 dpPremium,MVM join:2000-12-08 Greensburg, PA kudos:7 | CWShredder 1.56.3 Update »www.spywareinfo.com/~merijn/file···dder.zip |
|
 SparrowCrystal SkyPremium join:2002-12-03 Sachakhand 3 edits | I think I have finally resolved the false positive (FP) of CWShredder continuously "finding and removing" CWS.Msconfig from my OS.
When a user-specified change is made in msconfig under the Startup tab by checking or unchecking a startup item from the list (in my example, I checked "AdeptecDirectCD" to run at Startup, and chose "Exit Without Restart"), the Edit String for:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
contains the new entry of
C:\WINDOWS\PCHEALTH\HelpCtr\Binaries\MSConfig.exe /auto.
CWShredder seems to be picking this change up as CWS.Msconfig.
I will appreciate if a few other people would verify this by checking a new entry in Start > Run > msconfig > Startup > Exit Without Restarting, and then running CWShredder to see if it picks up the entry as CWS.Msconfig.
Running: XP Pro - SP2 v.2096
EDIT Please add what OS you are running.
I've bothered Merijn enough about this already, so any help here will be taking a nuisance (me) off his back.  -- Security Forum FAQs .. ♥ .. Computer Cops - Symantec Forum .. ♥ .. Starfire "5 in 4" |
|
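A way to confirm the precondition of the test described in the post above before running the scanner, added here as an example and not part of the original post or of CWShredder: it parses `reg query` output for the Run key and reports whether an MSConfig.exe entry is present, whether its path matches the one quoted in the post, and whether it carries /auto. The sample listing, the value names and the function names are constructed for illustration.

```python
import re

# Path quoted in the post; used only for comparison.
EXPECTED = r"C:\WINDOWS\PCHEALTH\HelpCtr\Binaries\MSConfig.exe"

# Constructed sample of `reg query` output for the Run key.
# Value names and the first and last entries are invented for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleBurner    REG_SZ    "C:\Program Files\Example\burner.exe"
    MSConfig    REG_SZ    C:\WINDOWS\PCHEALTH\HelpCtr\Binaries\MSConfig.exe /auto
    ExampleTray    REG_EXPAND_SZ    %SystemRoot%\system32\example.exe -tray
"""

# Value lines are indented: name, type and data separated by whitespace.
LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def split_command(data):
    """Split a Run-key command line into (executable, arguments)."""
    data = data.strip()
    if data.startswith('"'):
        exe, _, rest = data[1:].partition('"')
        return exe, rest.strip()
    m = re.match(r"(.+?\.exe)(?:\s+(.*))?$", data, re.IGNORECASE)
    return (m.group(1), (m.group(2) or "").strip()) if m else (data, "")


def msconfig_entries(reg_query_output):
    """Return one record per Run value whose executable is msconfig.exe."""
    found = []
    for line in reg_query_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # key header or blank line
        exe, args = split_command(m.group("data"))
        if exe.replace("/", "\\").rsplit("\\", 1)[-1].lower() != "msconfig.exe":
            continue
        found.append({
            "name": m.group("name"),
            "path_matches_post": exe.lower() == EXPECTED.lower(),
            "auto_switch": "/auto" in args.lower().split(),
        })
    return found


if __name__ == "__main__":
    for entry in msconfig_entries(SAMPLE):
        print(entry)
```

On a live system, pass it the text printed by `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` instead of the sample.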
 | Right on the money Crystal! Yep, same result. |
|
 BubbaGIT-R-DONEPremium,MVM join:2002-08-19 St. Andrews
1 edit | reply to dp CS....I followed your verification steps.... Start > Run > msconfig > Startup > ....made a change and then Exit Without Restarting....I then ran CWS v. 1.56.3 and nothing was found.
OS= Win 98 SE all MS Critical updates installed.
edit: SP -- *Team Z* Member |
|
 | XP Home here. |
|
 | reply to Sparrow said by Sparrow: I will appreciate if a few other people would verify this by checking a new entry in Start > Run > msconfig > Startup > Exit Without Restarting, and then running CWShredder to see if it picks up the entry as CWS.Msconfig
i wanted to do the above to give you another look (xphome), but msconfig shows only the startup entries and there are none unchecked that i can check. i must be missing something.... -- look out kid they keep it all hid |
|
 SparrowCrystal SkyPremium join:2002-12-03 Sachakhand | You can also "uncheck" one of the items and "Exit without restart," which will still change the Edit String in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Checking or unchecking an item doesn't matter, and should produce the same result. I get the same results from either scenario.
After running a "test scan" with CWShredder, you can "check" the item again in msconfig if you want it running at startup. -- Security Forum FAQs .. ♥ .. Computer Cops - Symantec Forum .. ♥ .. Starfire "5 in 4" |
|
 dpPremium,MVM join:2000-12-08 Greensburg, PA kudos:7 | reply to Sparrow
I wasn't able to duplicate this either. So far it appears to be affecting only XP. I unchecked an app from starting from the 'Run' key and exited w/o reboot. Ran CWS and nothing was found. Running WinME. -- Write your questions down on the back of a $20 dollar bill and send them to me |
|
 | reply to Sparrow said by Sparrow: I will appreciate if a few other people would verify this by checking a new entry in Start > Run > msconfig > Startup > Exit Without Restarting, and then running CWShredder to see if it picks up the entry as CWS.Msconfig
confirmed in winxp SP1 -- look out kid they keep it all hid |
|
 dadkinsCan you do Blu?Premium,MVM join:2003-09-26 Hercules, CA kudos:18 | reply to Sparrow
Nope, nothing found... |
|
 dpPremium,MVM join:2000-12-08 Greensburg, PA kudos:7 | hmm, so much for the XP theory  |
|
 SparrowCrystal SkyPremium join:2002-12-03 Sachakhand | I thought the same thing, dp . Let's wait for a few more checks.
Apparently the only thing it is doing is removing the entry from the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; but if a user makes a change to the msconfig startup list, and runs CWShredder after the change, it will not take effect.
It's just one of those little bugs that really bugs me!  -- Security Forum FAQs .. ♥ .. Computer Cops - Symantec Forum .. ♥ .. Starfire "5 in 4" |
|
 dpPremium,MVM join:2000-12-08 Greensburg, PA kudos:7 | reply to dp Anyone else interested in trying to duplicate what Crystal Sky has posted at »CWShredder 1.56.3 Update? The more input the better  -- Write your questions down on the back of a $20 dollar bill and send them to me |
|
 | reply to dp said by dp: hmm, so much for the XP theory
why do you say that? so far 3 people with winxp have confirmed and 1 has not been able to confirm. doesn't that indicate a stronger likelihood that Sparrow is on the right trail? maybe if dadkins tried again, his results might change. i found it to be the case and so did chachazz .
you're right, though... the more the merrier -- look out kid they keep it all hid |
|
 dpPremium,MVM join:2000-12-08 Greensburg, PA kudos:7 | said by boblandy2: doesn't that indicate a stronger likelihood that Sparrow is on the right trail
Oh, I definitely think Sparrow is on to something. That's why we need some more input to provide to Merijn so he can fix it  -- Write your questions down on the back of a $20 dollar bill and send them to me |
|
 | then i misunderstood. i thought you were saying that her xp theory was not valid -- look out kid they keep it all hid |
|
 SparrowCrystal SkyPremium join:2002-12-03 Sachakhand | reply to dp
Just for the record, FP still occurring in 1.57.0. |
|
 dadkinsCan you do Blu?Premium,MVM join:2003-09-26 Hercules, CA kudos:18 2 edits | reply to dp
Don't let me hold you up, but I tried with this newer version and well, still nothing. I even killed a couple of them and exited...
EDIT: If it's doing this on your systems, please do contact Merijn and let him fix it. I don't want it to start doing that (or worse) on mine. |
|
 SparrowCrystal SkyPremium join:2002-12-03 Sachakhand | I sent Merijn a link to this thread the day I started it, so he can keep tabs here.  |
|
 | reply to dp Did y'all know that Merijn has his hands full with real threats to contend with? Like the new variant we don't have a fix for yet?
Plus, he does have a life
quote: About me I am a student from the Netherlands that codes in his free time, and especially CWShredder and HijackThis have become quite popular around here. You can download those here, as well as some other apps I wrote.
If you just need help with some piece of (suspected) spyware/foistware, or want someone to take a look at your HijackThis logfile, you are very welcome on the SpywareInfo forums.
If you would like to take a look at my old Geocities page, which has more text, some rants, howtos and more interesting stuff to read, visit »www.geocities.com/merijn_bellekom/new/. Note that my handle there is Klont. It's still the same guy reading your emails though.
quote: April 25, 2004: Tomorrow I'm moving. Last time we moved, our ISP took 3 weeks to setup Internet access, so I'm just posting it here in case I drop off the net for another month.
Suffice it to say I can't reply to emails during the move.
»www.spywareinfo.com/~merijn/index.html
He does a really terrific job at removing the real threats from people's PCs. He does this on his own time and charges you all NOTHING!
Debate here all you want, but please do not burden him with your splitting-hairs emails. That I see as a waste of time when he could be developing cures for the real nasties out there. I don't see a wide-spread mass amount of people complaining except one false positive - ONE (who is not infected BTW). Do you really want to hold up progress for the thousands who are infected for ONE?
If you are having a problem with CWShredder and you are NOT infected - please just delete the program and stop bothering him. That would leave him time to develop cures for those who are infected.
So does this FP create any kind of problem on your PC?
If you think you can write a better program and offer it for free and continue to develop it with the latest threats, then please - go for it and let us know!
Thanks  -- It takes a disaster to make a woman out of a female Gladiator Security Forum Proud Member of ASAP (Alliance of Security Analysis Professionals) »www.a-sap.org/ |
|