BleepingComputer.com: CWS Shredder 2.0 is now available from InterMute

CWShredder Version 2.0 is now available as a free cleaning tool against the latest CoolWebSearch variants. Hopefully, this updated tool can help the HJT team here which provides a valuable service for users.



What's New With CWShredder?

Originally developed by Merijn Bellekom of the Netherlands, CWShredder is now owned and maintained by InterMute. CWShredder has been updated to include new CoolWebSearch variants. Use in conjunction with SpySubtract for the strongest defense against Spyware threats.

CWS Shredder 2.0 is now available from InterMute
http://www.intermute.com/spysubtract/cwshr...r_download.html

This new version of CWShredder targets a new variant that they call CWS.HiddenDLL. This HiddenDLL variant we assumed was for the Appinit_DLLs version.

It turns out that if you have certain entries in your Hosts file, it will say you have this HiddenDLL variant, and remove those entries from your hosts file. These entries are as follows:

ad.ca.doubleclick.net
ad.uk.doubleclick.net
ads.x10.com
leader.linkexchange.com
ln.doubleclick.net
m.doubleclick.net
m2.doubleclick.net
focusin.ads.targetnet.com
ads-03.tor.focusin.ads.targetnet.com
ads.fortunecity.com
media19.fastclick.net
media.fastclick.net
media.popuptraffic.com
adserv.internetfuel.com
ads.specificpop.com
iv.doubleclick.net
banners.valuead.com
webpdp.gator.com
ads.specificclick.com
a.tribalfusion.com

These entries are common to find in HOSTS files and we are not sure why Cwshredder is seeing them as bad. For now I am seeing it as a false positive and am not advising people use this version as of yet, but continue to use the version found here:

CWShredder 1.59.1 Download Link

Please use this thread for discussing other issues you may find.

Here is a question I havn't seen addressed yet in the many threads I'm watching.............Does the new Shredder work on the old stufff? Variants we know the old one did? Guess I'll post this in the other forums too.

Thats a really good question. I am not sure too be honest. I have not put it to use on any of the older variants. If I run into one, I will give it a try and see how it works

I received this information from someone:

Saturday 12-11-2004
From: Jack Gulley

This morning I downloaded the CWShredder.exe version 2.11 file directly from the InterMute web site and ran a Scan on my system. It reported the following infections:

CWS.Svchost32
CWS.Therealsearch
CWS.Aboutblank
CWS.Jksearch

I think NOT!
CWShredder v1.59.1 runs clean without any detection on the same system.

I then removed my HOSTS file and ran a CWShredder v2.11 Scan again, and it showed no infections.
Sounds like there is still a problem with "false positives" because of valid HOSTS file entries.

My HOSTS file is dated 8-4-2003 when I last removed an entry from it, and is otherwise much older than that. A compare with a CD-R backup copy made a year ago shows no changes to my file. So there is no way any recent version of CWS could have altered my HOSTS file. Period.

However, I then ran CWShredder v2.11 in FIX mode.
It reported that if "fixed" the above listed infections.

Hum... Nothing showed up in the Recycle Bin.

Oops.. My 386K HOSTS file is now 677K in size.

15 blank lines have been added between every existing line including between the comments at the start of the file. Not good. It is hard to read now and wastes memory when loaded!

And what is this??? CWShredder v2.11 at the same exact time created a HOSTS.BAK at 508K size with "only" seven blank lines between each original entry line. Go figure that game plan, of going from zero to 7 to 15 blank lines while destroying the original?

Ooooh S**T.. There are a lot of entries missing from my now over bloated HOST file.

Entries like: 0.0.0.0 ad.yahoo.com

All YAHOO.COM entries are gone but not those like ad.img.yahoo.co.kr
And a lot of others.

Attitude = ON
Restore HOSTS file from CD-R
Add polite warning about CWShredder v2.11 to web page.
http://users.adelphia.net/~jgulley/me/index.html#CWShredder
Pour Stiff drink.

I DLed standalone 2.11, ran a scan only, came up clean, nothing found. Most others have not found any troubles with it.

Here is another thread where they(CWShredder suppport) say what they are removing, tho, no one in the wild can validate that yet.

http://forums.spywareinfo.com/index.php?showtopic=36207&st=0


And the one I mentioned about most not having troubles:
http://forum.aumha.org/viewtopic.php?t=10023&highlight=

I seem to have had the same false positives. I know that in the past certain entries in the hosts file that Spyblocker generates have caused problems for CWS...

Like CLJ's comment, though I'd checked the "save in Recycle bin", the bin is empty.

I've got a few things that update the hosts file, in the main I think that it's Spyblocker, as from what I remember, IESPyAd & SpywareGuard/ Blaster work in a slightly different way.

It would be interesting to know, of those who have had the false positives, what other software you have on the PC, as that might help to work out why most aren't having it. (I'm inclined to think that it's Spyblocker - as it's not free, fewer people have it than SpywareGuard etc.)