Failing Grades For Most Anti-Spyware Tools

serbach writes "Steve Gibson posted this link to a superb test of about two dozen top Anti-Spyware programs: Eric L. Howes conducted the test over a two-week period in October. The results surprised me: only 3 ASW programs had a 'batting average' of better than .500 when it came to eradicating the broad range of spyware in the test. Freeware star Spybot Search & Destroy came in a distant 7th with an average of only .376. The top three? Giant Anti-Spyware, Spy Sweeper, and Ad-Aware. These test results are well worth your time."

Ars Report

[cow_licker (172474)]

Ars-technica also just did a review. Check it out.

http://arstechnica.com/reviews/apps/spyware-remo va l.ars

It's interesting

[by Anonymous Coward]

The attitude to directed advertising programs or "spyware" on Slashdot. Especially when you step outside the parochial echochamber that is Slashdot discourse and speak to people who actually use these programs. On the whole, they are actually happy to get these novelties for "free", like the funny little desktop buddy, or the search bar, weather report or stopwatch.

I used to work for one of the companies that distributed a "spyware" program through download.com, and we had continual PR problems with being lumped in with the worst offenders of the spyware world. We didn't do drive by installations, or hide our intentions: we just traded our customers data for use of our program. What, exactly is wrong with that? Why is Slashdot pretending all of us are as bad as each other, as if in this, as with all fields, there isn't a spectrum of behaviour?? Even some linux users are bad, just look at the DDOS at sco.com. I'm sure noone here would condone that behaviour.

(Posted anonymously, not interested in karma bonus.)

Re:It's interesting

[by Anonymous Coward]

no they are not 'happy' with all that crap. that's why the developers go to such extreme lengths to get make the damn things next to impossible to remove without dedicated removal tools (which even then, as we see in the article, often fail).

if your program had a smooth uninstall that actually did something, was called WarningNastyEvilSpyware.exe, flashed up a new warning everytime it ran that evil crappy spyware it installed, and clearly documented everything it did, then I guess it was ok (though you'd have to pay me to use it).
otherwise you were working for evil.

(and what made you think you'd get karma for admitting to writing spyware?)

Re:It's interesting

[cheezemonkhai (638797)]

Regardless, I don't see a problem with giving users the option to remove these things which trade their personal details.

• Who actually reads all the agreement to use the software?
• How many of them know their personal details are being sold?
• How many people know what is actually being collected.
• How many people got these "tools" from a random e-mail saying look this is cool?

I can hear what your saying, but I think the user is allowed the right to remove the spyware.
If the company doesn't want them to use the tool without the spyware then make it break without it and inform the user they removed the spyware which collects their details and would they like to reinstall it or remove the free "tool".

Sure some spyware is worse than others, but the user deserves the choice.

Re:It's interesting

[Erik Hensema (12898)]

• spyware almost always hides its true intentions deeply into some EULA nobody reads
• spyware usually is very hard to uninstall

Especially the last point is important. If my browser is infected with spyware, I simply want to go to controlpanel->software, select the program and uninstall it. Nearly always this is completely impossible. Lots of spyware nowadays actively combats uninstalling. And when software does that, it always is written by the Bad Guys.

Unfortunately you don't say what product your company was/is making, but I guess that was to be expected.

Re:It's interesting

[asadsalm (647013)]

Of course!

They would be really happy to install these free utilities and games. They really wouldn't care why their computer takes 30 minutes to start, and keeps crashing every so often, randomly. They wouldnt care, because they dont "know".

Its absolutely wrong to create awareness, since ignorance is bliss isn't it? For them, all they need to do when their computer becomes a constantly-rebooting over-sized paperweight is to call me and spend a day to have it "formatted".

I mean, c'mon, the funny-little-desktop-buddy is OK. All it does is reduce my computer to a 0.5 frame per second 1956 batch-processor.

Its funny how, when your bread comes from a shady source, that source becomes morally right. Like, for example, in my religion, interest based financial transactions are not allowed. The only people who say its ok are bankers!

Re:It's interesting

[Hobophile (602318)]

When you loan an amount on INTEREST, you always make a profit. The more money you have the more profit you can make. The rich get richer - faster.

This line of reasoning is absolutely misleading. With any loan there is a significant possibility of default. Profit is not guaranteed, and the interest provides economic motivation for people with surplus cash (the "rich") to loan money to people who need it.

Furthermore, this completely ignores the benefits that the borrower obtains from loaned capital. The ability to leverage money not your own is incredibly powerful, though not without significant risk. You can borrow funds to invest in a business or real estate, and done properly you have a good chance of making yourself quite a bit more wealthy. In many cases your return will far outstrip that of your lender.

When you invest that same amount in a business, you can loose that money. You cannot sit on your ass all day and hope to make money.

By any measure, buying stock in a company is investing in its future growth potential. The average shareholder can do very little to guarantee this return except sit around all day. Further complicating this worldview is the notion of "investing" in the bond market, which essentially involves purchasing shares in interest-bearing loans.

