SmartSearch Homepage

  • Thread starter Thread starter Michael
  • Start date Start date
M

Michael

Every time I load up IE, my homepage is automatically
set to www.smartsearch.ws no matter what. If I try to
change it, it just resets itself (yes, I hit APPLY and
then OK :-). Also, whenever I try to type in an address
into the nav bar, it sends me to (guess what!)
www.smartsearch.ws again.

I tried e-mailing SmartSearch, but they said that I had
visited a "warez" site and probably brought the problem
on myself. They basically told me I was screwed. What
is a warez site? I've never been to one...purposefully,
anyway...and is there anyway to fix my problem?

Thanks
 
Hi Michael - Sounds like this might be a variant of some malware called
CoolWebSearch. Do the following:

Download and run: http://www.merijn.org/files/cwshredder.zip to remove the
parasite. Be sure to close all instances of IE and OE.

Then download and run:
http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
tabs and remove any restrictions that the parasite has put in place.

Be sure that you also download and install hotfix Q816093, here:

http://support.microsoft.com/?kbid=816093#appliesto

which blocks the exploit upon which this parasite family depends.

Now download and run:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
your search functions.


However, this also indicates that you may have acquired some other malware
along the way. If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
Alarm 3.x, if present or any other Ad Blocking software which interferes
with Java Scripting for this scan to work. You should get a message between
the two lines of **** giving the results of the scan.

Get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. UPDATE and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove
things which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.

Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm



If they don't fix it then start here:

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Always download a
new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here:
http://tomcoyote.org/forums/index.php?act=ST&f=10&t=495&s=2c6e92805e310b519b9fa61cc7098fba

Sign in, then copy and paste both files into a message asking for
assistance, Someone will answer with detailed instructions for the removal
of your parasite(s).




Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:

http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it UPDATED) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.

http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Both Very Highly Recommended


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
 
wow. ok. thanks a lot. I think it'll take a while to
get this all up and running, but thanks for the info.
Also, I have Webroot's SpySweeper installed on my PC.
Will that work just as well as any of the others you have
mentioned?
 
Hi Michael - I'm not familiar with it personally, however, if you only have
the trial version, as I understand it you don't get updates, which IMO would
make it practically useless. If UPDATED, it may or may not be useful. The
ones I pointed you to are all free and, when kept UPDATED, are very
effective in combination. AdAware and Spybot handle different things and
should both be UPDATED and used regularly. CWShredder, can be redownloaded
each time (UPDATED) and run regularly also to handle this very fast mutating
parasite (although you should block this exploit ASAP). HijackThis,
redownloaded (UPDATED) each time, with help from the fora I cited will catch
most other things, while the last two - SpywareBlaster and SpywareGuard -
will go a long way toward keeping you from getting infected in the first
place.

If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in
Zone Alarm 3.x, if present or any other Ad Blocking software which
interferes with Java Scripting for this scan to work. You should get a
message between the two lines of **** giving the results of the scan.

You might also want to have a look here:
http://www.mvps.org/winhelp2002/hosts.htm A HOSTS file (named all caps, no
extension, BTW) can also be used [as with the lists UPDATED here] to block
malware as well as ads)

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
 
OK, thanks R. - Glad to have it confirmed, since I'm seeing more posts about
that particular one.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
 
Jim Byrd said:
OK, thanks R. - Glad to have it confirmed, since I'm seeing more posts about
that particular one.
Click to expand...

NP - Jim, you know where to reach me if you need anything ;)

~Silj


--
siljaline

MS - MVP Windows IE/OE
______________________

(Reply to group, as return address
is invalid - that we may all benefit)
 
Well, I downloaded everything like you said, and I
believe it will work. However, every time I try to run
Ad-Aware and Spybot, they just exit automatically and out
of the blue. I have a few seconds to click on things,
but given enough time, the programs close without my
assistance. The same goes for theor websites, too. IE
just exits whenever I go to that site. What's odd,
though, is that it's only THEIR websites and programs
that do it. It's as if this virus or whatever it is is
trying to keep me from deleting it! So I haven't been
able to run any of the anti-spyware stuff yet. What can
I do?
 
