Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Security Operating Systems Privacy Software Windows IT

Failing Grades For Most Anti-Spyware Tools 517

serbach writes "Steve Gibson posted this link to a superb test of about two dozen top Anti-Spyware programs: Eric L. Howes conducted the test over a two-week period in October. The results surprised me: only 3 ASW programs had a 'batting average' of better than .500 when it came to eradicating the broad range of spyware in the test. Freeware star Spybot Search & Destroy came in a distant 7th with an average of only .376. The top three? Giant Anti-Spyware, Spy Sweeper, and Ad-Aware. These test results are well worth your time."
This discussion has been archived. No new comments can be posted.

Failing Grades For Most Anti-Spyware Tools

Comments Filter:
  • Ars Report (Score:5, Informative)

    by cow_licker ( 172474 ) * on Tuesday November 23, 2004 @06:01AM (#10896544)
    Ars-technica also just did a review. Check it out. va l.ars

  • I've been using a few different anti spyware tools in parallel because it seems as if there isn't a single tool that can reliable remove all spyware.
    • by catwh0re ( 540371 ) on Tuesday November 23, 2004 @06:57AM (#10896709)
      In terms of spyware that runs on your system as a program, it's a good idea to write a list of the notorious Run directory in the windows registry, that way you can check your list to see if new spyware(and sometimes viruses) have been added. What you need to really do though is ensure that you don't end up deleting legitimate additions to this list, such as those added after installing applications.
  • It's interesting (Score:4, Interesting)

    by Anonymous Coward on Tuesday November 23, 2004 @06:08AM (#10896556)
    The attitude to directed advertising programs or "spyware" on Slashdot. Especially when you step outside the parochial echochamber that is Slashdot discourse and speak to people who actually use these programs. On the whole, they are actually happy to get these novelties for "free", like the funny little desktop buddy, or the search bar, weather report or stopwatch.

    I used to work for one of the companies that distributed a "spyware" program through, and we had continual PR problems with being lumped in with the worst offenders of the spyware world. We didn't do drive by installations, or hide our intentions: we just traded our customers data for use of our program. What, exactly is wrong with that? Why is Slashdot pretending all of us are as bad as each other, as if in this, as with all fields, there isn't a spectrum of behaviour?? Even some linux users are bad, just look at the DDOS at I'm sure noone here would condone that behaviour.

    (Posted anonymously, not interested in karma bonus.)
    • by Anonymous Coward on Tuesday November 23, 2004 @06:31AM (#10896643)
      no they are not 'happy' with all that crap. that's why the developers go to such extreme lengths to get make the damn things next to impossible to remove without dedicated removal tools (which even then, as we see in the article, often fail).

      if your program had a smooth uninstall that actually did something, was called WarningNastyEvilSpyware.exe, flashed up a new warning everytime it ran that evil crappy spyware it installed, and clearly documented everything it did, then I guess it was ok (though you'd have to pay me to use it).
      otherwise you were working for evil.

      (and what made you think you'd get karma for admitting to writing spyware?)
    • Re:It's interesting (Score:5, Interesting)

      by cheezemonkhai ( 638797 ) on Tuesday November 23, 2004 @06:32AM (#10896646) Homepage
      Regardless, I don't see a problem with giving users the option to remove these things which trade their personal details.

      • Who actually reads all the agreement to use the software?
      • How many of them know their personal details are being sold?
      • How many people know what is actually being collected.
      • How many people got these "tools" from a random e-mail saying look this is cool?
      I can hear what your saying, but I think the user is allowed the right to remove the spyware.
      If the company doesn't want them to use the tool without the spyware then make it break without it and inform the user they removed the spyware which collects their details and would they like to reinstall it or remove the free "tool".

      Sure some spyware is worse than others, but the user deserves the choice.
    • by RedBear ( 207369 )
      Ahem... Why are you pretending all /.ers are as bad as each other?

      On the one hand, some /.ers do find it reasonable for spyware like yours to exist in the world, as long as it notifies the user clearly that they are selling personal information in exchange for the "free" use of this software. On the other hand even those folks will usually still class your software in the same category of the junk that unknowingly violates your privacy and bogs down your computer.

      It's difficult for most people to come to
    • by Erik Hensema ( 12898 ) on Tuesday November 23, 2004 @07:15AM (#10896754) Homepage
      • spyware almost always hides its true intentions deeply into some EULA nobody reads
      • spyware usually is very hard to uninstall

      Especially the last point is important. If my browser is infected with spyware, I simply want to go to controlpanel->software, select the program and uninstall it. Nearly always this is completely impossible. Lots of spyware nowadays actively combats uninstalling. And when software does that, it always is written by the Bad Guys.

      Unfortunately you don't say what product your company was/is making, but I guess that was to be expected.

      • spyware usually is very hard to uninstall

        Last Friday I went over to my cousin's house and cleaned her computer. (Can't quite get her to switch to Linux... yet.) Took all evening, and I finally had to boot into DOS and remove some files that way. One of them called "Wintools" had even set the 'hidden' and 'read-only' attributes, if I hadn't remembered 'attrib' I'd have had to wipe the thing and reinstall.

        One of them had screwed up shutdown; it would freeze and she'd have to power-cycle, invoking a scandi

      • Re:It's interesting (Score:3, Interesting)

        by hackstraw ( 262471 ) *

        spyware almost always hides its true intentions deeply into some EULA nobody reads

        spyware usually is very hard to uninstall

        In other words, spyware like most spam depends on a business model based upon deception. Using deception in a business model is also known as fraud.

        fraud (n.) -- A deception deliberately practiced in order to secure unfair or unlawful gain.

        Fraud in the US is illegal.