Delve deep enough, and you get to the core concepts of capital, investment, and return on investment. What you are essentially suggesting is that one kind of ROI is "bad" (interest) while others are "good" (dividends earned through hard work). While this is an intriguing premise, there is no logical method of obtaining this conclusion.

It should be noted that much of the utility of wealth lies in its ability to let you choose to work hard only for the things you want to. There is no great benefit in suggesting that hard work itself is moral; people can and do work very hard for extremely selfish or malicious purposes.

Re:It's interesting

[NoMercy (105420)]

1/4 the time your probably breaking the law when you do that, there are strict laws governeing what you can and can't do with information about european citizens. I know any 'information handler' which operates with the UK has to have a data protection statement, be registered as a data handler, and needs to keep all it's data on file for several years as any person must be able to get a copy of all the information held on themselves for no more than 10 pounds (about 30 dolars).

Sure your actions are still legal?

Re:It's interesting

[IO ERROR (128968)]

There's a big difference between an ad that someone can choose to click on or ignore, and a program you install on their computer which sends all of their data to your servers for you to do with whatever you want.

First of all, your program probably didn't disclose to the users that it was collecting personal information, or if it did, it was buried near the bottom of the license, which is to say you may as well not have disclosed it.

You may not have hid your intentions, but I'll bet you didn't show them either. How many of your users would have installed your program if you said right on the first screen "We collect your personal information and do whatever the hell we want with it"? Uh huh, that's what I thought.

There's a huge difference between a banner ad on someone's site and your typical spyware program.

Re:It's interesting

[Ilgaz (86384)]

If you state directly that program will sell your private habits, you are off to go.

I don't have problem with that myself.

I _hate_ one little, clever company named Limewire. Limesoft to be exact.

Those assholes recently tested SPYWARE on Mac OS X knowing the fact that mac users aren't so advanced on such things.

They used same tactic as they did on Top Moxie, on Win32 years ago. Coded it so system part (java.exe) will run it and if user runs an advanced firewall (not usual on mac too!) , Java will ask for permission to connect to net, NOT the spyware itself.

Advanced users figured it (thank god) and that "Adam" guy from Limesoft (boss) said "they were testing technology on macintosh, its pulled from installation now"

Do I remember that kind of answer and shameless response from somewhere? YES! It was same deal on Win32 topmoxie!

Notice something, I use "spyware" for Limewire, not whatever your product is. If you show users your intentions, you won't get much protest from them.

BTW, as mac users turned out to be "not that stupid", they removed "limeshop control panel" installation from later releases.

Limewire, on mac, while doing such "great inventions" as first spyware on OS x is currently number 1 on download.com mac edition... :)

When are you bundling your shit again Adam Fisk?

Re:It's interesting

[Ilgaz (86384)]

It was a real funny chance myself getting infected in fact.

Its in just couple of Limewire 3.7.2 beta and 3.7.3 releases for mac. When they figured mac forums getting reports, they immediately pulled it from installation.

I am one (c) freak guy using all original dvds, cds, programs etc. Its really funny I got infected with spyware because of Limewire I mean...

I left a friend alone with my Mac G5, knowing my root pwd and I really didn't think he could be THAT GOOD on macs or forgot how easy macs are used :)

Guy installed limewire to get a rare mp3 he likes and boom, I had java asking permission to connect at morning (netbarrier running here)

What drove me nuts is, I am one of the FIRST guys figured TopMoxie on Win32 and alerted press (Wired etc) about it.

They figured mac users are aware of what that thing does and pulled it.

here is a forum posting for you, on a real popular mac website.
http://forums.macnn.com/showthread.php?s=&threadid =195695 [macnn.com]

About Top Moxie? Oh man, that thing was more evil than satan... Can't imagine how much money went to wrong hands instead of non spyware legit referrers of Amazon.com etc.

http://www.symantec.de/avcenter/venc/data/adware.t opmoxie.html [symantec.de]

Looks like Symantec analysed a recent version. That thing is written by very advanced java authors itself, read: Limesoft. It was first bundled with Limewire/Windows and OS integrated firewalls like Symantec firewall AUTOMATICALLY granted ALL rights to it since it was using SIGNED Microsoft JView to run. So, Jview, signed app, you get alert from firewall which RECOMMENDS to enable access since its signed microsoft system part.

Understand the trick? Since its SAME trick used on Limeshop/OS X

Oh it did one "cool" thing on windows...:) You know there are poor coders, freelance authors etc making money to run their sites via referring books,cds from amazon etc? It rendered such URLs (childs toy to get current url from IE) and REPLACED it with some limewire referrer.

Looks like they changed that attitude since Amazon and major, LEGIT referrers threatened a lawsuit against them.

