cannot get rid of cwsmsconfig trojan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ahjan, Nov 14, 2005.

  1. ahjan

    ahjan Private E-2

    Read and did everything in Read and Run Me First, and the special sticky removal procedures. I removed everything from my computer and it was running fine. Then a thought occurred to me and I restarted my computer in safe mode using the F8 key. I ran CWShredder twice and it said nothing was present. Rebooted normally and then tried getting to safe mode via the Run msconfig command. Ran CWShredder and cwsmsconfig shows up and is removed. So now I know every time I run msconfig, somehow that trojan is embedded in that file and reappears. Needless to say, when I was using the Run command to use safe mode and then to reboot normally, I was removing and immediately reinfecting my computer. How can I get this out of msconfig permanently?

    I have a Dell Pentium 4 3.00GHz, 512MB memory, 80GB HD, running Windows XP Home Edition 2002 Service Pack 2.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Spy Sweeper
    • Click the link above to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into notepad and save it as spysweeper.txt and attach it to your next post along with a fresh HJT log.
     
  3. ahjan

    ahjan Private E-2

    I am going to try and send the HijackThis log and Spy Sweeper session summary as attachments. Bear with me as it has been a while since I have done this.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers open and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report along with a fresh HJT log.
     
  5. ahjan

    ahjan Private E-2

    Downloaded Ewido and here is the Ewido scan report and the HJT log.
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The first thing I notice is that you're running more than one antivirus. This is not recommended as this will cause conflicts on your computer. Pick one and uninstall the other, then continue with the rest of this fix!

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Spy Sweeper

    Ewido

    WeatherBug

    MyWebSearch (or anything similar)


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

    O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\MyWebSearchWB ←–– Delete this whole folder if it exists!

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
     
  7. ahjan

    ahjan Private E-2

    I used Add/Remove to remove A2 and AVG. I also removed Spy Sweeper, WeatherBug, and MyWebSearch. When I tried to remove Ewido, it said there was an error and it could not find it and that it could already have been removed. Although I don't know how, since I did not do it. Anyway, another clue is the desktop icon and taskbar icon still show up. I was going to right click on them and delete before I went on with your other directions. But somewhere along the line I was told deleting doesn't work as well as Add/Remove. But since Ewido no longer shows up on the Add/Remove list, that is not even an option, is it? Any suggestions as to what I can do next before I do the rest of your instructions?
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just proceed with the rest of the fix.
     
  9. ahjan

    ahjan Private E-2

    When I ran HijackThis I could not find O2 - BHO: My Web Search Bar BHO .....
    I did fix the others and deleted the MyWebSearchWB folder. Ran CCleaner, Ad-Aware SE & Spybot S&D. Then did cleanmgr and checked Temporary Internet Files and Recycle Bin, which were not checked. Ran HijackThis and here is the scan log.
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HJT and have it fix the below entries:

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\ewido\security suite\ewidoctrl.exe (file missing)
    O23 - Service: ewido security suite guard - Unknown owner - C:\Program Files\ewido\security suite\ewidoguard.exe (file missing)

    After you complete the above, your log will be clean. Are you having any further problems?
     
  11. ahjan

    ahjan Private E-2

    I scanned with HJT and fixed the entries you indicated. Then, just to test, I restarted the computer in safe mode using the F8 key and ran CWShredder, which said there was nothing on the computer. Then I restarted and when the computer had booted up I ran msconfig to change the boot.ini file to safe mode and restarted in safe mode that way. Then ran CWShredder and it removed CWSMS.config. Now when you get into safe mode that way, the only way back to normal startup is by using msconfig and changing the boot.ini back to normal. So of course, when you restart, now I have reinfected with CWSMS.config. Would it work if I got to safe mode with networking with msconfig and then ran a HijackThis scan to see if you can see anything? Because at that point I have not run the CWShredder scan, so the CWSMSconfig virus or trojan, whatever it is, should still be there. What do you think?
     
  12. ahjan

    ahjan Private E-2

    This post is in addition to the last one that I added about the safe mode and cwsmsconfig. I was running all the scans on my computer and ran Spybot, but updated it first. All the updates, when I tried to download them, would not download and the error message said bad checksum. So I uninstalled Spybot, tried to reinstall, but the update remained the same. Tried it a third time and still get the bad checksum message. What am I doing wrong, or is something else wrong here?
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just choose another download site and retry downloading updates.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I did not request you run CWShredder. The System Configuration Utility is not a toy and should not be opened unless you're having problems and need to make some changes. Set your computer to "Normal Startup" and reboot. Leave it at this setting!

    Now in normal mode, run CWShredder and select the option to "Scan and Fix" then create a report and attach it to your next log.
     
  15. ahjan

    ahjan Private E-2

    This is the log from the CWShredder scan.
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Still doesn't show what the utility found. I need to know what exactly it's finding. File or a registry entry?
     
  17. ahjan

    ahjan Private E-2

    So what do I do next?
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you running version TM CWShredder 2.19? Run another scan, click SCAN ONLY, and after the scan see if you can find out what exactly it's detecting so we can manually remove it.
     
  19. ahjan

    ahjan Private E-2

    I was running the Merijn version 1.59.1. So I went to the MajorGeeks site and downloaded the Trend Micro version 2.19. So I am including another scan here, since the last scan was with the wrong version.
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Does the new version detect cwsmsconfig? Are you selecting FIX when you scan? If so, what does it do? If not please do so.
     
  21. ahjan

    ahjan Private E-2

    The first time I ran the TM CWShredder, I ran Fix first and it detected nothing. Then I ran a scan, which I forwarded to you. The only time it detects cwsmsconfig is when I run it in safe mode after getting to safe mode via the Run/msconfig method. If I go into safe mode via the F8 key, it detects nothing. The last time I had a problem, which MajorGeeks helped me solve, I was told to periodically run scans in safe mode because when things are running, they cannot always be deleted. That was the problem I had about a year ago. My husband gets emails from people he used to work with and ever since he has been getting these, we get viruses and trojans and worms. So to keep up with the onslaught, I run scans every day and about once a month in safe mode.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you go into Safe Mode by pressing F8 and it doesn't detect it, but it does when you use the msconfig method, I would be willing to bet you don't have any infection, just a false detection.

    Are you having any further problems?
     
  23. ahjan

    ahjan Private E-2

    Why would that happen? It didn't used to do that.
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    There have been many reports that this is a false detection. All of these utilities have some little bugs in them, nothing is perfect.

    Are you having any current problems?
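The thread never pins down what CWShredder was matching, but the one persistent difference between the two routes into Safe Mode is on disk: F8 is a one-shot boot-time choice that writes nothing, while msconfig's BOOT.INI tab adds a /SAFEBOOT switch to C:\boot.ini that stays there until "Normal Startup" is selected again, which is exactly the round trip the poster describes above. The script below is an added example (mine, not the thread's, not CWShredder's and not msconfig's code) that parses a boot.ini, reports which Safe Mode variant the default entry is pinned to, and shows what removing the switch leaves behind. The boot.ini contents in it are constructed for the example; pass a real path as the first argument to inspect an actual file.

```python
"""Added example (not from the MajorGeeks thread, and not CWShredder's code).

On Windows XP there are two ways into Safe Mode: pressing F8 at boot is a
one-shot choice that writes nothing to disk, while msconfig's "/SAFEBOOT"
option is persisted as a switch in C:\\boot.ini and stays there until you
return msconfig to "Normal Startup". This script parses boot.ini and reports
whether the default entry still carries a persistent /SAFEBOOT switch.
The boot.ini text below is constructed for the example.
"""
import re
from dataclasses import dataclass

SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /safeboot:minimal
multi(0)disk(0)rdisk(0)partition(2)\\WINNT="Recovery install" /fastdetect
"""

# An [operating systems] line looks like:  <ARC path>="<display name>" <switches...>
ENTRY_RE = re.compile(r'^(?P<arc>[^=]+?)\s*=\s*"(?P<name>[^"]*)"\s*(?P<switches>.*)$')
# /safeboot, /safeboot:minimal, /safeboot:network, /safeboot:minimal(alternateshell), ...
SAFEBOOT_RE = re.compile(r"/safeboot(?::(\S+))?", re.IGNORECASE)


@dataclass
class BootEntry:
    arc_path: str
    name: str
    switches: list

    def safeboot_mode(self):
        """Return the Safe Mode variant this entry is pinned to, or None."""
        for switch in self.switches:
            match = SAFEBOOT_RE.fullmatch(switch)
            if match:
                return match.group(1) or "minimal"  # a bare /safeboot means minimal
        return None


def parse_boot_ini(text):
    """Return (default ARC path, timeout, [BootEntry, ...]) from boot.ini text."""
    section, default, timeout, entries = None, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "default":
                default = value.strip()
            elif key.strip().lower() == "timeout":
                timeout = int(value.strip())
        elif section == "operating systems":
            match = ENTRY_RE.match(line)
            if match:
                entries.append(BootEntry(match.group("arc").strip(),
                                         match.group("name"),
                                         match.group("switches").split()))
    return default, timeout, entries


def persistent_safe_mode(text):
    """Safe Mode variant the *default* entry will boot into, or None for a normal boot."""
    default, _, entries = parse_boot_ini(text)
    for entry in entries:
        if default and entry.arc_path.lower() == default.lower():
            return entry.safeboot_mode()
    return None


def strip_safeboot(text):
    """What msconfig's 'Normal Startup' does to the file: drop every /SAFEBOOT switch."""
    cleaned = [re.sub(r"\s+/safeboot(?::\S+)?", "", line, flags=re.IGNORECASE)
               for line in text.splitlines()]
    return "\n".join(cleaned) + "\n"


if __name__ == "__main__":
    import sys
    # Pass a real boot.ini path (e.g. C:\boot.ini) to inspect it; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOOT_INI
    mode = persistent_safe_mode(text)
    print("persistent /SAFEBOOT:", mode or "none (normal startup)")
    if mode:
        print("after Normal Startup:", persistent_safe_mode(strip_safeboot(text)))
```

Running it against the constructed sample reports a persistent minimal Safe Mode boot, and None once the switch is stripped; on a real XP box the check is simply whether boot.ini still carries /SAFEBOOT after you believe you have gone back to Normal Startup.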
     
  25. ahjan

    ahjan Private E-2

    The only other problem is the bad checksum issue. I have uninstalled Spybot 6 or 7 times already and then reinstalled from one of your sites, and it takes several reinstalls before I get one that doesn't do the bad checksum. But now it has been working for a couple of weeks, and today once more when I try to download updates I am getting the bad checksum message.
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Choose a different download server and this won't happen.
     
