What's the latest and greatest in anti spyware?

[Santilli]

I KNEW I was going to get roasted for that post...;-)

I figured some of you pros might have clients with AOL, so, you might want to be aware of it...

S.Other has a LONG time existing AOL account that she uses at about 5 different places, and, it's paid for by her business.

MUCH as I hated doing it, I installed it on her home computer. McAfee is free, and, it's better then NOT paying for either NOD32, or another copy of Penicillin...

It has her law email address on it, so....

I thought it was sort of in the order of the suffering professionals go through, in dealing with clients...

Greg

 

[ddrueding]

I actually got to do this again today. A family has many computers; every time they buy a new "family" PC, the older one gets passed down for dedicated use by one of the kids. The 13 year old was complaining that his games were going slow. I told him that if he didn't use the internet it would go faster. He agreed, and I disabled his NIC and uninstalled his AV client. Now its at least 20% faster (disk limited most of the time), and his games play faster. If he wants the internet, he uses the new "family" machine.

 

[Santilli]

I like that David. He can muck up the family machine. Wonder how long that will take him???;-)

Well, it gets better. The anti-spyware removed some files, resulting in everytime you start the machine, you get those annoying something is missing, please reinstall the program. Uninstall. Still have annoying messages.
Program doesn't show on the uninstall/install list.
Look for files in Program files, find McAfee.com file, and, you can't delete them.

ONLY way I know is regedit, so, I spent about an hour deleting anything with the magic word, McAfee in it, and, that worked.

Seems the version that was trashed by the SAS program, was not the new one avaliable from AOL.

The amount of garbage it left in the registry was criminal.

WOW!!! What wonderful software....

Greg

PS
I wonder how my SO would feel if I said she could only use Firefox to access the net, WITHOUT USING ALL THE AOL AND THEIR ANTI-VIRUS SOFTWARE???

Somehow, I don't think I have David's command to pull that one off...

 

[MaxBurn]

I have had problems with SpybotSD not running or stopping the scan halfway through with a reason that the user stopped the scan and I know I didn't. Addaware works for me fine. I would like to see an update of both of these, they have been around for quite a while now and it seems that they can be avoided now as popular scanners.

Just tried out superantispyware on the recommendation of this thread, it caught a bunch of cookies that the other two didn't catch. I think this just made it into my spyware kit.

I also tried the microsoft product once or twice some time ago, its funny but I don't remember it actually finding anything?

 

[Mercutio]

There are spyware programs that directly interfere with spyware scanning programs. Some varieties of Coolwebsearch do that, for example. It would not surprise me if you found one of the nastier varieties of some similar spyware.

 

[Tea]

There are lots of spyware programs that directly interfere with spyware scanning programs.

In fact, a suspiciously fast Spybot scan is an excellent indicator that you have a nasty infection.

We do around 10 spyware removal jobs a week (me and Tannin, I mean, with occassional help from the Soup Nazi) and I reckon we are pretty good at it - practice makes perfect, after all. Here is the normal routine, the one we follow for all infections except ones that are weird for some reason. Steps 1 to 3 pretty much always happen in that order. After that, it all depends on the particular infection.

1: Safe mode with networking
2: Msconfig to remove things you might want to put back later, cause it's easy to reverse.
3: Remove everything you don't trust with Hijackthis.
4: Install and run Ad-Aware. Make it uninstall and replace any previous Ad-Aware installation.
5: Full Spybot scan.
6: Remove any useless anti-virus programs, such as Norton or Mcafee.
7: Remove any other crap, such as Limewire, iTunes, anything else you don't like.
8: Hijackthis again.
9: If it seems justified, install and perform full scan with Old Upronouncable (otherwise known as Ewido)
10: Full virus scan, either with the ever-more-crappy Housecall service (which is nothing like as good as the old one) or remotely using Norman AV.
11: Install some decent web software: Thunderbird, Opera, Seamonkey. While you are at it, also install Firefox.
12: Teach customer how not to get infected again.
13: Bill them $75
14: Go to lunch. Spend $75.

 

[Tea]

Correction, steps 1 to 5 in that order. (You know, thois is the only forum I visit that doesn't let you edit posts. How crappy is that?)

 

[MaxBurn]

Exactly, they could use an updated version of spybot to hinder the inteference from nasties. How much can you ask of a free product though?

 

[Buck]

For me, the combination of NOD32, Adaware, and Spybot take care of most infections. I find Adaware quite useful, as it finds a host of things that Spybot does not, and vice versa. Yet, the first key element is NOD32.

 

[Mercutio]

Safe Mode with Networking is not a good choice, Tannin, as there are Spyware thingies that start up when Networking is initialized.
Your better bet is to throw all the shit you need on a thumb drive and run it from there.

Also, there's no reason to bother with msconfig; Hijack this keeps a lovely backup folder that stores everything. You can zero it out or rename it for a particular PC when you run it off your thumb drive.

That's what I do, anyway.

