CWShredder FP's

Has this program ever generated false positives?

 

Some....but not that many.

A recent one that was mentioned here at Wilders for the 2.15 can be found in this post.

 

Well I think the new 2.18 has one. It says I have a variant of CWS.Qttasks first discovered in 2003. I ran 2.15 first and it found nothing. followed that up with Spybot which found nothing. Also I have not had the symptoms described. Anyway I created a report and sent it to Trend. Followed up with Panda Activescan and got nothing.

 

Like the post linked to above....it is still burping on some entries that it thinks is CWS.SmartSearch.

209.123.109.175 www.dslreports.com
64.91.226.241 www.wilderssecurity.com

 

CWShredder 2.18.0.1006 is identifying the following registry as CWS.Qttasks:

Code:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

The executable qttask.exe is the Apple’s QuickTime tray icon and is not connected with CWS.Qttasks.

Certainly looks like a false positive to me!!!

 

damn host files always cause false positives. Spybot does them too, much like cwshredder and lots of others.

Top causes of FPs

#1 Host file entries
#2 "Immunization" entries
#3 Restricted zone sites entries
#4 add your own

You would think by now they would have figured out how to avoid #1 and #2. Okay admittedly things are not so simple for #1

 

And i find it ironic that you need cwshredder to tell you have cwshredder. Doesnt adware insist on telling you of its existence by bombarding you with stuff, making tyour browser go wacky etc I suppose there are some ignorant people around who wouldnt care less.

Okay okay i know cwshredder can also remove stuff.

 

deviladvocate:

Look again.

Code:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

Is a HKLM registry startup entry not a HOSTS file entry.

 

Look again. I'm talking about bubba's post and the post he linked to.

 

If you know the history of cwshredder and antispyware you will know hosts file entries as always being a problem with cwshredder.

 

Never had a problem with my 1.2 MB Hosts file with regard to CWShredder, however, Spybot does trigger a false positive with regard to the entry:
127.0.0.1 ZeroSpyware.com which is a safe entry, and thus a false positive!
I even sent email to the developers about it this summer, but no response and the false positive still occurs.

Note: I have to disable my DNS Client service with such a large Hosts file on my WinXP Pro SP2 computer in order to avoid long bootup and ISP login times on the order of 3 minutes vs 30 sec otherwise.

-- Tom

P.S. I use the hosts file from: http://remember.mine.nu/

 

I personally don’t think that this is a false positive. There is no reason that ZeroSpyware.com is being blocked in your HOSTS file. ZeroSpyware was probably being blocked because it was originally listed in the following:

• Rogue/Suspect Anti-Spyware Products & Web Sites
  by Eric L. Howes
  http://www.spywarewarrior.com/rogue_anti-spyware.htm

However, ZeroSpyware has been delisted and therefore no longer warrants being blocked.

Quote from Rogue/Suspect Anti-Spyware Products & Web Sites:

 

Hi,

Thanks for the update - its not that zerospyware.com was being blocked in my Hosts file, but that it would have been blocked by the entry had my browser been directed there (given the possibility of getting there), so the entry itself in the Hosts file was a safety measure entry in that respect.

Although, the entry itself in the Hosts file still triggers a false positive in Spybot instead of being ignored.

-- Tom

 

this just proves my point.

Whether it is a false positive or not is a matter of opinion. You chose to put the entry there, it wasnt put by malware , you don't have malware, so arguably it is a FP. Did you know it caused someone here to format? Not FP my foot.

I really wish AS programs should tell you "we found a host entries to blah blah, this means such domain will be blocked, do you want to unblock?"

Rather then scaring users by yelling "You got superspyware variant xyz", just because it's one of the minor things superspyware variant xyz does.

Helllo? If i really had superspyware variant xyz, that would not be the only thing you found! These programs are really dumb

Of course we super cool power users know how to read the entries, but most people including many here just see the name and panick, saying that despite their impressive protection software, they still get nailed.

Then there are cases of sheer incompetence, some AS can't tell the difference between a site in a restricted zone and trusted zone, while others dont seem to know how to read a cslid killbit.

 

I not really a "… super cool power user …", I am just a buffoon who comes here to cause trouble because Wilders Security Forums allows me to post as an unregistered user.

 

A lot of what you say is very plausible DA....even the part about the buffoon.
To me I see positives out of FP's but not in the respects others might look at them. I see users having the problem coming to Forums and possibly before they leave they have learned something about a Hosts file or were made aware of where to look in the registry for a possible solution. In a way totally removed from the problem at hand. A way of learning the basics of computing which many users are sorely lacking in. Yes....some FP's are sloppy on the programmers part....I mean even tho I ain't even close to being a programmer how hard is it to look for a 2 instead of a 4 when it comes to a Domains entry....or how hard is it to see a 127.0.0.1 entry and move on. So yes....I agree with alot of what you are saying but I personally view it in a differnt light also.

 

The comment about a buffoon Sounds a lot like something I would say, but I think i prefer the term fool. Third time this (where someone used the alias DA to post something that superficially might seem to come from me in the same thread I'm on) happened already.In addition i see people posting as deviladvocate2 in threads I'm not involved in. Cool to see the alias catch on.

I don't really agree with this. Whatever positive that comes out of this FP can possibily be outweighted by all the negatives that a FP brings. Besides, sometimes I wonder if the person actually learns anything, other than some expert tells him , he is not infected.

 

As the name of the CWS infection indicates the name of the executable was qttasks.exe

The startup entry would look like:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
QuickTime Task = %Windir%\qttasks.exe

Where %Windir% is the Windows directory
Example: http://www.spywareinfoforum.com/index.php?showtopic=2549

On the positive side: it shows work is being done on CWShredder.

 

FP has been fixed in CWS 2.19

 

Fixed?

I note that CWS Qttasks is listed in CWS 2.15 and 2.18.

I too had FP with qttask in 2.18.

Now in CWS2.19 Qttasks is no longer on the list of detected CWS variants as far as I can see.

Is this a fix or an ignore?

Regards

 

Over last week I was in contact with Intermute about two possible false positives, one of which I see in the above messages. I ran Intermute's Dr. Diag to collect infomation about my system, and suggested they might need my registry as well which I provided by uploads. When one of their engineers suggested the problem might be with my Hosts file, I became curious and did the following:

1) Renamed Hosts file and ran cwshredder v 2.18 - and the problem disappeared!
2) Since I had modified my Hosts file, I imported a new version, and ran cwshredder v 2.18 and no problem.
3) While running v2.18 previously, I had always immediately experienced the return of the detection of CWS.Svchost32 and CWS.SmartSearch aka BHJK_CoolwebSearch, however, for some reason I now was seeing sometimes one of the above being removed - I think once I removed the Read-Only attribute from the Hosts file. So, over the weekend I was able to narrow the FPs down to:

64.91.226.241 www.wilderssecurity.com <- CWS.SmartSearch
216.239.37.147 news.google.com <- CWS.Svchost32

I left my Hosts file with modifications including the Spybot S&D mods on Intermute's website for my ticket regarding Trend Micro's AntiSpyware 3.0 which I have been trialing (it only had CWShredder v2.15 packaged).

Since the above IP addresses are valid, I suppose Intermute will need some time to analyze all of the permutations (i.e. range) of valid (IP addresses) in order to eliminate these FPs - the CWShredder v2.19 update did not include a fix for the above FPs.

-- Tom