        Therefore, most spyware and spam are alread illegal in the US.

        Look lawmakers you can give yourself another raise a

    • by asadsalm ( 647013 ) on Tuesday November 23, 2004 @07:18AM (#10896762)
      Of course!

      They would be really happy to install these free utilities and games. They really wouldn't care why their computer takes 30 minutes to start, and keeps crashing every so often, randomly. They wouldnt care, because they dont "know".

      Its absolutely wrong to create awareness, since ignorance is bliss isn't it? For them, all they need to do when their computer becomes a constantly-rebooting over-sized paperweight is to call me and spend a day to have it "formatted".

      I mean, c'mon, the funny-little-desktop-buddy is OK. All it does is reduce my computer to a 0.5 frame per second 1956 batch-processor.

      Its funny how, when your bread comes from a shady source, that source becomes morally right. Like, for example, in my religion, interest based financial transactions are not allowed. The only people who say its ok are bankers!

      • Re:It's interesting (Score:3, Interesting)

        by Darthmalt ( 775250 )
        My cousins gave me what was at the time a pretty decent computer with *shudder* winME that "didnt work". Because it wouldnt even finish booting anymore.

        I started it in safe mode went to the startup menu, and fell in the floor laughing. The only thing wrong with it, besides the fact that it had ME on it, was that my cousin had d/l so many spyware/malware/tollbar crap that the computer didnt have enough processing power to get it all started.
        after disabling all that crap and running spybot and adaware it s
    • Re:It's interesting (Score:5, Interesting)

      by NoMercy ( 105420 ) on Tuesday November 23, 2004 @07:40AM (#10896831)
      1/4 the time your probably breaking the law when you do that, there are strict laws governeing what you can and can't do with information about european citizens. I know any 'information handler' which operates with the UK has to have a data protection statement, be registered as a data handler, and needs to keep all it's data on file for several years as any person must be able to get a copy of all the information held on themselves for no more than 10 pounds (about 30 dolars).

      Sure your actions are still legal?
    • Re:It's interesting (Score:4, Interesting)

      by IO ERROR ( 128968 ) <> on Tuesday November 23, 2004 @07:44AM (#10896849) Homepage Journal
      There's a big difference between an ad that someone can choose to click on or ignore, and a program you install on their computer which sends all of their data to your servers for you to do with whatever you want.

      First of all, your program probably didn't disclose to the users that it was collecting personal information, or if it did, it was buried near the bottom of the license, which is to say you may as well not have disclosed it.

      You may not have hid your intentions, but I'll bet you didn't show them either. How many of your users would have installed your program if you said right on the first screen "We collect your personal information and do whatever the hell we want with it"? Uh huh, that's what I thought.

      There's a huge difference between a banner ad on someone's site and your typical spyware program.

    • Re:It's interesting (Score:5, Interesting)

      by Ilgaz ( 86384 ) on Tuesday November 23, 2004 @08:10AM (#10896915) Homepage
      If you state directly that program will sell your private habits, you are off to go.

      I don't have problem with that myself.

      I _hate_ one little, clever company named Limewire. Limesoft to be exact.

      Those assholes recently tested SPYWARE on Mac OS X knowing the fact that mac users aren't so advanced on such things.

      They used same tactic as they did on Top Moxie, on Win32 years ago. Coded it so system part (java.exe) will run it and if user runs an advanced firewall (not usual on mac too!) , Java will ask for permission to connect to net, NOT the spyware itself.

      Advanced users figured it (thank god) and that "Adam" guy from Limesoft (boss) said "they were testing technology on macintosh, its pulled from installation now"

      Do I remember that kind of answer and shameless response from somewhere? YES! It was same deal on Win32 topmoxie!

      Notice something, I use "spyware" for Limewire, not whatever your product is. If you show users your intentions, you won't get much protest from them.

      BTW, as mac users turned out to be "not that stupid", they removed "limeshop control panel" installation from later releases.

      Limewire, on mac, while doing such "great inventions" as first spyware on OS x is currently number 1 on mac edition... :)

      When are you bundling your shit again Adam Fisk?
    • Re:It's interesting (Score:5, Interesting)

      by gad_zuki! ( 70830 ) on Tuesday November 23, 2004 @08:18AM (#10896943)
      I've found the opposite to be true and I've done tech support in a variety of atmospheres. Once "spyware" became a common word and we were able to talk about it, I have yet to hear anyone say "Yeah, I love the GAIN suite of helper apps." What I have heard is stuff like "I dont even know what that is, it just appeared one day." Sometimes I hear some pissed off outrage when they find out all those delays and crashes theyve been dealing with were caused by these semi-stealth installed programs and their privacy has been violated the whole time.

      I think I met one dude who didn't care then the spyware kept multiplying. Afterall these vendors don't care about their customers, in fact they are hostile to thme, so why not abuse the system and turn that one downloaded app into more installs during an "update."

      On top if it, a lot of these apps append the sig line in your mail client and professionally its makes the users who use email for work look bad. It makes them look stupid and incompetent. This kind of thing embrasses them quite a bit, and rightly so. A client is going to see a email full of multicolor characters with 4 links to GAIN and think, 'This guy is a moron.'

      >Especially when you step outside the parochial echochamber

      And once you step out of your "people are stupid/ignorant and dont deserve disclosure" stage you'll understand.

