OT: anti-malware progs ineffective

[Terry Pinnell]

I was surprised to learn today that all anti-adware and anti-spyware
programs perform so badly. Here's an extract of the ranking, from
'Anti-adware misses most malware' By Brian Livingston, in
http://windowssecrets.com/050127/

Product Adware Fixed
---------------- ------------
Giant AntiSpyware 63%
Webroot Spy Sweeper 48%
Ad-Aware SE Personal 47%
Pest Patrol 41%
SpywareStormer 35%
Intermute SpySubtract Pro 34%
PC Tools Spyware Doctor 33%
Spybot Search & Destroy 33%
McAfee AntiSpyware 33%
Xblock X-Cleaner Deluxe 31%
XoftSpy 27%
NoAdware 24%
Aluria Spyware Eliminator 23%
OmniQuad AntiSpy 16%
Spyware COP 15%
SpyHunter 15%
SpyKiller 2005 15%

So, given that there must be great overlap, I reckon my
frequently-used combination of Ad-Aware SE Personal and Spybot Search
& Destroy is catching little more than half the malware reaching me.
Unsettling.

--
Terry Pinnell
Hobbyist, West Sussex, UK

 

[john jardine]

"Terry Pinnell" <terrypinDELETE@THESEdial.pipex.com> wrote in message
news:2j5kv05pqvarkhnvn2nfu64248nl2ih6er@4ax.com...

I was surprised to learn today that all anti-adware and anti-spyware
programs perform so badly. Here's an extract of the ranking, from
'Anti-adware misses most malware' By Brian Livingston, in
http://windowssecrets.com/050127/

Product Adware Fixed
---------------- ------------
Giant AntiSpyware 63%
Webroot Spy Sweeper 48%
Ad-Aware SE Personal 47%
Pest Patrol 41%
SpywareStormer 35%
Intermute SpySubtract Pro 34%
PC Tools Spyware Doctor 33%
Spybot Search & Destroy 33%
McAfee AntiSpyware 33%
Xblock X-Cleaner Deluxe 31%
XoftSpy 27%
NoAdware 24%
Aluria Spyware Eliminator 23%
OmniQuad AntiSpy 16%
Spyware COP 15%
SpyHunter 15%
SpyKiller 2005 15%

So, given that there must be great overlap, I reckon my
frequently-used combination of Ad-Aware SE Personal and Spybot Search
& Destroy is catching little more than half the malware reaching me.
Unsettling.

--
Terry Pinnell
Hobbyist, West Sussex, UK

I've got some trash called "Cool web search" on my PC at the moment.
*Nothing* can remove the core component.
"Spybot" will crash the PC on finding it. Others just acknowledge that this
POS is present.
Even the purpose written "CW Shredder" crashes on attempting to remove it.
Where are all those oh-so-clever-hot-shot-windows-programmers, when they're
needed to do some real, socially useful work?.
By default I'm learning that windows is built on gibberish. It leaks like a
sieve. No amount of updating can ever improve it.
regard.
john

 

[Alex Parkinson]

john jardine wrote:

I've got some trash called "Cool web search" on my PC at the moment.
*Nothing* can remove the core component.
"Spybot" will crash the PC on finding it. Others just acknowledge that this
POS is present.
Even the purpose written "CW Shredder" crashes on attempting to remove it.

John,

There is an extra program to remove the spyware that crashes CWShredder. You can
download it here:
http://www.spywareinfo.com/~merijn/downloads.html

Run this program, then run CWShredder and HijackThis.

Hope it helps,
Alex Parkinson

 

[Keith Williams]

In article <ctdl0u$iqj$4@blue.rahul.net>, kensmith@green.rahul.net
says...

In article <ctdka9$r0u$1@newsg2.svr.pol.co.uk>,
john jardine <john@jjdesigns.fsnet.co.uk> wrote:
[....]
I've got some trash called "Cool web search" on my PC at the moment.
*Nothing* can remove the core component.
"Spybot" will crash the PC on finding it. Others just acknowledge that this
POS is present.

"fdisk" will remove it.

I think Windows users should do as follows:

Make sure you have a CD burner.
When you burn CDs label them with the date, and what is on them.

As soon as you have a working Windows machine, make a backup of everything
onto a CD.

