CWS.Bootconf & hosts file recreation

5 replies to this topic

#1 fmdb

Member, Full Member, 4 posts

Posted 15 June 2004 - 09:56 PM

I have a client running a Windows XP machine. I have run every conceivable spyware removal utility - Ad-Aware, SpyBot, CWShredder, Hijack This, Kill2Me, Pest Patrol, etc. but I cannot remove CWS.Bootconf. Everytime I run CWShredder, it tells me that CWS.Bootconf has been removed but it immediately comes back. Also, whenever I delete the hosts file, it gets recreated immediately with redirected entries. There are no obvious bad startup entries and Ad-Aware, Pest Patrol and SpyBot are telling me the machine is clean.

Has anybody seen this behavior before and know what to do to eradicate it? I've never had this much trouble cleaning a machine before.

Thank you.

-fd

#2 fmdb

Member, Full Member, 4 posts

Posted 16 June 2004 - 08:33 AM

HERE IS THE HIJACKTHIS LOG:

Logfile of HijackThis v1.97.7
Scan saved at 9:29:13 AM, on 6/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\myCIO\VScan\McShield.exe
C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\myCIO\Agent\swAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\myCIO\Agent\myagttry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\Java\chatlnk.exe
C:\DOCUME~1\BURTS\LOCALS~1\Temp\~CL49.tmp\g2a_customerchat2w.exe
C:\Documents and Settings\BURTS\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap...in/myCioAgt.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8146.6139351852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://livevault.we...bex/ieatgpc.cab

HERE IS THE HOSTS FILE:

69.20.16.183 ieautosearch
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com

HERE ARE THE RESULTS OF NETSTAT -a:

Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\BURTS>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP burts:epmap burts:0 LISTENING
TCP burts:microsoft-ds burts:0 LISTENING
TCP burts:1028 burts:0 LISTENING
TCP burts:1029 burts:0 LISTENING
TCP burts:1099 burts:0 LISTENING
TCP burts:1105 burts:0 LISTENING
TCP burts:1110 burts:0 LISTENING
TCP burts:1112 burts:0 LISTENING
TCP burts:1114 burts:0 LISTENING
TCP burts:1115 burts:0 LISTENING
TCP burts:1116 burts:0 LISTENING
TCP burts:1117 burts:0 LISTENING
TCP burts:1121 burts:0 LISTENING
TCP burts:1122 burts:0 LISTENING
TCP burts:1123 burts:0 LISTENING
TCP burts:1126 burts:0 LISTENING
TCP burts:1127 burts:0 LISTENING
TCP burts:1128 burts:0 LISTENING
TCP burts:1129 burts:0 LISTENING
TCP burts:1149 burts:0 LISTENING
TCP burts:1218 burts:0 LISTENING
TCP burts:6515 burts:0 LISTENING
TCP burts:1184 burts:microsoft-ds TIME_WAIT
TCP burts:netbios-ssn burts:0 LISTENING
TCP burts:1026 burts:0 LISTENING
TCP burts:1026 ISELIN:netbios-ssn ESTABLISHED
TCP burts:1127 broker.gotoassist.com:https CLOSE_WAIT
TCP burts:1149 66-151-158-37.expertcity.com:https ESTABLISHED
TCP burts:1206 69.20.20.161:http TIME_WAIT
TCP burts:1207 web1.nictechnetworks.com:http TIME_WAIT
TCP burts:1218 66-151-158-37.expertcity.com:https ESTABLISHED
UDP burts:microsoft-ds *:*
UDP burts:6514 *:*
UDP burts:6515 *:*
UDP burts:6516 *:*
UDP burts:59152 *:*
UDP burts:1086 *:*
UDP burts:netbios-ns *:*
UDP burts:netbios-dgm *:*
UDP burts:isakmp *:*
UDP burts:4500 *:*

C:\Documents and Settings\BURTS>
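The hosts file above mixes two very different kinds of entry: names pointed at 127.0.0.1 (sinkholed, so they simply fail to resolve) and search-related names pointed at a remote address, 69.20.16.183, which is the redirection HijackThis reports in its `O1 - Hosts:` lines. As an added example (not from the thread, HijackThis or any tool named in it), the Python script below reads either a hosts file or the `O1` lines and separates the two cases, listing which names are sent to which remote address. The sample input is the hosts file posted in this thread; the baseline set of search hostnames is an assumption to extend for your own environment.

```python
"""Separate sinkhole entries from search redirections in a hosts file."""
import ipaddress

# Constructed sample input: the hosts file as posted in this thread.
HOSTS_SAMPLE = """\
69.20.16.183 ieautosearch
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
"""

# Constructed sample input: the matching HijackThis "O1" lines from the log.
O1_SAMPLE = [
    "O1 - Hosts: 69.20.16.183 ieautosearch",
    "O1 - Hosts: 69.20.16.183 auto.search.msn.com",
    "O1 - Hosts: 69.20.16.183 search.netscape.com",
]

# Assumed baseline of search-related names worth watching: the three the
# thread shows redirected plus two common search engines. Extend as needed.
SEARCH_HOSTS = {
    "ieautosearch",
    "auto.search.msn.com",
    "search.netscape.com",
    "www.google.com",
    "search.yahoo.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Comments (#) and blank lines are skipped; one IP may carry several
    names on a line, so each name becomes its own pair. Lines whose first
    field is not an IP address are ignored rather than aborting the scan.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def o1_to_hosts_text(o1_lines):
    """Turn HijackThis 'O1 - Hosts:' lines back into hosts-file syntax."""
    prefix = "O1 - Hosts:"
    return "\n".join(l[len(prefix):].strip() for l in o1_lines if l.startswith(prefix))


def classify(ip, name):
    """Return 'blocked', 'redirected' or 'pinned' for one hosts entry."""
    if ip.is_loopback or ip.is_unspecified:
        # Sinkholed to the local machine: the name is blocked, not hijacked.
        return "blocked"
    if name in SEARCH_HOSTS:
        # A search-related name sent to a remote address: redirection.
        return "redirected"
    return "pinned"  # any other static mapping: review, may be legitimate


def hijack_report(text):
    """Summarise a hosts file; 'redirect_targets' maps remote IP -> names."""
    report = {"blocked": [], "redirected": [], "pinned": [], "redirect_targets": {}}
    for ip, name in parse_hosts(text):
        verdict = classify(ip, name)
        report[verdict].append(name)
        if verdict == "redirected":
            report["redirect_targets"].setdefault(str(ip), []).append(name)
    return report


if __name__ == "__main__":
    for label, text in (("hosts file", HOSTS_SAMPLE),
                        ("HijackThis O1 lines", o1_to_hosts_text(O1_SAMPLE))):
        rep = hijack_report(text)
        print(f"{label}: {len(rep['blocked'])} blocked, {len(rep['redirected'])} redirected")
        for ip, names in rep["redirect_targets"].items():
            print(f"  {', '.join(names)} -> {ip}")
```

Run against the posted file it reports ten blocked names and three names redirected to 69.20.16.183; the same three come out of the `O1` lines, so either source can be fed to the same check.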

#3 LoPhatPhuud

Master of Disaster Recovery, Emeritus, 432 posts

Posted 20 June 2004 - 03:54 PM

Download the following tool and install it in its own folder:
http://tools.zerosre...m/VX2Finder.exe


=== Get Name of Hidden dll ===
Run vx2finder.exe
Press 'Click to Find VX2.BetterInternet'
Press 'Make Log' and post it in this thread for review
Microsoft MVP Windows-Security 2005

When angry count four; when very angry, swear

#4 fmdb

Member, Full Member, 4 posts

Posted 21 June 2004 - 12:19 PM

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\system32\@bantageUI.dll
C:\WINDOWS\system32\@fantageUI.dll
C:\WINDOWS\system32\@mantageUI.dll
C:\WINDOWS\system32\aktiveds.dll
C:\WINDOWS\system32\amsetupc.dll
C:\WINDOWS\system32\aosetupc.dll


Guardian Key--- is called: GuardianFVQED
Asynchronous 000
DllName C:\WINDOWS\system32\@fantageUI.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {33412F0F-6BF6-4FAE-BAF4-322BA85084B4}
IDex DS3

User Agent String---
{33412F0F-6BF6-4FAE-BAF4-322BA85084B4}
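The "Guardian Key" section of this log has the shape of a Winlogon Notify registration: a subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify whose DllName is loaded into winlogon.exe and whose Logon and Logoff exports are called at every logon and logoff. A DLL that runs there can recreate files and hosts entries each time the user logs on, which is consistent with the "removed but immediately comes back" behaviour in the first post. As an added example (not the thread's code and not VX2Finder's), the Python below parses this log layout, ties the Notify DLL back to the hidden-files list, and compares the subkey name with an assumed baseline of stock Windows 2000/XP Notify packages (constructed here; confirm it against a clean reference machine). It also handles the empty post-cleanup log later in the thread.

```python
"""Parse a VX2Finder log and explain its Winlogon Notify ("Guardian") entry."""
import ntpath

# Constructed sample: the VX2Finder log posted in this thread before cleanup.
VX2_LOG_BEFORE = r"""Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\system32\@bantageUI.dll
C:\WINDOWS\system32\@fantageUI.dll
C:\WINDOWS\system32\@mantageUI.dll
C:\WINDOWS\system32\aktiveds.dll
C:\WINDOWS\system32\amsetupc.dll
C:\WINDOWS\system32\aosetupc.dll


Guardian Key--- is called: GuardianFVQED
Asynchronous 000
DllName C:\WINDOWS\system32\@fantageUI.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {33412F0F-6BF6-4FAE-BAF4-322BA85084B4}
IDex DS3

User Agent String---
{33412F0F-6BF6-4FAE-BAF4-322BA85084B4}
"""

# Constructed sample: the empty log posted after cleanup.
VX2_LOG_AFTER = """Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---
"""

# Assumed baseline of Notify subkeys shipped with Windows 2000/XP. Constructed
# for this example, not taken from the thread; verify on a clean build.
STOCK_NOTIFY_SUBKEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def parse_vx2_log(text):
    """Return {'files': [...], 'notify': {...} or None, 'user_agent': [...]}."""
    files, notify, agents = [], None, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Files Found---"):
            section = "files"
            continue
        if line.startswith("Guardian Key---"):
            section = "notify"
            name = line.split("is called:", 1)[1].strip() if "is called:" in line else ""
            notify = {"subkey": name, "values": {}} if name else None
            continue
        if line.startswith("User Agent String---"):
            section = "agent"
            continue
        if not line:
            continue
        if section == "files":
            files.append(line)
        elif section == "notify" and notify is not None:
            key, _, value = line.partition(" ")   # "DllName C:\...\x.dll"
            notify["values"][key] = value.strip()
        elif section == "agent":
            agents.append(line)
    return {"files": files, "notify": notify, "user_agent": agents}


def assess_notify(parsed):
    """List the reasons the Notify entry looks like persistence (empty if none)."""
    entry = parsed["notify"]
    if entry is None:
        return []
    findings, vals = [], entry["values"]
    if entry["subkey"].lower() not in STOCK_NOTIFY_SUBKEYS:
        findings.append(f"Winlogon\\Notify subkey '{entry['subkey']}' is not a stock package")
    dll = vals.get("DllName", "")
    if dll:
        base = ntpath.basename(dll).lower()
        if base.startswith("@"):
            findings.append(f"DLL name '{base}' has a leading '@', unlike stock Notify DLLs")
        if dll.lower() in (f.lower() for f in parsed["files"]):
            findings.append("the Notify DLL is one of the hidden files found, so the key "
                            "reloads the payload into winlogon.exe at each logon")
    hooks = [k for k in ("Logon", "Logoff", "Startup", "Shutdown") if k in vals]
    if hooks:
        findings.append("exports registered for: " + ", ".join(hooks))
    return findings


if __name__ == "__main__":
    for label, log in (("before", VX2_LOG_BEFORE), ("after", VX2_LOG_AFTER)):
        parsed = parse_vx2_log(log)
        print(f"{label}: {len(parsed['files'])} hidden files")
        for reason in assess_notify(parsed) or ["no Notify entry reported"]:
            print("  -", reason)
```

The point of the last finding is the one that matters for cleanup order: while the key exists, deleting the DLL alone is undone at the next logon, which is why the removal steps later in the thread delete the files and the key before rebooting.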

#5 LoPhatPhuud

Master of Disaster Recovery, Emeritus, 432 posts

Posted 21 June 2004 - 02:16 PM

=== Delete Hidden dll, Guardian key, User Agent; Restore Security Policies ===
Sign off and stay off the internet until the entire procedure is complete.

Run vx2finder.exe
Press 'Click to Find VX2.BetterInternet'
Select all the files found
Press 'Delete These Files'

The program will delete all files but one that will be deleted on reboot
Allow program to reboot

Once Restarted:
a. Press 'Guardian.reg'
b. Press 'User Agent'
c. Press 'Restore Policy'

=== Remove Remaining Infection ===
Download and install the latest version of Ad-Aware at
http://www.lavasoft....ftware/adaware/

After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp....dref/index.html

Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"

Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.


=== Verify Removal ===
Run vx2finder.exe
Press 'Click to Find VX2.BetterInternet'
Press 'Make Log' and post it in this thread for review

Run HiJackThis and post a new log in this thread
Microsoft MVP Windows-Security 2005

When angry count four; when very angry, swear

#6 fmdb

Member, Full Member, 4 posts

Posted 22 June 2004 - 10:03 AM

It seems better. I was able to delete the hosts file (without recreation) and there aren't any more pop-ups. Thank you.

--------------------------------------------------------------------------------


Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---

___________________________________________________________

Logfile of HijackThis v1.97.7
Scan saved at 11:02:22 AM, on 6/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\myCIO\VScan\McShield.exe
C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\myCIO\Agent\swAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\myCIO\Agent\myagttry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINDOWS\Java\chatlnk.exe
C:\DOCUME~1\BURTS\LOCALS~1\Temp\~CL52.tmp\g2a_customerchat2w.exe
C:\Documents and Settings\BURTS\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap...in/myCioAgt.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8146.6139351852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://livevault.we...bex/ieatgpc.cab
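The "Verify Removal" step amounts to comparing this log with the one posted before cleanup. As an added example (not from the thread and not part of HijackThis), the Python below parses two HijackThis logs into their running-process list and their numbered items, reports what disappeared and what appeared, and groups the changed items by section code so a reviewer can see at a glance that the `O1` hosts lines and the PestPatrol `O4` entry are gone. The sample input is abridged from the two logs in this thread; the abridgement is mine.

```python
"""Diff two HijackThis logs to confirm what a cleanup actually changed."""
import re
from collections import defaultdict

# Abridged from the HijackThis log posted in this thread before cleanup.
HJT_BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 9:29:13 AM, on 6/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\Documents and Settings\BURTS\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
"""

# Abridged from the log posted after cleanup.
HJT_AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 11:02:22 AM, on 6/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Documents and Settings\BURTS\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# HijackThis item lines start with a section code: R0-R3, F0-F3, N1-N4, O1-O23.
ITEM_RE = re.compile(r"^(R\d+|F\d+|N\d+|O\d+) - ")


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and its items."""
    processes, items = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False      # the blank line ends the process list
            continue
        if ITEM_RE.match(line):
            items.add(line)
        elif in_processes:
            processes.add(line.lower())   # Windows paths are case-insensitive
    return {"processes": processes, "items": items}


def diff_hjt(before_text, after_text):
    """Return sorted lists of processes and items that vanished or appeared."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {
        "processes_gone": sorted(before["processes"] - after["processes"]),
        "processes_new": sorted(after["processes"] - before["processes"]),
        "items_gone": sorted(before["items"] - after["items"]),
        "items_new": sorted(after["items"] - before["items"]),
    }


def by_section(items):
    """Group item lines by their HijackThis section code (O1, O4, R0, ...)."""
    groups = defaultdict(list)
    for line in items:
        groups[ITEM_RE.match(line).group(1)].append(line)
    return dict(groups)


if __name__ == "__main__":
    delta = diff_hjt(HJT_BEFORE, HJT_AFTER)
    for key in ("processes_gone", "processes_new"):
        print(f"{key}: {delta[key]}")
    for key in ("items_gone", "items_new"):
        print(key)
        for code, lines in sorted(by_section(delta[key]).items()):
            print(f"  {code}: {len(lines)} line(s)")
            for line in lines:
                print("    ", line)
```

On the abridged input the diff shows the three `O1` lines, the PestPatrol `O4` entry and the old `R0` start page gone, `rundll32.exe` and `PPControl.exe` no longer running, and two new lines (`R0` LinksFolderName and `R3`) that a reviewer would still want to look at, which is exactly why the thread asks for a fresh log rather than taking "it seems better" as confirmation.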
