Spyware App Updates

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,300
Location
I am omnipresent
Adaware launched a 2007 version back in May. Spybot just upgraded to version 1.5 and introduced a simplified update process.

Both programs offer full time IE/Registry monitoring, which is as painful and annoying as ever, but both seem to fulfill some demand Vista has for active malware protection.

Adaware has introduced a serious flaw with its new software: Its user interface no longer fits on a standard safe mode 640x480 screen! This is a grave issue, given that the only way it can be used effectively as anything more than a cookie cleaner is in safe mode. Adaware, for scanning all the files on a PC, still does not seem to be aware of Firefox, either.

Hijack This, now more than double its original file size (no longer small enough to fit on a floppy, for one thing), now displays a Trend Micro Logo and offers to look up processes on the Internet; a feature that is of dubious use when the program needs to be run in safe mode to be more than minimally useful (I do from time to time use it to remove things like the HP, Java and Flash updaters, and the QuickTime task, if I happen to see them).

Those three programs are the primary tools I teach people to use in my classes. Two of them seem to have taken a big step backward.
 

udaman

Wannabe Storage Freak
Joined
Sep 20, 2006
Messages
1,209
Adaware launched a 2007 version back in May. Spybot just upgraded to version 1.5 and introduced a simplified update process.

Both programs offer full time IE/Registry monitoring, which is as painful and annoying as ever, but both seem to fulfill some demand Vista has for active malware protection.

Adaware has introduced a serious flaw with its new software: Its user interface no longer fits on a standard safe mode 640x480 screen! This is a grave issue, given that the only way it can be used effectively as anything more than a cookie cleaner is in safe mode. Adaware, for scanning all the files on a PC, still does not seem to be aware of Firefox, either.

Hijack This, now more than double its original file size (no longer small enough to fit on a floppy, for one thing), now displays a Trend Micro Logo and offers to look up processes on the Internet; a feature that is of dubious use when the program needs to be run in safe mode to be more than minimally useful (I do from time to time use it to remove things like the HP, Java and Flash updaters, and the QuickTime task, if I happen to see them).

Those three programs are the primary tools I teach people to use in my classes. Two of them seem to have taken a big step backward.

1. What is this spyware stuff, I use a Mac to get stuff done, no learn "primary tools" like that, lol.

2. "Floopy...? what's the 'other' thing? Aren't floopies like incandescent bulbs are to LED's, so why is jtr thinking M$ is better, and not using a Mac...sometimes I don't understand his lack of logic...getting seasick on a freighter ship for 30days to get to Asia, when a plane ride will get him there in 1 day for 1/4th the cost, 1/30 the waste of time traveling, stuck on a wide ocean expanse of thousands of miles of just salty water???

see sig. line for author of this thread:
stupidest questions from PC users
http://forums.macrumors.com/showthread.php?t=229887


3. Mostly for tea & jtr:

3 reasons you use a mac...
(from the mouths of babes that USE a Mac to make money, not play)
http://forums.macrumors.com/showthread.php?t=256205

, see post #21 & 32, experienced Linux, and very experienced professional Winblows user, now using a Mac...cause? Ah, I see occasional poster, SR & SF member iGary, yet another pro, weighs in @#47


For another thing Merc, see post #53 :D
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,358
Location
Gold Coast Hinterland, Australia
Udaman:Since when did you have a Mac? (You've never mentioned in the past, unless my memeory is failing)?

I guess those spyware/malware issues is one of the reasons I no longer run Windows at home. (Runing Solaris Express exclusively now, after moving on from FreeBSD/WinXP x64 a few weeks ago).

But I can see your point, people don't want to have to care about maintaining their PC, it's now a commodity tool, not an expensive toy. On the flip side, IMHO the only reason why MS will hold onto it's OS dominance on PC's is becuase of gaming (and hence why he have to deal with these issues on a daily basis, at least for those work actively work in the IT Support field). If it wasn't for gaming, I could see Mac and Linux/*BSD/*nix in general taking more than a significant portion of the market.