      I am very glad both socially (people deserve disclosure and a legalese 10 page EULA isnt) and personally (Im sick of fixing computers) that spyware/adware is the kiss of death and now in the same league as spam and other scams.
    • by shokk ( 187512 )
      Yeah, they're really happy to see security holes opened on their system, and how they are unable to use that brand spanking new 3.4GHz system as the CPU is fully consumed running hundreds of unwanted processes. I saw 800+ at one victim's system before applying the double-whammy of Spybot and Ad-Aware (non-commercial user). I'm going to check out SpySweeper to see how it fares vs the other two for keeping on my USB keychain thumb drive for when I visit friends. Since they have a Corporate Edition of Spy S
  • Spyware (Score:3, Informative)

    by cheezemonkhai ( 638797 ) on Tuesday November 23, 2004 @06:09AM (#10896559) Homepage
    Well Spybot may not do great, but it certainly does enough to clean up a persons PC so it works again without crashing every 5 minute.

    My reccomendation is firefox or mozilla or even opera if you prefer it.

    I do however note that if you take a clean system and then visit, then run spybot etc you will find that there are little evils that appear on your system.

    It now appears that the best option is to wave goodbye to MS if you can. Pick a nice linux distro (eg Ubuntu or whatever suits you) or even MacOS X and feel that little bit safer.
    • Re:Spyware (Score:3, Interesting)

      by MoonFog ( 586818 )
      A lot of the spyware you get is just cookies from or something that registers what sites you visit etc. You're not safer from them on Linux than you are on Windows.As long as you accept cookies, they'll be there.

      I just use Firefox's cookie handling. I disable cookies and choose to allow only certain sites to set cookies (such as gmail, online banking etc).
    • Re:Spyware (Score:4, Interesting)

      by dave420 ( 699308 ) on Tuesday November 23, 2004 @08:06AM (#10896903)
      What the heck are you on about? I run Windows, and I've had no problems with spyware ruining my PC or crashing it. I'm fed up with all this "ooh better stop using microsoft, otherwise your face will melt clean off" bullshit. I thought you guys were professionals? Why are you spouting this FUD about microsoft? If it was as bad as everyone here says, no-one would be able to use it at all, as their computers would be simultaneously blowing up and sending their credit card information to north korea.

      There are PLENTY of things people can do in windows to protect themselves as much as they want. Suggesting moving to another operating system shows your real intentions here.

      I apologise if this sounds pretty harsh, but I'm pissed off with the lack of professionalism or objectivity on this site.

      • Re:Spyware (Score:4, Funny)

        by RoloDMonkey ( 605266 ) on Tuesday November 23, 2004 @11:11AM (#10898176) Homepage Journal
        ...I'm pissed off with the lack of professionalism or objectivity on this site.

        Your new here, aren't you?

      • Re:Spyware (Score:4, Insightful)

        by blackest_k ( 761565 ) on Tuesday November 23, 2004 @11:14AM (#10898209) Homepage Journal
        first of all who's professional? Some readers of slashdot may be professional but I am certain a lot are not. your asking a lot of a readership that has a number of posters who just post for creating havoc if you read slashdot at -1 you will soon see that comments on slashdot pump through the site like raw sewage with the occassional gem which moderators reach in and retrieve.

        While you may be able to run a windows operating system without getting infested with spyware it seems to be the case that many people can't.
        perhaps if people could be educated into looking for "open source" instead of "free" when looking for a tool or utility then they might improve their Pc's health.

        Spyware often uses two parallel processes to maintain control of a pc, when you go to kill one process the partner process restarts it. these tricky beasts can be killed by booting in safe mode and finding the programs on the harddrive and deleting them. These are the most common ones I have to deal with once I have educated users to run spybot and adaware to remove the easy stuff.

        It doesn't help that users like to run things like kazaa instead of kazaalite as an alternative and seem clueless and overly trusting of the files they download- often not even running an up to date antivirus program such as avg (free edition).

        Finally while windows is a mess of worms trojans and spyware, suggesting that these same users run linux instead, is pointless they struggle hard enough with windows. linux isn't friendly to clueless users ect...

        Maybe a Mac is the real answer for these people but few will migrate to another o/s or buy new hardware so the problem will remain.

        perhaps it might help if it was possible to launch linux from within the windows environment. similar to the experience of running amiga os under emulation.
        then users can venture into linux as and when they find applications to run under linux and don't have to reboot into windows to run something which doesnt have a linux alternative.

        To be objective you can't look at windows and say it is not vunerable to these problems (no matter how well you look after your system). It is equally valid to say Linux isn't a pain free alternative yet.

        hope you find this post a little more balanced.

      • Why are you spouting this FUD about microsoft?

        My father and one of my brothers have windows machines. One is a locked down corporate XP pro SP1 laptop that is remotely administered by professionals. The other is a Windows ME home computer used for web surfing, e-mail, and video games.

        About every other time I go to visit them, I walk them through spyware removal to make their machines run at a reasonable speed again. About once every three months, one of them calls me because their machine has become

      • Re:Spyware (Score:3, Insightful)

        by _Sprocket_ ( 42527 )

        What the heck are you on about? I run Windows, and I've had no problems with spyware ruining my PC or crashing it.

        Years ago, I ran nothing but Win9x. My own home systems were fairly stable and usable. I had no interest in anything but a Windows world. Then I became a "professional".

        As a payed IT cog, I had to deal with OTHER people's Windows machines. I got a full sample of Murphy's Law and Microsoft. And then I began to understand some of Microsoft's detractors.

        It's not that Windows is absolu

  • Interesting... (Score:2, Interesting)

    by Anonymous Coward
    ...though I would have liked to see how the pre-emptive SpywareBlaster [] changed the results...
  • by krumms ( 613921 ) on Tuesday November 23, 2004 @06:10AM (#10896566) Journal
    I've always found a combination of Ad-Aware and HijackThis do an excellent job of keeping all things spyware under control. Ad-Aware for more frequent scans, and the odd hit of HijackThis when things seem screwy. Admittedly, I don't know how much spyware I actually miss but it seems to keep XP happy for most part :)
  • by Sai Babu ( 827212 ) on Tuesday November 23, 2004 @06:13AM (#10896574) Homepage
    you never know where your internet connected peecee might be sending it's bytes.

    hmmm why is that activity LED blinkin?

