[CWShredder Service]

Discussion in 'other anti-malware software' started by flinchlock, Mar 16, 2005.

Thread Status:
Not open for further replies.
  1. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi flinchlock,

    From reading your post at dslr (though I am having some trouble refreshing the page over there at the moment) it does appear you've downloaded CWShredder from the correct location: http://www.intermute.com/spysubtract/cwshredder_download.html

    It may be that you have run the program (pressed *fix) and it requires a reboot to finish cleaning your system? Have you tried a reboot yet?
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Doing another quick search from other logs that show CWShredder.exe running as a service, they also have the program from Intermute, SpySubtract Pro that includes CWShredder. Do you have SpySubtract Pro installed and running? It does look like CWShredder runs as a service under the SpySubtract app, though I am not that familiar with SpySubtract since I don't have that program installed myself. I just use the standalone CWShredder file.
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    flinchlock - I have moved your thread over into the Privacy Software forum as this seems more like a 'service' (CWShredder) that is installed and runs under the program SpySubtract Pro.

    Services that install as part of a software package are sometimes set up by default to run at system startup. These services will show up in the O23 line of a HijackThis log. Yes, many malware 'services' also put themselves into the Windows startup group, but many legitimate services run there too.

    If you indeed do have SpySubtract Pro installed and set to start up when you start your computer, then I would look at the startup options in SpySubtract Pro and see if that sheds any more light on it. It may be that CWShredder starts up as a service to check for updates and you may be able to turn that option off within the SpySubtract program.

    Definitely do examine it in more detail, and let us know what you find.

    Regards,

    snap
     
  5. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Sorry for the late reply... geez, the kids need the phone to call friends! :))

    The only security programs I have at the moment (I'm in the middle of a rebuild), are Symantec Corp Anti-Virus 9.0.3, HiJackThis 1.99.1, and CWShredder 2.13.

    I don't have SpySubtract anything. Also, every time I reboot, I "hear" Dr Watson crash before I login.

    Does your CWS program have the same md5sum ( http://etree.org/md5com.html ) as I do? ( d6a1efc99c7908c1f8092ee5ac8e0b3b )

    Is it possible InterMute has links or programs crossed between their products?

    I just DL Microsoft AntiSpyware Beta, and it found nothing.

    Mike
     
    Last edited: Mar 16, 2005
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey Mike,

    I have been following your episode here and at BBR. The CWS file I have matches yours MD5-wise.
     

    Attached Files:

  7. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I just ran Spybot S&D 1.3 (newest updates 2005-03-03 )... no problems.

    Do you guys/gals/whatever have this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CWShredder Service ?

    Mike
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    No registry key like that for me... and my testing/MD5 was done via the file you downloaded from cwshredder.net/bin/CWShredder.exe
     
  9. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I just ran Sysinternals RootkitRevealer 1.20 (with Scan Registry check)... no problems.
     
  10. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I just ran Symantec Corp AntiVirus 9.0.3.1000 (with defs 3/16/05 rev. 9) and got this error message (but the defs updated OK)...

    It's late... I give up... I'll just reload XP/SP2 tomorrow... time for popcorn and dark beer...

    THANKS for everyone's help.

    Mike
     

    Attached Files:

  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi flinchlock,

    I just checked my CWShredder.exe (version 2.13 downloaded on Feb 8/05) with PepiMK's FileAlyser:

    File: CWShredder.exe
    Size: 465040
    Version: 2.13.0.0
    CRC-32: FEB2A784
    MD5: D6A1EFC99C7908C1F8092EE5AC8E0B3B

    So mine is the same as yours and Bubba's. I do not have that entry in the registry that you have. I am not sure why you have CWShredder running as a service though. I will keep checking and hopefully we'll come up with some answers. Meanwhile... go have that beer.

    Regards,

    snap
     
  12. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I just remembered something: the FIRST time I ran CWShredder, there is that long list of threats that scrolls by... well, I *think* I remember seeing the last line say, "CWS.Look2Me Present". I then checked Fix... and I didn't see CWS.Look2Me as Present... hmmm.

    According to Symantec http://securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html, the registry key starts with "DDFFA75A"... my regedit can't find that.

    See, I've NEVER EVER had any virus/crapware/trojans/..., so I'm not really familiar with the "Fix" button... hmmmm.... (I've been surfing since some college in Illinois was programming a GUI thing for the Internet... looked like Gopher!)

    Wouldn't you know it, I was 99.99999% done with my rebuild, when I decided to add IE-SPYAD, HiJackThis, and CWShredder! I was within about 5 minutes of doing my GHOST image!!

    Later,
    Mike
     
  13. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    At least they are quick to respond

    I sent the following to InterMute support...
    And this is their "answer"...
    I guess I was expecting some sort of technical detail about why it might be set up as a service, and if there is a bug in the program, a new version posted. :( Oh well, I'll just finish my rebuild and make a Ghost image this weekend. :'(

    Thanks for everyone's help, and even though I/family do "Practice Safe Hex!", I'm sure I'll need help again sometime in the future! :eek: !

    Mike
     
  14. Risk3

    Risk3 Guest

    I have encountered the same problem with CWShredder version 2.13 and now with 2.14. CWShredder 2.14 also produces false positives for Vx2.look2me and after every time I run it I need to reinstall Symantec AV as it corrupts the definition files.

    Do you know which registry keys I need to delete to get rid of CWShredder Service?
     
  15. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    A most unusual case I've read about so far, CWShredder runs as a service!? :eek:o_O

    Some things I've thought of:
    1) You don't have Spysubtract at all.
    2) There is a bug in CWShredder.
    3) A hidden/stealth variant of CWS is pretending to run as a service with the name CWShredder.
    4) Mysterious Dr. Watson crashes happening...
     
  16. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Well, I think there is still a false positive bug in CWShredder.exe (2.13 & 2.14).

    After I did a total/format rebuild of my system (XP/SP2 slip-stream), CWShredder "Scan Only", again, said it found VX2.Look2Me!

    When I re-ran CWShredder, it didn't find VX2.Look2Me! I also have "Move CWS files found to the Recycle Bin instead of deleting them" set, but there were no deleted files listed in the Recycle Bin.

    During the first stages of my rebuild, I ONLY connected the network cable during the Windows Update and loading new Symantec Corp Anti-Virus 9.0.3 updates.

    After those updates, again, I only connected when absolutely necessary.

    Last nite I installed the demo/trial of CounterSpy, and it found ZERO things on my system.

    Autoruns from SysInternals shows no odd/weird stuff (image attached).

    I DO NOT ever surf to "bad" sites.

    Here is my HijackThis log...


    Mike
     

    Attached Files:

    Last edited by a moderator: Mar 31, 2005
  17. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    See the 7th post in this thread.
     
  18. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Aahhh, what do I win? ;)

    Yes, I do not have Spysubtract.

    Probably.

    Not likely.

    Nope.

    I *think* CWShredder installs itself as a service IF it does find a problem, and you click "Fix"o_O?

    Mike
     
  19. Mephisto

    Mephisto Guest

    To Delete A Service
    Start | Run and type cmd in the Open: line. Click OK.
    Type: sc delete <service name>
    Reboot the system


    If you prefer to work in the registry rather than through the command prompt to delete services;

    Click Start | Run and type regedit in the Open: line. Click OK.

    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    Scroll down the left pane, locate the service name, right click it and select Delete.

    Reboot the system
     
  20. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
    I think Ad-Aware SE Personal has a VX2 add-on tool that you can run from the program; you have to obtain it from their website... have you tried to run that? It might work. Really it sounds like some other program is causing this.
    You should see what HijackThis finds and submit it to a help forum.
     
  21. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
  22. Risk 3

    Risk 3 Guest

    Technical Support at InterMute confirmed that CWShredder installs itself as a service to "fix" a problem. However, there is a bug in versions 2.13 & 2.14 of CWShredder (which they did not confirm) as it issues a false positive for Vx2.Look2me and then runs as a service to fix a non-existing problem even under "Scan Only" mode. To remove CWShredder Service you should disable it first (in WinXP type services.msc in the Run command window, locate the service, right click the service and select Properties and change the startup type to Disabled in the window that opens up), and then try to let CWShredder Service start again. You will get a failure message and the entry will disappear from the Services window as well as the related registry keys.
     
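    An inspection script for the situation described in this thread, added here as an example and not from the thread, from InterMute or from any of the posters: given a service name, it reports the service's status, registry start type and ImagePath, and compares the MD5 of the binary the service points at (and of a standalone CWShredder.exe at a path you supply) with the version 2.13 hash three members posted above. It assumes a modern PowerShell with Get-FileHash and an elevated prompt, and the service name and executable path are the only inputs; the C:\Tools path is an assumed placeholder.

```powershell
# Added example (not from the thread): inspect a suspicious service entry before removing it.
# Assumes PowerShell 4+ for Get-FileHash; run from an elevated prompt to read service keys.
param(
    [string]$ServiceName = 'CWShredder Service',    # name reported in the thread
    [string]$ExePath     = 'C:\Tools\CWShredder.exe' # assumed location of the standalone binary
)

# MD5 of CWShredder.exe 2.13 as posted by three members of the thread.
$KnownMd5 = 'D6A1EFC99C7908C1F8092EE5AC8E0B3B'

function Get-ServiceReport {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Name = $Name; Present = $false }
    }
    $props  = Get-ItemProperty -Path $key
    $svc    = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $status = if ($svc) { [string]$svc.Status } else { 'not loaded' }
    # Start values in the registry: 2 = automatic, 3 = manual, 4 = disabled
    $image  = [string]$props.ImagePath
    # Strip surrounding quotes and any arguments so the hash is taken on the executable alone.
    $exe = ($image -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $hash = if (Test-Path $exe) { (Get-FileHash -Path $exe -Algorithm MD5).Hash } else { $null }
    [pscustomobject]@{
        Name            = $Name
        Present         = $true
        Status          = $status
        StartType       = $props.Start
        ImagePath       = $image
        Exe             = $exe
        Md5             = $hash
        MatchesKnown213 = ($hash -eq $KnownMd5)
    }
}

Get-ServiceReport -Name $ServiceName | Format-List

if (Test-Path $ExePath) {
    $h = (Get-FileHash -Path $ExePath -Algorithm MD5).Hash
    "Standalone $ExePath MD5 $h (matches posted 2.13 hash: $($h -eq $KnownMd5))"
}
```

    A service whose ImagePath points at a binary with the posted hash is the genuine CWShredder rather than a look-alike, which is the distinction nadirah's third point raises; an absent key means there is nothing to disable or delete.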
  23. scott lang

    scott lang Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    211
    Location:
    claremore,ok
    actually i was told by another person on another forum that since i was doing hjt log training that i needed the version before it sold out and it would allow me to run cwshredder in debug mode. either way, debug or normal it has never found anything and thus never gave me a problem as of yet.
     
  24. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    CWshredder should NEVER be used or run unless you have a definite CWS hijack, and you would know if you had one as your home page would be changed and it would show in an HJT log

    I have seen too many people wreck their computers by running CWshredder when it wasn't needed

    Merijn who originally developed it always said DO NOT use it unless it is confirmed as CWS first. It is not a general cleaning tool and all through its history it has had some false positives
     
  25. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK

    There is absolutely no point in attempting to use an old version of CWshredder or any other security cleaning tool

    ALL the CWS variants get updated so quickly that a new version of the cleaning tool is needed and old out of date versions do not work

    would you use an antivirus with 1999 definitions to try to cure a worm/virus that was created for the first time in 2005?
     
Thread Status:
Not open for further replies.