Good idea, though I think you're going to need a DVD these days.

If you are going to download and install something, download it and save
the download file onto a CD.

I download/save everything to a directory under an "installed"
directory on my "D" drive/partition and install from there.
Periodically that directory tree gets written to CD.

Every time you create something you don't want to lose, write it onto a
CD.

....along with all the malware already installed.

Plan on doing a re-install of Windows every 3 Months to a year.

Why plan on it. It's going to happen anyway. Actually, I'm on year
five on this laptop and refused a new one because a re-installation
would be a disaster. :-(

--
Keith

 

[Ken Smith]

In article <ctdka9$r0u$1@newsg2.svr.pol.co.uk>,
john jardine <john@jjdesigns.fsnet.co.uk> wrote:
[....]

I've got some trash called "Cool web search" on my PC at the moment.
*Nothing* can remove the core component.
"Spybot" will crash the PC on finding it. Others just acknowledge that this
POS is present.

"fdisk" will remove it.

I think Windows users should do as follows:

Make sure you have a CD burner.
When you burn CDs label them with the date, and what is on them.

As soon as you have a working Windows machine, make a backup of everything
onto a CD.

If you are going to download and install something, download it and save
the download file onto a CD.

Every time you create something you don't want to lose, write it onto a
CD.

Plan on doing a re-install of Windows every 3 Months to a year.


--
--
kensmith@rahul.net forging knowledge

 

[John Woodgate]

I read in sci.electronics.design that Ken Smith
<kensmith@green.rahul.net> wrote (in <ctdka0$iqj$3@blue.rahul.net&gt
about 'OT: anti-malware progs ineffective', on Fri, 28 Jan 2005:

I think what may be the best way to solve the problem is to place
Windows on a disk as the C drive, install all the applications from the
shrink wrapped boxes and then disconnect the write wire of the C drive.
From that point on, all the data goes on the D drive or it goes nowhere
at all.

You can't then install the weekly crop of updates and bug fixes for
Windows itself, not to mention all the apps.
--
Regards, John Woodgate, OOO - Own Opinions Only.
The good news is that nothing is compulsory.
The bad news is that everything is prohibited.
http://www.jmwa.demon.co.uk Also see http://www.isce.org.uk

 

[Nico Coesel]

kensmith@green.rahul.net (Ken Smith) wrote:

I think what may be the best way to solve the problem is to place Windows
on a disk as the C drive, install all the applications from the shrink
wrapped boxes and then disconnect the write wire of the C drive. From
that point on, all the data goes on the D drive or it goes nowhere at all.

Using windows as a user and not administrator does effectively the
same.

--
Reply to nico@nctdevpuntnl (punt=.)
Bedrijven en winkels vindt U op www.adresboekje.nl

 

[Rene Tschaggelar]

Ken Smith wrote:

[snip]

I think what may be the best way to solve the problem is to place Windows
on a disk as the C drive, install all the applications from the shrink
wrapped boxes and then disconnect the write wire of the C drive. From
that point on, all the data goes on the D drive or it goes nowhere at all.

If windows was designed this way...


Rene
--
Ing.Buero R.Tschaggelar - http://www.ibrtses.com
& commercial newsgroups - http://www.talkto.net

 

[Ken Smith]

In article <g229bKE0kl+BFwYA@jmwa.demon.co.uk>,
John Woodgate <noone@yuk.yuk> wrote:

I read in sci.electronics.design that Ken Smith
kensmith@green.rahul.net> wrote (in <ctdka0$iqj$3@blue.rahul.net&gt
about 'OT: anti-malware progs ineffective', on Fri, 28 Jan 2005:

I think what may be the best way to solve the problem is to place
Windows on a disk as the C drive, install all the applications from the
shrink wrapped boxes and then disconnect the write wire of the C drive.
From that point on, all the data goes on the D drive or it goes nowhere
at all.

You can't then install the weekly crop of updates and bug fixes for
Windows itself, not to mention all the apps.

If C can't be written, most of the bug fixes aren't needed since they are
fixes to ways that C can be corrupted.

