
Microsoft Windows Anti Spyware Beta released

 
Ron Kinner
Honored Contributor

Microsoft Windows Anti Spyware Beta released

Just got a blurb from Microsoft. They have released a beta version of their new anti spyware program. You can download it free at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en&Hash=S6C53V5

It does require that you have a legal copy of windows but the download is free.

Just ran it on my PC. It came up with three false positives. It seemed to think that the presence of nsldapssl32v30.dll meant that I had Timbuktu remote control installed, when in fact the DLL is included with hundreds of programs. It also flagged my sniffer program WinPcap as a threat but did admit that it was a low risk. Finally, it said it found searchsquire and wanted to remove it. Actually, the only mention of searchsquire is in my restricted zone, so it was offering to remove it from my restricted zone.

Looking at its Advanced Tools, it has something called System Explorer which lets you look at BHOs and other interesting things. Tackily says that Spybot S&D's BHO is an unknown threat, but since it identifies its own System Shell and a dozen Windows LSPs as unknown threats I guess it's just a beta flaw.

Wish I had a good istsvc or vx2 or coolwebsearch infection to try it on.

Ron
14 REPLIES 14
Jay Bollyn
Honored Contributor

Re: Microsoft Windows Anti Spyware Beta released

Hi Ron, just FYI:

Here is the MS press release, announcing they bought GIANT:

http://www.microsoft.com/presspass/press/2004/dec04/12-16GIANTPR.asp

Here is another interesting take on this acquisition:

http://www.pcworld.com/news/article/0,aid,118983,00.asp

We all know that MS is being dragged kicking and screaming into the anti-spyware business, because so many people are fed up with the security sieve called IE. My personal feeling is that IE needs to be re-written and re-designed, with SECURITY as the #1 priority. MS obviously has the resources to do it. All it would take is the nod from Bill.

I will try this beta version on the VX2-infected PC we talked about, but I am not expecting much.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=781562

:-) Jay

check Facebook
Jay Bollyn
Honored Contributor

Re: Microsoft Windows Anti Spyware Beta released

Sounds like I got the same false-positives that you got.

This was run on my primary home PC, which is not having any problems at all:

http://orion.neiu.edu/~jbollyn/spyware/ms-anti-spyware.jpg

:-) Jay
check Facebook
Nguyen Anh Tien
Honored Contributor

Re: Microsoft Windows Anti Spyware Beta released

HP also recommends SpySubtract (InterMute).
Go to:
http://h20239.www2.hp.com/techcenter/security/index.htm Choose Got Spyware or choose Intermute to get the software.

I am downloading Anti Spyware. I will try it and compare Anti Spyware and SpySubtract.
HP is simple
Ron Kinner
Honored Contributor

Re: Microsoft Windows Anti Spyware Beta released

Appears to be much ado about nothing. I met a guy on the MS forum with an about:blank (sp.html) infection who ran the program then sent me his hijackthis log. After MS said it was clean I found a bunch of evil doers still on his system including about:blank. See attached.

I guess it's not going to put me out of business anytime soon.

Ron
Jay Bollyn
Honored Contributor
Solution

Re: Microsoft Windows Anti Spyware Beta released

Hi Ron,

I think MAS did a pretty good job on the VX2-infected PC. There were quite a few other things (spyware/malware/data miners/tracking cookies, etc.) as well. I just ran MAS in normal XP mode (not Safe Mode). After the scan, I did not see any mention of having found VX2, but I just took all the default suggestions to delete or ignore the things MAS found.

After reboot, I ran HJT ver. 1.99.0, which found the LSP problem I had noticed before. When you try to delete the LSP entries, this current HJT version says 'sorry I can't do it, but check here' and provides this link:

http://www.cexx.org/lspfix.htm

I ran LSPfix which did fix the problem. With previous versions of HJT, you could check the LSP checkboxes, but the problem would return after reboot.

So this PC is clean now; I have rebooted several times. I ran the Ad-Aware VX2 add-in, and VX2 was not found.

We are probably going to install MAS (when RTM is available), replacing Spybot S&D, on the client PCs on my network.

So it seems, from what you say, MAS is a mixed bag. We will need to try it on more infected PCs to get a better idea of how useful MAS is.

:-) Jay



check Facebook
Roger Faucher
Honored Contributor

Re: Microsoft Windows Anti Spyware Beta released

Ron:

In fairness to MS, it is only Beta1 software. They still have time to mess it up some more. ;-)

I ran it on 2 machines so far. Ran clean on my nephew's and on mine flagged only one item, RealVNC. It did however offer pretty good text describing how RealVNC is not truly malicious unless you're not aware that it's on your system. I haven't been able to run it on an infected system yet.

Make a great day!