Hi Michael - Sounds like you've been hijacked and the parasite is disabling
AdAware and Spybot. First, install SpywareBlaster (below at bottom - UPDATE
first thing before you run it, however.), and then see if AdAware and/or
SpyBot will work, and also download and run CWShredder again -
http://www.merijn.org/files/cwshredder.zip to remove theparasite. Be sure
to close all instances of IE and OE.. If no joy, then you kinda need to
know what the parasite(s) is/are before you can do much about fixing them
except to apply some general tools like AdAware and/or SpyBot S&D (see
below). Since they're blocked and don't fix it then start here:

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip (Always download a
new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

or Tom Coyote here:
http://tomcoyote.org/forums/index.php?act=ST&f=10&t=495&s=2c6e92805e310b519b9fa61cc7098fba

Sign in, then copy and paste both files into a message asking for
assistance, Someone will answer with detailed instructions for the removal
of your parasite(s).


For the general hijack case, the best way to start is to get Ad-Aware 6.0,
Build 181 or later, here: http://www.lavasoftusa.com/support/download/.
UPDATE and run this regularly to get rid of most "spyware/hijackware" on
your machine. If it has to fix things, be sure to re-boot and rerun
AdAware again and repeat this cycle until you get a clean scan. The reason
is that it may have to remove things which are currently "in use" before it
can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After UPDATING and fixing things with SpyBot S&D, be
sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
clean "no red" scan. The reason is that SpyBot sometimes has to remove
things which are currently "in use" before it can then clean up others.


Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm


Once you get things cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:

http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it updated) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed for 1073 parasites, and it provides information and
fixit-links for a variety of parasites.

http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Both Very Highly Recommended.



--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



In
 
Ok, I have everything installed now, but none of it will
work. I updated SpyBlaster before I ran it, and
allegedly it ran fine (It said "Successful" in a pop-up
box), but nothing has changed. In fact, CW Shredder will
begin it's fixing process and get as far as
SmartSearch.ws adware (or whatever it is) and THEN
exits. It never actually fixes the file. The only
things that work right now are Spy Guard and SpyBlaster.
I have updated both to the most recent. I will try to re-
download HijackThis and install it again, but I have a
feeling it will do the same thing.

Anyway, I have included my e-mail address this time if
you would like to contact me that way instead of having
to try to find this post every time. I will still check
here though.

Oh, and Silj's link describes my problem exactly.
Should I try to download that Virus checker, update it
and run it that way?

michael
 
michael said:
Ok, I have everything installed now, but none of it will
work. I updated SpyBlaster before I ran it, and
allegedly it ran fine (It said "Successful" in a pop-up
box), but nothing has changed. In fact, CW Shredder will
begin it's fixing process and get as far as
SmartSearch.ws adware (or whatever it is) and THEN
exits. It never actually fixes the file. The only
things that work right now are Spy Guard and SpyBlaster.
I have updated both to the most recent. I will try to re-
download HijackThis and install it again, but I have a
feeling it will do the same thing.

Anyway, I have included my e-mail address this time if
you would like to contact me that way instead of having
to try to find this post every time. I will still check
here though.

Oh, and Silj's link describes my problem exactly.
Should I try to download that Virus checker, update it
and run it that way?

michael
Click to expand...

The CWShredder is your best bet against this Spyware.

If you have Norton anti-virus installed it should pick it up but again,
run the latest CWShredder - http://www.merijn.org/files/CWShredder.exe
Close all instances of Internet Explorer and Outlook Express, click on the
executable and follow the prompts.


--
siljaline

MS - MVP Windows IE/OE
______________________

(Reply to group, as return address
is invalid - that we may all benefit)
 
CW shredder doesn't work. It gets to SmartSearch and
exits. I will try to download a version of Norton and
see if that helps, but so far, no luck.

Thanks for the help, though! I have a feeling we're
getting close.
 
michael said:
CW shredder doesn't work. It gets to SmartSearch and
exits. I will try to download a version of Norton and
see if that helps, but so far, no luck.

Thanks for the help, though! I have a feeling we're
getting close.
Click to expand...


Hi Michael,
I hope we're getting close, what puzzles me is why the CW Shredder
is *not* working in your case. Try running the latest version :-)
http://216.180.233.153/~merijn/files/CWShredder.exe
Again, close *all* instances of Internet Explorer and Outlook or
Outlook Express, click on the CW executable and follow the prompts.
If the CW Shredder doesn't work, download and run "Hijack This".
You'll find all the instructions were to download the tool and how
to use it here: http://mvps.org/winhelp2002/unwanted.htm

Note that I may not be around that much until next week - one of the other
knowledgeable folks that frequent this group will be here to help.