--
--
kensmith@rahul.net forging knowledge

 

[Ken Smith]

In article <41fa6018.1204218614@news.planet.nl>,
Nico Coesel <nico@puntnl.niks> wrote:

kensmith@green.rahul.net (Ken Smith) wrote:



I think what may be the best way to solve the problem is to place Windows
on a disk as the C drive, install all the applications from the shrink
wrapped boxes and then disconnect the write wire of the C drive. From
that point on, all the data goes on the D drive or it goes nowhere at all.

Using windows as a user and not administrator does effectively the
same.

Not even close to the same. Windows constantly writes stuff all over C
even when running as just "user mode". Bugs can allow important stuff to
be overwritten. ith my solution, most of the bugs don't matter.

--
--
kensmith@rahul.net forging knowledge

 

"SioL" <Sio_spam_L@same.net> wrote in message
news:GVtKd.8614$F6.1577112@news.siol.net...

Maybe publicly identifying people who write this crap (with a
picture, name
and address) would take care of this problem. I'm sure many pissed
off users
would love to "personally congratulate" the authors.

And than perhaps an amnesty for any "crime" involved in
congratulating.

Burn 'em on the stake!

S

I'd love to torture the creators of Gator! Bastards!

 

[JeffM]

I also suggest you try using the Microsoft Spyware Removal Tool
free for download from MS's download area.
It's just a relabeled version of Giant's product.
Anthony Fremont

No. Microsoft also tweaked GIANT's product.

1) Microsoft's version only runs on current OSes.

It finds things that neither Spybot S&D nor AdAware find.

2) Like P2P software, which it labels malware.

 

[JeffM]

Any comments/information/user-reviews for "Secure IE"?
http://www.secureie.com/index.aspx
Jim Thompson

Mistitled. You can make it Internet Exploder MORE secure,
but until M$ redesigns it to close the security holes
(and breaks backward-compatibility), it will remain insecure.
Let's not forget the long latency in MSIE patches either.

Better security for Internet Explorer:
(ActiveX / MSIE is a requirement by The Borg for automatic updates.)

Best case: Have a fiend burn his Windows updates to a CD for you.
Then you don't have to use Internet Exploder at all.
Save bandwidth too.

2nd best case: Don't do automatic updates; download them manually.
This is browser-agnostic.

3rd best case: Use IE only to access microsoft.com.
Avoid all other sites that require ActiveX.

4th best case: If you just can't avoid sites that require ActiveX,
Mozilla has an ActiveX plug-in
(though why someone would allow ActiveX / ActiveScript to run on his
box,
I don't know; I don't need my HDD remotely wiped, thank you).
Anything that can legitimately done with ActiveX,
can be done with Javascript or something else.

There is absolutely no justification for VBscript on a Worldwide Web
that was concieved so that it would be hardware-/software-agnostic.
Same goes for ActiveX.
In 2005, there is no more place for dweebs who use this M$-centric junk
than there is a place for pages done in FrontPage.

/rant

 

[Robert Monsen]

Terry Pinnell wrote:

I was surprised to learn today that all anti-adware and anti-spyware
programs perform so badly. Here's an extract of the ranking, from
'Anti-adware misses most malware' By Brian Livingston, in
http://windowssecrets.com/050127/

Product Adware Fixed
---------------- ------------
Giant AntiSpyware 63%
Webroot Spy Sweeper 48%
Ad-Aware SE Personal 47%
Pest Patrol 41%
SpywareStormer 35%
Intermute SpySubtract Pro 34%
PC Tools Spyware Doctor 33%
Spybot Search & Destroy 33%
McAfee AntiSpyware 33%
Xblock X-Cleaner Deluxe 31%
XoftSpy 27%
NoAdware 24%
Aluria Spyware Eliminator 23%
OmniQuad AntiSpy 16%
Spyware COP 15%
SpyHunter 15%
SpyKiller 2005 15%

So, given that there must be great overlap, I reckon my
frequently-used combination of Ad-Aware SE Personal and Spybot Search
& Destroy is catching little more than half the malware reaching me.
Unsettling.

The problem with some adware/spyware is that they have guard
applications, meaning that they install two apps, which are both started
when you log in (or start up) and which watch each other. If you kill
one of these, the other one will immediately restart it. This makes it
nearly impossible for these spyware removal programs to get them.