Merc: Thanks for the heads-up.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
But I can see your point, people don't want to have to care about maintaining their PC, it's now a commodity tool, not an expensive toy.

...

If it wasn't for gaming, I could see Mac and Linux/*BSD/*nix in general taking more than a significant portion of the market.

Mac, possibly. Any of the NIXes, get real. Your first instinct was right. Most people don't want to fiddle. I just removed my Ubuntu partition because it did not work seamlessly on my laptop and I run mostly web applications. I support enough equipment at work I don't want to go home and do it.

If you understand change management you understand how difficult it will be to get people to switch.
 

iGary

Learning Storage Performance
Joined
Nov 22, 2002
Messages
236
Location
iLand
...see post #21 & 32, experienced Linux, and very experienced professional Winblows user, now using a Mac...cause?

Ah, I see occasional poster, SR & SF member iGary, yet another pro, weighs in @#47...

I don't know who the hell *that* iGary is, but it certainly ain't me!

Besides, I was using the iGary handle starting back in 2000 -- at that other Storage place.

As for Macintosh in general: Been there, did that. Never again. I know better.
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
Those three programs are the primary tools I teach people to use in my classes. Two of them seem to have taken a big step backward.

Make that three out of three.

The new Spybot:

* Cannot be installed in safe mode because it insists on trying to download updates and refuses to install without a live web conection
* Thus cannot be used to detox a machine that is sick enough to have lost connectivity
* Doesn't start up properly on first run - there is a very long wait involved
* Has two other very long waits that look like a sick machine until you realise it does it on every machine.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,300
Location
I am omnipresent
* Cannot be installed in safe mode because it insists on trying to download updates and refuses to install without a live web conection
* Thus cannot be used to detox a machine that is sick enough to have lost connectivity

Spybot has always been useless until the first time you do updates. I think the default for the previous version was a database size that was about 5% of what the DB with updates was...

Winsockfix has the Mercutio seal of approval for taking care of that lost connectivity.

Also, Tannin... I know that you have specifically complained about how obnoxious it is to snag the updates for Spybot and that you prefer to have the update files rather than doing the updates on a per-PC basis. Why aren't you doing a scheduled mirroring of the safer-networking.org site with, say, Spiderzilla or something?

Anyway, the reason I am necro-posting here is to ask if anyone has tried out [http://www.threatfire.com/download/]ThreatFire[/url], which has a real time antispyware component and as an honest to goodness free version. It seems to be getting good reviews in computer magazines, but since these are the same magazines that typically give high marks to whatever Symantec and McAffee have shat out, I am more than a little wary of leaving it on some poor sod's PC.
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
Ahh, but in the previous version of Spybot, you could download the updates ("sypbotsdincludes.exe", I think) and drop them on a CD. Start the infected system in safe mode, install Spybot, don't bother running it yet, close it and run spybotsdincludes which updates the Spybot install to the latest defs (as of the date you burned the CD). Then you run it and clean out the vast bulk of the crap. Usually, that leaves you with a system that's healthy enough to do on-line updates on from this point, and clean out the last of the infection.

Err ... what would be the point of a scheduled mirroring, Merc? Before you answer that, bear in mind that my (rather expensive) cable connection is now so fast that time saving is unlikely to be a factor. I don't know what they've done to it, and unlike other companies it never seems to get any cheaper, but it's seriously quick. Even the likes of a Win XP SP2 download is no drama.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,300
Location
I am omnipresent
Err ... what would be the point of a scheduled mirroring, Merc?

As I recall, one of your former complaints was that you were having to regularly download the updates and that it generally took too long. Apparently a Real Internet Connection has fixed that problem nicely.
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
So, what's the consensus on this one?

I'm trying to clean up a computer for a coworker. I'm doing this mostly because the Geek Squad at BB told him to throw it out and buy a new maching. I gave up on running any applications on the actual machine, pulled the HD, connected it to mine via USB, did a full virus scan on it, and am in process of scanning the drive with Windows Defender.