  • by Viol8 ( 599362 ) on Tuesday November 23, 2004 @06:14AM (#10896577) Homepage
    This isn't a standard issue MS bashing troll but you do have to question whether given the ease at which programs (which is what spyware is) can install themselves on someone elses computer with little or no user intervention , Windows is fit to be allowed on the internet. If all windows systems were taken offline then almost all viruses and the like would disappear almost immediately along with spambots and other unpleasent creations of the black hat fraternity. I'm not pretending this is feasible but you have to wonder what the net would be like if only relatively secure OS's were allowed to use it.
    • by Skyfire ( 43587 ) on Tuesday November 23, 2004 @06:20AM (#10896604) Homepage
      As much as we like to say bad things about Windows' security here on /. (and I won't argue with the poor security of Windows), I don't really think that most spyware is a security issue. Most of the spyware that gets installed is installed hidden in amongst other downloaded programs, and the only warning that the user has might be one or two lines in the EULA, which no one bothers to read. I think that the real culprit behind spyware is the companies that play these dirty tricks, and also to some extent the users that blindly click every little button. I've learned to carefully look through the installer instructions on random programs that I download, and I very rarely have problems with spyware.
      • I'm sure most spyware is nothing more than some greedy company wanting to find out what you like to buy and then send off the data to their warehouse to help in decision making or something similar. HOwever , these programs could do anything which is the worrying part. 99% of them may just be Gary Grocer trying to make some extra money , but 1% may have more nefarious intentions and thats the worrying part. Once you can install a program on someone elses machine without their knowledge you can do anything w
        • by Dogtanian ( 588974 ) on Tuesday November 23, 2004 @07:18AM (#10896761) Homepage
          HOwever , these programs could do anything which is the worrying part. 99% of them may just be Gary Grocer trying to make some extra money

          I think you're underplaying the seriousness of Gary Grocer's nefarious activities. After all, he's an internationally-wanted credit card fraudster who is also notorious for using zombified PCs to send spam.... that's how he makes his "extra money". (Note: There is a reward for the capture of him and his money-laundering associate, Freddy Firefighter).

          "These people are scum, " says Florida's Head of Anti-Fraud Investigations, Calvin Criminal.

          "Damn right, " adds his colleague, Alvin Arsonist.
      • I used to think that what Windows needed was an SU ability, so you'd run as a normal user, and enter the admin password when needed. I still think that's a good idea, but I've come to realise it won't do shit to stop spyware.

        For those that don't know, Mac OS-X does just this. You run as a user, and it asks for root when something requires root to execute. Good idea, don't want to be running as root full time. So I'm hanging out in a recording studio, chattering with the engineer, who is also piddling aroun

    • If you change the ecosystem new species will evolve to fill the niches.

    • by Anonymous Coward on Tuesday November 23, 2004 @06:33AM (#10896651)
      I'm not pretending this is feasible but you have to wonder what the net would be like if only relatively secure OS's were allowed to use it.

      Windows is a relatively secure OS if you know how to run it. Unfortunately, most people who run it are dumbasses who install all programs they find and click YES to every prompt they see. If you run it with a decent firewall (whether that be software or hardware), antivirus software, and diligence then Windows won't give you any problems.

      BTW I recommend Ad-Aware and Spybot: S&D for clearing out just about any crap if the spyware does somehow "install themselves" onto a system.

      • Windows is a relatively secure OS if you know how to run it. Unfortunately, most people who run it are dumbasses who install all programs they find and click YES to every prompt they see.

        Unfortunately, Windows is designed so that any dumbass can run it. Any OS which demands any kind of technical comprehension is labels 'elitist' and stays relatively obscure.

        The only reason Linux is gaining ground is that the latest desktop environments and installers allow you to be a total eejit and still get a halfwa
      • Windows is reasonably secure only if it is behind a Linux firewall...

        If Windows was secure, then Linux would have been behind Windows firewalls and all the little Linksys and Dlink firewall routers in Best Buy would have been running WinCE.

        Nuff sed.

  • Ad-Aware Rules (Score:2, Informative)

    by dreegle ( 443860 )
    If you can limp yourself to download it, I've found Ad-Aware does an outstanding job in most cases. But you must have the new (free) version to do any good, The rate of evolution of these beasts are high, and they apparently came up with a new engine for Ad-Aware SE, that I've seen fund hundreds of objects that Ad-Aware 6, a moment before with current updates, had missed.

    Makes most machines usable again, and quickly.
  • by Maljin Jolt ( 746064 ) on Tuesday November 23, 2004 @06:17AM (#10896585) Journal
    These test results are well worth your time.

    No they are not. I already burned all Windows CDs in the fire. You wan't believe how much time I gained by doing this!
  • I've been an Ad-Aware user ever since I discovered spyware. SS&D was always over-zealous and broke too many legit applications for my liking.
  • And if they fail... (Score:5, Informative)

    by Tuxedo Jack ( 648130 ) on Tuesday November 23, 2004 @06:20AM (#10896603) Homepage
    That's what SpywareInfo's for. []

    It's arguable that they're the biggest antispyware site out there, and if nothing else, they can get the CoolWebSearch strains that even Ad-Aware and Spybot can't get (real-yellow-pages, linklist, et cetera).

    (Disclaimer: I'm a Trusted Advisor there.)
  • Spybot Search & Destroy is more preventive, as far as I know Ad-Aware doesn't do preventive measures like blocking (kill bit) of known bad ActiveX controls.
  • Really, I don't. Can some explain what exactly these "tools" do?

