Spyware App Updates

[Mercutio]

Adaware launched a 2007 version back in May. Spybot just upgraded to version 1.5 and introduced a simplified update process.

Both programs offer full time IE/Registry monitoring, which is as painful and annoying as ever, but both seem to fulfill some demand Vista has for active malware protection.

Adaware has introduced a serious flaw with its new software: Its user interface no longer fits on a standard safe mode 640x480 screen! This is a grave issue, given that the only way it can be used effectively as anything more than a cookie cleaner is in safe mode. Adaware, for scanning all the files on a PC, still does not seem to be aware of Firefox, either.

Hijack This, now more than double its original file size (no longer small enough to fit on a floppy, for one thing), now displays a Trend Micro Logo and offers to look up processes on the Internet; a feature that is of dubious use when the program needs to be run in safe mode to be more than minimally useful (I do from time to time use it to remove things like the HP, Java and Flash updaters, and the QuickTime task, if I happen to see them).

Those three programs are the primary tools I teach people to use in my classes. Two of them seem to have taken a big step backward.

 

[udaman]

Adaware launched a 2007 version back in May. Spybot just upgraded to version 1.5 and introduced a simplified update process.

Both programs offer full time IE/Registry monitoring, which is as painful and annoying as ever, but both seem to fulfill some demand Vista has for active malware protection.

Adaware has introduced a serious flaw with its new software: Its user interface no longer fits on a standard safe mode 640x480 screen! This is a grave issue, given that the only way it can be used effectively as anything more than a cookie cleaner is in safe mode. Adaware, for scanning all the files on a PC, still does not seem to be aware of Firefox, either.

Hijack This, now more than double its original file size (no longer small enough to fit on a floppy, for one thing), now displays a Trend Micro Logo and offers to look up processes on the Internet; a feature that is of dubious use when the program needs to be run in safe mode to be more than minimally useful (I do from time to time use it to remove things like the HP, Java and Flash updaters, and the QuickTime task, if I happen to see them).

Those three programs are the primary tools I teach people to use in my classes. Two of them seem to have taken a big step backward.

1. What is this spyware stuff, I use a Mac to get stuff done, no learn "primary tools" like that, lol.

2. "Floopy...? what's the 'other' thing? Aren't floopies like incandescent bulbs are to LED's, so why is jtr thinking M$ is better, and not using a Mac...sometimes I don't understand his lack of logic...getting seasick on a freighter ship for 30days to get to Asia, when a plane ride will get him there in 1 day for 1/4th the cost, 1/30 the waste of time traveling, stuck on a wide ocean expanse of thousands of miles of just salty water???

see sig. line for author of this thread:
stupidest questions from PC users
http://forums.macrumors.com/showthread.php?t=229887


3. Mostly for tea & jtr:

3 reasons you use a mac...
(from the mouths of babes that USE a Mac to make money, not play)
http://forums.macrumors.com/showthread.php?t=256205

, see post #21 & 32, experienced Linux, and very experienced professional Winblows user, now using a Mac...cause? Ah, I see occasional poster, SR & SF member iGary, yet another pro, weighs in @#47


For another thing Merc, see post #53

 

[Chewy509]

Udaman:Since when did you have a Mac? (You've never mentioned in the past, unless my memeory is failing)?

I guess those spyware/malware issues is one of the reasons I no longer run Windows at home. (Runing Solaris Express exclusively now, after moving on from FreeBSD/WinXP x64 a few weeks ago).

But I can see your point, people don't want to have to care about maintaining their PC, it's now a commodity tool, not an expensive toy. On the flip side, IMHO the only reason why MS will hold onto it's OS dominance on PC's is becuase of gaming (and hence why he have to deal with these issues on a daily basis, at least for those work actively work in the IT Support field). If it wasn't for gaming, I could see Mac and Linux/*BSD/*nix in general taking more than a significant portion of the market.

Merc: Thanks for the heads-up.

 

[Clocker]

Don't forget SuperAntiSpyware!

 

[Howell]

But I can see your point, people don't want to have to care about maintaining their PC, it's now a commodity tool, not an expensive toy.

...

If it wasn't for gaming, I could see Mac and Linux/*BSD/*nix in general taking more than a significant portion of the market.

