cougart4bl

Smartsearch about:blank Browser Hijacker Removal

I have a smartsearch.ws web page hijacker that keeps resetting my home page to about:blank, and when I run any of the removal tools (adaware, Spybot S&D, CWShredder, and more) they remove the hijacker only for the remainder of that Windows session. When I reboot I am always back in the same situation with the same two items to be removed. The items I have been removing to fix it are as follows:

O1 - Hosts: 213.159.117.235 auto.search.msn.com
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}

By removing these two entries it temporarily fixes or stops the hijacking.

Does anyone know how to stop this issue permanently????

By the way, I believe this issue started with the java.bytever.a (trend) virus, which has been removed and is not replicating itself anymore.

-------------------This is the Log when I boot up the machine-----------------
Logfile of HijackThis v1.97.7
Scan saved at 1:22:59 AM, on 7/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\PCCNTMON.EXE
C:\WINNT\Mixer.exe
C:\Program Files\Castelle\FaxPress\FaxTray.Exe
C:\Program Files\Castelle\FaxPress\ExCnvt.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Client software\Spyware Cleaner and Protection\spyware toolz\HijackThis.exe

O1 - Hosts: 213.159.117.235 auto.search.msn.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [CstlFaxTray] C:\Program Files\Castelle\FaxPress\FaxTray.Exe /s
O4 - HKLM\..\Run: [FPEXCNVT] C:\Program Files\Castelle\FaxPress\ExCnvt.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Atomic TimeSync.lnk = C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}


------------This is what it looks like after I run any of the removal tools or just remove them with Hijack This---------
Logfile of HijackThis v1.97.7
Scan saved at 1:14:53 AM, on 7/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\PCCNTMON.EXE
C:\WINNT\Mixer.exe
C:\Program Files\Castelle\FaxPress\FaxTray.Exe
C:\Program Files\Castelle\FaxPress\ExCnvt.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\system32\rundll32.exe
F:\Client software\Spyware Cleaner and Protection\spyware toolz\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [CstlFaxTray] C:\Program Files\Castelle\FaxPress\FaxTray.Exe /s
O4 - HKLM\..\Run: [FPEXCNVT] C:\Program Files\Castelle\FaxPress\ExCnvt.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Atomic TimeSync.lnk = C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html


Any help would be greatly appreciated,

Andy
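
The comparison described in the question (which entries are back after a reboot, and what they do) can be scripted. The following is an added example, not part of the original post or of any tool named in this thread: it parses two HijackThis logs, lists the entries that reappear, and flags O1 hosts redirects and O18 protocol hijacks. The log excerpts are shortened copies of the logs above, and the function names are illustrative.

```python
import ipaddress
import re

# Shortened copies of the two logs in the question (constructed excerpts).
LOG_AFTER_REBOOT = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\Explorer.EXE
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}
"""

LOG_AFTER_CLEANING = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

# HijackThis entry lines look like "<section code> - <detail>", e.g. "O18 - ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return the set of (section, detail) entries; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries


def reappearing(after_reboot, after_cleaning):
    """Entries present after a reboot that were absent right after cleaning."""
    return sorted(parse_entries(after_reboot) - parse_entries(after_cleaning))


def triage(entries):
    """Explain O1 (hosts file) and O18 (protocol handler) entries; ignore the rest."""
    findings = []
    for section, detail in entries:
        if section == "O1":
            m = re.match(r"Hosts:\s*(\S+)\s+(\S+)", detail)
            if not m:
                continue
            try:
                addr = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # not an IP address, nothing to judge
            # Loopback/unspecified mappings are the usual blocking idiom, not a redirect.
            if not (addr.is_loopback or addr.is_unspecified):
                findings.append(f"hosts file sends {m.group(2)} to {addr}")
        elif section == "O18":
            # Relies on HijackThis's own "Protocol hijack" label for a changed handler.
            m = re.match(r"Protocol hijack:\s*(\S+)\s+-\s+(\{[0-9A-Fa-f-]+\})", detail)
            if m:
                findings.append(f"'{m.group(1)}' protocol handler replaced by {m.group(2)}")
    return findings


if __name__ == "__main__":
    for finding in triage(reappearing(LOG_AFTER_REBOOT, LOG_AFTER_CLEANING)):
        print(finding)
```

Entries that only return after a reboot are the ones to trace back to whatever re-adds them at startup.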
Luc Franken

Hi cougart4bl,

Together with the one you pointed to, this one also has to go; it belongs to the CoolWeb bug.
> O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

Unless you have the "Alternate User Text Input Processor (TIP) and the Microsoft Office XP language bar." installed...

The file is located at C:\WINNT\system32\
Check the file size; if it's exactly 13,312 bytes big, get rid of that line, otherwise keep it and post a fresh logfile after a reboot.

Greetings,

LucF
Try these...

These are my steps...
1.) Disable System Restore...
2.) Ran McAfee Stinger 2.28
http://vil.nai.com/vil/stinger/
3.) Installed Lavasoft Ad-aware 6.0 (build 181)...update it and start scanning and removal.
http://www.lavasoftusa.com/support/download/
4.) Installed Spybot - Search and Destroy 1.3...update it and start scanning and removal.
http://www.download.com/3000-8022-10122137.html
5.) Installed Javacool SpywareBlaster 3.1...update it and start scanning and removal.
http://www.javacoolsoftware.com/spywareblaster.html
6.) Installed WebRoot Spy Sweeper 3.27...start scanning and removal.
http://www.webroot.com/wb/products/spysweeper/index.php
7.) Ran CWShredder - (single exe)...start scanning and removal.
http://www.spywareinfo.com/~merijn/downloads.html
8.) Uninstalled Norton Anti-Virus, restarted and re-installed Norton Anti-Virus...LiveUpdate...and full system scan.
9.) Checked Windows Update...installed all critical updates...etc.
10.) After system checks = OK, uninstalled 3.) and 6.), ran Defrag disks and Re-enabled System Restore.

Maybe it will work for you too...;-)
pacificlog

Hi,

Follow all instructions below and you will surely get rid of it.


CWS.Smartsearch - Counter-counter-actions
Approx date first sighted: January 7, 2004
Log reference: http://forums.spywareinfo.com/index.php?showtopic=26148
Symptoms: IE hijacked to smartsearch.ws, redirections to smartsearch.ws when entering incomplete URLs into the address bar, antispyware programs closing without reason only a few seconds after opening them
Cleverness: 5/10
Manual removal difficulty: Involves a process killer, lots of registry editing and deleting a few files.
Identifying lines in HijackThis log:

Running processes:
C:\Program Files\directx\directx.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
O4 - HKLM\..\Run: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKLM\..\RunServices: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKCU\..\Run: [SystemEmergency] C:\Program Files\directx\directx.exe
O4 - HKLM\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKLM\..\RunServices: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKCU\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O13 - DefaultPrefix: http://smartsearch.ws/?q=
O13 - WWW Prefix: http://smartsearch.ws/?q= 


This variant is mostly hard to spot since it can use over a dozen different filenames, luckily all with the same registry value. The file is always running and reinstalls the hijack to smartsearch.ws every 10 seconds. Killing the trojan process, deleting/restoring all the Registry values it added or changed and deleting its files fixed the hijack.

CWS.Smartsearch.2: A mutation of this variant exists that attempts to close CWShredder, HijackThis, Ad-Aware, Spybot S&D and the SpywareInfo forums when they are opened. It uses the filename IEXPLORER.EXE (note the extra 'R') and a different Registry value. It drops a hosts file that blocks over two dozen anti-spyware sites. CWShredder has been updated to circumvent this.

CWS.Smartsearch.3: A mutation of this variant exists that uses the startup 'coolwebprogram', and attempts to close CWShredder, HijackThis, Ad-Aware, Spybot S&D and the SpywareInfo forums when they are opened. It also drops notepad32.exe and hijacks the .txt and .log filetypes to open with this file (before showing it in the real Notepad), reinstalling the hijack.

CWS.Smartsearch.4: A mutation of this variant exists that hijacks to magicsearch.ws instead of smartsearch.ws, uses the startup 'MicrosoftWindows' and also drops the notepad32.exe Notepad hijacker like CWS.Smartsearch.3. It also hijacks the DefaultPrefix and WWW Prefix to magicsearch.ws like CWS.Vrape and attempts to kill several firewalls, including (but not limited to) ZoneAlarm and Kerio Personal Firewall.

Known filenames used by this variant:

It's a bit long but very efficient,
Pacificlog
cougart4bl

ASKER

So basically you want me to search for every one of these filenames and if I find any of them delete it???

I will try this tonight and see if I can find any of these files present.
Personal opinion: No, not needed in any way.

pacificlog is talking about the wrong version of CWS... your question might have been a bit confusing as you mentioned Smartsearch... none of those entries are in your hijackthis logfile, so that's not the hijacker on your system.
Take a look at what I posted above: http:#11489355

LucF
I checked the ctfmon file and it is exactly 8192 bytes or 8 kb

I also checked for the presence of every one of those filenames and none are present

Here is a new hijack log
Logfile of HijackThis v1.97.7
Scan saved at 2:22:35 AM, on 7/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\PCCNTMON.EXE
C:\WINNT\Mixer.exe
C:\Program Files\Castelle\FaxPress\FaxTray.Exe
C:\Program Files\Castelle\FaxPress\ExCnvt.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\system32\wisptis.exe
C:\WINNT\system32\zstatus.exe
F:\Client software\Spyware Cleaner and Protection\spyware toolz\HijackThis.exe

O1 - Hosts: 213.159.117.235 auto.search.msn.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [CstlFaxTray] C:\Program Files\Castelle\FaxPress\FaxTray.Exe /s
O4 - HKLM\..\Run: [FPEXCNVT] C:\Program Files\Castelle\FaxPress\ExCnvt.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Atomic TimeSync.lnk = C:\Program Files\AnalogX\Atomic TimeSync\ats.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}

Does anyone know of a utility besides all of the standards to get rid of this bugger???
CWShredder should be able to get rid of it without any problems, so I'm wondering why it doesn't. Have you tried the latest version?
All I know is that every time I start IE it goes to an about:blank page and that it displays a screen saying smartsearch.ws

If I delete the first and last entries in the hijack files it goes away temporarily, or run adaware, or run S&d, they all find the same thing and fix it temporarily but after every reboot it comes back. So all I know are the symptoms and a temp resolution.
I have tried CWShredder 1.591

But what is weird is that it will never update itself on either site attempt.
That's the latest version.... so it should work. Did you close all browser windows before cleaning? And follow all other instructions?
I got CWS to verify that it was current and I most definitely had all browsers closed.

And it appeared to be clean

but then I rebooted it and the **** thing came right back

They just keep getting better and better at making these progs harder and harder to disable and clean
Since I still don't really trust ctfmon.exe, can you try temporarily disabling it:

Start => Run => type "MSCONFIG" and press enter
Look at the startup tab, untick the checkbox in front of ctfmon.exe

Run hijackthis and fix both
O1 - Hosts: 213.159.117.235 auto.search.msn.com
and
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}
(not the ctfmon line, so you can enable it again if needed with msconfig)

Try rebooting now, see if the hijack still occurs.

LucF
CWS.JKSearch and CWS.Svchost32
are detected and removed with CWS after a fresh reboot BUT

As soon as I open IE for the first time they come back again and again (and my Spywareguard notifies me of the attempt and I do not allow it to make the change) BUT

If I run hijack this and delete the first and last entry

O1 - Hosts: 213.159.117.235 auto.search.msn.com
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F81-00104B107C96}

They go away for the remainder of the boot.
I disabled ctfmon and they still come back....
ASKER CERTIFIED SOLUTION
Luc Franken

This solution is only available to members.
I think that did it

There is no smartsearch.ws page on reboot or the listings in the hijackthis log on another scan of cwshredder
Thanks for all your help LucF

These things are getting more and more complicated every day to clean up, and without the help of people that have experienced these problems it is about impossible to always know where to turn next.

Thanks Again
I'm very glad to hear we finally got rid of this hijacker :o)

Take care,

LucF
Someone has written a little prog specifically to dice up this little hijacker.. The hijacker restores itself on reboot and sometimes even quicker by having a hidden dll module hooked in the background.. This little app (best run after removing the offending hijacker with hijackthis.exe and cwshredder.exe) scans the system for all loaded modules that match the variant it was designed for..

http://ducky.atribune.org/

about:buster.. for anyone else give this a shot.. remove the hijacker with hijackthis.exe, run cwshredder.exe, then run about:buster.. you may need to repeat the steps in safe mode, but you wanna try regular mode first.
xsgwiseman,
I fully agree with you, now there is this new tool to get rid of those new annoying hijackers, but this one was already included in CWShredder, so I was wondering why it wasn't fixed by just using it. So finally I decided to just use the manual way by changing the protocol back to the default setting. This one was a bit too tight to the TCP/IP stack :(

Take care,

LucF
I was always under the impression that the CWShredder 1.59.1 update DID catch one of the about:blank variants.. the one beginning with res:// or somesuch.. there is another variant however that includes some numbers after the dll file name IE blah.dll#23872 in the hijack this log. Apparently CWShredder doesn't catch this one, and that's why about:buster was made. Another variant with another hidden dll :(

Correct me if I'm wrong! :)
Ahh, I see what you mean.. Smartsearch.ws is one that CWShredder.exe will remove. My post was simply to help those that were looking for help with an about:blank variant before actually posting the question. The page seemed to have a ton of views.
Yep, you're right, like Merijn noted on his site, his programming skills aren't good enough to handle the newest versions of CWS or in his words for removal: "Sledge hammer or chainsaw recommended" :o) And he had to go back to school. He's studying Computer science in Amsterdam AFAIK. Thankfully another person took over where he had to let go and programmed About:Buster, but that tool doesn't include the old versions of CWS, so CWShredder will still do its job perfectly in a lot of cases.

LucF
>>Smartsearch.ws is one that CWShredder.exe will remove.<<
This was not Smartsearch.ws (check the hijackthis log and you'll see :) ) but the first version of CWS that changed the About:blank protocol. The newer versions are far more advanced...