We _must_ keep an eye on that Limeshop and TopMoxie, especially Java fans and developers. This is one cool(!) and evil way to unleash Java "run anywhere" potential. As its written in java, imagine 1 year later we speak about J2ME (java micro edition) spyware which is installed to Cell Phones, PDA's and Nokia, Ericcson give option to their customers to DISABLE Java via firmware.

Or lets say, you see people bragging about Linux,BSD is free of Spyware? It can easily change with that java sneaky thing.

Re:It's interesting

[gad_zuki! (70830)]

I've found the opposite to be true and I've done tech support in a variety of atmospheres. Once "spyware" became a common word and we were able to talk about it, I have yet to hear anyone say "Yeah, I love the GAIN suite of helper apps." What I have heard is stuff like "I dont even know what that is, it just appeared one day." Sometimes I hear some pissed off outrage when they find out all those delays and crashes theyve been dealing with were caused by these semi-stealth installed programs and their privacy has been violated the whole time.

I think I met one dude who didn't care then the spyware kept multiplying. Afterall these vendors don't care about their customers, in fact they are hostile to thme, so why not abuse the system and turn that one downloaded app into more installs during an "update."

On top if it, a lot of these apps append the sig line in your mail client and professionally its makes the users who use email for work look bad. It makes them look stupid and incompetent. This kind of thing embrasses them quite a bit, and rightly so. A client is going to see a email full of multicolor characters with 4 links to GAIN and think, 'This guy is a moron.'

>Especially when you step outside the parochial echochamber

And once you step out of your "people are stupid/ignorant and dont deserve disclosure" stage you'll understand.

I am very glad both socially (people deserve disclosure and a legalese 10 page EULA isnt) and personally (Im sick of fixing computers) that spyware/adware is the kiss of death and now in the same league as spam and other scams.

Spyware

[cheezemonkhai (638797)]

Well Spybot may not do great, but it certainly does enough to clean up a persons PC so it works again without crashing every 5 minute.

My reccomendation is firefox or mozilla or even opera if you prefer it.

I do however note that if you take a clean system and then visit msn.com, then run spybot etc you will find that there are little evils that appear on your system.

It now appears that the best option is to wave goodbye to MS if you can. Pick a nice linux distro (eg Ubuntu or whatever suits you) or even MacOS X and feel that little bit safer.

Re:Spyware

[MoonFog (586818)]

A lot of the spyware you get is just cookies from servedby.com or something that registers what sites you visit etc. You're not safer from them on Linux than you are on Windows.As long as you accept cookies, they'll be there.

I just use Firefox's cookie handling. I disable cookies and choose to allow only certain sites to set cookies (such as gmail, online banking etc).

Re:Spyware

[dave420 (699308)]

What the heck are you on about? I run Windows, and I've had no problems with spyware ruining my PC or crashing it. I'm fed up with all this "ooh better stop using microsoft, otherwise your face will melt clean off" bullshit. I thought you guys were professionals? Why are you spouting this FUD about microsoft? If it was as bad as everyone here says, no-one would be able to use it at all, as their computers would be simultaneously blowing up and sending their credit card information to north korea.

There are PLENTY of things people can do in windows to protect themselves as much as they want. Suggesting moving to another operating system shows your real intentions here.

I apologise if this sounds pretty harsh, but I'm pissed off with the lack of professionalism or objectivity on this site.

Re:Spyware

[RoloDMonkey (605266)]

...I'm pissed off with the lack of professionalism or objectivity on this site.

Your new here, aren't you?

Re:Spyware

[blackest_k (761565)]

first of all who's professional? Some readers of slashdot may be professional but I am certain a lot are not. your asking a lot of a readership that has a number of posters who just post for creating havoc if you read slashdot at -1 you will soon see that comments on slashdot pump through the site like raw sewage with the occassional gem which moderators reach in and retrieve.

While you may be able to run a windows operating system without getting infested with spyware it seems to be the case that many people can't.
perhaps if people could be educated into looking for "open source" instead of "free" when looking for a tool or utility then they might improve their Pc's health.

Spyware often uses two parallel processes to maintain control of a pc, when you go to kill one process the partner process restarts it. these tricky beasts can be killed by booting in safe mode and finding the programs on the harddrive and deleting them. These are the most common ones I have to deal with once I have educated users to run spybot and adaware to remove the easy stuff.

It doesn't help that users like to run things like kazaa instead of kazaalite as an alternative and seem clueless and overly trusting of the files they download- often not even running an up to date antivirus program such as avg (free edition).

Finally while windows is a mess of worms trojans and spyware, suggesting that these same users run linux instead, is pointless they struggle hard enough with windows. linux isn't friendly to clueless users ect...

Maybe a Mac is the real answer for these people but few will migrate to another o/s or buy new hardware so the problem will remain.

perhaps it might help if it was possible to launch linux from within the windows environment. similar to the experience of running amiga os under emulation.
then users can venture into linux as and when they find applications to run under linux and don't have to reboot into windows to run something which doesnt have a linux alternative.

