M
Mark L. Ferguson
FAQ for MS Antispyware version 1.0.509 (failed update, see ***** below)
Browser version available at http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
At the RSA conference, Bill Gates announced the consumer and
enterprise strategy for Microsoft Windows AntiSpyware.
"The personal version of the final Windows AntiSpyware software (will be)
available at no additional charge to licensed Windows customers as part of
the Windows value proposition. The offering will offer full functionality
to consumers, including the ability to detect and remove spyware, continual
protection that helps guard against more than 50 ways that Web sites and
programs can put spyware on a PC, and protection against the latest threats
through the combined efforts of the SpyNetT community and Microsoft
researchers. For business customers, with more complex infrastructure
support, management and deployment needs, Microsoft plans a managed
anti-spyware solution that will be available as part of a paid solution."
More information can be found at the following link:
http://www.microsoft.com/presspass/press/2005/feb05/02-15RSA05KeynotePR.asp
Please submit a suspected spyware report by clicking tools -> Suspected Spyware Report.
1) Known bugs/errors/unpopular features
a) Various mis-spellings and errata
c) Win9x installs are not supported. (expected behavior)
d) Enterprise end user could block processes domain administrator wants to run (http://support.microsoft.com/kb/892375)
e) CoolWebSearch, VX2 versions not detected (for cws run antispy in safe mode twice, or
http://www.intermute.com/products/cwshredder.html)
f) false positives ( try submitting yours at: http://www.spynet.com/falsepositive.aspx )
Vendors:fill out a dispute form located at http://www.spynet.com/vendors.aspx
1) ?
k) Tracks Eraser failures
l) Multi-user installs not working (Limited User errors, Fast User Switching. etc)
p) No "Failed Install" notice
q) Tracking Cookies not deleted. (This feature is not included in this beta release, next version will do that)
r) Accessibility features not included (for the beta)
u) network and firewall related problems (winsock): http://support.microsoft.com/kb/892350
aa) Ignore closes the browser
dd) terminal serve (Remote Desktop) into a computer, the MS AntiSpy(beta) icon will turn blue
ee) Firewall dead (see: http://support.microsoft.com/kb/892350 )
hh) Kaaza files lost
jj) Dell machines ask for setup disk on scan
ll) totally successful scans only happen in Safe Mode
nn) HOSTS file permission and blocking features.
oo) System Explorer menu item missing (Conflict caused by ATI Mulltimedia DAO (uninstal-reinstall it)) OR (see entry below ******)
pp) RUN Key in the registry is not cleared. (perhaps virus rather than spyware, as well as maybe a bug or needed feature)
qq) Search not restored after search spy/hijack removal.(see Advanced Tools menu/Use "Browser Hijack Settings Restore" feature)
ss) scan on startup impacts system performance during the scan
uu) WINTOOLS lockup (uninstall from add/remove app, and run a safe mode scan)
vv) TeaTimer from spybot causes performance hit
yy) home page changes to MSN
ccc) Hibernation problems with some antivirus software (not defined yet)
hhh) DSO Exploit not detected (Spybot S&D DSO Exploit Fix : http://www.majorgeeks.com/download4392.html )
iii) antispy 'timed' popup windows have no 'close' option
kkk) Virtual Memory errors ( run a deep scan in Safe Mode. and be sure you are logged on as an admin)
mmm) System Restore not cleaned (use 'disk cleanup's option for that)
sss) "System Inoculation Wizard " listed in help, but not included in this beta
uuu) Scan causes big performance hit (slow comnputer)
www) Un-quarantined items missing. (Kazaa, and others)
yyy) Scans only function when running as Administrator (expected behavior, try 'RunAs" for other users)
aaaa)"Estimated scan time:" incorrect
bbbb) scan freezes to "Polymorphic browser hijack scan" (you have a very large ../System32/drivers/etc/HOSTS file.)
cccc) "Detected Spyware on your system:" message shown when no spyware found.
dddd) Error 102 aqnd Error 103 (be sure you have the latest version of antispyware, and are running as an administrator.)
eeee) ?
2) FAQ's (see also: Frequently asked questions about Microsoft Windows AntiSpyware (Beta):
http://www.microsoft.com/athome/security/spyware/software/faq.mspx )
a) "I like it" (Thanks for testing the beta and providing feedback.)
b) bug reports? (Yes, file in this newsgroup. Please title the message so it is Obvious it is a bug, error, or false positive)
c) Deployable via SUS, Enterprise? (see notice at top)
d) MS AntiSpyware cannot start with error 101 (Use the Update feature in Add/Remove, "Change" (see last entry below))
e) Giant Software owners (see page http://www.giantcompany.com/commonQuestions.htm#gen_beta for More information about general
questions for currently licensed customers of Giant Software
f) Group Policy options available? (see notice at top)
g) about:blank issues (Click Tools, Suspected Spyware Report, and submit it to Spynet)
h) Uninstall MAS? (Add/Remove app in Control Panel)
i) "Is there a tutorial for this software?" (Tutorial - How to use the Microsoft AntiSpyware Beta to remove Spyware:
http://www.bleepingcomputer.com/forums/tutorial98.html)
j) "Is the Security Center going to include this?" (probably)
k) " Language Settings are ignored." (beta is English only)
l) "Does this beta expire? (Yes, see Help menu, About)
m) "My antispy expired already!" (change to English in Regional Settings, to run the beta
n) "Limited uses cannot run the scan, make it a service."
