fmdb

CWS.Bootconf & hosts file recreation

6 posts in this topic

I have a client running a Windows XP machine. I have run every conceivable spyware removal utility - Ad-Aware, SpyBot, CWShredder, HijackThis, Kill2Me, Pest Patrol, etc. but I cannot remove CWS.Bootconf. Every time I run CWShredder, it tells me that CWS.Bootconf has been removed, but it immediately comes back. Also, whenever I delete the hosts file, it gets recreated immediately with redirected entries. There are no obvious bad startup entries, and Ad-Aware, Pest Patrol and SpyBot are telling me the machine is clean.

Has anybody seen this behavior before and know what to do to eradicate it? I've never had this much trouble cleaning a machine before.

Thank you.

-fd


HERE IS THE HIJACKTHIS LOG:

 

Logfile of HijackThis v1.97.7

Scan saved at 9:29:13 AM, on 6/16/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\myCIO\VScan\McShield.exe

C:\WINDOWS\myCIO\Agent\myAgtSvc.exe

C:\WINDOWS\system32\regsvc.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\system32\stisvc.exe

C:\WINDOWS\myCIO\Agent\swAgent.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\WBEM\WinMgmt.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\myCIO\Agent\myagttry.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\WINDOWS\Java\chatlnk.exe

C:\DOCUME~1\BURTS\LOCALS~1\Temp\~CL49.tmp\g2a_customerchat2w.exe

C:\Documents and Settings\BURTS\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/

O1 - Hosts: 69.20.16.183 ieautosearch

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe

O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mycio.com/VS2/SonicWa...in/myCioAgt.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8146.6139351852

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://livevault.webex.com/client/latest/webex/ieatgpc.cab

 

HERE IS THE HOSTS FILE:

69.20.16.183 ieautosearch
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com


HERE ARE THE RESULTS OF NETSTAT -a:

Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\BURTS>netstat -a

Active Connections

  Proto  Local Address          Foreign Address                        State
  TCP    burts:epmap            burts:0                                LISTENING
  TCP    burts:microsoft-ds     burts:0                                LISTENING
  TCP    burts:1028             burts:0                                LISTENING
  TCP    burts:1029             burts:0                                LISTENING
  TCP    burts:1099             burts:0                                LISTENING
  TCP    burts:1105             burts:0                                LISTENING
  TCP    burts:1110             burts:0                                LISTENING
  TCP    burts:1112             burts:0                                LISTENING
  TCP    burts:1114             burts:0                                LISTENING
  TCP    burts:1115             burts:0                                LISTENING
  TCP    burts:1116             burts:0                                LISTENING
  TCP    burts:1117             burts:0                                LISTENING
  TCP    burts:1121             burts:0                                LISTENING
  TCP    burts:1122             burts:0                                LISTENING
  TCP    burts:1123             burts:0                                LISTENING
  TCP    burts:1126             burts:0                                LISTENING
  TCP    burts:1127             burts:0                                LISTENING
  TCP    burts:1128             burts:0                                LISTENING
  TCP    burts:1129             burts:0                                LISTENING
  TCP    burts:1149             burts:0                                LISTENING
  TCP    burts:1218             burts:0                                LISTENING
  TCP    burts:6515             burts:0                                LISTENING
  TCP    burts:1184             burts:microsoft-ds                     TIME_WAIT
  TCP    burts:netbios-ssn      burts:0                                LISTENING
  TCP    burts:1026             burts:0                                LISTENING
  TCP    burts:1026             ISELIN:netbios-ssn                     ESTABLISHED
  TCP    burts:1127             broker.gotoassist.com:https            CLOSE_WAIT
  TCP    burts:1149             66-151-158-37.expertcity.com:https     ESTABLISHED
  TCP    burts:1206             69.20.20.161:http                      TIME_WAIT
  TCP    burts:1207             web1.nictechnetworks.com:http          TIME_WAIT
  TCP    burts:1218             66-151-158-37.expertcity.com:https     ESTABLISHED
  UDP    burts:microsoft-ds     *:*
  UDP    burts:6514             *:*
  UDP    burts:6515             *:*
  UDP    burts:6516             *:*
  UDP    burts:59152            *:*
  UDP    burts:1086             *:*
  UDP    burts:netbios-ns       *:*
  UDP    burts:netbios-dgm      *:*
  UDP    burts:isakmp           *:*
  UDP    burts:4500             *:*

C:\Documents and Settings\BURTS>

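Both the HijackThis O1 lines and the hosts file dump in the post above show the same hijack: three search hostnames are resolved to 69.20.16.183 instead of their real addresses, sitting next to ordinary 127.0.0.1 blocking entries that a hosts file legitimately carries. The Python script below is an added example and is not part of this thread, of HijackThis or of CWShredder: it parses either format (plain hosts lines or lines carrying the "O1 - Hosts:" prefix), separates loopback "blocking" entries from redirects to routable addresses, and groups the redirects by destination, which is the signal a defender wants when auditing a machine. The sample text is the hosts file quoted in the post; the function names are the example's own.

```python
import ipaddress
import re

# Sample input taken from the hosts file quoted in the post above.
SAMPLE_HOSTS = """\
69.20.16.183 ieautosearch
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
"""

# The same entries as HijackThis reports them (O1 lines from the log above).
SAMPLE_HJT_O1 = """\
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
"""

O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text or HijackThis O1 lines.

    Comments (#...) and blank lines are skipped, the O1 prefix is stripped if
    present, and a line naming several hosts yields one pair per host.
    """
    pairs = []
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw.split("#", 1)[0]).strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:  # not an address: malformed line, ignore it
            continue
        for host in fields[1:]:
            pairs.append((ip, host.lower()))
    return pairs


def classify_hosts(text):
    """Split entries into 'blocking' (loopback/unspecified target, the normal
    ad-blocking idiom) and 'redirect' (routable target, the hijack pattern)."""
    result = {"blocking": [], "redirect": []}
    for ip, host in parse_hosts(text):
        bucket = "blocking" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        result[bucket].append((str(ip), host))
    return result


def redirect_targets(text):
    """Map each routable destination to the hostnames it captures; one address
    swallowing several well-known hostnames is the signature of a search hijack."""
    targets = {}
    for ip, host in classify_hosts(text)["redirect"]:
        targets.setdefault(ip, []).append(host)
    return targets


if __name__ == "__main__":
    for label, text in (("hosts file", SAMPLE_HOSTS), ("HijackThis O1", SAMPLE_HJT_O1)):
        summary = classify_hosts(text)
        print(f"{label}: {len(summary['blocking'])} blocking, "
              f"{len(summary['redirect'])} redirect entries")
        for ip, hosts in redirect_targets(text).items():
            print(f"  {ip} captures: {', '.join(hosts)}")
```

On a live system the same functions can be pointed at the real file (%SystemRoot%\system32\drivers\etc\hosts on Windows, /etc/hosts elsewhere); any entry in the "redirect" bucket deserves a look, because a hosts file never needs to send a public hostname to a public address.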

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\system32\@bantageUI.dll
C:\WINDOWS\system32\@fantageUI.dll
C:\WINDOWS\system32\@mantageUI.dll
C:\WINDOWS\system32\aktiveds.dll
C:\WINDOWS\system32\amsetupc.dll
C:\WINDOWS\system32\aosetupc.dll

Guardian Key--- is called: GuardianFVQED
Asynchronous 000
DllName C:\WINDOWS\system32\@fantageUI.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {33412F0F-6BF6-4FAE-BAF4-322BA85084B4}
IDex DS3

User Agent String---
{33412F0F-6BF6-4FAE-BAF4-322BA85084B4}

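The "Guardian Key" in the vx2finder log above has the value layout of a Winlogon notification package: a subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify whose DllName is loaded into winlogon.exe at boot and whose Logon/Logoff values name the exports called at those events. That is why it survives ordinary startup-entry checks and can recreate files as soon as they are deleted. The Python script below is an added example, not part of the thread or of vx2finder: it parses a .reg export of that key and flags packages whose DLL is not on an allowlist or carries the randomised "@" name pattern seen in the log. The .reg text is constructed for the example (the GuardianFVQED values are the ones from the log; the crypt32chain entry is a constructed stock-Windows entry for contrast), and the allowlist is a sample, not an authoritative list; on a real audit build it from a known-clean reference machine.

```python
import ntpath
import re

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed .reg export: one benign package and the Guardian key from the log.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianFVQED]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\@fantageUI.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"""

# Sample allowlist of DLL file names (assumption for the example, not a complete list).
SAMPLE_ALLOWLIST = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode_value(raw):
    """Decode a .reg value: dword:<hex> to int, quoted string with \\ and \" escapes."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} for the keys in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def notify_packages(text):
    """List (package_name, values) for every subkey of the Winlogon\\Notify key."""
    prefix = NOTIFY_ROOT.lower() + "\\"
    return [(path[len(prefix):], vals) for path, vals in parse_reg(text).items()
            if path.lower().startswith(prefix)]


def audit_notify(text, allowlist):
    """Flag packages whose DLL is off the allowlist or looks auto-generated."""
    findings = []
    for name, vals in notify_packages(text):
        dll = vals.get("DllName", "")
        base = ntpath.basename(dll).lower()
        reasons = []
        if base not in allowlist:
            reasons.append(f"DLL {base!r} not in allowlist")
        if base.startswith("@"):
            reasons.append("DLL file name starts with '@' (randomised-name pattern)")
        if reasons:
            findings.append({"package": name, "dll": dll, "logon": vals.get("Logon"),
                             "logoff": vals.get("Logoff"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_notify(SAMPLE_REG, SAMPLE_ALLOWLIST):
        print(f"{f['package']}: {f['dll']} (Logon={f['logon']}, Logoff={f['logoff']})")
        for r in f["reasons"]:
            print(f"  - {r}")
```

The export to feed it is produced by Registry Editor (File > Export on the Notify key) or by "reg export" with that key path. Removing a flagged package is the registry half of what the 'Guardian.reg' step in the instructions below does; the DLL itself still has to go, and it is normally locked while winlogon.exe holds it, which is why the procedure deletes on reboot.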

=== Delete Hidden dll, Guardian key, User Agent; Restore Security Policies ===

Sign off and stay off the internet until the entire procedure is complete.

Run vx2finder.exe
Press 'Click to Find VX2.BetterInternet'
Select all the files found
Press 'Delete These Files'

The program will delete all files but one, which will be deleted on reboot.
Allow the program to reboot.

Once restarted:
a. Press 'Guardian.reg'
b. Press 'User Agent'
c. Press 'Restore Policy'

=== Remove Remaining Infection ===

Download and install the latest version of Ad-Aware at
http://www.lavasoft.de/software/adaware/

After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp.com/howto/updref/index.html

Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
  check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
  check: "Let Windows remove files in use after reboot."

Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition, which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"

Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

=== Verify Removal ===

Run vx2finder.exe
Press 'Click to Find VX2.BetterInternet'
Press 'Make Log' and post it in this thread for review

Run HijackThis and post a new log in this thread


It seems better. I was able to delete the hosts file (without recreation) and there aren't any more pop-ups. Thank you.

--------------------------------------------------------------------------------

Log for VX2.BetterInternet File Finder

Files Found---

Guardian Key--- is called:

User Agent String---

___________________________________________________________

 

Logfile of HijackThis v1.97.7

Scan saved at 11:02:22 AM, on 6/22/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\myCIO\VScan\McShield.exe

C:\WINDOWS\myCIO\Agent\myAgtSvc.exe

C:\WINDOWS\system32\regsvc.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\system32\stisvc.exe

C:\WINDOWS\myCIO\Agent\swAgent.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\WBEM\WinMgmt.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\myCIO\Agent\myagttry.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe

C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE

C:\WINDOWS\Java\chatlnk.exe

C:\DOCUME~1\BURTS\LOCALS~1\Temp\~CL52.tmp\g2a_customerchat2w.exe

C:\Documents and Settings\BURTS\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe

O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mycio.com/VS2/SonicWa...in/myCioAgt.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8146.6139351852

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://livevault.webex.com/client/latest/webex/ieatgpc.cab