Regards,

--
siljaline

MS - MVP Windows IE/OE
______________________

(Reply to group, as return address
is invalid - that we may all benefit)
 
Pardon me while I scream in frustration. No programs
will run on my computer if they start to affect this
virus. Everything exits before I can click 'OK'. I
can't even download trial versions of virus protectors
because IE exits before the page even loads. Even if I
did have a copy, it wouldn't matter because it wouldn't
be able to run.

Outlook Express has been rendered unusable now, too. I
can't check my mail without it trying to receive over 150
messages PER DAY from MAILER-DAEMON saying that my mail
cannot be sent. I haven't sent anything - this sounds
like the work of spyware to me. I also recieved a
message today saying that a virus had been detected in a
message I had sent yesterday. I never even opened
Outlook yesterday. Anyway, the virus was
called "W32/Swen@MM".

My Favorites menu is filling up with links to random
stupid crap I don't need. I try to delete it and it just
comes right back. I'm getting very, very angry at the
inconsiderate, friendless fool who thinks it's funny to
put a virus on someone else's personal property.

Do I need to send my computer in to the shop to have a
professional work on it? If that's what it takes, I'm
willing to do it.

Thanks for your help so far, even though it hasn't really
worked. Its good to know that somebody cares.
 
Is it safe for me to post the results of my HiJackThis
search on here? This is all I got out of it before it
exited.
 
michael and all others who have this trojan.

you have to end the process running in the backgound that stop
cwshredder from completing its task.

mine was called time.exe, for others it was iexplorer.exe, it might b
different for you, just look for the one that looks out of place.

once you end this program, cwshredder should get rid of it

ufeebo
 
SWEET MOTHER OF GOD!!! It's fixed!!! I just had to
exit out of all background programs. Then everything ran
fine and I got it all deleted!!!

Thank you all so much for your help. I really mean
it. Thanks.

michael out.
 
There is a way manually delete the smart search.


Adware.Smartsearch program

Developer :BGCORP
Publisher: Smart Search Asia Ltd.
Systems Affected: Windows 95, Windows 98, Windows Me, Windows NT
Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x


Adware.Smartsearch changes the default prefix of Internet Explorer.

The effect of this is that any URLs typed without a http:// prefix wil
be redirected to http:/ /smartsearch.ws/q= , also the program close
any webpage that has the name of any smart search file, to preven
gathering info on how to destroy this program.

It also sets the Internet Explorer home page to http:/ /smartsearch.ws


To remove definitely delete the main program and their exes:

File names: C:y.exe
C:Program Files/Windows Media Player/wmplay.exe
C:Windows/explore.exe
C:Windows/system32/internet.exe
C:Windows/system/internet.exe
C:Program Files/directx/directx.exe
C:Program Files/Common Files/System/systeem.exe
C:WindowsMedia/wmplayer.exe
C:WindowsHelp/helpcvs.exe
C:Program Files/Accessories/accesss.exe
C:Games/system/critical.exe
C:funny.exe
C:/windows/system32/iexplorer.exe
c:/windows/window.exe
c:/windows/system32/uninstall.exe
c:/windows/system32/netinf.exe
c:/windows/system32/directx32.exe
c:/windows/system32/critical.exe
c:/windows/system32/users32.exe
c:/windows/system32/clrssn.exe
c:/windows/system32/systeem.exe
c:/windows/system32/autorun.exe
c:/windows/system32/win32e.exe
c:/windows/iexplorer.exe

Main code c:/windows/notepad32.exe
It starts the other exe programs everytime you delete one,
and also makes them autostart with the PC.

Remeber most of those files are hidden by a russian program called
HidePE ,select show all files and system files to see them.

If one of those little exes is left the auto smartsearch
registry homepage will continue.

Note:If u see a process that u dont know , and has your windows use
name (not SYSTEM) in the task manager , search for that program an
convert it to .txt
to read ,and if it says -=[ HidePE by BGCorp ]=- delete the file.

Finally delete the smartsearch.ws pages from the registry
with regedit.exe

Dam BGCORP... along Smartsearch in China.... like someone will buy
from their clients

Tdmast
 
It's fixed!!! I just had to exit out of all background
programs. Then everything ran fine and I got it all
deleted!!!

Thank you all so much for your help. I really mean
it. Thanks.

michael out.
 
nope! not fixed. It was for a day or two, but it came
back. I think Outlook Express might have something to do
with it because I keep having to download over 50 e-mails
a day saying my mail couldn't be sent when I never sent
anything.

It's really annoying me.
 
Back
Top