Mac, possibly. Any of the NIXes, get real. Your first instinct was right. Most people don't want to fiddle. I just removed my Ubuntu partition because it did not work seamlessly on my laptop and I run mostly web applications. I support enough equipment at work I don't want to go home and do it.

If you understand change management you understand how difficult it will be to get people to switch.

 

[iGary]

...see post #21 & 32, experienced Linux, and very experienced professional Winblows user, now using a Mac...cause?

Ah, I see occasional poster, SR & SF member iGary, yet another pro, weighs in @#47...

I don't know who the hell *that* iGary is, but it certainly ain't me!

Besides, I was using the iGary handle starting back in 2000 -- at that other Storage place.

As for Macintosh in general: Been there, did that. Never again. I know better.

 

[Tannin]

Those three programs are the primary tools I teach people to use in my classes. Two of them seem to have taken a big step backward.

Make that three out of three.

The new Spybot:

* Cannot be installed in safe mode because it insists on trying to download updates and refuses to install without a live web conection
* Thus cannot be used to detox a machine that is sick enough to have lost connectivity
* Doesn't start up properly on first run - there is a very long wait involved
* Has two other very long waits that look like a sick machine until you realise it does it on every machine.

 

[mubs]

Your sig says it, Tannin.

 

[Mercutio]

* Cannot be installed in safe mode because it insists on trying to download updates and refuses to install without a live web conection
* Thus cannot be used to detox a machine that is sick enough to have lost connectivity

Spybot has always been useless until the first time you do updates. I think the default for the previous version was a database size that was about 5% of what the DB with updates was...

Winsockfix has the Mercutio seal of approval for taking care of that lost connectivity.

Also, Tannin... I know that you have specifically complained about how obnoxious it is to snag the updates for Spybot and that you prefer to have the update files rather than doing the updates on a per-PC basis. Why aren't you doing a scheduled mirroring of the safer-networking.org site with, say, Spiderzilla or something?

Anyway, the reason I am necro-posting here is to ask if anyone has tried out [http://www.threatfire.com/download/]ThreatFire[/url], which has a real time antispyware component and as an honest to goodness free version. It seems to be getting good reviews in computer magazines, but since these are the same magazines that typically give high marks to whatever Symantec and McAffee have shat out, I am more than a little wary of leaving it on some poor sod's PC.

 

[Tannin]

Ahh, but in the previous version of Spybot, you could download the updates ("sypbotsdincludes.exe", I think) and drop them on a CD. Start the infected system in safe mode, install Spybot, don't bother running it yet, close it and run spybotsdincludes which updates the Spybot install to the latest defs (as of the date you burned the CD). Then you run it and clean out the vast bulk of the crap. Usually, that leaves you with a system that's healthy enough to do on-line updates on from this point, and clean out the last of the infection.

Err ... what would be the point of a scheduled mirroring, Merc? Before you answer that, bear in mind that my (rather expensive) cable connection is now so fast that time saving is unlikely to be a factor. I don't know what they've done to it, and unlike other companies it never seems to get any cheaper, but it's seriously quick. Even the likes of a Win XP SP2 download is no drama.

 

[Mercutio]

Err ... what would be the point of a scheduled mirroring, Merc?

As I recall, one of your former complaints was that you were having to regularly download the updates and that it generally took too long. Apparently a Real Internet Connection has fixed that problem nicely.

 

[Tannin]

Ahh, yes, that makes sense. You are right, these last few months that hasn't been an issue. The Spybot servers are a lot more reliable than they use to be too.

 

[Stereodude]

So, what's the consensus on this one?

I'm trying to clean up a computer for a coworker. I'm doing this mostly because the Geek Squad at BB told him to throw it out and buy a new maching. I gave up on running any applications on the actual machine, pulled the HD, connected it to mine via USB, did a full virus scan on it, and am in process of scanning the drive with Windows Defender.

What I really want to know is why doesn't someone make a product that consists of a bootable CD that has up to date virus and spyware scanners in it so that you can clean a machine that is so far gone you can't actually install anything on it. Between problems with the low resolution of safe mode, programs that won't installing in safe mode, programs that won't update their definitions in safe mode it's enough to pull your hair out.

