CWShredder FP's

Discussion in 'other anti-malware software' started by The Hammer, Oct 26, 2005.

Thread Status:
Not open for further replies.
  1. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Has this program ever generated false positives?
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Some....but not that many.

    A recent one that was mentioned here at Wilders for the 2.15 can be found in this post.
     
  3. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Well I think the new 2.18 has one. It says I have a variant of CWS.Qttasks first discovered in 2003. I ran 2.15 first and it found nothing. Followed that up with Spybot which found nothing. Also I have not had the symptoms described. Anyway I created a report and sent it to Trend. Followed up with Panda Activescan and got nothing.
     
    Last edited: Oct 27, 2005
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
  5. Peeved McAfee User

    Peeved McAfee User Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    76
    CWShredder 2.18.0.1006 is identifying the following registry entry as CWS.Qttasks:

    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    The executable qttask.exe is Apple's QuickTime tray icon and is not connected with CWS.Qttasks.

    Certainly looks like a false positive to me!!!
     
  6. damn host files always cause false positives. Spybot does them too, much like cwshredder and lots of others.

    Top causes of FPs

    #1 Host file entries
    #2 "Immunization" entries
    #3 Restricted zone sites entries
    #4 add your own

    You would think by now they would have figured out how to avoid #1 and #2. Okay, admittedly things are not so simple for #1.
     
    And I find it ironic that you need cwshredder to tell you you have cwshredder. Doesn't adware insist on telling you of its existence by bombarding you with stuff, making your browser go wacky, etc.? I suppose there are some ignorant people around who wouldn't care less.

    Okay okay i know cwshredder can also remove stuff.
     
  8. Peeved McAfee User

    Peeved McAfee User Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    76
    deviladvocate:

    Look again.

    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    is an HKLM registry startup entry, not a HOSTS file entry.
     
  9. Look again. I'm talking about bubba's post and the post he linked to.
     
  10. If you know the history of cwshredder and antispyware you will know hosts file entries as always being a problem with cwshredder.
     
  11. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,089
    Never had a problem with my 1.2 MB Hosts file with regard to CWShredder, however, Spybot does trigger a false positive with regard to the entry:
    127.0.0.1 ZeroSpyware.com which is a safe entry, and thus a false positive!
    I even sent email to the developers about it this summer, but no response and the false positive still occurs.

    Note: I have to disable my DNS Client service with such a large Hosts file on my WinXP Pro SP2 computer in order to avoid long bootup and ISP login times on the order of 3 minutes vs 30 sec otherwise.

    -- Tom

    P.S. I use the hosts file from: http://remember.mine.nu/
     
  12. Peeved McAfee User

    Peeved McAfee User Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    76
    I personally don’t think that this is a false positive. There is no reason that ZeroSpyware.com is being blocked in your HOSTS file. ZeroSpyware was probably being blocked because it was originally listed in the following:
    However, ZeroSpyware has been delisted and therefore no longer warrants being blocked.

    Quote from Rogue/Suspect Anti-Spyware Products & Web Sites:

     
    Last edited: Oct 27, 2005
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,089
    Hi,

    Thanks for the update - it's not that zerospyware.com was being blocked in my Hosts file, but that it would have been blocked by the entry had my browser been directed there (given the possibility of getting there), so the entry itself in the Hosts file was a safety measure entry in that respect.

    Although, the entry itself in the Hosts file still triggers a false positive in Spybot instead of being ignored.

    -- Tom
     
  14. this just proves my point. :)

    Whether it is a false positive or not is a matter of opinion. You chose to put the entry there, it wasn't put there by malware, you don't have malware, so arguably it is a FP. Did you know it caused someone here to format? Not FP my foot.

    I really wish AS programs would tell you "we found host entries to blah blah, this means such domain will be blocked, do you want to unblock?"

    Rather than scaring users by yelling "You got superspyware variant xyz", just because it's one of the minor things superspyware variant xyz does.

    Hello? If I really had superspyware variant xyz, that would not be the only thing you found! These programs are really dumb :(

    Of course we super cool power users know how to read the entries, but most people including many here just see the name and panic, saying that despite their impressive protection software, they still get nailed.

    Then there are cases of sheer incompetence, some AS can't tell the difference between a site in a restricted zone and trusted zone, while others don't seem to know how to read a CLSID killbit.
     
  15. I not really a "… super cool power user …", I am just a buffoon who comes here to cause trouble because Wilders Security Forums allows me to post as an unregistered user.
     
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    A lot of what you say is very plausible DA....even the part about the buffoon.
    To me I see positives out of FP's but not in the respects others might look at them. I see users having the problem coming to Forums and possibly before they leave they have learned something about a Hosts file or were made aware of where to look in the registry for a possible solution. In a way totally removed from the problem at hand. A way of learning the basics of computing which many users are sorely lacking in. Yes....some FP's are sloppy on the programmer's part....I mean even tho I ain't even close to being a programmer how hard is it to look for a 2 instead of a 4 when it comes to a Domains entry....or how hard is it to see a 127.0.0.1 entry and move on. So yes....I agree with a lot of what you are saying but I personally view it in a different light also.
     
    The comment about a buffoon sounds a lot like something I would say, but I think I prefer the term fool. Third time this (where someone used the alias DA to post something that superficially might seem to come from me in the same thread I'm on) happened already. In addition I see people posting as deviladvocate2 in threads I'm not involved in. Cool to see the alias catch on.

    I don't really agree with this. Whatever positive that comes out of this FP can possibly be outweighed by all the negatives that a FP brings. Besides, sometimes I wonder if the person actually learns anything, other than some expert tells him he is not infected.
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    As the name of the CWS infection indicates, the name of the executable was qttasks.exe.

    The startup entry would look like:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    QuickTime Task = %Windir%\qttasks.exe

    Where %Windir% is the Windows directory.
    Example: http://www.spywareinfoforum.com/index.php?showtopic=2549

    On the positive side: it shows work is being done on CWShredder. :D
     
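To show why the two startup entries quoted in this thread should be told apart by the program's path rather than by the "QuickTime Task" value name, here is an added example of mine (not code from CWShredder or from any poster) that parses a .reg-style export and classifies both entries. The sample export and the list of Windows-directory spellings are constructed assumptions for the example.

```python
import ntpath
import re

# Constructed sample: the Apple QuickTime entry quoted in this thread, plus the
# CWS.Qttasks entry as Pieter_Arntz describes it (assumed %Windir% = C:\WINDOWS).
REG_SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\\WINDOWS\\qttasks.exe"
'''
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
WINDOWS_DIRS = ('c:\\windows', 'c:\\winnt', '%windir%')   # assumption

def parse_reg(text):
    """Yield (key, value_name, data) from a .reg export, undoing its escapes."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2).replace('\\"', '"').replace('\\\\', '\\')

def executable_path(data):
    """Program path from a Run value: the quoted path, else the first token."""
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split()[0]

def classify_run_entry(name, data):
    """Path-based verdict: only qttasks.exe in the Windows directory is the CWS
    variant; qttask.exe under a QuickTime folder is Apple's tray icon."""
    path = executable_path(data)
    base, folder = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
    if base == 'qttasks.exe' and folder in WINDOWS_DIRS:
        return 'CWS.Qttasks'
    if base == 'qttask.exe' and folder.endswith('\\quicktime'):
        return 'legitimate'
    return 'review' if name.lower() == 'quicktime task' else 'unrelated'

def scan(text, by_name_only=False):
    """by_name_only mimics a value-name-only match, which flags Apple's entry too."""
    out = []
    for key, name, data in parse_reg(text):
        if by_name_only:
            verdict = 'CWS.Qttasks' if name.lower() == 'quicktime task' else 'unrelated'
        else:
            verdict = classify_run_entry(name, data)
        out.append((key.split('\\')[0], name, verdict))
    return out
```

Running scan(REG_SAMPLE, by_name_only=True) flags both entries as CWS.Qttasks, which is the false positive; the path-based scan(REG_SAMPLE) flags only the qttasks.exe entry.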
  19. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    FP has been fixed in CWS 2.19
     
  20. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Fixed?

    I note that CWS Qttasks is listed in CWS 2.15 and 2.18.

    I too had FP with qttask in 2.18.

    Now in CWS2.19 Qttasks is no longer on the list of detected CWS variants as far as I can see.

    Is this a fix or an ignore?:doubt:

    Regards
     
  21. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,089
    Over the last week I was in contact with Intermute about two possible false positives, one of which I see in the above messages. I ran Intermute's Dr. Diag to collect information about my system, and suggested they might need my registry as well, which I provided by uploads. When one of their engineers suggested the problem might be with my Hosts file, I became curious and did the following:

    1) Renamed Hosts file and ran cwshredder v 2.18 - and the problem disappeared!
    2) Since I had modified my Hosts file, I imported a new version, and ran cwshredder v 2.18 and no problem.
    3) While running v2.18 previously, I had always immediately experienced the return of the detection of CWS.Svchost32 and CWS.SmartSearch aka BHJK_CoolwebSearch, however, for some reason I now was seeing sometimes one of the above being removed - I think once I removed the Read-Only attribute from the Hosts file. So, over the weekend I was able to narrow the FPs down to:

    64.91.226.241 www.wilderssecurity.com <- CWS.SmartSearch
    216.239.37.147 news.google.com <- CWS.Svchost32

    I left my Hosts file with modifications including the Spybot S&D mods on Intermute's website for my ticket regarding Trend Micro's AntiSpyware 3.0 which I have been trialing (it only had CWShredder v2.15 packaged).

    Since the above IP addresses are valid, I suppose Intermute will need some time to analyze all of the permutations (i.e. range) of valid (IP addresses) in order to eliminate these FPs - the CWShredder v2.19 update did not include a fix for the above FPs.

    -- Tom
     
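The handling asked for in post 14 (report which domain a Hosts entry blocks and offer to unblock it) and Bubba's point that a 127.0.0.1 entry can simply be passed over, applied to the Hosts lines Tom lists above, as an added example of mine rather than code from any scanner or poster. The sample Hosts file is constructed (the two IPs are the ones posted above); the triage deliberately cannot decide whether a non-loopback mapping is a valid pin or a hijack, so it reports those entries as questions for the user instead of a variant name.

```python
import ipaddress

# Constructed sample HOSTS file: the blocking entry Spybot flagged for Tom, the
# two non-loopback mappings he narrowed the CWShredder FPs down to (IPs as
# posted), and the default localhost line.
HOSTS_SAMPLE = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       ZeroSpyware.com
0.0.0.0         ads.example.invalid
64.91.226.241   www.wilderssecurity.com
216.239.37.147  news.google.com
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and bad lines are skipped."""
    for raw in text.splitlines():
        parts = raw.split('#', 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield ip, host

def triage_entry(ip, host):
    """Verdict for one entry. Loopback/0.0.0.0 entries block a name (what users
    add on purpose); anything else silently redirects it, which is the pattern
    a hijacker uses, so ask the user instead of announcing a variant name."""
    if host == 'localhost' and ip.is_loopback:
        return 'system', f'{host} -> {ip}: default entry'
    if ip.is_loopback or ip.is_unspecified:
        return 'block', f'{host} is blocked (points to {ip}); unblock it?'
    return 'redirect', f'{host} is sent to {ip} instead of DNS; is this intended?'

def triage_hosts(text):
    """Return [(host, verdict, message)] for every entry in the file."""
    return [(host, *triage_entry(ip, host)) for ip, host in parse_hosts(text)]

def needs_review(text):
    """Only the redirect entries; the 127.0.0.1 lines are simply skipped."""
    return [host for host, verdict, _ in triage_hosts(text) if verdict == 'redirect']
```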