 

[Tea]

1: Safe Mode with Networking is not a good choice, Tannin, as there are Spyware thingies that start up when Networking is initialized.

2: Your better bet is to throw all the shit you need on a thumb drive and run it from there.

3: Also, there's no reason to bother with msconfig; Hijack this keeps a lovely backup folder that stores everything. You can zero it out or rename it for a particular PC when you run it off your thumb drive.

That's what I do, anyway.

1: Quite so, but it lets me get the various anti-spyware programs up to date, run housecall & etc, and at least get rid of the bulk of the problem, leaving any few resistant nasties for a subsequent scan.

2: I dislike thumb drives. "Hate" is probably too strong a word, but I avoid using them as a rule. I much prefer to stick firmly with read-only media when I'm sticking my discs into random, virus-infected machines. I know the old-fashioned boot sector virus went out of fashion years ago, but nevertheless, I never use read-write media in a customer machine without some careful thought beforehand. (For machines that we can't get networking just yet, our workshop CDs, whch get updated every couple of weeks or so, contain the latest updates for Spybot, Ad-Aware, and Ewido. Plus various other handy tools, of course.)

2a: To use the Hijackthis backup folder, you have to install the program - which is dead easy, granted, but it's one extra step. I prefer to do it the lazy way and run it directly off the CD.

3: Not saying your method is wrong, Merc. It sounds very practical. Just outlining why we work this way. Habit as much as anything else.

 

[Mercutio]

Proper thumb drives, good ones, have a read-only switch. The 4GB pqi model I've been using certainly does.

Hijack This WILL make a backup folder whereever you use it. My basic plan, however, is a tiny batch file that copies it and copy of other programs to
c:\program files\bin (the other programs are utorrent, killbox, bfu, spacemonger, process explorer, lspfix and a few other small things) and a set of shortcuts for those things in a folder that goes on the desktop.

Why use such a huge thumb drive? I was hoping to build a trimmed disk image on it, to further decrease my build time. I have had better luck, however, with TrueImage network installs, so now I just carry around ~2.5GB of application installs. I have a second, 2GB thumb drive with WinPE and a set of cleanup apps on it.

 

[Platform]

ONLY way I know is regedit, so, I spent about an hour deleting anything with the magic word, McAfee in it...

Control Panel ---> System ---> Hardware (tab) ---> Device Manager (button) ---> View (menu item) ---> "Show Hidden Devices" (menu selection)

Now, expand the "Non-Plug'n'Play Drivers" resource to reveal all drivers of this class that are running or have been setup on your system. Carefully scroll down through these drivers. You will find the system drivers for anti-virus programs here -- sometime even spyware.

 

[time]

Client had a trojan that wasn't detected by his A/V (NOD32) or Spybot or Ad-Aware (I think). He bought Spyware Doctor, which claimed to get rid of the gremlin but didn't. His commit charge was >300MB while sitting at the desktop, so I suggested he uninstall that POS. Memory usage dropped to about 170MB ...

On the strength of Clocker's recommendation, I suggested the client download and install SUPERAntiSpyware. Small memory footprint, found the nasty, although the free version "blocked" the trojan rather than removing it. Nonetheless, it clearly identified the rogue files, which I removed with Security Task Manager (I still think that's more user-friendly than Hijack-This, etc).

Super AntiSpyware looks good from here.

 

[Santilli]

Platform:
thank you!!!

My machine is fine. Now to check the other one...

Greg

 

[Groltz]

Has anyone tried PCTools Spyware Doctor or Sunbelt Software's Counterspy?

 

[Mercutio]

I've thought about Counterspy, but I am deeply hesitant to try security software that is not free.

I've seen Spyware Doctor on machines that I've cleaned of hundreds of distinct infections off of. I'm not sure it does anything useful, but of course the only machines *I* see are ones that have already been fuxx0red.

 

[iGary]

hmmmm... I sort of recall Sunbelt Software's name from about a year or two ago or so; something controversial, as in not good. I don't recall the details.

 

[Mercutio]

They were sued into submission by a spyware company that claimed its product wasn't spyware.

That's the kind of crap that makes me like free stuff.

 

[Mercutio]

Chatting with another tech about Anti-Spyware stuff. He mentioned programs from this company.

 

[ddrueding]

Chatting with another tech about Anti-Spyware stuff. He mentioned programs from this company.

They even have a free command-line scanner that has all the features of their ful-blown product. Sweet.

 

[Mercutio]

Actually, the thing that's interesting about the command line tool is that the updates are downloaded to the selfsame folder. Put the damned thing on a thumb drive, update (a2cmd /u) and you're never any more out of date than the last time you updated. Very Thumb Drive friendly.

Which is rather different from doing a new install of Spybot or Adaware.

No idea if it works as intended, though.

 

[Handruin]

A fun project might be making a spyware infested virtual appliance so that people could demo their anti-spyware software... But I'm not that motivated.

 

[Mercutio]

Naw, the biggest issue is removing the latest and greatest. A static test doesn't tell you much, unless the product sucks to begin with.