0) "Why not include a 'Winsock Repair Tool? (they are working on a way to take care of that issue (also see 3)-e) below)
p) "it doesn't scann for Cookies!" (next beta release will do that
q) "Scheduled scans do not run!" (you have to be logged on for the scan to run)
r) "Update fails with third party firewall" (see *firewall entry below)
s) "When do we get the next version of the beta (or release date for final)" (When it's ready)
t) "Can you update definition files from a downloaded copy?" (not yet, under development)
u) "What criterion is used to determine what is spyware?" ( Microsoft Windows AntiSpyware (Beta) identifies a program as a spyware
threat: http://support.microsoft.com/kb/892340 )
v) "Are there any command line arguments available?" ( *.exe -scan -schedule -withui -withresultsui )
w) "Can you do remote, silent, or unattended installs?" (see ** below)
x) "Update version incorrect in Help, About box?" (do a manual update, on the File menu)
y) "Expiration date extension and Beta 2? (July 31 expiration will be extended by an online update, and there will be a beta 2,
date not announced.)
z)?
3) Remarks
a) "it doesn't work!! (It's a "Beta")
b) "Will it be free, or not?" (see announcement at top)
c) "My software is falsely accused of spying!" (http://support.microsoft.com/kb/892340 MAS incorrectly identifies a program as a
spyware threat)
d) "The error.log file gets too big!" (It's a "Beta")
e) "It's NOT a Bug!" (many spyware removals will expose relic damage, Repair the system)
f) Various other rants and trolling (yawn)
created by Mark L. Ferguson
free for re-publication
(If you would like to post reply comments or additions, anything but a rant is fine.) Followup set to .general newsgroup
AntiSpy newsgroup info >> Newsserver: privatenews.microsoft.com Username privatenews\spyware Password: spyware
(or) Support newsgroup : http://communities.microsoft.com/newsgroups/default.asp?ICP=spyware&sLCID=us
*Error 101 fix (choose a non-default location for the install, e.g "C:\msas\" or )
Verify you are logged in as an administrator.
Open up control panel and double-click on add/remove programs.
Select Microsoft AntiSpyware
Select "Change"
On the Microsoft AntiSpyware Maintenance Wizard, click next.
On the next screen (Microsoft AntiSpyware Maintenance Wizard) select Update
Microsoft AntiSpyware and click next.
Select Install
Let the product update.
Click Finish.
(if no help, try uninstalling from Add/Remove, and then reinstall the antispyware.)
Another Error 101 fix -
Home edition -- In Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Find the value called
"nodefaultadminowner". The supported values are "0" for "Administrators group", or "1" for "Object creator". Set the value to 0.
Pro Edition -- start/run, type secpol.msc , then browse to Security Settings \ Local Policies \ Security Options. The policy name
is "System objects: Default owner for objects created by members of the Administrators group". The allowable settings are
"Administrators group" or "Object creator". Change it to "Administrators group." After that change has been made, please refresh the
policy by typing: "gpupdate /force" from a command prompt.
Another Error 101 fix -
Windows Installer cleanup tool:
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301
And another Error 101 fix -
(on Win 2000):
Go to the MAS install directory (typically C:\Program
Files\Microsoft Anitspyware)
Create a shortcut for dcasDTServ.exe.
Drag the shortcut into your Start Menu\Programs\Startup
Restart.
*Update with third party firewall
Customers with software firewalls need to grant access to the programs
below in order to keep Microsoft AntiSpyware up to date as well as upload
unknown threats to the spynet community.
GiantAntiSpywareMain.exe
gcasDtServ.exe
MicrosoftAntiSpywareUpdater.exe
gcasServAlert.exe
Customers with hardware firewalls only need to verify ports 80 and 443 are
open.
** Remote silent, or unattended installs (by ryan@overdose) http://www.overdose.net/docs/msas_silent_remote_install.txt
.\GIANTAntiSpywareMain.exe /S /v/qn
or
msiexec.exe /i c:\msantispy.msi /qn INSTALLDIR=c:\MSAS\
or
MsiExec.exe /X {536F7C74-844B-4683-B0C5-EA39E19A6FE3} /L *vx /Log c:\msas.log /quiet
first run "gcasDtServ.exe /regserver" for silent installs (/q)
remote installs of Antispyware
use win32_process Create to run the MSI and register gcasDtServ
***Agents missing (found by "Bob")
Download scripten.exe from microsoft and install it.
http://www.microsoft.com/downloads/...43-7e4b-4622-86eb-95a22b832caa&displaylang=en
Uninstall MSAS
Reinstall MSAS
**** Flying Alerts fix (found by "Boris" bkortiak@tbsindustries)
Use the Alt-Tab Power Toy.