To be objective you can't look at windows and say it is not vunerable to these problems (no matter how well you look after your system). It is equally valid to say Linux isn't a pain free alternative yet.

hope you find this post a little more balanced.

Ad-Aware and HijackThis

[krumms (613921)]

I've always found a combination of Ad-Aware and HijackThis do an excellent job of keeping all things spyware under control. Ad-Aware for more frequent scans, and the odd hit of HijackThis when things seem screwy. Admittedly, I don't know how much spyware I actually miss but it seems to keep XP happy for most part :)

if you don't log and analyze traffic

[Sai Babu (827212)]

you never know where your internet connected peecee might be sending it's bytes.

hmmm why is that activity LED blinkin?

Is Windows fit for the internet?

[Viol8 (599362)]

This isn't a standard issue MS bashing troll but you do have to question whether given the ease at which programs (which is what spyware is) can install themselves on someone elses computer with little or no user intervention , Windows is fit to be allowed on the internet. If all windows systems were taken offline then almost all viruses and the like would disappear almost immediately along with spambots and other unpleasent creations of the black hat fraternity. I'm not pretending this is feasible but you have to wonder what the net would be like if only relatively secure OS's were allowed to use it.

Re:Is Windows fit for the internet?

[Skyfire (43587)]

As much as we like to say bad things about Windows' security here on /. (and I won't argue with the poor security of Windows), I don't really think that most spyware is a security issue. Most of the spyware that gets installed is installed hidden in amongst other downloaded programs, and the only warning that the user has might be one or two lines in the EULA, which no one bothers to read. I think that the real culprit behind spyware is the companies that play these dirty tricks, and also to some extent the users that blindly click every little button. I've learned to carefully look through the installer instructions on random programs that I download, and I very rarely have problems with spyware.

Gary Grocer, Billy Butcher...

[Dogtanian (588974)]

HOwever , these programs could do anything which is the worrying part. 99% of them may just be Gary Grocer trying to make some extra money

I think you're underplaying the seriousness of Gary Grocer's nefarious activities. After all, he's an internationally-wanted credit card fraudster who is also notorious for using zombified PCs to send spam.... that's how he makes his "extra money". (Note: There is a reward for the capture of him and his money-laundering associate, Freddy Firefighter).

"These people are scum, " says Florida's Head of Anti-Fraud Investigations, Calvin Criminal.

"Damn right, " adds his colleague, Alvin Arsonist.

Re:Is Windows fit for the internet?

[by Anonymous Coward]

I'm not pretending this is feasible but you have to wonder what the net would be like if only relatively secure OS's were allowed to use it.

Windows is a relatively secure OS if you know how to run it. Unfortunately, most people who run it are dumbasses who install all programs they find and click YES to every prompt they see. If you run it with a decent firewall (whether that be software or hardware), antivirus software, and diligence then Windows won't give you any problems.

BTW I recommend Ad-Aware and Spybot: S&D for clearing out just about any crap if the spyware does somehow "install themselves" onto a system.

My time is preciouss.

[Maljin Jolt (746064)]

These test results are well worth your time.

No they are not. I already burned all Windows CDs in the fire. You wan't believe how much time I gained by doing this!

Re:My time is preciouss.

[BinLadenMyHero (688544)]

My time is preciouss.

And you're not only reading, but also posting in slashdot.
Riiiiiiiight.... :)

And if they fail...

[Tuxedo Jack (648130)]

That's what SpywareInfo's for.

http://www.spywareinfo.com [spywareinfo.com]

It's arguable that they're the biggest antispyware site out there, and if nothing else, they can get the CoolWebSearch strains that even Ad-Aware and Spybot can't get (real-yellow-pages, linklist, et cetera).

(Disclaimer: I'm a Trusted Advisor there.)

hitman pro

[by Anonymous Coward]

This is a very good solution :

http://www.freedownloads.nl/hitman_pro.htm

It's dutch and it runs Ad-aware, Spysweeper , Spybot S&D, Stinger, Spywareblaster , ect...automaticly....

Horses for Courses

[One Childish N00b (780549)]

The anti-spyware game is a real case of horses for courses - one tool will detect some spyware and miss others, while another will find all the bits the other missed, but miss off a couple it didn't. There really is no 'definitive' spyware removal tool and it's foolish to say there is. I advise people to run both Ad-Aware and Spybot with latest updates at least once a week to ensure almost all spyware is found and removed, as I've had too many instances of one of the two missing out five or six items on every sweep that the other one found straight away.

You could probably get even better performance by running more than those two, but I'm not going to harrass my clients to start running half a dozen programs just to remove spyware and it's a pretty rare thing to come across a piece of spyware, even a humble cookie, that both of those two miss. Anyway, my point is this; You can't just run Ad-Aware or Spybot and think you're protected. Until an anti-spyware tool has a 100% record against all known spyware, I won't consider them anything near a definitive tool, or a licence to behave recklessly on the net, something which too many naive people seem to do.