What I really want to know is why doesn't someone make a product that consists of a bootable CD that has up to date virus and spyware scanners in it so that you can clean a machine that is so far gone you can't actually install anything on it. Between problems with the low resolution of safe mode, programs that won't installing in safe mode, programs that won't update their definitions in safe mode it's enough to pull your hair out. :mad:
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,745
Location
Horsens, Denmark
Making it a bootable CD would mean re-burning the disk every time an update came out. Even if it was on USB there would be a process involved. I typically do what you have done: connect their hard drive to my own system.

Is sending NOD32 and the other standard tools at it the best method?
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Making it a bootable CD would mean re-burning the disk every time an update came out. Even if it was on USB there would be a process involved.
Yeah, but at least there'd be an option other than pulling the drive for those cases where you can't or don't want to.
Is sending NOD32 and the other standard tools at it the best method?
I use Avira Antivir for virus scanning.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,300
Location
I am omnipresent
Windows Defender is positively the most useless security application in the history of EVAR. Anyway, if you look on the torrent sites, you will find that such tools do exist, usually as BartPE distributions... which can with only a little modification be made bootable on Thumb drives.
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Windows Defender is positively the most useless security application in the history of EVAR.
How so?

Besides, my other options are:

Spybot - super slow to start because it scans for over 100k "bots" and can't be forced to only search a certain directory / drive.

Adaware - free version won't let you only scan a certain drive either, so it takes forever and a day to scan your whole system, and eventually the drive you really wanted to.

If there's something better out there I'm open to suggestions.
 

SYROB

What is this storage?
Joined
Apr 15, 2002
Messages
58
How so?

Besides, my other options are:

Spybot - super slow to start because it scans for over 100k "bots" and can't be forced to only search a certain directory / drive.

Adaware - free version won't let you only scan a certain drive either, so it takes forever and a day to scan your whole system, and eventually the drive you really wanted to.

If there's something better out there I'm open to suggestions.

http://www.sunbelt-software.com/

CounterSpy have used it, not too bad, try it

SYROB
 

Will Rickards

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,012
Location
Here
Website
willrickards.net
I continue to maintain the best way to clean one of these computers is to format and install from scratch. You waste way too much time trying to clean them.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,745
Location
Horsens, Denmark
I continue to maintain the best way to clean one of these computers is to format and install from scratch. You waste way too much time trying to clean them.

That does depend. If it's Office and Firefox, no problem. One of my clients has a legacy app that only installs on Win98. The only way to get the app running on XP is to install Win98, install the app, and then do an upgrade. This is slower than cleaning out the machine.
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
So, I cleaned it with the drive in my PC (with ad-aware & others), but when I put it back in the machine (notebook) it still acts strangely. It seems to behave in safe mode for the most part, but spybot will not launch, nor will hijack this (in safe mode or standard bootup). I assume there's something preventing them from running, so how do I get around it if the drive is as clean as I can get it in another PC?
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Something is still causing some odd behavior on this machine. There are two user accounts, and I created a 3rd one to test with. They are all admins. However, once out of safe mode despite being admins you can do virtually nothing with the PC. The control panel is hidden. You can't install a service (which prevents Ad-Aware or Windows Defender from installing). You can't even right click on my computer and bring up the properties.

And, even in safe mode applications that have "spy" in their name refuse to run. I did a full virus scan of the drive in another PC using Avira Antivir, but there's obviously something still running, even in safe mode.

I have run Spybot S&D on the machine and cleaned everything it found also.

Any ideas? (other than re-installing)
 

timwhit

Hairy Aussie
Joined
Jan 23, 2002
Messages
5,278
Location
Chicago, IL
Something is still causing some odd behavior on this machine. There are two user accounts, and I created a 3rd one to test with. They are all admins. However, once out of safe mode despite being admins you can do virtually nothing with the PC. The control panel is hidden. You can't install a service (which prevents Ad-Aware or Windows Defender from installing). You can't even right click on my computer and bring up the properties.