 

[ddrueding]

Making it a bootable CD would mean re-burning the disk every time an update came out. Even if it was on USB there would be a process involved. I typically do what you have done: connect their hard drive to my own system.

Is sending NOD32 and the other standard tools at it the best method?

 

[Fushigi]

Well if you use a bootable USB Flash drive you can update it easily enough.

 

[Stereodude]

Making it a bootable CD would mean re-burning the disk every time an update came out. Even if it was on USB there would be a process involved.

Yeah, but at least there'd be an option other than pulling the drive for those cases where you can't or don't want to.

Is sending NOD32 and the other standard tools at it the best method?

I use Avira Antivir for virus scanning.

 

[Mercutio]

Windows Defender is positively the most useless security application in the history of EVAR. Anyway, if you look on the torrent sites, you will find that such tools do exist, usually as BartPE distributions... which can with only a little modification be made bootable on Thumb drives.

 

[Stereodude]

Windows Defender is positively the most useless security application in the history of EVAR.

How so?

Besides, my other options are:

Spybot - super slow to start because it scans for over 100k "bots" and can't be forced to only search a certain directory / drive.

Adaware - free version won't let you only scan a certain drive either, so it takes forever and a day to scan your whole system, and eventually the drive you really wanted to.

If there's something better out there I'm open to suggestions.

 

[Stereodude]

Nevermind... A quick trip to usenet took care of the problem I was having with Ad-aware.

 

[SYROB]

How so?

Besides, my other options are:

Spybot - super slow to start because it scans for over 100k "bots" and can't be forced to only search a certain directory / drive.

Adaware - free version won't let you only scan a certain drive either, so it takes forever and a day to scan your whole system, and eventually the drive you really wanted to.

If there's something better out there I'm open to suggestions.

http://www.sunbelt-software.com/

CounterSpy have used it, not too bad, try it

SYROB

 

[Will Rickards]

I continue to maintain the best way to clean one of these computers is to format and install from scratch. You waste way too much time trying to clean them.

 

[ddrueding]

I continue to maintain the best way to clean one of these computers is to format and install from scratch. You waste way too much time trying to clean them.

That does depend. If it's Office and Firefox, no problem. One of my clients has a legacy app that only installs on Win98. The only way to get the app running on XP is to install Win98, install the app, and then do an upgrade. This is slower than cleaning out the machine.

 

[Stereodude]

So, I cleaned it with the drive in my PC (with ad-aware & others), but when I put it back in the machine (notebook) it still acts strangely. It seems to behave in safe mode for the most part, but spybot will not launch, nor will hijack this (in safe mode or standard bootup). I assume there's something preventing them from running, so how do I get around it if the drive is as clean as I can get it in another PC?

 

[Stereodude]

Finally! I got Spybot started by renaming the exe file and now it's doing it's thing.

 

[Stereodude]

Something is still causing some odd behavior on this machine. There are two user accounts, and I created a 3rd one to test with. They are all admins. However, once out of safe mode despite being admins you can do virtually nothing with the PC. The control panel is hidden. You can't install a service (which prevents Ad-Aware or Windows Defender from installing). You can't even right click on my computer and bring up the properties.

And, even in safe mode applications that have "spy" in their name refuse to run. I did a full virus scan of the drive in another PC using Avira Antivir, but there's obviously something still running, even in safe mode.

I have run Spybot S&D on the machine and cleaned everything it found also.

Any ideas? (other than re-installing)

 

[timwhit]

Something is still causing some odd behavior on this machine. There are two user accounts, and I created a 3rd one to test with. They are all admins. However, once out of safe mode despite being admins you can do virtually nothing with the PC. The control panel is hidden. You can't install a service (which prevents Ad-Aware or Windows Defender from installing). You can't even right click on my computer and bring up the properties.

And, even in safe mode applications that have "spy" in their name refuse to run. I did a full virus scan of the drive in another PC using Avira Antivir, but there's obviously something still running, even in safe mode.

I have run Spybot S&D on the machine and cleaned everything it found also.

Any ideas? (other than re-installing)

Root Kit maybe?

 

[Stereodude]

Root Kit maybe?

