CWS.smartsearch.2/removing MS Java VM/Hijack This log

Dan

I have win2k sp4. Today I ran CWShredder. It opened in a window with a
set of random characters as its title, and informed me it did this
because cws.smartsearch.2 had infected my machine & was preventing it
from opening under its own name. I was unable to update cwshredder
(couldn't connect to server at either site), so I ran shredder anyway.
It said my system was uninfected, including saying "not present" for
cws.smartsearch.2. I'm wondering if there is a definitive way of
telling if this or any similar parasite is present. Also, how can I
remove MS Java VM from my machine? I would prefer to do this manually
rather than with an MS patch, since the last one I ran crashed my machine.

BTW I run spysweeper, adaware, spybot sd & Norton av, all up to date &
all say no problems (other than the odd tracking cookie). Also I ran
hijack this, here is the log. I hope it's ok that I include this, all
looks well to my moderately informed eye, I do try to keep services &
other background crap to a minimum, I'd like to know if anyone sees
anything suspicious:

TIA,

Dan


Logfile of HijackThis v1.97.7
Scan saved at 1:07:52 PM, on 8/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\csrss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton Internet Security\NISUM.EXE
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Norton Internet Security\SymProxySvc.exe
E:\WINNT\system32\mspmspsv.exe
E:\Program Files\Norton Internet Security\NISSERV.EXE
E:\WINNT\Explorer.EXE
E:\PROGRA~1\NORTON~1\navapw32.exe
E:\Program Files\Norton Internet Security\IAMAPP.EXE
E:\Program Files\Logitech\iTouch\iTouch.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\1stClock\1stClock.exe
E:\Program Files\Ad-aware 6 Pro\Ad-watch.exe
E:\Program Files\Norton Internet Security\ATRACK.EXE
e:\Program Files\hotmail popper\hotpop.exe
E:\Program Files\Winamp\Winamp.exe
E:\Program Files\CWShredder.exe
E:\HijackThis.exe
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Program Files\Mozilla Thunderbird\thunderbird.exe

F1 - win.ini: load=F:\CDSETUP.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} -
E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] E:\Program Files\Norton Internet
Security\IAMAPP.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] E:\Program
Files\Logitech\iTouch\iTouch.exe
O4 - HKCU\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe" /0
O4 - Startup: 1st Clock.lnk = E:\Program Files\1stClock\1stClock.exe
O4 - Startup: explorer.exe.lnk = C:\WINNT\explorer.exe
O4 - Startup: Shortcut to Ad-watch.exe.lnk = E:\Program Files\Ad-aware 6
Pro\Ad-watch.exe
O4 - Startup: Shortcut to Main.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Researcher (HKLM)
O12 - Plugin for .bcf: E:\Program Files\Internet
Explorer\Plugins\NPBelv32.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38202.6722222222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



TIA
 
Steven L Umbach

See the link below on a program that may help, I am not sure.

http://www.snapfiles.com/get/aboutbuster.html

Last I heard CWShredder is no longer being updated and as such will not remove newer
variants. It may help to try and run your spyware removal tools in safe mode. If that
does not help go into IE advanced options and disable "enable third party browser
extensions". After a reboot that will disable BHOs including ones that you want
such as Adobe and Norton which may require reinstall of those applications. Then try
your spyware tools again. Of course make sure they are updated. AdAware updates
almost daily. Also use the customize option for AdAware and select all options for
registry and memory scan. You may also have to clean up unwanted BHOs with
something like the free BHODemon. There is so much new spyware, I cannot keep up
with it. I also suggest you post in a spyware/parasite related newsgroup forum some
of which specialize in Hijack this logs. Offhand I do not see anything that stands
out as being suspicious. Good luck. --- Steve

http://www.aumha.org/a/quickfix.htm

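The reply above turns on which BHOs and toolbars are registered, which are the O2 and O3 lines of the log. As an added example (not part of either post and not HijackThis's own code), this Python script rejoins the wrapped lines of a pasted log and lists those entries for manual review; the function names are assumptions made for illustration.

```python
import re

# Constructed sample: entries copied from the log in this thread, keeping the
# hard line wraps the newsreader introduced.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
E:\WINNT\System32\smss.exe

F1 - win.ini: load=F:\CDSETUP.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [iamapp] E:\Program Files\Norton Internet
Security\IAMAPP.EXE
O4 - Startup: Shortcut to Main.lnk = ?
"""

ENTRY_START = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O2 - BHO: ..."
CLSID_ENTRY = re.compile(r"^(?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")

def parse_entries(text):
    """Return {section code: [entry body, ...]} with wrapped lines rejoined."""
    entries = []
    current = None  # [code, body] of the entry still being assembled
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_START.match(line)
        if m:
            current = [m.group(1), m.group(2)]
            entries.append(current)
        elif line and current is not None:
            current[1] += " " + line  # the wrap fell on a space, so rejoin with one
        else:
            current = None  # blank line, header or process list: not an entry
    sections = {}
    for code, body in entries:
        sections.setdefault(code, []).append(body)
    return sections

def browser_extensions(sections):
    """O2 (BHO) and O3 (toolbar) entries as (code, name, CLSID, path) tuples."""
    bodies = [(c, b) for c in ("O2", "O3") for b in sections.get(c, [])]
    matches = [(c, CLSID_ENTRY.match(b)) for c, b in bodies]
    return [(c, m[1], m[2].upper(), m[3]) for c, m in matches if m]

if __name__ == "__main__":
    for row in browser_extensions(parse_entries(SAMPLE_LOG)):
        print(*row, sep=" | ")
```
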
 