And, even in safe mode applications that have "spy" in their name refuse to run. I did a full virus scan of the drive in another PC using Avira Antivir, but there's obviously something still running, even in safe mode.

I have run Spybot S&D on the machine and cleaned everything it found also.

Any ideas? (other than re-installing)

Root Kit maybe?
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,300
Location
I am omnipresent
More than likely, you've got either a set of registry hacks or a really hilarious group policy applied. A lot of crap from Freeze.com, for instance, installs a registry hack that removes the Display applet from control panel.

If you have the basic workstation security template you might try running that through Security Configuration and Analysis to see if that clears anything up.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,300
Location
I am omnipresent
Uh, also, those problems aren't coming up in a spyware scan because, technically, they aren't spyware. They are a potentially normal configuration for a Windows PC.

You need to be working with Killbox and Hijack This. It might do well for you to take a look at your \system32 folder for files that have unusual names, particularly gibberish sorts of words. You can always compare a directory listing of that folder from a clean machine to yours if need be.

Also, I think I mentioned this before, but BartPE is very helpful if you want to start that PC in a clean environment; there are all kinds of situations where you can't just reimage a PC. Believe me when I say that I have been where you are many, many times.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,300
Location
I am omnipresent
It's XP Home, so how would I go about doing that?

Run MMC. Add Snapin. Add Security Configuration and Analysis.
Create a database (right click SCaA, Open Database)
Select a baseline template. Choose "compatws.inf"
Right Click. Configure Computer now.

See if anything changes.

What that does is changes all the Local Security Policies on your PC to match the ones that Microsoft thinks are the most permissive possible.

Of course, if these changes are the result of registry settings and not GPOs, changing the GPO settings might not do anything at all. But it won't really hurt, either.

I'm not sure if XP Home has the security templates or not, though.
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Just for a little clarification... I get the following error when trying to get into things.

"The operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

I'm not sure if this is a legitimate windows error or not (especially with the typo in it).
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
I guess Avira Antivir isn't so good for remote scanning. I'm rescanning the drive from my laptop (via USB) with NOD32 and so far it's found 85 "infiltrations". Who knew...
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Run MMC. Add Snapin. Add Security Configuration and Analysis.
Create a database (right click SCaA, Open Database)
Select a baseline template. Choose "compatws.inf"
Right Click. Configure Computer now.

See if anything changes.
Just FYI XP Home doesn't have the Security Configuration and Analysis snap in, at least this one didn't.
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Well, I'm about to give up on this one. Clearly this is beyond my ability to fix. :(

I thought I had it all clean and the machine was working, then it was back.
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Can you post a Hijack This log?
Yeah, in a little while once I put the drive back in the machine. It took some sleuthing to even get HJT it to run, but I figured out how to outsmart whatever was on the machine. I had to rename both the executable and the directory it's in.

I think I got rid of the Vundo finally, but it's still got Bolenja / Bolenjx on it. The solutions I found online are to use ComboFix and/or Grisoft AVG. ComboFix won't start, and when I rename it to run it closes as soon as it opens. Grisoft AVG requires a reboot, and magically the executable gets deleted during the reboot.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,300
Location
I am omnipresent
OK...
Whatever this thing is, it's operating in Safe mode as well, right? That suggests it's either convinced Windows that it's a service that should start in safe mode, or it's convinced Windows that it's necessary to open or work a system file (usually Explorer.exe but sometimes WinLogon).
Have you looked at what's running on an "empty" desktop in Process Explorer?
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
OK...
Whatever this thing is, it's operating in Safe mode as well, right? That suggests it's either convinced Windows that it's a service that should start in safe mode, or it's convinced Windows that it's necessary to open or work a system file (usually Explorer.exe but sometimes WinLogon).
Have you looked at what's running on an "empty" desktop in Process Explorer?
Yes, it's running in safe mode. I found some info on it here. Apparently it's very new. I did have to laugh at the moderators on that forum for scolding the guy for making a very informative post.
 
Top