Shouldn't the virus scanner have picked that up when it was attached to another PC that is virus free?

 

[ddrueding]

Shouldn't the virus scanner have picked that up when it was attached to another PC that is virus free?

Not necessarily. That is the problem with root kits. You could try an in-place OS repair, see where that gets you.

 

[Mercutio]

More than likely, you've got either a set of registry hacks or a really hilarious group policy applied. A lot of crap from Freeze.com, for instance, installs a registry hack that removes the Display applet from control panel.

If you have the basic workstation security template you might try running that through Security Configuration and Analysis to see if that clears anything up.

 

[Stereodude]

It's XP Home, so how would I go about doing that?

 

[Mercutio]

Uh, also, those problems aren't coming up in a spyware scan because, technically, they aren't spyware. They are a potentially normal configuration for a Windows PC.

You need to be working with Killbox and Hijack This. It might do well for you to take a look at your \system32 folder for files that have unusual names, particularly gibberish sorts of words. You can always compare a directory listing of that folder from a clean machine to yours if need be.

Also, I think I mentioned this before, but BartPE is very helpful if you want to start that PC in a clean environment; there are all kinds of situations where you can't just reimage a PC. Believe me when I say that I have been where you are many, many times.

 

[Mercutio]

It's XP Home, so how would I go about doing that?

Run MMC. Add Snapin. Add Security Configuration and Analysis.
Create a database (right click SCaA, Open Database)
Select a baseline template. Choose "compatws.inf"
Right Click. Configure Computer now.

See if anything changes.

What that does is changes all the Local Security Policies on your PC to match the ones that Microsoft thinks are the most permissive possible.

Of course, if these changes are the result of registry settings and not GPOs, changing the GPO settings might not do anything at all. But it won't really hurt, either.

I'm not sure if XP Home has the security templates or not, though.

 

[Stereodude]

Just for a little clarification... I get the following error when trying to get into things.

"The operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

I'm not sure if this is a legitimate windows error or not (especially with the typo in it).

 

[Stereodude]

I guess Avira Antivir isn't so good for remote scanning. I'm rescanning the drive from my laptop (via USB) with NOD32 and so far it's found 85 "infiltrations". Who knew...

 

[Stereodude]

Run MMC. Add Snapin. Add Security Configuration and Analysis.
Create a database (right click SCaA, Open Database)
Select a baseline template. Choose "compatws.inf"
Right Click. Configure Computer now.

See if anything changes.

Just FYI XP Home doesn't have the Security Configuration and Analysis snap in, at least this one didn't.

 

[Stereodude]

Well, I'm about to give up on this one. Clearly this is beyond my ability to fix.

I thought I had it all clean and the machine was working, then it was back.

 

[Mercutio]

Can you post a Hijack This log?

 

[Stereodude]

Can you post a Hijack This log?

Yeah, in a little while once I put the drive back in the machine. It took some sleuthing to even get HJT it to run, but I figured out how to outsmart whatever was on the machine. I had to rename both the executable and the directory it's in.

I think I got rid of the Vundo finally, but it's still got Bolenja / Bolenjx on it. The solutions I found online are to use ComboFix and/or Grisoft AVG. ComboFix won't start, and when I rename it to run it closes as soon as it opens. Grisoft AVG requires a reboot, and magically the executable gets deleted during the reboot.

 

[Mercutio]

OK...
Whatever this thing is, it's operating in Safe mode as well, right? That suggests it's either convinced Windows that it's a service that should start in safe mode, or it's convinced Windows that it's necessary to open or work a system file (usually Explorer.exe but sometimes WinLogon).
Have you looked at what's running on an "empty" desktop in Process Explorer?

 

[Stereodude]

OK...
Whatever this thing is, it's operating in Safe mode as well, right? That suggests it's either convinced Windows that it's a service that should start in safe mode, or it's convinced Windows that it's necessary to open or work a system file (usually Explorer.exe but sometimes WinLogon).
Have you looked at what's running on an "empty" desktop in Process Explorer?

Yes, it's running in safe mode. I found some info on it here. Apparently it's very new. I did have to laugh at the moderators on that forum for scolding the guy for making a very informative post.