The problem with anti-spyware tools is three-fold;

a) They are made by private companies and individuals who's credentials and/or decency cannot be guaranteed. They could easily take kickbacks from spyware companies in exchange for 'excluding' their programs from the scan list. Sure, it might not be happening now, but what's to stop Lavasoft suddenly to start taking kickbacks to let the less insiduous spyware through? Unless you're on the inside of a company like that, you can never be sure. I'm sure Lavasoft aren't doing anything like that, as these results prove, I'm merely using them as an example - any anti-spyware app people trust is in an immensely powerful position on the user's computer, and any money-seeking company can theoretically be bought out.

c) When they remove a spyware .dll that a program the user makes use of hooks into, the program may stop working, and who would get blamed? the anti-spyware vendor. Hey presto, Spybot looks like pure evil because they just killed off Joe User's cool new P2P app because keylog32.dll got wiped. This happened a lot when Kazaa was big - naive users getting told by techy types to run Spybot every now and then to clear spyware ended up bitching because it nuked the spyware that Kazaa checked for before starting up. They didn't seem to care about privacy when protecting it stopped them getting their MP3s and porn.

c) People do, as I mentioned above, use them as an excuse to behave recklessly on the internet - they will install random .exes, they will visit dodgy sites and they will do all manner of things because they believe they are safe. They don't understand that spyware blockers only work against known types of spyware, not all spyware in total. Naive users seem to think it's an agreement between spyware vendors and anti-spyware companies when it is, to all intents and purposes, an arms race which the anti-spyware groups will always in second place.

Anyway, what was my point again? Oh yes, that these statistics are misleading for naive users. Ad-Aware and the others are now going to start shouting from the rooftops about how they're one of the top 3 anti-spyware apps on the market, and thousands of lusers will trust themselves to it implicitly solely because of that blurb, while the reality is Ad-Aware still misses stuff, and it is more than fallible. That 'lowly' Spybot has turned up half a dozen items Ad-Aware failed to find at least three times for me, but I wouldn't run that on it's own either - Everybodyb knows it's a good idea to get a second opinion, especially when it's free.

Also, does anybody else find it funny that /. are now serving ads to the Microsoft 'Get the Facts' campaign? Is this Slashdot putting one over on Microsoft by taking the money they throw at them when they know no-one here will believe it, or have they reached a new low, actually showing not just Microsoft ads, but ones that feature blatant FUD against FOSS?

Arguments to the contrary...

[Spoing (152917)]

Oh, not from me. While the failure rate is much higher than I'd expect, that they do fail on a regular basis is not a surprise.

The reasons seem to be simple;

1. Spyware detectors find and remove known spyware.
2. Spyware creators know about the spyware scanners. If they decide that being detected is a big enough problem, they work on ways to not be detected.
3. As the new spyware revision comes out, they are discovered and the spyware detectors are updated.
4. Rinse and repeat.

Yet, the test results show that the spyware detectors aren't in the arms race against spyware that I described above. Instead, many spyware revisions aren't detected at all. Either they don't know about the spyware revisions, the spyware is not being tested for, or the spyware is being ignored on purpose.

Right now, the bar that the spyware creators have to leap is very low. Both social engineering and direct injection onto systems make spreading these things fairly easy to do for the spyware maker. Tie that in with many spyware detectors not detecting completely, and not being used consistantly, and I don't see an end to this problem soon for most people.

What to do? I'll leave that to others for now. I have my own lists. It is a security issue so the systems should be considered to be on hostile networks and hostile users. I consider 2 hours to lock down a Windows XP system to be a reasonable minimum amount of time to spend on each system -- unless automation tools are used.

Spyware tips I've picked up

[cybergibbons (554352)]

I run a small IT consultancy, and nearly every internet connected PC we work on has a significant spyware infection on it. It's not only our job to remove it, but to prevent it coming back. The things that I've noticed after fixing a lot of problems:

• People don't know they have spyware on their computers. They are crawling along, at a stage I would call barely usable, and it doesn't bother them in the slightest. Or, better still, they find those new toolbars really useful...
• A combination of Spybot S&D and Adaware will clean up most problems. Hijackthis will then allow you to remove anything else. Some people say that Hijackthis is the only tool you need - but it can only remove very apparent problems, whereas the other tools will remove nearly all associated keys, files etc.
• To prevent re-infection, you need to lock down the machine whilst it remains usable. People really do not want to change, or put any effort in. You can try putting Firefox and Thunderbird on the PC, but most people will choose IE, or complain if you hide IE, so they don't have the option.
• Change the settings for the zones in IE to be more secure.
• Add a big list of bad sites to the restricted zone in IE. This includes some sites that have content, but it's generally porn, and as our users are business users, they won't call us back to give them access to a porn site.
• Add an even bigger list of ActiveX CLSIDs to not run.
• Stop the default action on windows scripting host files, scr files etc. from "run" to "edit". A lot of problems start with some user interaction, and this has cut down on quite a few (mainly non spyware) problems.
• A lot more small registry tweaks can be done... most of the above is done automatically by scripts we have writen. One of the problems we found was adding keys once to each HKCU hive - you don't want to overwrite them at each login, or the user changes will be forgotten, but none of the Run, RunOnce etc. keys do it per user.
• Add some buttons to the IE toolbar to put sites in the trusted or restricted zones, for when people have problems.
• Install Spyware Guard - this provides some active protection against spyware.

