
Thread: CWShredder 1.2 Update


  1. #1
    siljaline Guest

    CWShredder 1.2 Update

    ><snip>
    Another update:
    * CWShredder 1.2 *
    * Updated for possible new 'info32.exe' variant
    * Updated for new SlawSearch variant (CTFMON32.EXE)
    * Updated to remove some more policy restrictions removing tabs in IE options
    * Now has instructions on patching the hole in MS Java VM!
    * 437 affiliate domains on the blacklist (we're still going strong)

    There is a new variant just surfacing that uses info32.exe, but I haven't received a
    complete sample of this. CWShredder may not completely remove this variant, and I'd
    appreciate it if anyone infected with it contacted me.
    ></snip>


    http://www.spywareinfo.com/~merijn/files/cwshredder.zip

    http://www.spywareinfo.com/~merijn/



    --
    siljaline

    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neil Stephenson, _Cryptonomicon_

  2. #2
    Jim Byrd Guest

    Re: CWShredder 1.2 Update

    Hi Siljaline - An FYI - CWSShredder also detects and removes re-direction of
    lavasoft and spywareinfo, etc. from HOSTS files. That's fine as long as the
    HOSTS file is only being used for blocking, but it also deletes them if you
    use it (or also use it) for URL translation of your Favorites, for example.
    In this case, you'll need to restore them after running CWSShredder.

    --
    Please respond in the same thread.
    Regards, Jim Byrd, MS-MVP



    In news:lrbbnv4r15p47l0po10522q72n04cq5k53@4ax.com,
    siljaline <siljaline@invalid.com> typed:
    >> <snip>

    > Another update:
    > * CWShredder 1.2 *
    > * Updated for possible new 'info32.exe' variant
    > * Updated for new SlawSearch variant (CTFMON32.EXE)
    > * Updated to remove some more policy restrictions removing tabs in IE
    > options
    > * Now has instructions on patching the hole in MS Java VM!
    > * 437 affiliate domains on the blacklist (we're still going strong)
    >
    > There is a new variant just surfacing that uses info32.exe, but I
    > haven't received a
    > complete sample of this. CWShredder may not completely remove this
    > variant, and I'd
    > appreciate it if anyone infected with it contacted me.
    >> </snip>

    >
    > http://www.spywareinfo.com/~merijn/files/cwshredder.zip
    >
    > http://www.spywareinfo.com/~merijn/




  3. #3
    siljaline Guest

    Re: CWShredder 1.2 Update

    On Sat, 27 Sep 2003 18:08:05 GMT, "Jim Byrd" <jrbyrd@spamlesscomcast.net> wrote:

    >Hi Siljaline - An FYI - CWSShredder also detects and removes re-direction of
    >lavasoft and spywareinfo, etc. from HOSTS files. That's fine as long as the
    >HOSTS file is only being used for blocking, but it also deletes them if you
    >use it (or also use it) for URL translation of your Favorites, for example.
    >In this case, you'll need to restore them after running CWSShredder.


    Hi Jim,
    How are you?

    I'm not quite following you, Shredder protects HOSTS? Don't quite see the correlation with
    Lavasoft and Spywareinfo... :}}


    --
    siljaline

    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neil Stephenson, _Cryptonomicon_

  4. #4
    Jim Byrd Guest

    Re: CWShredder 1.2 Update

    Hi R. - Well, I don't know that I would say that it protects HOSTS. What it
    apparently does do is to check and see if re-directs for certain "good guys"
    like AdAware and spywareinfo.com have been added to the HOSTS file by one of
    the bad guys to prevent you from getting there, and removes them if these
    URL's are found. (These two are just examples from my case in which they
    happened to be in my Favorites and had been added to my HOSTS file - see
    below). That's OK if the HOSTS is only being used for Ad/Malware blocking.
    In that case, such a re-direct would represent a "bad" thing. However, when
    HOSTS is being used for its original purpose of speeding up DNS by doing
    local translation of URL's to IP addys (or for this in addition to
    blocking), then those "good guy" URLs can be in HOSTS quite legitimately (as
    for example if you've used CIP or somesuch to put your Favorites in HOSTS
    for this purpose), and when Shredder removes them, they'll need to be
    replaced. This isn't theory, BTW - I tested it to be sure that this was
    what was occurring. I don't have a list of which ones it checks for,
    but Shredder tells you at the end which ones it removed, so just make note
    of them (if this case applies to you) and edit them back in in Notepad. Be
    sure to save HOSTS back with the name HOSTS (all caps, no extension).

    --
    Please respond in the same thread.
    Regards, Jim Byrd, MS-MVP



    In news:uhlbnvg59ljs449mvc66123ns7ei1cr4eg@4ax.com,
    siljaline <siljaline@invalid.com> typed:
    > On Sat, 27 Sep 2003 18:08:05 GMT, "Jim Byrd"
    > <jrbyrd@spamlesscomcast.net> wrote:
    >
    >> Hi Siljaline - An FYI - CWSShredder also detects and removes
    >> re-direction of
    >> lavasoft and spywareinfo, etc. from HOSTS files. That's fine as
    >> long as the
    >> HOSTS file is only being used for blocking, but it also deletes them
    >> if you
    >> use it (or also use it) for URL translation of your Favorites, for
    >> example.
    >> In this case, you'll need to restore them after running CWSShredder.

    >
    > Hi Jim,
    > How are you?
    >
    > I'm not quite following you, Shredder protects HOSTS? Don't quite see
    > the correlation with
    > Lavasoft and Spywareinfo... :}}
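
Added example, not part of the original posts and not CWShredder's own code: a small Python check for the situation described in post #4, comparing a HOSTS copy saved before a cleanup run with the file afterwards and listing the mappings that disappeared. The file contents, host names and addresses are constructed, and `parse_hosts` and `removed_entries` are hypothetical helper names.

```python
import ipaddress

# Constructed sample: HOSTS content saved before and after running a cleanup tool.
BEFORE = """\
# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.tracker.example      # ordinary blocking entry
127.0.0.1       www.spywareinfo.com      # blocks access to a security site
192.0.2.10      forum.favorite.example   # local name translation for a Favorite
198.51.100.7    www.lavasoft.example lavasoft.example
"""

AFTER = """\
# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.tracker.example      # ordinary blocking entry
192.0.2.10      forum.favorite.example   # local name translation for a Favorite
"""

def parse_hosts(text):
    """Return {hostname: address} for every mapping, skipping comments and blanks."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address, so not a mapping
        for name in fields[1:]:
            entries[name.lower()] = address
    return entries

def removed_entries(before_text, after_text):
    """List (hostname, address, kind) for mappings present before but gone after."""
    before, after = parse_hosts(before_text), parse_hosts(after_text)
    report = []
    for name, address in sorted(before.items()):
        if after.get(name) == address:
            continue
        ip = ipaddress.ip_address(address)
        # Loopback/unspecified targets only block a name; anything else resolves it.
        kind = "sinkhole" if ip.is_loopback or ip.is_unspecified else "translation"
        report.append((name, address, kind))
    return report

if __name__ == "__main__":
    for name, address, kind in removed_entries(BEFORE, AFTER):
        print(f"{address}\t{name}\t({kind})")
```

A "translation" result only means the entry pointed at a non-loopback address; confirm that address is the one you put there before editing the line back into HOSTS.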




  5. #5
    siljaline Guest

    Re: CWShredder 1.2 Update

    On Sat, 27 Sep 2003 2334 GMT, "Jim Byrd" <jrbyrd@spamlesscomcast.net> wrote:

    >Hi R. - Well, I don't know that I would say that it protects HOSTS. What it
    >apparently does do is to check and see if re-directs for certain "good guys"
    >like AdAware and spywareinfo.com have been added to the HOSTS file by one of
    >the bad guys to prevent you from getting there, and removes them if these
    >URL's are found. (These two are just examples from my case in which they
    >happened to be in my Favorites and had been added to my HOSTS file - see
    >below). That's OK if the HOSTS is only being used for Ad/Malware blocking.
    >In that case, such a re-direct would represent a "bad" thing. However, when
    >HOSTS is being used for its original purpose of speeding up DNS by doing
    >local translation of URL's to IP addys (or for this in addition to
    >blocking), then those "good guy" URLs can be in HOSTS quite legitimately (as
    >for example if you've used CIP or somesuch to put your Favorites in HOSTS
    >for this purpose), and when Shredder removes them, they'll need to be
    >replaced. This isn't theory, BTW - I tested it to be sure that this was
    >what was occurring. I don't have a list of which ones it checks for,
    >but Shredder tells you at the end which ones it removed, so just make note
    >of them (if this case applies to you) and edit them back in in Notepad. Be
    >sure to save HOSTS back with the name HOSTS (all caps, no extension).


    Hi Jim,
    Mike Burgess has a batch file in Beta that will lock HOSTS to a read-only attribute.
    I'm running in debug mode prior to upload to his site, seems to work fine.

    Thanks for your comments, frankly, I leave the semantics of the design and function
    of the shredder to the developer side of things.




    --
    siljaline

    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neil Stephenson, _Cryptonomicon_

  6. #6
    |3iff //ullins Guest

    Re: CWShredder 1.2 Update

    Look at how well "Jim Byrd" <jrbyrd@spamlesscomcast.net> goh, a
    hundred trucks going in a row, some with cows and some with
    ducks, on Sat, 27 Sep 2003 18:08:05 GMT:

    >CWSShredder also detects and removes re-direction of
    >lavasoft and spywareinfo, etc. from HOSTS files. That's fine as long as the
    >HOSTS file is only being used for blocking, but it also deletes them if you
    >use it (or also use it) for URL translation of your Favorites, for example.
    >

    eh?... please elaborate.