    Perhaps I'm in a rare position and have been lucky to be immune from such troubles, but it seems to me that checking startup items, managing what's running on your system (exe's, services, etc.) is fairly routine stuff. And if there is a problem, deleting a file, making a simple regedit, etc. can't be that hard, right?
    • You ever root through the Windows registry? Literally millions of keys and subkeys are there, and it's a pain in the ass to root through them all to find and kill one.

      Admittedly, there are certain hotspots (HKLM\Software\Microsoft\Windows\CurrentVersion\R u n being the big one), but you don't want to regedit over there every time, do you?

      No. You use tools to kill that.

      You can't manage BHOs without BHODemon or XP SP2, so you use HijackThis to kill the bastards.

      Services are a pain to check, but very few s
    • Re:I don't get it (Score:5, Insightful)

      by isdfnmo ( 673446 ) on Tuesday November 23, 2004 @07:04AM (#10896728)
      No, friend, you really don't.

      The point is not that we technically proficient people can deal with SpyWare but rather that the 99% of computer users who are not technically adept can use their computers, the internet and their email without having to fight a constant battle with unwanted intrusion.

      What other mass-produced, home appliance can you think of that requires a deep understanding of its inner workings? We, as the technicians, should be hanging our heads in shame that we have failed, in over 20 years of trying, to devise a machine and an interface and a secure environment that allows the end-user to enjoy the internet or office suite or any other application with such carefree abandon as they do their TV or Dishwasher or Microwave.

      Sure people need to be careful, just as they do when driving or using a blender, but surely it is not beyond the wit of man to hide the complexity of the system. Surely a better use of our time and effort, rather than trying to play catch-up with 'the man' is to start finding common ground upon which we can progress best practices... Let the Corporations then compete on price and feature-sets from that good and solid foundation rather than firing off in their own directions with their own agendas and muddying the already dirty waters.

      We have a lot of work to do, I'm afraid.
  • ...that I run FreeBSD, Linux and Solaris.

    The least Microsoft could have done is create a non-admin user upon installation and force users to work as that, e.g. by changing word, excel etc. to refuse to open when used by an administrator and changing IE to refuse to work on anything but windowsupdate for administrators.
    That would have been far more effective than SP2 and all the gazillion tools one seems to need today to be able to use XP reasonably.
    It would also have cut down on a lot of Spam.

    Yes, it woul
  • hitman pro (Score:3, Interesting)

    by Anonymous Coward on Tuesday November 23, 2004 @06:28AM (#10896634)
    This is a very good solution :

    It's dutch and it runs Ad-aware, Spysweeper , Spybot S&D, Stinger, Spywareblaster , ect...automaticly....

  • use only Free software
  • Me charging $60 an hour and HijackThis.

    Seriously, I've yet to see spyware that booting into SafeMode and running HijackThis won't cure.

  • I use Spy Assissin. You download it from the ad-aware site, and have to pay for it. I think it's supposed to be better than adaware SE, which is the one tested (that's the free one).

    Spy Assissin is cheap, and you get a 5 PC licence for it. Certainly sorted out a few nasty popup problems on my dads PC (though he probably didn't mind some of those lovely ladies popping up, but I'm sure my mother would have if it had gone on any longer).

    Spy Assissin is updated regularly, and each time you run it it downlo
  • Horses for Courses (Score:5, Insightful)

    by One Childish N00b ( 780549 ) on Tuesday November 23, 2004 @06:46AM (#10896683) Homepage
    The anti-spyware game is a real case of horses for courses - one tool will detect some spyware and miss others, while another will find all the bits the other missed, but miss off a couple it didn't. There really is no 'definitive' spyware removal tool and it's foolish to say there is. I advise people to run both Ad-Aware and Spybot with latest updates at least once a week to ensure almost all spyware is found and removed, as I've had too many instances of one of the two missing out five or six items on every sweep that the other one found straight away.

    You could probably get even better performance by running more than those two, but I'm not going to harrass my clients to start running half a dozen programs just to remove spyware and it's a pretty rare thing to come across a piece of spyware, even a humble cookie, that both of those two miss. Anyway, my point is this; You can't just run Ad-Aware or Spybot and think you're protected. Until an anti-spyware tool has a 100% record against all known spyware, I won't consider them anything near a definitive tool, or a licence to behave recklessly on the net, something which too many naive people seem to do.

    The problem with anti-spyware tools is three-fold;

    a) They are made by private companies and individuals who's credentials and/or decency cannot be guaranteed. They could easily take kickbacks from spyware companies in exchange for 'excluding' their programs from the scan list. Sure, it might not be happening now, but what's to stop Lavasoft suddenly to start taking kickbacks to let the less insiduous spyware through? Unless you're on the inside of a company like that, you can never be sure. I'm sure Lavasoft aren't doing anything like that, as these results prove, I'm merely using them as an example - any anti-spyware app people trust is in an immensely powerful position on the user's computer, and any money-seeking company can theoretically be bought out.

    c) When they remove a spyware .dll that a program the user makes use of hooks into, the program may stop working, and who would get blamed? the anti-spyware vendor. Hey presto, Spybot looks like pure evil because they just killed off Joe User's cool new P2P app because keylog32.dll got wiped. This happened a lot when Kazaa was big - naive users getting told by techy types to run Spybot every now and then to clear spyware ended up bitching because it nuked the spyware that Kazaa checked for before starting up. They didn't seem to care about privacy when protecting it stopped them getting their MP3s and porn.

    c) People do, as I mentioned above, use them as an excuse to behave recklessly on the internet - they will install random .exes, they will visit dodgy sites and they will do all manner of things because they believe they are safe. They don't understand that spyware blockers only work against known types of spyware, not all spyware in total. Naive users seem to think it's an agreement between spyware vendors and anti-spyware companies when it is, to all intents and purposes, an arms race which the anti-spyware groups will always in second place.