One thing you can do which at least lets you know what's up is to use
msconfig, (start:run:type msconfig) and then go to the 'startup' tab.
Programs that start at init time are shown here. You can turn them off
here if you want, or go dig around in the registry.

Usually, if you run the spybot cleaner from safemode, (which also
doesn't run these init programs) the spybot cleaner programs can remove
them. This is only true if it knows about the particular infection, though.

One particularly nasty infection actually installed itself as a windows
service... that took some rooting around to eradicate.

I've been using a combination of Norton Antivirus and Spybot Search and
Destroy, and my system has been clean of these things for months. Also,
I switched to using the Firefox browser. Many of these are installed
using backdoors in internet explorer. I *never* run IE these days except
for updates from microsoft (which, sadly, require IE). I taught my kids
to use firefox as well, and their computer has been clean too.

One other thing, if you use XP, you can turn on the SP2 firewall, which
will prevent any infections that may crop up from connecting to their
mothership. It blocks outbound connections from programs that you
haven't explicitly allowed. It's kinda annoying initially, but it works.
Also, use a cable or dsl inbound firewall, and make it 'dark', so it
doesn't respond to pings or other queries.

I've been cleaning up systems for friends this way, and it works even
for people of limited computer knowledge. I cleaned up my gardener's
system a few months ago, and he is happy as a clam. Before, he couldn't
use his computer without being inundated with popups. He had 5 actual
viruses, and at least 200 forms of adware. (I got a few months of free
garden work as well!).

--
Regards,
Robert Monsen

"Your Highness, I have no need of this hypothesis."
- Pierre Laplace (1749-1827), to Napoleon,
on why his works on celestial mechanics make no mention of God.

 

[Anthony Fremont]

"JeffM" <jeffm_@email.com> wrote in message
news:1106939935.413149.75280@c13g2000cwb.googlegroups.com...

I also suggest you try using the Microsoft Spyware Removal Tool
free for download from MS's download area.
It's just a relabeled version of Giant's product.
Anthony Fremont

No. Microsoft also tweaked GIANT's product.
1) Microsoft's version only runs on current OSes.

Sad, but true.

It finds things that neither Spybot S&D nor AdAware find.

2) Like P2P software, which it labels malware.

Most P2P software comes with plenty of spyware attached. They also
refuse to run after removing the spyware/adware packaged with it.
"required component is missing, please reinstall" Beware, it will
delete your pirated music if you allow it.

 

[Fred Abse]

On Fri, 28 Jan 2005 15:12:38 +0000, john jardine wrote:

've got some trash called "Cool web search" on my PC at the moment.
*Nothing* can remove the core component. "Spybot" will crash the PC on
finding it. Others just acknowledge that this POS is present.
Even the purpose written "CW Shredder" crashes on attempting to remove it.
Where are all those oh-so-clever-hot-shot-windows-programmers, when
they're needed to do some real, socially useful work?. By default I'm
learning that windows is built on gibberish. It leaks like a sieve. No
amount of updating can ever improve it. regard.

Try:

http://www.silentrunners.org/sr_cwsremoval.html

I can't vouch for it, since I don't run Windows, but it's worth a try.

--
Then there's duct tape ...
(Garrison Keillor)

 

In <71ukv0lp4n8v54joter7tr60lr7cgifk77@4ax.com>, on 01/28/05
at 10:38 AM, Jim Thompson <thegreatone@example.com> said:

Any comments/information/user-reviews for "Secure IE"?

http://www.secureie.com/index.aspx

Interesting. I have not heard of it, so I can't comment on it.

Mozilla does everything I need, its free, its not IE and so I wouldn't
pay someone for software to fix Microsoft's stuff. Since how M$ has not
updated IE in about four years, it stands to reason that a browser that is
currently supported and maintained is a good way to go. As usual, YMMV.

If anyone uses the secureIE software, I would be interested in your
opinions.

John

 

[Rich Grise]

On Fri, 28 Jan 2005 10:39:41 +0000, Terry Pinnell wrote:

I was surprised to learn today that all anti-adware and anti-spyware
programs perform so badly. Here's an extract of the ranking, from
'Anti-adware misses most malware' By Brian Livingston, in
http://windowssecrets.com/050127/
[snip stats]
So, given that there must be great overlap, I reckon my
frequently-used combination of Ad-Aware SE Personal and Spybot Search
& Destroy is catching little more than half the malware reaching me.
Unsettling.