Roger
Jay Bollyn
Honored Contributor

Re: Microsoft Windows Anti Spyware Beta released

I had another infected PC to work with. MAS found some things but could not deal with all the problems. I had to run Ad-Aware in Safe Mode, CW Shredder, and HJT. The PC is now clean.

So what I say so far, MAS is a useful tool, but it does not put our other tools out of business.

MAS did prevent http://seeq.com from changing the IE home page. MAS gives a popup dialog 'are you sure you want to allow this?' so you click the 'block' button.

:-) Jay
check Facebook
Jay Bollyn
Honored Contributor

Re: Microsoft Windows Anti Spyware Beta released

Hi Ron et al,

It seems like every day I get a call from someone on my network who is reporting either unusual popups, or general slowness with a lot of unusually heavy HDD activity.

I don't think it is worthwhile to run *any* of our anti-spyware tools in normal winXP mode. My current strategy is to first update the following in normal winXP mode: Spybot S&D, Ad-Aware SE (with the VX2 plugin), and MAS. Then reboot into Safe Mode to run the scans. Then scan with HJT v1.99.0.

One thing I do like about MAS: When you first run it, MAS will give popups asking if various changes are to be allowed or blocked, and then MAS will remember those choices. Realtime detection/blocking and automatic definition updates are critical, and MAS does a good job with these features. Antispyware software needs to be as transparent as possible to the user, like AV software currently is.

Lately I have been seeing a lot of CoolWWWSearch.Yexe. CWShredder does not detect it, but our ordinary tools detect and remove it *when*run*in*safe*mode. CWS does not give annoying popups, but it does give heavy HDD activity, especially at logon.

:-) Jay
check Facebook
Donal
Honored Contributor

Re: Microsoft Windows Anti Spyware Beta released

Fred Langa has just posted a review of this software:

http://langa.com/newsletters/2005/2005-01-13.htm#2

Re: Microsoft Windows Anti Spyware Beta released

Hi,

Has anyone visited the community that Microsoft set up for this product?

I see a lot of angry people there ... they really shouldn't be, as it is clearly stated it is BETA software!

But anyway, here is in short what you will see there:
- A lot of false positives. Even some of M$'s own products are flagged as 'threat' ;-)
- Some PCs had their IP-stacks shattered (no more IP connectivity)
- For some people on XP it broke their XP firewall.

It seems rather silly; they should just fix the bloody IE once and for all, instead of dabbling in anti-spyware.

If you don't want spyware, don't use IE. Period.

I haven't seen any spyware since I switched to Mozilla/Firefox, which, apart from being "immune" to spyware is a very good browser indeed!
Jay Bollyn
Honored Contributor

Re: Microsoft Windows Anti Spyware Beta released

Hi Marcus,

Using an alternative browser is a good idea for individual users (home/small office) and for Power Users, but for large institutions with hundreds or thousands of users, it is not feasible. For one thing, I have subscription databases which require IE. And I am not interested in the training issues and support calls to support a new browser.

I use Firefox 1.0, and I agree it is a good browser. People on my network can use any browser they like. But IE will continue to be our officially supported browser, regardless of spyware or security concerns. We run a Checkpoint firewall, SAV Corporate Edition 8.1, and SUS to handle MS critical/security updates, so risk to the network from IE is minimized.

:-) Jay
check Facebook
Ron Kinner
Honored Contributor

Re: Microsoft Windows Anti Spyware Beta released

Word from the Microsoft antispy forum is that running AntiSpy twice in a row in Safe Mode both times is the key to getting rid of VX2, CoolWebSearch and About Blank.

Not sure I believe it but thought I'd pass it on.

Ron
Fred Rone
Advisor

Re: Microsoft Windows Anti Spyware Beta released

For 11 days now, I've been trying to get rid of what TrojanHunter calls Adware.VX2.100
MS AntiSpyWare called it VX2.Narrator.
SpyBot calls it CoolWebSearch.*
None of the other programs can do any better; they all say they are deleting it, but it reappears following reboot.
I've been on Active Chat with HP Instant support, and they say to use the Restore CD and reformat, and reinstall WinXPpro.
Alas, I must, I fear...
Fred
Ron Kinner
Honored Contributor

Re: Microsoft Windows Anti Spyware Beta released

Don't do that. I can fix it. Start your own post so that you can "pay" with points and post a HijackThis log as an attachment please! There is something in HijackThis logs that drives the forum crazy.

Get HijackThis at:

http://tomcoyote.org/hjt/hjt199//HijackThis.exe

It's best to run cwshredder first just in case this is a version that it can kill.

Get the standalone free version from intermute:

http://www.intermute.com/spysubtract/cwshredder_download.html

You want it to fix not just scan your system. If it asks you if something is random just tell it no but write down the filename and ask me about it.

Then run HijackThis and post the log.

Ron