smartserach.ws : can't run CWshredder or hijackthis

Hi,

I try to run adaware, CWshredder or hijackthis to clean up
my computer (XP) infected by "smartserach.ws".
But the windows of these softwares disappear after 5 seconds.

The problem is the same when a make a google search with IE
with "adaware" as a key word.

Is this a known problem ?

Please help ...

(sorry for my poor english, i'm ...french)

 

Hi g.turbelin,

Yes. It is a known problem.
Please download this text file: http://www.wilderssecurity.com/attachments/processnames.txt and rename it to processnames.vbs
Then doubleclick it. It will display a prompt with all the running processes on your computer. Click OK and it will make a .txt file out of that.
Post the content of the .txt file and I will tell you which one needs to be stopped, so you can use HijackThis and CWshredder.

If you have script protection, you may get an alarm about running the vbs
Ignore that, this one is harmless.

Regards,

Pieter

 

Thank you Peter,

Here is the result :

System Idle Process
System
C:\WINDOWS\System32\smss.exe
csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Logiciel Bluetooth\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Windows\iexplorer.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\System32\WScript.exe
wmiprvse.exe

Regards

Greg

 

Hi Greg,

This is the process to kill: C:\Windows\iexplorer.exe
Do NOT confuse with explorer.exe or iexplore.exe, which are both legitimate files.

After ending the process in TaskManager, delete that file and see if there is a file called network.sys in the same directory. If so delete that one as well.

Now you should be able to run CWShredder and HijackThis.
Please use them in that following order and post the HijackThis log.

Regards,

Pieter

 

Hi peter,

I've killed iexplorer.exe and network.sys.

Now CwShredder and Hijackthis can run.

Here is the HijackThis log

Logfile of HijackThis v1.97.7
Scan saved at 14:58:52, on 13/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Logiciel Bluetooth\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\temporaires\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=greppo.univ-evry.fr:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = inti.univ-evry.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.hp.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.netscape.fr"); (C:\Documents and Settings\Grégory Turbelin\Application Data\Mozilla\Profiles\default\q8kal2lt.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\Grégory Turbelin\Application Data\Mozilla\Profiles\default\q8kal2lt.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Fichiers communs\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O4 - Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: MS Office - Démarrage accéléré.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Envoyer à &Bluetooth - C:\Program Files\WIDCOMM\Logiciel Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Regards,

Greg

 

Hi Greg,

First download and run W32.Blaster.Worm Removal Tool

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe

O4 - HKCU\..\Run: [UserSystem] C:\Windows\iexplorer.exe

Then reboot and pay Windows update a visit.
You may also have to reinstall NAV since it was probably corrupted by Blaster. (Only necessary if the removal tool really finds something)

Regards,

Pieter

 

Hi Peter,

W32 has not been found on my system.

I followed your instructions, Evrything is
OK now.

Thank you, and now I will try to minimize
the risk of infrction.

Best regards

Greg

 

Glad we could help Greg.

Regards,

Pieter

 

Pieter_Arntz --"Please download this text file: http://www.wilderssecurity.com/attachments/processnames.txt and rename it to processnames.vbs
Then doubleclick it. It will display a prompt with all the running processes on your computer. "
I feel like I have followed the instructions, but when I double left click on the icon for processnames.vbs all I get is a window with the text for the file. And if I right click and click Open, I get the error message below.

 

Hi Welshjim,

Unfortunately that script will not work on most Windows 98 computers.

Are you having the same problem as Greg or were you just testing the script?

Regards,

Pieter

 

Hi, i found your forum very usefull ! (I appreciate the vbs script !)

I just want to tell you that there is another way to be infected :

A process named DirectX.exe that is located in C:\Program Files\DirectX\ with 2 other files a setup file and your network.sys !

I assume that you've to kill the directx process, destroy the "C:\Program Files\DirectX\" directory and (optionnaly) clean the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ DirectX=DirectX.exe registry entry (I don't know if it's the right entry but you don't need to remove this key, you've delete the Virus)

If you are not sure, you can just move or rename the DirectX Directory so if it was a wrong idea, you can roll back

After this, you've to do what Welshjim said !

 

Hi AkhenatonXP,

There are many filenames being used by this variant of CWS. That is why the script was written. So we can identify the one that is causing it.

Regards,

Pieter

 

Pieter_Arntz--Just testing, since it seemed like a helpful tool. Anyone have a script for Win98?

 

If you download and install WMI for win 98, it should work. WMI for Win 98 will support many if not all WMI functions supported in 2k and XP.


http://www.microsoft.com/downloads/details.aspx?FamilyId=98A4C5BA-337B-4E92-8C18-A63847760EA5&displaylang=en

 

So you have the list. But killing the process in 98 is not like in XP or 2k. In 98 this does not appear in the Ctrl+Alt+del list. You can't just end the process so easily. If the file is not running, deleting it and cleaning up the registry entries does the job. Getting its name and then killing the process or preventing it from running several ways is key.

 

Mosaic1 --Thank you for the WMI info and comment. Hope I do not have to use it.