This won't stop everything by any means, but it slows down reinfection. End users need to change habits - reading EULA, not just clicking OK, using passwords - but this isn't something you can do with a couple of hours work, so people aren't willing to do it. I have no solution to that problem.

Re:Spyware tips I've picked up

[cybergibbons (554352)]

I should ad (hoho) that one major advantage of Spybot S&D is that you can schedule it to run quietly in the background... this just isn't possible with any of the other free tools. The command that does it:

spybotsd /autoupdate /autocheck /autofix /autoclose /autoimmunize /taskbarhide

There are other tools that help massively with spyware. As a consultant, it's equally important to understand the ways and means spyware gets onto the system, so that you can prevent and cure effectively, and respond to new spyware before the automated tools do it or before it appears on the many forums.

• Sysinternals Utils are free and great. Process Explorer replaces the crippled useless tasklist in XP, and is quicker and easier to use than the command line utils. Filemon, Regmon, and Diskmon allow you to monitor files, registry keys, and disk access - you can see how, when, and why spyware is getting in.
• WhoLockMe - appears on the right click menu in explorer, and shows what is causing a file to be locked. Again, this can be done at the command line, but this makes life that little bit easier.
• Knoppix - for when it all goes very very wrong.... recover files, partition tables, reset passwords, even edit the registry

Re:Spyware tips I've picked up

[FullCircle (643323)]

Since Captive NTFS was written to use the Windows DLL's to read and write NTFS partitions.

http://www.jankratochvil.net/project/captive/

Knoppix can find the needed DLL's and mount the drive as RW. It isn't 100% guaranteed safe, but when the system is already damaged it is definately worth a shot.

I've used it once to move data to a second drive for a customer and it worked flawlessly.

An ounce of prevention worth a pound of cure

[gtkuhn (823989)]

Seriously guys, none of these spyware removers are even remotely perfect and they all suck time and CPU cycles. I disavow any knowledge of this guy, Mike Lin, but his itty-bitty FREEWARE program kicks butt.http://www.mlin.net/StartupMonitor.shtml [mlin.net] It does one tiny little thing with almost zero overhead, it tells you what wants to insinuate itself into one of the several startup vectors of Windows. And gives you the option of not allowing it. Any spyware must have some part that runs at startup. This gives you a warning and a filename for googling to remove whatever you have contracted. Probably works for many worms, viruses, and trojans too.

Watch out for newer spyware's startup routines...

[Akardam (186995)]

I've recently seen a rash of new spyware that registers a .dll or ten into the TCP/IP stack, or even in some cases a device driver. Those are truly the beasts. And, of course, the normal Windows startup routines don't necessarily apply, since Windows will include the dll's at launch, and once they're hooked into a process, they'll go about their nasty business as part of what may otherwise be considered a legitemite executable. The line between spyware and a virus/worms/trojans these days is so incredibly thin, it's hard to see anymore.

If it hasn't already become obvious I'm all in favor of dropping large objects on the scumbags that make this kind of stuff. Say, a super-large special order 1000 ton ACME anvil, to start?

Becareful not to shoot yourself in the foot

[DigiShaman (671371)]

About half the time a user removes spyware from a PC that is running really sluggish, I've found that it the spyware removal utilities does NOT repair the winsock registry keys. Thus, you can't even get TCP/IP connectivity. You will know it's broken if you get an IP of 0.0.0.0 or will fail instantly to repair the LAN connection in XP and just get a 169.x.x.x address.

If you do plan on removing a heavly invested PC, be sure you know how to fix repair winsock.

If the customer is running XP with SP2, then you can run the "netsh winsock reset catalog" command (without quotes) to repair the connection and reset the winsock settings back to defaults. However, if the PC does not have SP2 installed, you will have to check out this link http://support.microsoft.com/default.aspx?scid=kb; en-us;811259 [microsoft.com]

For Win9x users, check out this link http://support.wadsnet.com/winsock/winsock98.asp [wadsnet.com]

End User License Agreements and Privacy Policies

[NoMercy (105420)]

"Moreover, users should learn to practice safe computing habits, which include avoiding web sites and programs of unknown or dubious provenance and carefully reading End User License Agreements and Privacy Policies."

Am I the only one who doubts that will come true any time soon, we all know how to click on a button as a reflex action, reading a lengthy EULA full of lawyerspeek... that's a headache.