    Anyway, what was my point again? Oh yes, that these statistics are misleading for naive users. Ad-Aware and the others are now going to start shouting from the rooftops about how they're one of the top 3 anti-spyware apps on the market, and thousands of lusers will trust themselves to it implicitly solely because of that blurb, while the reality is Ad-Aware still misses stuff, and it is more than fallible. That 'lowly' Spybot has turned up half a dozen items Ad-Aware failed to find at least three times for me, but I wouldn't run that on it's own either - Everybodyb knows it's a good idea to get a second opinion, especially when it's free.

    Also, does anybody else find it funny that /. are now serving ads to the Microsoft 'Get the Facts' campaign? Is this Slashdot putting one over on Microsoft by taking the money they throw at them when they know no-one here will believe it, or have they reached a new low, actually showing not just Microsoft ads, but ones that feature blatant FUD against FOSS?
  • by Spoing ( 152917 ) on Tuesday November 23, 2004 @06:49AM (#10896696) Homepage
    Oh, not from me. While the failure rate is much higher than I'd expect, that they do fail on a regular basis is not a surprise.

    The reasons seem to be simple;

    1. Spyware detectors find and remove known spyware.
    2. Spyware creators know about the spyware scanners. If they decide that being detected is a big enough problem, they work on ways to not be detected.
    3. As the new spyware revision comes out, they are discovered and the spyware detectors are updated.
    4. Rinse and repeat.

    Yet, the test results show that the spyware detectors aren't in the arms race against spyware that I described above. Instead, many spyware revisions aren't detected at all. Either they don't know about the spyware revisions, the spyware is not being tested for, or the spyware is being ignored on purpose.

    Right now, the bar that the spyware creators have to leap is very low. Both social engineering and direct injection onto systems make spreading these things fairly easy to do for the spyware maker. Tie that in with many spyware detectors not detecting completely, and not being used consistantly, and I don't see an end to this problem soon for most people.

    What to do? I'll leave that to others for now. I have my own lists. It is a security issue so the systems should be considered to be on hostile networks and hostile users. I consider 2 hours to lock down a Windows XP system to be a reasonable minimum amount of time to spend on each system -- unless automation tools are used.

  • by cybergibbons ( 554352 ) on Tuesday November 23, 2004 @06:56AM (#10896708) Homepage

    I run a small IT consultancy, and nearly every internet connected PC we work on has a significant spyware infection on it. It's not only our job to remove it, but to prevent it coming back. The things that I've noticed after fixing a lot of problems:

    • People don't know they have spyware on their computers. They are crawling along, at a stage I would call barely usable, and it doesn't bother them in the slightest. Or, better still, they find those new toolbars really useful...
    • A combination of Spybot S&D and Adaware will clean up most problems. Hijackthis will then allow you to remove anything else. Some people say that Hijackthis is the only tool you need - but it can only remove very apparent problems, whereas the other tools will remove nearly all associated keys, files etc.
    • To prevent re-infection, you need to lock down the machine whilst it remains usable. People really do not want to change, or put any effort in. You can try putting Firefox and Thunderbird on the PC, but most people will choose IE, or complain if you hide IE, so they don't have the option.
    • Change the settings for the zones in IE to be more secure.
    • Add a big list of bad sites to the restricted zone in IE. This includes some sites that have content, but it's generally porn, and as our users are business users, they won't call us back to give them access to a porn site.
    • Add an even bigger list of ActiveX CLSIDs to not run.
    • Stop the default action on windows scripting host files, scr files etc. from "run" to "edit". A lot of problems start with some user interaction, and this has cut down on quite a few (mainly non spyware) problems.
    • A lot more small registry tweaks can be done... most of the above is done automatically by scripts we have writen. One of the problems we found was adding keys once to each HKCU hive - you don't want to overwrite them at each login, or the user changes will be forgotten, but none of the Run, RunOnce etc. keys do it per user.
    • Add some buttons to the IE toolbar to put sites in the trusted or restricted zones, for when people have problems.
    • Install Spyware Guard - this provides some active protection against spyware.

    This won't stop everything by any means, but it slows down reinfection. End users need to change habits - reading EULA, not just clicking OK, using passwords - but this isn't something you can do with a couple of hours work, so people aren't willing to do it. I have no solution to that problem.

    • by cybergibbons ( 554352 ) on Tuesday November 23, 2004 @07:18AM (#10896760) Homepage

      I should ad (hoho) that one major advantage of Spybot S&D is that you can schedule it to run quietly in the background... this just isn't possible with any of the other free tools. The command that does it:

      spybotsd /autoupdate /autocheck /autofix /autoclose /autoimmunize /taskbarhide

      There are other tools that help massively with spyware. As a consultant, it's equally important to understand the ways and means spyware gets onto the system, so that you can prevent and cure effectively, and respond to new spyware before the automated tools do it or before it appears on the many forums.

      • Sysinternals Utils are free and great. Process Explorer replaces the crippled useless tasklist in XP, and is quicker and easier to use than the command line utils. Filemon, Regmon, and Diskmon allow you to monitor files, registry keys, and disk access - you can see how, when, and why spyware is getting in.
      • WhoLockMe - appears on the right click menu in explorer, and shows what is causing a file to be locked. Again, this can be done at the command line, but this makes life that little bit easier.
      • Knoppix - for when it all goes very very wrong.... recover files, partition tables, reset passwords, even edit the registry
    • End users also need to be disabled from performing administrative tasks on their computers.

