
Unable To Remove "CWS: Bootconf"

Users started reporting that when they went to Google, Yahoo or Altavista to search for something, popups appeared that (most of the time) advertised bogus 'enhanced results'. The style sheet files are marked read-only, system and hidden.

CWS.Alfasearch

Variant 19: CWS.Alfasearch - Child's Play
Approx date first sighted: November 5, 2003
Log reference:
Symptoms: IE pages changed to, possibly porn sites being redirected to (,

CWS.Aff.Winshow.2: The second variant of this one also used the BHO and filename, but added a hosts file hijack that redirected mistyped domains/URLs to a porn site, and reloaded a IE

CWS.Alfasearch.2: A mutation of this variant exists, that hijacks IE to, drops 7 porn bookmarks in the IE Favorites, and causes error messages concerning 'Win Min' at system shutdown, as

However, I have run the program at least 10 times, and each time the program runs, it claims to find and remove the same two items: CWS.Bootconf and CWS.Svchost32.

Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

CWS.Msoffice

Variant 13: CWS.Msoffice - HTA exploit revisited
Approx date first sighted: October 12, 2003
Log reference:
Symptoms: Homepage changed to, hijack coming back after a reboot, slow scrolling

It's run from 3 places at boot, as well as merging a .reg file that reinstalls the hijack, and adding an adult site to the Trusted Zone.

It drops 4 porn bookmarks in the

This file reinstalled the hijack when run.

Checking %WinDir% folder...

The variant is always accompanied by a hijack to

Checking %ProgramFilesDir% folder...

It works invisibly, changing links from Google search results to other pages.

Document last updated: April 17, 2004

CoolWebSearch variants: CWS.Datanotary CWS.Bootconf CWS.Oslogo CWS.Msspi CWS.Vrape CWS.Oemsyspnp CWS.Svchost32 CWS.Dnsrelay CWS.Msinfo CWS.Ctfmon32 CWS.Tapicfg CWS.Svcinit CWS.Msoffice CWS.Dreplace CWS.Mupdate CWS.Addclass CWS.Googlems CWS.Xplugin CWS.Alfasearch CWS.Loadbat CWS.Qttasks CWS.Msconfd CWS.Therealsearch

Since it had two running processes, it looked like the Peper virus, that was very hard to remove.

You solved in four posts a situation I have been working to alleviate for months.

Please note that this article was written originally by the creator of a program designed to remove all CoolWebSearch related infections, Merijn Bellekom. Two domains were added to the Trusted Zone to ensure CWS could do its dirty work and install any updates if they ever became available.

But most of all, IE start This was the one and only symptom.

After looking over the log, it was quickly concluded the msspi.dll file was to blame. Here's how it works.

When the computer was started, there was a 1 in 5 chance the hijack was re-installed and changed the IE start page and search pages to, once the hijack was

Variant 17: CWS.Googlems - We have a payload!

CWS.Msoffice.3: A mutation of this variant exists that hijacks IE to and, and reinstalls through a file named fonts.hta using the name TrueFonts.

Anyway, here's my hijackthis log:

Logfile of HijackThis v1.98.2
Scan saved at 5:22:23 PM, on 1/2/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\STUTFIX.EXE
C:\COMPAQ\INTERNET\WATCHDOG.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\SYSTEM\SHPC32.EXE
C:\PROGRAM FILES\SED\SED.EXE
C:\WINDOWS\QYOVQU.EXE
C:\PROGRAM

LonnyRJonesSWW Expert Joined: 09 Dec 2004 Last Visit: 07 Nov 2007 Posts: 340
Posted: Thu Aug 04, 2005 6:19 pm
Post subject: Start Hijackthis and place a check next to these

Good that you got the fix.

In the last few months, the people behind this name have succeeded in becoming (IMHO) an even bigger nuisance than the now infamous Lop.

Thu Aug 04 11:42:09 2005 => AV Library Loaded...

We strongly recommend you install the patch, available from this MS security bulletin.

PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Checking the Windows folder for system and hidden files within the last 60 days...
8/2/2005 12:46:58 PM 54156 C:\WINDOWS\QTFont.qfn
7/19/2005 10:06:00 AM 0 C:\WINDOWS\INF\oem24.inf
8/1/2005

It has only been connected with CWS since it appeared together with it in a few logs.

The only good thing about this variant is that the domain has been

OR IS IT?

I'm serious. *Yawn*

Variant 22: CWS.Msconfd - Finally using rundll32
Approx date first sighted: November 26, 2003
Log reference: none, local test
Symptoms: IE pages being changed to, bogus error

Variant 21: CWS.Qttasks - Even more simple than CWS.Alfasearch
Approx date first sighted: November 23, 2003
Log reference:
Symptoms: IE pages being changed to
Cleverness: 2/10
Manual removal difficulty:

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Norton

Also note that this web page is currently hosted on my ISP free webspace bandwidth, which in turn means it's probably going to get hosed right quick.

It will only report but is very thorough. *Don't* post sections if they are in antimalware backups, Quarantine or Restore folders, or in C:\System Volume Information.

Thank you, kind stranger.

Only when this code was deciphered it became clear that CoolWebSearch was behind this all. This variant is the first one that is not visible in a HijackThis log.