SINGLE BEST SOLUTION

[dioscaido (541037)]

Stop running your daily desktop account as Administrator. Most, if not all, of the spyware will fail when it attempts to infect your system. It's just general good practice anyway. No one runs KDE/Gnome as root, or log into their OSX machine as root. Neither should we.

• http://www.techproblemsolver.com/limited.html [techproblemsolver.com]
• http://www.dotnetdevs.com/articles/RunningAsNonAdm in.aspx [dotnetdevs.com]
• http://blogs.msdn.com/aaron_margosis/ [msdn.com]
• http://www.pluralsight.com/keith/book/html/howto_r unasnonadmin.html [pluralsight.com]
• http://support.microsoft.com/default.aspx?scid=kb; en-us;305780 [microsoft.com]

Cycles

[(arg!)Styopa (232550)]

I'm not surprised Spybot did badly.

These things go in cycles, kind of like the Darwinism that didn't work quickly enough on the germ plasm that somehow evolved into the amoral mockeries of humankind that write spyware/malware.

Adaware was widely used for a while, then I started noticing that it wasn't working so well.
Then Spybot is/was hugely popular and extremely effective, so I've started to notice that it too is missing stuff now (or is unable to remove what it finds).

Virus...er...spyware writers are working against these programs, and it's only natural that they are evolving their code to defeat at least the most successful/widely used anti-spyware programs out there.

You wouldn't expect the flu inoculation from 5 years ago to protect you this year, would you? Spyware - and it's counteragents - are the same.

Re:none here

[by Anonymous Coward]

I gonna get firefox and ad-aware asap. I also want to get screwed! No more than 2 weeks right?

I wonder what it is like...

Re:none here

[afd8856 (700296)]

I've seen spyware targeted at firefox and java applets that would want me to install something I was not curious enough to see. Fortunately, I was always asked if I want to install (security mechanism in Java and Firefox). I think grandpa' will click ok on those boxes, without reading them first.

Re:none here

[NoMercy (105420)]

Seems to be more and more firefox is leaning towards the 'Weve blocked this, click here to find out why' approach, would be nice if this was extended to all areas including dangerous java programs/etc.

Re:none here

[26199 (577806)]

What's wrong with the general public is they don't give a damn about computer security. Nor should they have to -- a computer is supposed to be a generic consumer product, usable by anyone.

Unfortunately that's a long way from the truth. But I think you should blame the engineers and computer scientists, not the end users.

Re:none here

[rudy_wayne (414635)]

What's wrong with the general public is they don't give a damn about computer security. Nor should they have to -- a computer is supposed to be a generic consumer product, usable by anyone. Unfortunately that's a long way from the truth. But I think you should blame the engineers and computer scientists, not the end users.

It's that attitude that's the problem. The computer IS NOT supposed to be a 'generic consumer product'. That's marketing bullshit. For years, companies that sell computers have been pushing the idea of the computer as an appliance. You don't need to know anything ... you just push a button ... just like your toaster.

User stupidity is still the number one security problem.

Nonsense.

[brunes69 (86786)]

A car is a generic end-user product as well. But if the engine catches on fire because the owner hasn't changed the oil in 12 months, despite the car manual prescribing a change every 5,000, documentation from the dealer saying the same, and red blinking light in the dashboard, no one blames the engineers. The exact same thing is true of sypware and viruses - it is a well known problem, the user's companies and ISPs tell them not to open the attachments, Windows XP even issues a warning prompt, but they do

Re:none here

[dasunt (249686)]

What's wrong with the general public is they don't give a damn about computer security. Nor should they have to -- a computer is supposed to be a generic consumer product, usable by anyone.

That would work if a computer had about the same features and abilities of a toaster.

Unfortunately, a computer is mixture of hardware and computer software that can do office tasks, multimedia, file sharing, communications, and gaming. The feature set is easy to upgrade and expand through software installations.

In addition, due to most computers being connected to the rest of the world, the cost benefits of spyware/viruses (creating spamming relays is big money) and the fact that trying to infect an individual computer is effectively free, the problem is apparent.

Any product with a ton of features and abilities requires user training. Its possible to easily design a car that doesn't require knowledge to drive -- as long as everyone will only go to the mall or the grocery store. But people use their autos for many destinations, over many different roads, and thus we require people to learn how to use cars.

A computer is no different.

Want to write documents? A typewriter works. Some of the electric ones were quite nice. Want to send text messages? SMS over mobile phones. Want to send documents? Fedex. Games? A console. Music? A radio.

Want to do all of the above, and more, with the ability to extend the features and easily upgrade for less cost? Okay. But it will require some training.

If you disconnect yourself from the internet, and lose that feature set, you will probably be secure. Even disconnected, not knowing what you are doing will have consequences. If you are lucky, the only consequence will be wasting your own time. If you are unlucky, you will be frustrated by fighting with the computer all the time to do what you want, how you want it.

