-
CWShredder question.
I ran Ad-Aware, SpyBot&Destroy: my PC came out clean.
I ran CWShredder, out of curiosity: it found "alcfdrtm.exe". Is this file malware?
I ran HiJackThis: the file alcfdrtm.exe is not listed on the HJT list.
I ran "Windows Search": it did not find the file either.
Here is the screenshot of the CWShredder message: I hope it is readable.
-
I ran a search and found a log with this:
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
You may want to look in the Windows folder directly to see if you can find it.
CWShredder pulled the file up because it was a randomly named file. I have not seen it before, but that does not mean it is malware.
Looks like it has something to do with a monitor.
If you manage to locate it, go here and have it scanned.
-
Thank you! Crunchie.
Did you choose "yes" to remove it?
To be on the safe side I chose the "no" option.
-
nganvu--Seems to be a Realtek Audio file
http://www.reger24.de/prozesse/ALCFDRTM.EXE.php
BTW, as a general rule it is not a good idea to run CWShredder unless you know you have a problem it can solve, specifically CoolWebSearch spyware.
And there is now a new version of CWShredder. I have not used it. It seems to be endorsed by Merijn, the writer of the original CWShredder, but just how much more it does than his last version I do not know.
http://www.intermute.com/spysubtract..._download.html
You do not have to also download SpySubtract to use it.
-
Hi, WelshJim,
Now that you mention it, I do have the RealTek Audio. You seem to be right on the money.
No, I will not delete anything :). Does CWShredder have an "ignored product" feature like SB&D has? Just a thought.
I've heard that CWShredder was bought by someone.
-
nganvu--I have never run CWShredder, since thank heavens, I have never been infected with CoolWeb spyware. So I do not know if CWShredder allows you to selectively have it delete or ignore specific spyware. I suspect not. I have heard it is pretty "crude" when it comes to deleting CoolWebSearch spyware--at least the CoolWebSearch spyware in its database. Remember CWShredder is not a diagnostic tool. It is a file removal tool.
Yes, it has been taken over (sold?) to Intermute.
-
Thanks, WelshJim, for your FYI. :)
-
There has been a little concern over the new version of CWShredder, and advice given on some security forums just now is to continue to use the old version of CWShredder until a few false positives are sorted out. There are several threads on various forums about this, one of which can be read at DSL Reports.
Just thought it is best to add this in case any problems arise.
-
Badger--I was about to write a defense of CWShredder2, but I have come across two articles which also lead me to the conclusion that it may be best not to use it. The issue is really not whether the "new" version detects false positives but rather that it causes alterations to the HOSTS file.
http://www.dozleng.com/updates/index.php?showtopic=2299
http://forum.aumha.org/viewtopic.php?p=53871#53871
P.S. The "new" CWShredder apparently also detects only one more CWS variant than did the old version, so perhaps not much of a loss not to use it. Sadly, the old CWShredder is probably pretty out of date by now anyway, so it is questionable how valuable its use is. But at least it does not seem to introduce problems.
P.P.S. The problem of losing connection to the internet is not uncommon when removing certain spyware. The removal can also corrupt the Winsock. Fortunately that can usually be repaired:
http://www.cexx.org/lspfix.htm
-
Thank you for these further links as it confirms to me the 'snippets' I have been reading about this new version.
I had read about someone losing their Internet connection and yet again this has been confirmed. Even though a backup of the HOSTS file could be reinstated and the Winsock repaired, I would prefer to advise use of the original. If used by someone who did not think to back up any HOSTS file etc., then it would be very problematic. These tools are powerful even when used under supervision. Thankfully we have these reports to help us make our decision about the new version.
I appreciate the confirmation through these links, thanks.
-
Badger--The Winsock problem is common to many spyware removal programs (including AdAware, SpybotS&D and the old CWShredder). Some spyware just does it as a "parting gift" when removed.
However, the messing with the HOSTS file is something new.
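-
Added example, not part of any post in this thread: the posts above raise the concern that a removal tool may alter the HOSTS file and mention keeping a backup. The sketch below compares a saved copy against the file afterwards and reports which hostname mappings were added, removed or changed; the sample file contents and all hostnames and addresses in it are constructed.

```python
# Added example: diff a HOSTS snapshot taken before a removal tool runs
# against the file afterwards. All sample contents are constructed.

BEFORE = """\
# constructed sample: snapshot saved before the scan
127.0.0.1    localhost
127.0.0.1    ads.example.test tracker.example.test   # user block list
192.0.2.10   intranet.example.test
"""

AFTER = """\
# constructed sample: file as found after the scan
127.0.0.1     localhost
198.51.100.7  Intranet.Example.test
203.0.113.5   search.example.test
"""

def parse_hosts(text):
    """Return {hostname: ip} for every active (non-comment) entry."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comment, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed
        ip, names = fields[0], fields[1:]
        for name in names:                      # one line can map several names
            # Hostnames are case-insensitive; keep the first mapping seen
            # (assumption: the resolver honours the first match).
            entries.setdefault(name.lower(), ip)
    return entries

def diff_hosts(before_text, after_text):
    """Classify every hostname whose mapping differs between two snapshots."""
    before, after = parse_hosts(before_text), parse_hosts(after_text)
    return {
        "added": {h: after[h] for h in after.keys() - before.keys()},
        "removed": {h: before[h] for h in before.keys() - after.keys()},
        "changed": {h: (before[h], after[h])
                    for h in before.keys() & after.keys() if before[h] != after[h]},
    }

if __name__ == "__main__":
    for kind, items in diff_hosts(BEFORE, AFTER).items():
        for host, value in sorted(items.items()):
            print(f"{kind:8} {host:28} {value}")
```

To use it on a real machine, read the saved backup and the current HOSTS file into the two strings instead of the constructed samples.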