Hi
With CW-Shredder ver 2.19, I've tried my hardest to get rid of CWS.msconfig.exe.
CW-Shredder removes it ok, and running it again shows it's gone even after a reboot, but if I run msconfig.exe and click on the OK
button it's back, but not clicking on the OK button does not bring it back.
I've changed the msconfig.exe from my original Windows XP disk, but it still returns.

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of its own, such as C:\HJT, so that backup copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed.
Once saved, double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum. Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

Thanks jabuck
Logfile of HijackThis v1.99.1
Scan saved at 22:57:13, on 04/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG Free\avgemc.exe
C:\Program Files\AVG Free\avgcc.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Keylogger Hunter\KeyloggerHunter.exe
C:\Program Files\ntlDial\ntlDial.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\SpybotS&D\TeaTimer.exe
C:\Program Files\MultiProxy\MProxy.exe
C:\PROGRA~1\AVGFRE~1\avgupsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
H:\TEMP\DOWNLOADS\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.surfeu.at/org2/org2.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ntlworld.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CBHO Object - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\SpoofStick\SpoofStick.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ET Phones home] C:\WINDOWS\etph3.exe /v
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FreshDownload - {90E03E79-C632-4126-9229-BB9624FB450A} - C:\Program Files\FreshDownload\fd.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120084582354
O16 - DPF: {713AE1D4-897C-11D2-B2A0-00C04F94B4D5} (WUCorpSuppControl Class) - http://corporate.windowsupdate.microsoft.com/en/wucorpct.CAB
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{02341454-D886-4FCB-82B1-42AE83417877}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{02341454-D886-4FCB-82B1-42AE83417877}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe

I believe you are getting a false positive from cwshredder. Go to start > run > type "msconfig" without the quotes > ok > startup tab > if msconfig.exe is not listed you don't have it. Is msconfig working?
I'm guessing that this is an ISP or a start page you have set up. (R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.surfeu.at/org2/org2.htm)
You can remove these with HT:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present (If you did not set this policy remove it)
Run Ewido and post its results. Download Ewido Security Suite, then set it up this way: Ewido Setup Instructions. Reboot into safe mode by following the directions here and run Ewido.
When the scan has completed, Ewido will create a report.txt file. Click the "Save Report" button on the bottom of the screen and save the log to your desktop in case you need it later.
Please reboot into normal mode and post the ewido log.
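
Added example, not part of the thread or of any poster's message: a Python parser for HijackThis-style log lines that groups entries by section code and lists the two kinds of entries the reply above names for removal (R0/R1 values with no data, and an O6 policy key). The sample lines are taken from the log posted above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.surfeu.at/org2/org2.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# An entry line is "<section code> - <body>", e.g. "R0 - ..." or "O23 - ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# R-section body: <registry key>,<value name> = <data>
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>.*?) =\s*(?P<data>.*)$")

def parse_entries(text):
    """Split a log into (section code, body) pairs; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def by_section(entries):
    """Group entry bodies under their section code (R0, O2, O4, ...)."""
    groups = defaultdict(list)
    for code, body in entries:
        groups[code].append(body)
    return dict(groups)

def review_candidates(entries):
    """Entries of the two kinds the reply lists: empty R0/R1 data, O6 policy."""
    found = []
    for code, body in entries:
        if code in ("R0", "R1"):
            m = REG_VALUE.match(body)
            if m and not m.group("data").strip():
                found.append((code, "empty value: " + m.group("name"), body))
        elif code == "O6":
            found.append((code, "IE policy key present", body))
    return found

if __name__ == "__main__":
    for code, reason, body in review_candidates(parse_entries(SAMPLE_LOG)):
        print(f"{code}  {reason}\n    {body}")
```

The parser only lists entries for a person to review; it changes nothing on the machine.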

Hi jabuck
Msconfig runs ok.
No msconfig.exe running in startup
My startup page
http://members.surfeu.at/org2/org2.htm
NetPal is a dialer I use when my ISP is down
or slow, I've had it for years. But if you think I should remove it altogether, it's no big deal. That's why I
ignored it the first time.
The last one sounds dangerous.
Ewido seems a very good program to buy.
Thanks again for your help.
--------------
ewido anti-malware - Scan report
+ Created on: 05:36:13, 05/02/2006
+ Report-Checksum: 3F5CD348
+ Scan result:
C:\Program Files\NetPal\NetPal.exe -> Heuristic.Win32.Dialer : Ignored
D:\Downloads\NetPal\np15a_beta2.exe/netpal.exe -> Heuristic.Win32.Dialer : Cleaned with backup
D:\WebSites\www.onecomputerguy.com\reg\no_desktop.txt -> Trojan.Nodesktop : Cleaned with backup
::Report End

NetPal is adware and all major antispyware programs will detect it and most will at least quarantine it. I would suggest removing it and keeping a copy on a CD for emergencies.
For a good triple check on your cws problem run aboutbuster 6.0 then install spywareblaster as suggested at this link http://www.besttechie.net/forums/index.php?showtopic=1488

Hi jabuck
Thanks for all your help.
I've got rid of netpal and downloaded
aboutbuster 5, I already have spywareblaster.
Thanks dtech10