      From my limited experience with spyware, by simply removing the user from the Administrator group you effectively cripple the majority of spyware tools. If you do not have access to modify the %SystemRoot% or make any changes to %ProgramFiles% you'll be a much safer user overall.

      I would never logon to my box using root for daily activities. While spyware may be able to make modifications to the current user they wil
  • by gtkuhn ( 823989 ) on Tuesday November 23, 2004 @06:57AM (#10896711)
    Seriously guys, none of these spyware removers are even remotely perfect and they all suck time and CPU cycles. I disavow any knowledge of this guy, Mike Lin, but his itty-bitty FREEWARE program kicks butt. [] It does one tiny little thing with almost zero overhead, it tells you what wants to insinuate itself into one of the several startup vectors of Windows. And gives you the option of not allowing it. Any spyware must have some part that runs at startup. This gives you a warning and a filename for googling to remove whatever you have contracted. Probably works for many worms, viruses, and trojans too.
    • by Akardam ( 186995 ) on Tuesday November 23, 2004 @09:38AM (#10897310)
      I've recently seen a rash of new spyware that registers a .dll or ten into the TCP/IP stack, or even in some cases a device driver. Those are truly the beasts. And, of course, the normal Windows startup routines don't necessarily apply, since Windows will include the dll's at launch, and once they're hooked into a process, they'll go about their nasty business as part of what may otherwise be considered a legitemite executable. The line between spyware and a virus/worms/trojans these days is so incredibly thin, it's hard to see anymore.

      If it hasn't already become obvious I'm all in favor of dropping large objects on the scumbags that make this kind of stuff. Say, a super-large special order 1000 ton ACME anvil, to start?
  • Review Format (Score:3, Insightful)

    by Donny Smith ( 567043 ) on Tuesday November 23, 2004 @07:30AM (#10896792)
    While we should be grateful for the work done by the reviewer, I cannot but notice that the results are hard to find out.

    I, for one, would like to see some conclusion or recommendation or rating (Anti-Spyware A - goog; Anti-Spyware B - shit; Anti-Spyware C - excellent).
    I know the article focuses on falling efficiency, but still, it's a bit overwhelming to go over those huge tables.
  • by DigiShaman ( 671371 ) on Tuesday November 23, 2004 @07:33AM (#10896802) Homepage
    About half the time a user removes spyware from a PC that is running really sluggish, I've found that it the spyware removal utilities does NOT repair the winsock registry keys. Thus, you can't even get TCP/IP connectivity. You will know it's broken if you get an IP of or will fail instantly to repair the LAN connection in XP and just get a 169.x.x.x address.

    If you do plan on removing a heavly invested PC, be sure you know how to fix repair winsock.

    If the customer is running XP with SP2, then you can run the "netsh winsock reset catalog" command (without quotes) to repair the connection and reset the winsock settings back to defaults. However, if the PC does not have SP2 installed, you will have to check out this link; en-us;811259 []

    For Win9x users, check out this link []
    • There's two utilities I use on a regular basis for winsock fixing:

      1. LSP Fix []. This program will let you see what dll's are embedded in your TCP/IP stack. Most of the time it will even detect stuff that's not supposed to be there, but you do have the option to override its judgement. Spybot S&D also has the ability to look into the stack, but you can't use it to remove offending modules, nor see their actual dll filenames.

      2. Winsock XP Fix []. This nifty little utility will basically reset all registry se
  • by videodriverguy ( 602232 ) on Tuesday November 23, 2004 @07:39AM (#10896825) Homepage
    I'm surprised that they don't mention this piece of s**t. But since I haven't yet seen a program that can remove the latest version, I'm not surprised. This insidious piece of work actually installs a device driver which continuously monitors its files and prevents deletes etc.

    Even starting in so-called 'safe mode' won't stop it. You have to boot with a CD and erase it manually.

    The people who wrote it are 3721. something, and a link to it even appears on the default Chinese search page. In theory it just allows for Chinese name searches, but in reality does much more.

    You have been warned - please don't visit the site.
  • by NoMercy ( 105420 ) on Tuesday November 23, 2004 @07:44AM (#10896847)
    "Moreover, users should learn to practice safe computing habits, which include avoiding web sites and programs of unknown or dubious provenance and carefully reading End User License Agreements and Privacy Policies."

    Am I the only one who doubts that will come true any time soon, we all know how to click on a button as a reflex action, reading a lengthy EULA full of lawyerspeek... that's a headache.
  • by SoupIsGood Food ( 1179 ) on Tuesday November 23, 2004 @08:26AM (#10896964)
    You could simply buy an iBook and look at it as a peripheral for your cryo-cooled 1337-gamerboi PC.

    You use the PC for playing "City of HalfEverDiabloCraft III" and for generating dubious overclocking benchmarks and storing your MP3's on your terrabyte RAID with the windowed 250gb SATA disks.

    You use the Mac for web surfing, email and IM, to store critical documents you don't want eaten by Virii (making sure to back them up to CD-R every now and again) and generally Doing Usefull Stuff.

    That way, your precious game time is uninterrupted by Microsoft's Keystone Kops approach to secuirty and monoculture attacks. Let's face it... you ain't never gonna be able to lock down your Windows box, no matter how much money and third party utilities you throw at the problem.

    Alternatively, OpenBSD on any old laptop is another way to dodge the spyware bullet, if your Unix Fu is the stronger.

    SoupIsGood Food
  • by wowbagger ( 69688 ) on Tuesday November 23, 2004 @08:38AM (#10896998) Homepage Journal
    What surprises me is the fact that Mr. Gibson is able to find web sites that do "drive-by-installation" that are not taken down immediately.