Do you want to connect to the net? Congratulations, now you are exposed to the worst people in the world. Would you be cautious walking down a street in Romania with your credit cards in your wallet? Why aren't you cautious while you are online, making purchases, connected to the same network as a Romanian hacker?

I'm sorry, but we can't not create an idiot-proof box. We can't even make a box that requires zero knowledge to run. Our best bet is education.

Re:none here

[RedBear (207369)]

The general public is composed of people who literally can't tell the difference between Adobe Photoshop and Adobe Acrobat Reader, or Mozilla Firefox and Mozilla Thunderbird. This is no hyperbole, I know many people with this problem and I'm sure you've met some yourself. They'll call and say, "I'm having a problem with my Adobe." Or ask you repeatedly which application you're in right now when you're both looking at the screen, even though the applications present completely different interfaces. The person usually will have been using the applications in question for months or years, and still can't tell them apart without thinking about it really hard.

Is it simple ignorance? No, that could be easily corrected. Is it sheer stupidity? No, these people are otherwise of average intelligence or better. It's some kind of weird mental blindness that comes over people whenever they are faced with a computer screen. It's conditional stupidity, and it's one of the main problems with the general public. Most of them will never learn to be careful until you hook up a car battery to their earlobes that gives them a physical notice whenever they do something stupid. Otherwise they just don't seem to be equipped mentally to grasp the concepts involved in using a computer responsibly. The software industry hasn't exactly been helping matters, but they have a monumental task ahead of them. I think computers are just too abstract for a lot of homo sapiens sapiens to deal with.

Well, here's IMHO what's wrong with them

[Moraelin (679338)]

I've said this before, but here goes again: what's "wrong" with non-nerds is that they're used to the Real-World "security model". The real world doesn't work like computers do.

In the real world, you don't have to have an absolutely-unbreakable titanium-plated vault door to your house, nor bullet proof windows. If anyone wanted to hack your front door down, it's worth a maximum 5 minutes with an axe.

Real world locks also aren't supposed to be unbreakable. Au contraire. By computer security standards, they're a catastrophe. Most allow 1-pin-at-a-time attacks, which in computer security is the worst anti-pattern. Locks with master keys allow easy escalation of privileges too.

It's all documented vulnerabilities (or exploits) and they've been known for ages, and never fixed.

But they work IRL anyway. Yes, any kid could lockpick your front door, or hack it down, or just throw a brick through the window to get in. But people still use locks, doors and windows.

Why? Because the IRL (In Real Life) you don't live in a lawless no-man's-land where any kiddie with a lockpick is l33t and free to pick your lock. IRL your real defense isn't the lock, but the law.

The lock or the door just markers. They just say "you're not supposed to be past this point uninvited, and if we find you inside, we'll throw your sorry ass in state jail."

(If you're a die-hard gun fanatic, feel free to replace by "if I find you in, you'll get a gut full of buckshot." Same idea: there'll be repercursions. The door just marks the point beyond which the thief is not supposed to go, not _the_ deterrent itself.)

And people instinctively expect the same kind of rights and protection to apply to the online world too. "This is my computer, you're not supposed to be on it. Your playzone ends at the ISP, and this side is my private property."

Unrealistic expectation? Maybe. But it exists nevertheless.

Unreasonable expectation? Not at all.

Re:none here

[gtkuhn (823989)]

I don't have spyware cuz I check processes for new things that pop up (XP Pro). I've had malware before and I reformat ASAP. Now, one nifty line of defense I use is a freeware program called Startup Monitor. http://www.mlin.net/StartupMonitor.shtml [mlin.net]

Re:Personal experience with anti spyware tools

[catwh0re (540371)]

In terms of spyware that runs on your system as a program, it's a good idea to write a list of the notorious Run directory in the windows registry, that way you can check your list to see if new spyware(and sometimes viruses) have been added. What you need to really do though is ensure that you don't end up deleting legitimate additions to this list, such as those added after installing applications.

Re:I don't get it

[isdfnmo (673446)]

No, friend, you really don't.

The point is not that we technically proficient people can deal with SpyWare but rather that the 99% of computer users who are not technically adept can use their computers, the internet and their email without having to fight a constant battle with unwanted intrusion.

What other mass-produced, home appliance can you think of that requires a deep understanding of its inner workings? We, as the technicians, should be hanging our heads in shame that we have failed, in over 20 years of trying, to devise a machine and an interface and a secure environment that allows the end-user to enjoy the internet or office suite or any other application with such carefree abandon as they do their TV or Dishwasher or Microwave.

Sure people need to be careful, just as they do when driving or using a blender, but surely it is not beyond the wit of man to hide the complexity of the system. Surely a better use of our time and effort, rather than trying to play catch-up with 'the man' is to start finding common ground upon which we can progress best practices... Let the Corporations then compete on price and feature-sets from that good and solid foundation rather than firing off in their own directions with their own agendas and muddying the already dirty waters.

We have a lot of work to do, I'm afraid.