and merge "SmallH_RegCleaner.reg" into your registry by double-clicking on the file.