    You'd think that the hosts of "Innovators of Wrestling" would yank it if it were downloading crap onto people's computers without their knowledge - in violation of the LAW!

    But then again, I've seen how well most System AdminDUHstrators manage their sites; perhaps my surprise is simply the result of my moring coffee not kicking in yet.

    And here is a question for the class to consider: Given the difficulty of removing spyware in a machine which is running the spyware, why has somebody not taken Knoppix, Wine, the NT filesystem wrapper code, and a virus cleaner, and created a boot disk that would
    1. mount the users disk using the NTFS in the kernel
    2. locate the native NTFS DLL, MD5 check it, and assuming it is not corrupt use it to mount the system R/W
    3. Use winelib to access the registry and clean it
    4. Run the filescan and purge to remove the infections
    . That way, you would need to reboot twice (once to boot into the CD, once back into Windows).

    Granted, for me this question is of academic interest only - I don't run Windows anymore. But for those of us who have relatives still stuck in purgatory, this might be a better way to run.
    • Here's what I do (Score:3, Informative)

      by Akardam ( 186995 )
      First off, I love linux, but in this case I think there's a better tool for the job. (The following is not really a shameless plug).

      I use Bart's PE Builder []. In a nutshell, it's a bootable cd with a Win32 network, disk (with native NTFS support) and GUI API load. The best thing is that it's built using actual Windows dll's and the like. Of course, you have to have a copy of XP or Server 2003 to built it, and it may not be strictly within Microsoft's licensing agreement to use their IP in this fashion, but t
  • SINGLE BEST SOLUTION (Score:5, Informative)

    by dioscaido ( 541037 ) on Tuesday November 23, 2004 @09:48AM (#10897385)
    Stop running your daily desktop account as Administrator. Most, if not all, of the spyware will fail when it attempts to infect your system. It's just general good practice anyway. No one runs KDE/Gnome as root, or log into their OSX machine as root. Neither should we.

  • Cycles (Score:4, Insightful)

    by argStyopa ( 232550 ) on Tuesday November 23, 2004 @10:32AM (#10897733) Journal
    I'm not surprised Spybot did badly.

    These things go in cycles, kind of like the Darwinism that didn't work quickly enough on the germ plasm that somehow evolved into the amoral mockeries of humankind that write spyware/malware.

    Adaware was widely used for a while, then I started noticing that it wasn't working so well.
    Then Spybot is/was hugely popular and extremely effective, so I've started to notice that it too is missing stuff now (or is unable to remove what it finds). writers are working against these programs, and it's only natural that they are evolving their code to defeat at least the most successful/widely used anti-spyware programs out there.

    You wouldn't expect the flu inoculation from 5 years ago to protect you this year, would you? Spyware - and it's counteragents - are the same.
  • by krgallagher ( 743575 ) on Tuesday November 23, 2004 @11:11AM (#10898174) Homepage
    I recently began cleaning a friends computer of spyware. There were over 1,400 objects found by Adaware,and according to the article Adaware missed 25% of the infections. To make matters worse, even after eight reboots, running Adaware between each reboot, I still could not remove all the infections. I even tried mannually editting the registry. Now, thanks to this article, I may not have to reinstall the OS.

    What I do not understand is how can this be legal. To me this is no different than a trojan (the viral type not the condom.) Maybe it does not self-replicate and spread, but it still hijacked my friends computer. I thought that the malicious or destructive control of a computer without the users consent was illegal according to federal law. Why is it the the government will go after script kiddies, but does not go after the corporate goons who are no better? Oh, wait, I forgot. Script Kiddies do not make political contributions. I'm going to email my congressman.

  • Out-of-control (Score:3, Informative)

    by ( 213219 ) on Tuesday November 23, 2004 @11:19AM (#10898268) Journal
    Slimeware er, spyware is the bane of my existance. I work for a large company and do not have final say about how the desktops are configured (I would do it differently), I support a special group and nearly all of my people have "admin rights" on their computers. I agree that these people need admin rights for some of the functions that they have to do but figure about 95% of the time they could run as a "super user" without any problems at all.

    Very nearly 100% of the computers I touch are infested with slimeware. Running several commercial apps will clear most of the crap that is found but one or two apps seem to come back within a day or two (even if the user claims that they have not been on the internet). It has gotten to the point where I actually believe some of them!

    I've found that what seems to be happening is that the slimeware distributors are playing a little versioning game. As soon as the major spyware removal tools are able to kill a specific version of slimeware, the slimeware authors make a new version that they then distribute.

    It takes time between the release and the time that the spyware removers catch up and in the meantime, it is up to people like me to figure out how to clean up the mess. I am pretty hard-nosed and will spend a couple of hours searching the registry, booting from CD and deleting files and that kind of stuff to kill off the slimeware. Others who do similar jobs just re-image the machines. Soves the problem faster but I don't think the users are quite as happy. They have to reconfigure the machine to how they like it and there is always the risk of lost data.

    I'd love to see these purveyors of filth in prison. Many of them serve up porn and put it on kids machines! They are guilty of a crime every time this happens. Why can't we do something?

    Anyway, I don't blame the spyware removal people for these setbacks. They work hard to keep up but just can't.

    Im my dreams, I dream of a single tool that sits on the desktop and checks for viruses, slimeware, spam, and other threats and inconveniences. I'd like the tool to be able to be programmed to block access to various applications and websites too. I'd like the same tool to have some sort of "safe recovery" feature that allows me to move back in time to a stable configuration that would not delete data.

    These are just dreams but will someone somewhere please make my dream come true? Corporate IS departments everywhere would thank you with money from their budget!

If you think nobody cares if you're alive, try missing a couple of car payments. -- Earl Wilson