#1
Win 2k sp4: CWS.smartsearch.2/removing MS Java VM/Hijack This log
I have win2k sp4. Today I ran CWShredder. It opened in a window with a set of random characters as its title, and informed me it did this because cws.smartsearch.2 had infected my machine & was preventing it from opening under its own name. I was unable to update CWShredder (couldn't connect to server at either site), so I ran Shredder anyway. It said my system was uninfected, including saying "not present" for cws.smartsearch.2. I'm wondering if there is a definitive way of telling if this or any similar parasite is present. Also, how can I remove MS Java VM from my machine? I would prefer to do this manually rather than with an MS patch, since the last one I ran crashed my machine.

BTW I run spysweeper, adaware, spybot sd & Norton av, all up to date & all say no problems (other than the odd tracking cookie now & then). Just ran Miniremover as suggested by Budfred in another thread (http://www.safer-networking.org/files/delcwssk.zip); it says "CollWWWSearch.smartkiller (v1/v2) has not been found on your system". Also I ran HijackThis, here is the log. I hope it's ok that I include this, all looks well to my moderately informed eye, I do try to keep services & other background crap to a minimum, I'd like to know if anyone sees anything suspicious:

TIA, Dan

Logfile of HijackThis v1.97.7
Scan saved at 1:07:52 PM, on 8/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\csrss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton Internet Security\NISUM.EXE
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Norton Internet Security\SymProxySvc.exe
E:\WINNT\system32\mspmspsv.exe
E:\Program Files\Norton Internet Security\NISSERV.EXE
E:\WINNT\Explorer.EXE
E:\PROGRA~1\NORTON~1\navapw32.exe
E:\Program Files\Norton Internet Security\IAMAPP.EXE
E:\Program Files\Logitech\iTouch\iTouch.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\1stClock\1stClock.exe
E:\Program Files\Ad-aware 6 Pro\Ad-watch.exe
E:\Program Files\Norton Internet Security\ATRACK.EXE
e:\Program Files\hotmail popper\hotpop.exe
E:\Program Files\Winamp\Winamp.exe
E:\Program Files\CWShredder.exe
E:\HijackThis.exe
E:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Program Files\Mozilla Thunderbird\thunderbird.exe

F1 - win.ini: load=F:\CDSETUP.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] E:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] E:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKCU\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: 1st Clock.lnk = E:\Program Files\1stClock\1stClock.exe
O4 - Startup: explorer.exe.lnk = C:\WINNT\explorer.exe
O4 - Startup: Shortcut to Ad-watch.exe.lnk = E:\Program Files\Ad-aware 6 Pro\Ad-watch.exe
O4 - Startup: Shortcut to Main.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Researcher (HKLM)
O12 - Plugin for .bcf: E:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...202.6722222222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Last edited by Dan Mitchell : 08-10-2004 at 01:31 PM.
#2
How is your drive partitioned? What drive is the OS installed on? It appears your OS is on drive C, programs are on drive E, and your CD-ROM is on drive F.

This entry concerns me: F1 - win.ini: load=F:\CDSETUP.EXE

Were you in the middle of installing a program from a CD? Please post the properties of this file.
#3
Thanks for the reply. The system has 2 HDDs, the original 40 gig (C:) and a 120 gig partitioned into D: & E:. I have win2k on both C & E & use D & the remainder of E: for storage & the programs for that OS. The OS in question is on E:. The entry "F1 - win.ini: load=F:\CDSETUP.EXE" refers to drivers I was loading for my scanner; did this yesterday, unfortunately I misplaced the disk so I can't put it in & boot to satisfy the damned thing. Dumb, I know, but the trouble preceded this event. Other than the CWShredder business the only problem I'm having is WE crashes frequently on routine tasks, as when renaming files. I posted about this in the Windows forum. It gives the error "Explorer.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log has been created". Finally found the log file, haven't had a chance to look it over well; on first blush it appears like the usual stuff only a CS engineer would understand.

Dan
#4
You may have disguised things by running the CWShredder w/o having an expert look at it.

This is another item that concerns me: O4 - Startup: explorer.exe.lnk = C:\WINNT\explorer.exe

If you are running off of the E drive, why is it calling explorer from the C drive? Do you get the same message if you boot from the iteration of Windows installed on the C drive?
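An added example (not code from this thread): a small Python checker that applies the two heuristics used in replies #2 and #4 to HijackThis log lines. It flags win.ini load=/run= entries and startup shortcuts with an unresolved target, and flags any entry whose path sits on a drive other than the one Windows is running from, which it infers from the winlogon.exe process path. The sample log is constructed from a few of the entries posted above, not the complete log.

```python
import re

# Constructed sample: a few entries copied in shape from the HijackThis log posted
# in this thread (not the complete log), plus one "Running processes" line.
SAMPLE_LOG = r"""
Running processes:
E:\WINNT\system32\winlogon.exe
F1 - win.ini: load=F:\CDSETUP.EXE
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - Startup: explorer.exe.lnk = C:\WINNT\explorer.exe
O4 - Startup: Shortcut to Main.lnk = ?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
"""

DRIVE_PATH = re.compile(r"\b([A-Za-z]):\\")                    # "E:\..." style paths
WINLOGON = re.compile(r"(?i)^([A-Za-z]):\\.*\\winlogon\.exe$")  # the running OS's logon process

def infer_system_drive(log_text):
    """Drive letter of the running Windows, taken from the winlogon.exe process path."""
    for line in log_text.splitlines():
        m = WINLOGON.match(line.strip())
        if m:
            return m.group(1).upper()
    return None

def review_hjt(log_text, system_drive):
    """Return (entry, reason) pairs for entries a log reviewer would question."""
    findings = []
    system_drive = system_drive.upper()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # F1: a win.ini load=/run= entry starts a program at logon; legacy and rarely needed
        if line.startswith("F1 -") and re.search(r"(?i)\b(load|run)=", line):
            findings.append((line, "win.ini load/run entry starts a program at logon"))
        # O4 Startup shortcut whose target HijackThis could not resolve
        if line.startswith("O4 - Startup:") and line.endswith("= ?"):
            findings.append((line, "startup shortcut with unresolved target"))
        # Anything pointing at a drive other than the one Windows is running from
        for drive in DRIVE_PATH.findall(line):
            if drive.upper() != system_drive:
                findings.append((line, f"path on {drive.upper()}: but OS runs from {system_drive}:"))
                break
    return findings

if __name__ == "__main__":
    for entry, reason in review_hjt(SAMPLE_LOG, infer_system_drive(SAMPLE_LOG)):
        print(f"{reason}\n    {entry}")
```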
#5
Thanks for the reply. That's a very good question about O4 - Startup: explorer.exe.lnk = C:\WINNT\explorer.exe. I have WE open on start because I use it so frequently, and I have it set to expand the E: drive portion by default. The target is "E:\WINNT\explorer.exe /e, e:", and the target is E:WINNT. I have no clue as to why it would say C:, nor how it would manage to open E: SAYING C:. I'm going to remove that one & redo the startup item. I found the scanner driver disk which was being called for. You're gonna love this; I finally remembered I had placed it ON THE SCANNER to test it (something to scan) & forgot I had left it there! How stupid. After I rebooted with the disk in place the request has disappeared.

Dan
#6
Remove the explorer entry with HJT and re-post your log.
Please also describe the symptoms you are getting.
#7
Removed the weird WE startup entry & reentered it; it now reads appropriately, as reflected in the following HT log. The only operational problem I'm having is WE crashes randomly, as I described earlier. It appears to happen only when right clicking or attempting to execute a right click command (rename, search, etc). Only other anomaly is the CWShredder report. I have a window with program shortcut icons (a la the old "program manager") as reflected in the HT entry "O4 - Startup: Shortcut to Main.lnk = ?". The icons in this window are large, but revert to small after each WE crash.

Thanks for taking a look. Dan

Logfile of HijackThis v1.97.7
Scan saved at 4:55:34 PM, on 8/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\csrss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton Internet Security\NISUM.EXE
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\mspmspsv.exe
E:\Program Files\Norton Internet Security\NISSERV.EXE
E:\PROGRA~1\NORTON~1\navapw32.exe
E:\Program Files\Norton Internet Security\IAMAPP.EXE
E:\Program Files\Logitech\iTouch\iTouch.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\1stClock\1stClock.exe
E:\Program Files\Ad-aware 6 Pro\Ad-watch.exe
E:\Program Files\Norton Internet Security\ATRACK.EXE
e:\Program Files\hotmail popper\hotpop.exe
e:\Program Files\mozilla firefox\firefox.exe
E:\Program Files\DVD Shrink\DVD Shrink 3.2.exe
E:\Program Files\Norton Internet Security\SymProxySvc.exe
E:\Program Files\Winamp\Winamp.exe
E:\WINNT\explorer.exe
E:\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] E:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] E:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKCU\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: 1st Clock.lnk = E:\Program Files\1stClock\1stClock.exe
O4 - Startup: explorer.exe.lnk = E:\WINNT\explorer.exe
O4 - Startup: Shortcut to Ad-watch.exe.lnk = E:\Program Files\Ad-aware 6 Pro\Ad-watch.exe
O4 - Startup: Shortcut to Main.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Researcher (HKLM)
O12 - Plugin for .bcf: E:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...202.6722222222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
#8
I would try to run SFC and see if you can replace any corrupted Windows files. I see nothing in the HJT log, and since your errors are in Explorer as opposed to Internet Explorer, I don't think it's a browser hijack issue.