I Ran CW Shredder This Morning

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Maggie, May 18, 2004.

  1. Maggie

    Maggie Corporal

    Hi Everyone:

    This morning when I turned on my computer monitor
    I saw a strange sight. My desktop background picture
    was magnified to about 10 times its normal size. It
    was distorted and was so large it was showing only
    about four of the icons on my desktop. I rebooted
    and the desktop returned to its normal size. I did
    notice that Avast auto protect was turned off.

    I got busy and scanned with Avast, Spybot, and
    Ad-Aware. Nothing showed up.

    A note about Avast. I had it scan in archives.
    At the end of the scan I looked at the log.
    It had about 2400 files that Avast said it could
    not scan because they are password protected.
    I looked at Avast's website. They say this
is a normal occurrence. However, could I ask,
    how did these files become password protected?
    Is that a function of Windows XP?

    Finally I ran CW Shredder. The results are below.
    Do I need to go back into CW Shredder and
    have it fix all those things?

    Thanks!

    Maggie

    Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (734 bytes, -)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
    CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
    CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (1107 bytes, A)
    Found System.ini file: C:\WINDOWS\system.ini (227 bytes, A)

    - END OF REPORT -
     
  2. Kodo

    Kodo SNATCHSQUATCH

    these are bad and need to go bye bye.
     
  3. luma13

    luma13 Private E-2

I am surprised that Spybot did not get rid of those already. Another good program for this stuff is Pest Patrol.
     
  4. Maggie

    Maggie Corporal

    HI Kodo, Hi Luma,

    Thanks for your messages.

    Kodo: Do I need to edit my registry to
    get rid of those entries that begin
    with CWS.Oslogo and CWS.Googlems. ?
    Here is what I did. I scanned once again
    with CW Shredder and used "Fix" command.
    Results of that scan said the program did not
    find anything wrong. What I'm wondering
    is that maybe I just don't understand the
    concept of this program. :confused:
    Anyway, any comments about CW Shredder, I'd
    really appreciate.

    Luma, I was also surprised that Spybot didn't show
    any results. I checked for updates before scanning
    and the program told me that I had the latest updates
already installed. Did the same thing with Ad-Aware and Avast.
    I'll take a look at Pest Patrol.

    Thanks!!!

    Maggie
     
  5. Maggie

    Maggie Corporal

    I'm sorry to report that I was not able
    to run Pest Patrol using my Opera Browser.
    I was also not able to run Pest Patrol
    using Mozilla/Firefox.

    Maggie
     
  6. alanc

    alanc MajorGeek

I'm afraid I must disagree with Kodo on this one. Those lines are very easy to misinterpret. I get the same results on my machine, which I know is clean.

I'm no expert on this, but I believe what CWShredder is doing is checking some registry key values against known bad values that the CWS hijackers set. Where it says "(if value is 2)" means if the dword value is 2 there's an infection, but "dword:4" means the dword value is actually 4, so no infection exists. It's generally safe to click "Fix" and let it fix whatever it finds - if it finds nothing then that's good, no registry editing is needed. If Ad-Aware, Spybot, CWShredder and Avast all turn up nothing that's a good thing. :)

    As far as the password protected archives that Avast finds, I think that's a limitation of Avast. But 2400 files seems like quite a lot to me. I think I'd post a question at their forum about that.

    That "desktop magnified X10" thing was probably some weird video driver anomaly. If it doesn't happen again I wouldn't worry about it.

    You could probably fire up IE and successfully scan at Pest Patrol.
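To make alanc's reading of the report concrete, here is a small added Python script (not code from the thread or from CWShredder) that applies the "(if value is N)" and "(should be X)" comparisons to each report line and gives a plain INFECTED / CLEAN / INFO verdict. The sample report reuses the lines Maggie posted plus one constructed line with a placeholder domain so that a real match is also shown.

```python
import re

# Constructed sample in the CWShredder "scan only" report format. The last
# CWS.* line is made up (placeholder domain) to show what an actual hit looks like.
SAMPLE_REPORT = r"""
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (734 bytes, -)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Example (if value is 2) Registry value: Domains: *.placeholder.invalid [*] dword:2
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
- END OF REPORT -
"""

# "(if value is N)" lines compare a registry DWORD against a known-bad value N.
CONDITIONAL_RE = re.compile(
    r"^(?P<check>\S+) \(if value is (?P<bad>\d+)\) Registry value: "
    r"(?P<key>.+?) dword:(?P<actual>\d+)$"
)
# "(should be X)" lines compare a string value against the expected value X.
EXPECTED_RE = re.compile(
    r"^Registry value: (?P<check>.+?) \(should be (?P<expected>\S+)\) "
    r"\[(?P<sub>[^\]]*)\] (?P<actual>\S+)$"
)


def classify_line(line: str) -> str:
    """Return 'INFECTED', 'CLEAN' or 'INFO' for a single report line."""
    m = CONDITIONAL_RE.match(line)
    if m:  # infection only when the actual dword equals the known-bad value
        return "INFECTED" if m.group("actual") == m.group("bad") else "CLEAN"
    m = EXPECTED_RE.match(line)
    if m:  # infection only when the actual string differs from the expected one
        return "INFECTED" if m.group("actual") != m.group("expected") else "CLEAN"
    return "INFO"  # file locations and similar lines carry no verdict


def plain_english_report(report: str) -> dict:
    """Map each report line to its verdict, skipping blanks and the trailer."""
    verdicts = {}
    for line in report.splitlines():
        line = line.strip()
        if line and not line.startswith("- END"):
            verdicts[line] = classify_line(line)
    return verdicts


def count_findings(report: str) -> int:
    """Number of lines that actually indicate an infection."""
    return sum(v == "INFECTED" for v in plain_english_report(report).values())


if __name__ == "__main__":
    for line, verdict in plain_english_report(SAMPLE_REPORT).items():
        print(f"{verdict:8} {line}")
```

Running it on the lines from the first post reports every CWS.* line as CLEAN, which matches alanc's explanation; only the constructed dword:2 line is flagged.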
     
  7. Kodo

    Kodo SNATCHSQUATCH

    well that's horribly displayed then and yes, easy to misinterpret. I'll just add that to my list of programs not to recommend to new users.

Pardon my rant, but this stuff needs to be Dead Balls informative. Tell me "YES! get rid of it" in plain friggin' English instead of this cryptic if-then crap. I see what you're saying now alanc and I didn't take notice of that comparison before.. I must give that a thumbs down.
     
  8. alanc

    alanc MajorGeek

    I agree totally. That 'Scan only' option shouldn't even be there if it can't give an understandable report.
     
  9. Maggie

    Maggie Corporal

    Update:

    I have posted a question on the AVAST forum
    regarding the large number of files in archive
    and the fact that they are password protected.
    One person there is interested in having the
    log file emailed to him. I've posted back
    saying the log file is rather large but that
    I am willing to email it if he is still interested
    in viewing it. Other than that I don't know anything
    yet. If I find out more information will be sure
    to pass it along to you all.

    Maggie
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Alan and Kodo,

I couldn't agree more. I hate it when you see things written like this. It is so simple to write an application to give simple direct instructions. Why do they insist upon making it impossible for most people to understand what to do by writing the output in some kind of pseudo code?
     
