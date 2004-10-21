
Re: CWShredder Hidden_DLL Poll
by roddy32 / October 21, 2004 8:03 AM PDT
I've been wanting to join the forum because I enjoy learning so I just did and I voted. I'm showing clean on the hidden_.DLL (It says not present) but I've had a problem with the new version of the shredder closing on me, telling me that cool web search trojan "cws.smart.search.2" is trying to close the program (or something to that effect) and to click OK if I'm not really infected (which I'm not) and rescan. I do that and the whole second scan comes up clean. I DO have the new version 2.0. I haven't checked on the forum to see if the error is an issue or not yet.
Thanks Grinler
Re: CWShredder Hidden_DLL Poll
by dlhan / October 21, 2004 8:29 AM PDT
I keep having the problem of CW Shredder removing some entries from my HOSTS file. I don't feel they should be removed. This problem was supposed to have been corrected in an earlier version of CW Shredder. Anyone else seeing this problem?
Re: CWShredder Hidden_DLL Poll
Hi,
Be sure that your host files were not altered. A user discovered the same before. His host file was altered that is why CWShredder is finding CW variant. See - http://forums.spywareinfo.com/lofiversion/index.php/t13070.html
I suggest that you download Hoster from http://members.aol.com/toadbee/hoster.zip
Extract Hoster.exe in your desktop. Open Hoster folder. Run Hoster.exe.
Press 'Restore Original Hosts' and press 'OK'
Exit the program when done.
Run Hoster.exe again. If it's not protected, you will see at the right pane --> "Your Host file is editable. Click the button to make it read only". Click if you want to protect your host file. If not, leave it. Use a program like WinPatrol that will alert you every time there is a new entry added or if the host file has been edited with or without your knowledge.
Reboot the system. Run CWShredder. See if it will still find anything again.
Re: CWShredder Hidden_DLL Poll
by dlhan / October 22, 2004 2:33 AM PDT
Followed your instructions, it always finds cws.svchost32
cws.smartsearch
cws.jksearch
cws.hiddendll
in the HPguru's host file but when I switch to MVP's host file it is always clean.
Re: CWShredder Hidden_DLL Poll
Hi,
AFAIK, that bug in CWShredder was found in earlier versions of CWShredder but was fixed when 1.49.1 was released last February 2004.
To make sure you are clean now or no other applications will interrupt, you might want to run CWShredder in Safe mode or send a HijackThis log in any forums listed in http://www.a-sap.org that offers HijackThis log assistance. One of them is Grinlers' site - http://www.bleepingcomputer.com/forums/
Re: CWShredder Hidden_DLL Poll
by dlhan / October 22, 2004 3:26 AM PDT
Donna, I tried this first. I redownloaded another copy of HP's host file to be sure it was a clean copy. Installed it as my hosts file. Copied it to a separate text file, then ran CWShredder, copied the new hosts file to a text file. I then used a file comparer to compare the before and after HOSTS files. CW Shredder had deleted many entries including almost all that had the word search in it. I also found that if I disable the HOSTS file CWShredder finds no coolweb variants.
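The before/after HOSTS comparison described in the post above, as an added example that is not part of the original thread: it parses two HOSTS snapshots and lists hostnames that were removed, added or re-pointed between them. The sample file contents and hostnames are constructed, and the function names are this example's own.

```python
def parse_hosts(text):
    """Return {hostname: address} for every mapping in a HOSTS file body."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop full-line and inline comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank line, or address with no name
        address, names = fields[0], fields[1:]
        for name in names:                     # one line may map several names
            entries[name.lower()] = address    # hostnames are case-insensitive
    return entries


def diff_hosts(before_text, after_text):
    """Compare two HOSTS snapshots taken before and after a cleaner ran."""
    before, after = parse_hosts(before_text), parse_hosts(after_text)
    return {
        "removed": sorted(h for h in before if h not in after),
        "added": sorted(h for h in after if h not in before),
        # same name, different address: the case that indicates a redirect
        "changed": sorted(h for h in before if h in after and before[h] != after[h]),
    }


def removed_matching(removed, keyword="search"):
    """Removed hostnames containing a keyword, e.g. the word 'search'."""
    return [h for h in removed if keyword in h]


# Constructed sample snapshots (placeholder hostnames, not from the thread).
BEFORE = """\
# blocklist-style HOSTS file
127.0.0.1 localhost
127.0.0.1 ads.example.com
127.0.0.1 search.tracker.example   # inline comment
127.0.0.1 WebSearch.example.net toolbar.example.net
0.0.0.0 banner.example.org
"""
AFTER = """\
127.0.0.1 localhost
127.0.0.1 ads.example.com
127.0.0.1 toolbar.example.net
0.0.0.0 banner.example.org
"""

if __name__ == "__main__":
    result = diff_hosts(BEFORE, AFTER)
    print("removed:", result["removed"])
    print("removed containing 'search':", removed_matching(result["removed"]))
    print("added:", result["added"], "changed:", result["changed"])
```
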
Good work in testing it! :-)
Then that can be a proof that CWShredder doesn't play nice with hpgurus since you got new copy of host file (un-altered copy).
I still want to suggest that you post your HijackThis log in forums that offer the assistance if you want to be 90% sure that there is really no CW variant there.
Re: CWShredder Hidden_DLL Poll
Hi Roddy
Thanks for voting there. It will sure help the HJT experts to find out whether the Hidden_dll that the v2 is finding is false positive or not.
With regards to cws.smart.search.2 that it is alerting you, this was reported in previous version of CWShredder too. Try to check whether you have this entry:
HKCU\Software\CWShredder
If yes, backup your registry then delete the CWShredder entry from HKCU\Software
Reboot when done. Run CWShredder v2 again.
If none, try running CWShredder in Safe mode. Let it fix what it will find. See if there's an alert again.
Re: CWShredder Hidden_DLL Poll
by roddy32 / October 21, 2004 9:56 PM PDT
I'm showing my ignorance here Donna. LOL Where would I look for HKCU\Software\CWShredder? I can't find anything named HKCU anywhere on the computer and I have never been into the registry before. I did a search of the computer and I also don't see anything like that on the Task Manager anywhere. I only get this alert every 3rd or 4th time that I run CWShredder. If I run it again, it shows everything clean. Also Ad-Aware SE, Spybot S&D, Trend Micro Housecall and NAV 2004 aren't showing anything either. I'm having absolutely no trouble with the computer at all.
Re: CWShredder Hidden_DLL Poll
Sorry for incomplete info on how to find it.
Open Registry Editor by typing REGEDIT in Run box. Navigate thru the keys at the left to verify that there is no such key there.
Re: CWShredder Hidden_DLL Poll
by roddy32 / October 22, 2004 3:16 AM PDT
Hi Donna
I went to Microsoft earlier today and figured out how to get to the Registry but I was still a little confused. I've never had a reason to go there before. LOL This is what I did. I went to the registry and went to HKEY_CURRENT_USER. I scrolled down and found the software key and expanded it. I see nothing there for CWSHREDDER at all. I realize that Intermute just bought them so I checked for that too which was under HP. This computer is a Compaq which was bought out by HP and it came with a trial version of PopSubtract from Intermute which I didn't like so I uninstalled it so there is nothing in that folder. Could it be listed under anything else? Like I said before, I think it's just a glitch with CWShredder but I want to make sure. LOL I should know all this stuff because I've had computers for quite a few years but I've never had anybody teach me anything so I learn as I go along. I DO remember things when I learn them though. LOL
Good to hear that there's no such entry Roddy :)
That's the only place where Merijn ask a user last time in another forum.
You can try to verify that all is ok by doing the following:
1. Get HijackThis from http://www.spywareinfo.com/~merijn/files/HijackThis.exe
Scan then save the log in your desktop.
2. Run CWShredder v2.0 again
3. Run HijackThis again and save the log in another location or save the file as hijackthis2.log in the desktop
If CWShredder v2 found anything again, post the copies of the log in http://www.dozleng.com/updates/index.php?showtopic=2331 - CWShredder v2 Hidden_dll file poll that will be checked by Grinler and other HijackThis Experts that are watching that poll.
If CWShredder v2 will say you're clean again, just send the copy of your 2nd log to any forums that offer HijackThis analysis. These forums are listed in http://www.a-sap.org
One of them is Grinlers' site - http://www.bleepingcomputer.com/forums/tutorials.html
Re: Good to hear that there's no such entry Roddy :)
by roddy32 / October 22, 2004 4:05 AM PDT
OK Donna, I did run HijackThis and saved the log, ran CWShredder again and I was clean so I ran it again and I got the same error so I ran it a third time and I was clean again. I ran another HijackThis and saved that log and compared the 2 and they look identical to me and I see nothing suspect at all in the logs. I recognize everything in the logs. I am positive that this is a glitch of some sort. (I think LOL)