
CWS Shredder 2.0 is now available from InterMute


6 replies to this topic

#1 harrywaldron


Posted 20 October 2004 - 05:15 AM

CWShredder Version 2.0 is now available as a free cleaning tool against the latest CoolWebSearch variants. Hopefully, this updated tool can help the HJT team here which provides a valuable service for users. :thumbsup:


What's New With CWShredder?

Originally developed by Merijn Bellekom of the Netherlands, CWShredder is now owned and maintained by InterMute. CWShredder has been updated to include new CoolWebSearch variants. Use in conjunction with SpySubtract for the strongest defense against Spyware threats.

CWS Shredder 2.0 is now available from InterMute
http://www.intermute.com/spysubtract/cwshr...r_download.html


#2 Grinler


Posted 22 October 2004 - 04:54 PM

This new version of CWShredder targets a new variant that they call CWS.HiddenDLL. This HiddenDLL variant we assumed was for the Appinit_DLLs version.

It turns out that if you have certain entries in your Hosts file, it will say you have this HiddenDLL variant, and remove those entries from your hosts file. These entries are as follows:

ad.ca.doubleclick.net
ad.uk.doubleclick.net
ads.x10.com
leader.linkexchange.com
ln.doubleclick.net
m.doubleclick.net
m2.doubleclick.net
focusin.ads.targetnet.com
ads-03.tor.focusin.ads.targetnet.com
ads.fortunecity.com
media19.fastclick.net
media.fastclick.net
media.popuptraffic.com
adserv.internetfuel.com
ads.specificpop.com
iv.doubleclick.net
banners.valuead.com
webpdp.gator.com
ads.specificclick.com
a.tribalfusion.com

These entries are common to find in HOSTS files and we are not sure why CWShredder is seeing them as bad. For now I am seeing it as a false positive and am not advising people to use this version as of yet, but to continue to use the version found here:

CWShredder 1.59.1 Download Link

Please use this thread for discussing other issues you may find.

Edited by Grinler, 23 October 2004 - 08:48 PM.


#3 TeMerc


Posted 25 October 2004 - 11:57 AM

Here is a question I haven't seen addressed yet in the many threads I'm watching... Does the new Shredder work on the old stuff? Variants we know the old one did? Guess I'll post this in the other forums too.
Calendar of Updates
Malware Advisor Blog
HijackThis! Trusted Advisor
Ultimate Countermeasures Page
TeMerc Internet Countermeasures
Remember, you can NEVER be OVERPROTECTED!!!
Proud Member of the Alliance of Security Analysis Professionals

#4 Grinler


Posted 25 October 2004 - 12:08 PM

That's a really good question. I am not sure, to be honest. I have not put it to use on any of the older variants. If I run into one, I will give it a try and see how it works.

#5 CLJ


Posted 12 December 2004 - 04:00 AM

I received this information from someone:

Saturday 12-11-2004
From: Jack Gulley

This morning I downloaded the CWShredder.exe version 2.11 file directly from the InterMute web site and ran a Scan on my system. It reported the following infections:

CWS.Svchost32
CWS.Therealsearch
CWS.Aboutblank
CWS.Jksearch

I think NOT!
CWShredder v1.59.1 runs clean without any detection on the same system.

I then removed my HOSTS file and ran a CWShredder v2.11 Scan again, and it showed no infections.
Sounds like there is still a problem with "false positives" because of valid HOSTS file entries.

My HOSTS file is dated 8-4-2003 when I last removed an entry from it, and is otherwise much older than that. A compare with a CD-R backup copy made a year ago shows no changes to my file. So there is no way any recent version of CWS could have altered my HOSTS file. Period.

However, I then ran CWShredder v2.11 in FIX mode.
It reported that it "fixed" the above listed infections.

Hum... Nothing showed up in the Recycle Bin.

Oops.. My 386K HOSTS file is now 677K in size.

15 blank lines have been added between every existing line including between the comments at the start of the file. Not good. It is hard to read now and wastes memory when loaded!

And what is this??? CWShredder v2.11 at the same exact time created a HOSTS.BAK at 508K size with "only" seven blank lines between each original entry line. Go figure that game plan, of going from zero to 7 to 15 blank lines while destroying the original?

Ooooh S**T.. There are a lot of entries missing from my now over bloated HOST file.

Entries like: 0.0.0.0 ad.yahoo.com

All YAHOO.COM entries are gone but not those like ad.img.yahoo.co.kr
And a lot of others.

Attitude = ON
Restore HOSTS file from CD-R
Add polite warning about CWShredder v2.11 to web page.
http://users.adelphia.net/~jgulley/me/index.html#CWShredder
Pour Stiff drink.
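
The comparison against a known-good backup described in the post above can be scripted. This is an added example, not part of the original thread and not code from CWShredder or InterMute; the function names and the sample file contents are constructed for illustration.

```python
# Added example: audit a HOSTS file against a known-good backup copy.
# Function names and all sample file contents are constructed for illustration.

def parse_hosts(text):
    """Return {hostname: address} for every mapping line, ignoring comments."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # address with no hostname
        for name in fields[1:]:                # one line may carry aliases
            entries[name.lower()] = fields[0]
    return entries

def longest_blank_run(text):
    """Length of the longest run of consecutive blank lines."""
    longest = current = 0
    for line in text.splitlines():
        current = current + 1 if not line.strip() else 0
        longest = max(longest, current)
    return longest

def audit_hosts(backup_text, current_text):
    """Summarise what changed between the backup and the current file."""
    before, after = parse_hosts(backup_text), parse_hosts(current_text)
    common = before.keys() & after.keys()
    return {
        "removed": sorted(set(before) - set(after)),   # blocks silently lost
        "added": sorted(set(after) - set(before)),     # possible hijack entries
        "changed": sorted(h for h in common if before[h] != after[h]),
        "longest_blank_run": longest_blank_run(current_text),
    }

# Constructed sample: a backup copy and the same file after a "fix" run that
# dropped two blocking entries and padded the file with 15 blank lines.
BACKUP = ("# my blocklist\n127.0.0.1 localhost\n0.0.0.0 ad.yahoo.com\n"
          "0.0.0.0 ad.img.yahoo.co.kr\n0.0.0.0 m.doubleclick.net\n")
PAD = "\n" * 15
AFTER_FIX = ("# my blocklist\n" + PAD + "127.0.0.1 localhost\n" + PAD +
             "0.0.0.0 ad.img.yahoo.co.kr\n")

if __name__ == "__main__":
    for key, value in audit_hosts(BACKUP, AFTER_FIX).items():
        print(f"{key}: {value}")
```

Run it before and after any cleaning tool touches the file: a non-empty "removed" list shows blocking entries that were dropped, while "added" or "changed" entries are the ones to inspect for redirection.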

#6 TeMerc


Posted 12 December 2004 - 11:14 AM

I DLed standalone 2.11, ran a scan only, came up clean, nothing found. Most others have not found any troubles with it.

Here is another thread where they (CWShredder support) say what they are removing, tho, no one in the wild can validate that yet.

http://forums.spywareinfo.com/index.php?showtopic=36207&st=0


And the one I mentioned about most not having troubles:
http://forum.aumha.org/viewtopic.php?t=10023&highlight=

#7 Emmadw


Posted 30 January 2005 - 05:46 PM

I seem to have had the same false positives. I know that in the past certain entries in the hosts file that Spyblocker generates have caused problems for CWS...

Like CLJ's comment, though I'd checked the "save in Recycle bin", the bin is empty.

I've got a few things that update the hosts file, in the main I think that it's Spyblocker, as from what I remember, IESPyAd & SpywareGuard/ Blaster work in a slightly different way.

It would be interesting to know, of those who have had the false positives, what other software you have on the PC, as that might help to work out why most aren't having it. (I'm inclined to think that it's Spyblocker - as it's not free, fewer people have it than SpywareGuard etc.)



