smartsearch.ws: can't run CWShredder or HijackThis

Discussion in 'adware, spyware & hijack cleaning' started by g.turbelin, Jan 13, 2004.

Thread Status:
Not open for further replies.
  1. g.turbelin

    g.turbelin Guest

    Hi,

    I am trying to run Ad-aware, CWShredder or HijackThis to clean up
    my computer (XP), which is infected by "smartsearch.ws".
    But the windows of these programs disappear after 5 seconds.

    The problem is the same when I do a Google search in IE
    with "adaware" as a keyword.

    Is this a known problem?

    Please help...

    (Sorry for my poor English, I'm... French.)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi g.turbelin,

    Yes. It is a known problem.
    Please download this text file: http://www.wilderssecurity.com/attachments/processnames.txt and rename it to processnames.vbs.
    Then double-click it. It will display a prompt with all the running processes on your computer. Click OK and it will make a .txt file out of that.
    Post the content of the .txt file and I will tell you which one needs to be stopped, so you can use HijackThis and CWShredder.

    If you have script protection, you may get an alarm about running the .vbs.
    Ignore that; this one is harmless.

    Regards,

    Pieter
     
  3. g.turbelin

    g.turbelin Guest

    Thank you, Pieter,

    Here is the result :

    System Idle Process
    System
    C:\WINDOWS\System32\smss.exe
    csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\WIDCOMM\Logiciel Bluetooth\bin\btwdins.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\ansyslmd.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Windows\iexplorer.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\WINDOWS\System32\WScript.exe
    wmiprvse.exe

    Regards

    Greg
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Greg,

    This is the process to kill: C:\Windows\iexplorer.exe
    Do NOT confuse it with explorer.exe or iexplore.exe, which are both legitimate files.

    After ending the process in Task Manager, delete that file and see if there is a file called network.sys in the same directory. If so, delete that one as well.

    Now you should be able to run CWShredder and HijackThis.
    Please use them in that order and post the HijackThis log.

    Regards,

    Pieter
     
  5. g.turbelin

    g.turbelin Guest

    Hi Pieter,

    I've killed iexplorer.exe and network.sys.

    Now CWShredder and HijackThis can run.

    Here is the HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 14:58:52, on 13/01/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\WIDCOMM\Logiciel Bluetooth\bin\btwdins.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\ansyslmd.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\temporaires\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=greppo.univ-evry.fr:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = inti.univ-evry.fr
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hp.com/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.netscape.fr"); (C:\Documents and Settings\Grégory Turbelin\Application Data\Mozilla\Profiles\default\q8kal2lt.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\Grégory Turbelin\Application Data\Mozilla\Profiles\default\q8kal2lt.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [UserSystem] C:\Windows\iexplorer.exe
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Fichiers communs\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKCU\..\Run: [UserSystem] C:\Windows\iexplorer.exe
    O4 - Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: MS Office - Démarrage accéléré.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Envoyer à &Bluetooth - C:\Program Files\WIDCOMM\Logiciel Bluetooth\btsendto_ie_ctx.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: @btrez.dll,-4015 (HKLM)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Regards,

    Greg
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Greg,

    First download and run the W32.Blaster.Worm Removal Tool.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [UserSystem] C:\Windows\iexplorer.exe
    O4 - HKLM\..\Run: [windows auto update] msblast.exe

    O4 - HKCU\..\Run: [UserSystem] C:\Windows\iexplorer.exe

    Then reboot and pay Windows Update a visit.
    You may also have to reinstall NAV, since it was probably corrupted by Blaster (only necessary if the removal tool really finds something).

    Regards,

    Pieter
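
An added example, not part of the thread and not code from HijackThis, CWShredder or the processnames.vbs script: the checks Pieter applied by eye above, run as code over the process list from post 3 and the O4 lines from post 5 (copied here, abridged). It flags running images whose name is one character away from a well-known Windows binary (iexplorer.exe against explorer.exe and iexplore.exe), Run-key entries that are bare filenames with no directory (msblast.exe), and, for entries that already look wrong, whether the image is currently running, which is why the order is end the process, delete the file, then fix the Run entries. The WELL_KNOWN list and the flag wording are my own choices, and the heuristics do not depend on the particular filename this variant happened to use.

```python
"""Heuristic triage of a process list and HijackThis 'O4' autostart lines.
Added example for this thread, not code from HijackThis, CWShredder or the
processnames.vbs script; it reads pasted text only and never touches the system."""
import re
from pathlib import PureWindowsPath

# Names worth imitating (my own list). One edit away from these is what Pieter's
# "do NOT confuse with explorer.exe or iexplore.exe" warning is about.
WELL_KNOWN = {
    "explorer.exe", "iexplore.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "smss.exe", "spoolsv.exe", "taskmgr.exe",
}
# 'O4 - HKLM\..\Run: [value name] command line'; Startup-folder O4 lines differ.
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Executable at the start of a command line: quoted, or first token ending in .exe.
FIRST_EXE = re.compile(r'^"([^"]+)"|^(\S+?\.exe)\b', re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute); file names are short."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(name):
    """Well-known binaries that `name` is exactly one edit away from."""
    n = name.lower()
    if n in WELL_KNOWN:
        return []  # an exact match is not a lookalike
    return sorted(w for w in WELL_KNOWN if edit_distance(n, w) == 1)

def parse_process_list(text):
    """Basenames from processnames.vbs-style output (full paths or bare names)."""
    return [PureWindowsPath(l.strip()).name for l in text.splitlines() if l.strip()]

def image_of(cmd):
    """Executable part of a Run value's command line."""
    m = FIRST_EXE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd  # else: unquoted path with spaces

def triage_run_entry(line, running):
    """Flags for one Run-key O4 line, or None if the line is not a Run-key entry."""
    m = O4_RUN.match(line)
    if not m:
        return None
    hive, _key, value, cmd = m.groups()
    image = image_of(cmd)
    base = PureWindowsPath(image).name
    flags = []
    if base.lower() == image.lower():
        flags.append("bare filename: which copy runs depends on the search path")
    mimics = lookalikes(base)
    if mimics:
        flags.append("lookalike of " + " / ".join(mimics))
    # Pieter's order: end the process first, then delete the file, then fix
    # the Run entry. Only worth saying for entries that already look wrong.
    if flags and base.lower() in {r.lower() for r in running}:
        flags.append("currently running: end the process before deleting the file")
    return {"hive": hive, "value": value, "image": image, "flags": flags}

def triage(process_text, hjt_text):
    """Lookalike running processes plus per-entry flags for the Run keys."""
    running = parse_process_list(process_text)
    found = {n: lookalikes(n) for n in running if lookalikes(n)}
    entries = [triage_run_entry(l.strip(), running) for l in hjt_text.splitlines()]
    return {"lookalikes": found, "run_entries": [e for e in entries if e]}

# Sample input copied (abridged) from the process list and HijackThis log above.
SAMPLE_PROCESSES = r"""
C:\WINDOWS\System32\smss.exe
csrss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Windows\iexplorer.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\WScript.exe
"""
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

if __name__ == "__main__":
    report = triage(SAMPLE_PROCESSES, SAMPLE_HJT)
    for e in report["run_entries"]:
        if e["flags"]:
            print(f"{e['hive']} [{e['value']}] {e['image']}: " + "; ".join(e["flags"]))
```

Run it with python3 and it prints the Run entries that deserve a look. Treat the output as a worklist, not a verdict: AGRSMMSG.exe and Ati2mdxx.exe in the log above are bare filenames too and are legitimate, so the bare-filename flag on its own only means verify where the file lives, while the combination of a lookalike name, an autostart entry in both HKLM and HKCU, and a matching running process is the pattern Pieter acted on.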
     
  7. g.turbelin

    g.turbelin Guest

    Hi Pieter,

    W32 was not found on my system.

    I followed your instructions; everything is
    OK now.

    Thank you, and now I will try to minimize
    the risk of infection.

    Best regards

    Greg
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Glad we could help Greg. :)

    Regards,

    Pieter
     
  9. Welshjim

    Welshjim Registered Member

    Joined:
    Sep 11, 2003
    Posts:
    13
    Pieter_Arntz -- "Please download this text file: http://www.wilderssecurity.com/attachments/processnames.txt and rename it to processnames.vbs
    Then doubleclick it. It will display a prompt with all the running processes on your computer."
    I feel like I have followed the instructions, but when I double left-click on the icon for processnames.vbs all I get is a window with the text of the file. And if I right-click and click Open, I get the error message below.
     


  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Welshjim,

    Unfortunately that script will not work on most Windows 98 computers. :(

    Are you having the same problem as Greg or were you just testing the script?

    Regards,

    Pieter
     
  11. AkhenatonXP

    AkhenatonXP Guest

    Hi, I found your forum very useful! (I appreciate the VBS script!)

    I just want to tell you that there is another way to be infected:

    A process named DirectX.exe that is located in C:\Program Files\DirectX\ with 2 other files, a setup file and your network.sys!

    I assume that you have to kill the DirectX process, destroy the "C:\Program Files\DirectX\" directory and (optionally) clean the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ DirectX=DirectX.exe registry entry (I don't know if it's the right entry, but you don't need to remove this key; you've deleted the virus).

    If you are not sure, you can just move or rename the DirectX directory, so if it was a wrong idea you can roll back.

    After this, you have to do what Welshjim said!
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi AkhenatonXP,

    There are many filenames being used by this variant of CWS. That is why the script was written. So we can identify the one that is causing it.

    Regards,

    Pieter
     
  13. Welshjim

    Welshjim Registered Member

    Pieter_Arntz--Just testing, since it seemed like a helpful tool. Anyone have a script for Win98? :D
     
  14. Mosaic1

    Mosaic1 Guest

  15. Mosaic1

    Mosaic1 Guest

    So you have the list. But killing the process in 98 is not like in XP or 2K. In 98 it does not appear in the Ctrl+Alt+Del list, so you can't just end the process that easily. If the file is not running, deleting it and cleaning up the registry entries does the job. Getting its name and then killing the process, or preventing it from running in one of several ways, is key.
     
  16. Welshjim

    Welshjim Registered Member

    Mosaic1 --Thank you for the WMI info and comment. Hope I do not have to use it. :)
     