Hi all I have the same problem as Response Number 5 could not find O4 - HKLM\..\Run: [SystemEmergency] C:\Windows\explore.exe O4 - HKCU\..\Run: [SystemEmergency] C:\Windows\explore.exe hen after that I could not find C:\Windows\explore.exe so was unable to delete that I am running winxp sp1. any help plz Thx Frasse

0

I got infected with this thing (clicked ok on some dialog box while being in a hurry) and this is how I got rid of smartsearch.ws: - disable system restore - close all IE windows - the virus is "systemcritical.exe". Make sure you kill it with task manager. - search for "systemcritical.exe". Make sure you can view hidden files (it is hidden). Mine was in "C:\Games", together with a netsomething.sys file (don't remember the name exactly, but both were created at the same time). Delete them both. - open the registry editor with "regedit" and search the entire registry for "smartsearch", making sure you start from the top. You'll find it in a bunch of keys called "SearchURL" and the such. Delete every instance (remove the keys). - open IE and make sure to reset the home page, if it's still "smartsearch". It shouldn't, after the registry clean-up. - re-enable system restore. This did it for me! I hope these as****es will get a DoS their way pretty soon.

0

I don't have system restore because I have Windows ME, what should I do?

0

I just had to remove smartsearch from my computer, and from the looks of it, it is gone. I used cwshredder to remove it available here http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder Smartsearch was shutting down programs such as adaware, and also cwshredder before I could use them. I had read that the process that was running was explore.exe, and a couple of others. For me, it was systeem.exe(not system.exe). End this process, or other suspicious processes such as explore.exe, and others that are similar to normal processes, but seem to just be spelled slightly different. Then run cwshredder, the I would advise restarting, and setting the homepage for Internet explorer in control panel(if it wasnt set to blank by cwshredder). Worked for me, but I think they are updating this thing to make it harder to get rid of. All I ask is why. Do they really think you're going to buy something from them after they take your computer hostage?

0

Alright, my version of it. I use Windows ME. Logfile of HijackThis v1.97.7 Scan saved at 5:14:19 PM, on 1/11/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.exe C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.exe C:\WINDOWS\SYSTEM\MSTASK.exe C:\WINDOWS\EXPLORER.exe C:\WINDOWS\TASKMON.exe C:\WINDOWS\SYSTEM\SYSTRAY.exe C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.exe C:\WINDOWS\SYSTEM\WMIEXE.exe C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe C:\PROGRAM FILES\AIM95\AIM.exe C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe C:\PROGRAM FILES\SBC\CONNECTION MANAGER\CMANAGER.exe C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.exe C:\WINDOWS\SYSTEM\SPOOL32.exe C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.exe C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.exe C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.exe C:\WINDOWS\SYSTEM\STIMON.exe C:\WINDOWS\SYSTEM\DDHELP.exe C:\HJT\HIJACKTHIS.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q= R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartsearch.ws/?q= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q= R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q= R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = , R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = , R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,8,0.DLL O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,8,0.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [UserSystem] C:\WINDOWS\IEXPLORER.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.exe O4 - HKLM\..\RunServices: [UserSystem] C:\WINDOWS\IEXPLORER.exe O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe" O4 - HKCU\..\Run: [Steam] "c:\progra~1\steam\steam.exe" -silent O4 - HKCU\..\Run: [UserSystem] C:\WINDOWS\IEXPLORER.exe O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\RunServices: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe" O4 - HKCU\..\RunServices: [Steam] "c:\progra~1\steam\steam.exe" -silent O4 - HKCU\..\RunServices: [UserSystem] C:\WINDOWS\IEXPLORER.exe O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.exe O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM) O9 - Extra button: Yahoo! Login (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM) O9 - Extra button: AIM (HKLM) O9 - Extra button: Encarta Encyclopedia (HKLM) O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM) O9 - Extra button: Define (HKLM) O9 - Extra 'Tools' menuitem: Define (HKLM) O10 - Broken Internet access because of LSP provider 'lsp.dll' missing O13 - DefaultPrefix: http://smartsearch.ws/?q= O13 - WWW Prefix: http://smartsearch.ws/?q= O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37962.0092939815 O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/Mx0n11n3.cab Can someone please help me to get rid of it? This is like driving me crazy.

0

I have windows 2003 server and to remove it from my machine today I first killed the process iexplorer.exe iexplorer.exe was spelled correctly but was being run from c:\windows not c:\program files\... and I did not even thave internet explorer running and it was listed in the task manager. I then deleted the iexplorer.exe from c:\windows and ran the cwshredder to clean the registry and it appears to be gone even after 4 test reboots.

0

thx fuzzylogic Det problem was iexplorer.exe. the problem is gone now. /Frasseff

0

I had that MFer too, but on Win2k. I removed it by: Boot into safe mode, search your registry for "smartsearch". Delete all the keys with this in them. There will be a bunch. Search your system for files created since the problem started. On my system, the virus was duplicated itself into two executables named "systeem.exe" and "directxx.exe". both will start up and replace the registry keys unless you're in safe mode. Be aware, they may be named something else on your system. That is why the date is so important. I knew I didn't install anything like this and didn't update my directx (one X), so I deleted them. Reboot and the thing is gone. You have to believe in Karma and know that whoever built the damn thing will hopefully get hit by a truck and live the rest of their horrible life drinking through a straw and crapping into a bag!!! RELOAD

0

I used the solution from response number 2 but i used : O4 - HKLM\..\Run: [SystemEmergency] C:\Windows\system\internet.exe O4 - HKCU\..\Run: [SystemEmergency] C:\Windows\internet.exe then i removed C:\Windows\internet.exe and it worked !!!! so perhaps the hijacker has many names good luck claudio

0

found this useful http://www.ram-jaane.com/help/remove.html

0

I got hit with the latest SMARTSEARCH Jan 18th 2004 variation and my problem was that when I ran CWShredder.exe the program would close automatically before it got to SMARTSEARCH thus CWShredder.exe would not fix the problem. I read all the POSTS above and saw the one mentioning http://www.ram-jaane.com/help/remove.html so I read that and using both CWShredder and remove.html I was able to fix/Remove SmartSEARCH for good. Here are the steps - using WinXP Sp1a 1). Start TASK Manager 2). End Process on IEXPLORE.exe 3). Found IEXPLORE.exe in C:\Windows Folder and DELETED it. 4). Go to Control Panel and Internet Options and Enter a preferred Default Web Address such as http://www.merijn.org or http://www.ram-jaane.com and APPLY and OK. 5). Finally - Run "CWShredder" and it will stay running and click on "FIX". That is it! problem solved ... for now ... Credits: I can't thank Merijn or Ram-Jaane enough for their efforts. Thank you ! Download CWShredder.exe http://www.merijn.org/files/CWShredder.exe Vist: http://www.ram-jaane.com/help/remove.html for more detailed explanation. Oh and can some change the Subject line misspelling of SMART ? See you next time :))

0