Or, you could just run Linux. It doesn't do spyware. But I have been
watching my apache access logs, and I've blacklisted a few IPs that
are sending such extreme garbage:
--------<sample excerpted>------
4.8.194.170 - - [27/Jan/2005:05:38:15 -0800] "GET /default.ida?XXXXXXXXXXXXXXXXXXX
[two lines of XXXXXXX snipped]
4.10.192.232 - - [27/Jan/2005:10:18:08 -0800] "SEARCH /\x90\xc9\xc9\...
Many many \xc9, followed by as many \x90. I know \x90 is an 8086 nop, but it's
followed by:
4.10.192.232 - - [27/Jan/2005:10:18:39 -0800] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 307,
-------<end excerpt>------------
which is clearly a windoze buffer-overflow-type attack. Presumably, that
sequence is the key to the back door of your system.

So, wanna see my current blacklist? No? Sorry, here it is anyway:
BLACKLIST="146.82.109.210
146.82.109.220
206.173.44.115
216.73.86.23
218.235.138.29
218.235.138.5
4.10.111.70
4.10.130.162
4.10.131.233
4.10.133.101
4.10.133.39
4.10.134.223
4.10.135.69
4.10.192.232
4.11.10.236
4.11.102.77
4.11.177.147
4.11.193.186
4.11.203.34
4.11.203.76
4.11.213.233
4.11.236.20
4.11.241.127
4.11.251.128
4.11.44.243
4.11.53.75
4.11.54.16
4.11.60.183
4.11.61.44
4.27.133.163
4.8.194.170"

Cheers!
Rich

 

[Richard the Dreaded Liber]

On Fri, 28 Jan 2005 10:16:55 -0500, Alex Parkinson wrote:

john jardine wrote:
I've got some trash called "Cool web search" on my PC at the moment.
*Nothing* can remove the core component.
"Spybot" will crash the PC on finding it. Others just acknowledge that this
POS is present.
Even the purpose written "CW Shredder" crashes on attempting to remove it.

John,

There is an extra program to remove the spyware that crashes CWShredder. You can
download it here:
http://www.spywareinfo.com/~merijn/downloads.html

Run this program, then run CWShredder and HijackThis.

And of course, these are all decuctible, being burnt offerings at the
altar of Prince Bill, right?

;-)

Good Luck!
Rich

 

[Ken Smith]

In article <ivqdnR71OKYAM2fcRVn-qw@buckeye-express.com>,
Mark Jones <abuse@127.0.0.1> wrote:
[...]

I've long-since lobbied for OS-on-EEPROM, especially now that we have
such high-density hardware. Anything without specific permissions just
isn't going to get clearance to write to it, simple as that. Maybe a
"key" you need to insert in the front of the PC to upgrade the
OS/service pack, etc. (Say the switch allows the EEPROM to get +12v.)

When I "upgrade" my toaster, I just buy a new one. Soon the same will be
true of the PC. You will buy it with certain programs on it and thats all
it will do. It will save a lot of trouble.

As far as the programs themselves, I think it should be illegal for
any company to include any kind of "malware" with their software,
known or not. Since it is impossible (and arguably immoral) to police
such companies, they could be added to a blacklist network instead,

I think it perfectly moral to outlaw malware. If we can ban food that
contains toxins and drugs that don't work and cars that don't have breaks
and water heaters that explode, the malware banning seems like just more
of the same.

Enforcement isn't all that hard in many cases. You just have to be
willing to blow up someones house in India or something like that.

which every computer connected to the net can automatically check
daily. Any suspect software comes up flagged as bad, much like how
SpamCop works but only for programs. i.e.,

Ding! "Attention, you have Kazaa installed, you idiot! 17 people are
preening through your hard disk right now, 2 are deleting your Pamela
Anderson nude collection, and 1 is editing your registry. Recommend
you uninstall Kazaa, like, yesterday..."

-M

-- "Konnichiha, douzoyoroshiku." MCJ 200404

--
--
kensmith@rahul.net forging knowledge