Alt-Tab to the alert, then Tab to DENY, or ALLOW
Microsoft PowerToys for Windows XP: http://www.microsoft.com/WINDOWSXP/home/downloads/powertoys.asp
***** Update to version 509 failure ( found by Bob Dietz)
1) Reboot into SAFE MODE. (F8 on restart)
2) START> Run...> cmd
3) cleanmgr /sageset:999
4) Uncheck everything except "Temporary Setup Files."
5) cleanmgr /sagerun:999
6) Attempt to install the program again.
******
System Explorer items missing
1) Open up a command prompt (start -> run -> cmd)
2) Type in the following "regsvr32 msvbvm60.dll" (without the quotes).
3) Close and re-open Windows AntiSpyware
if no help: try the installation of a Service Pack for the Visual Basic 6 runtime: This link is
for SP6, but SP5 also appears to be effective.
http://www.microsoft.com/downloads/...61-7a9c-43e7-9117-f673077ffb3c&DisplayLang=en
..
Browser version available at http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
At the RSA conference, Bill Gates announced the consumer and
enterprise strategy for Microsoft Windows AntiSpyware.
"The personal version of the final Windows AntiSpyware software (will be)
available at no additional charge to licensed Windows customers as part of
the Windows value proposition. The offering will offer full functionality
to consumers, including the ability to detect and remove spyware, continual
protection that helps guard against more than 50 ways that Web sites and
programs can put spyware on a PC, and protection against the latest threats
through the combined efforts of the SpyNetT community and Microsoft
researchers. For business customers, with more complex infrastructure
support, management and deployment needs, Microsoft plans a managed
anti-spyware solution that will be available as part of a paid solution."
More information can be found at the following link:
http://www.microsoft.com/presspass/press/2005/feb05/02-15RSA05KeynotePR.asp
Please submit a suspected spyware report by clicking tools -> Suspected Spyware Report.
1) Known bugs/errors/unpopular features
a) Various mis-spellings and errata
c) Win9x installs are not supported. (expected behavior)
d) Enterprise end user could block processes domain administrator wants to run (http://support.microsoft.com/kb/892375)
e) CoolWebSearch, VX2 versions not detected (for cws run antispy in safe mode twice, or
http://www.intermute.com/products/cwshredder.html)
f) false positives ( try submitting yours at: http://www.spynet.com/falsepositive.aspx )
Vendors:fill out a dispute form located at http://www.spynet.com/vendors.aspx
1) ?
k) Tracks Eraser failures
l) Multi-user installs not working (Limited User errors, Fast User Switching. etc)
p) No "Failed Install" notice
q) Tracking Cookies not deleted. (This feature is not included in this beta release, next version will do that)
r) Accessibility features not included (for the beta)
u) network and firewall related problems (winsock): http://support.microsoft.com/kb/892350
aa) Ignore closes the browser
dd) terminal serve (Remote Desktop) into a computer, the MS AntiSpy(beta) icon will turn blue
ee) Firewall dead (see: http://support.microsoft.com/kb/892350 )
hh) Kaaza files lost
jj) Dell machines ask for setup disk on scan
ll) totally successful scans only happen in Safe Mode
nn) HOSTS file permission and blocking features.
oo) System Explorer menu item missing (Conflict caused by ATI Mulltimedia DAO (uninstal-reinstall it)) OR (see entry below ******)
pp) RUN Key in the registry is not cleared. (perhaps virus rather than spyware, as well as maybe a bug or needed feature)
qq) Search not restored after search spy/hijack removal.(see Advanced Tools menu/Use "Browser Hijack Settings Restore" feature)
ss) scan on startup impacts system performance during the scan
uu) WINTOOLS lockup (uninstall from add/remove app, and run a safe mode scan)
vv) TeaTimer from spybot causes performance hit
yy) home page changes to MSN
ccc) Hibernation problems with some antivirus software (not defined yet)
hhh) DSO Exploit not detected (Spybot S&D DSO Exploit Fix : http://www.majorgeeks.com/download4392.html )
iii) antispy 'timed' popup windows have no 'close' option
kkk) Virtual Memory errors ( run a deep scan in Safe Mode. and be sure you are logged on as an admin)
mmm) System Restore not cleaned (use 'disk cleanup's option for that)
sss) "System Inoculation Wizard " listed in help, but not included in this beta
uuu) Scan causes big performance hit (slow comnputer)
www) Un-quarantined items missing. (Kazaa, and others)
yyy) Scans only function when running as Administrator (expected behavior, try 'RunAs" for other users)
aaaa)"Estimated scan time:" incorrect
bbbb) scan freezes to "Polymorphic browser hijack scan" (you have a very large ../System32/drivers/etc/HOSTS file.)
cccc) "Detected Spyware on your system:" message shown when no spyware found.
dddd) Error 102 aqnd Error 103 (be sure you have the latest version of antispyware, and are running as an administrator.)
eeee) ?
2) FAQ's (see also: Frequently asked questions about Microsoft Windows AntiSpyware (Beta):
http://www.microsoft.com/athome/security/spyware/software/faq.mspx )
a) "I like it" (Thanks for testing the beta and providing feedback.)
b) bug reports? (Yes, file in this newsgroup. Please title the message so it is Obvious it is a bug, error, or false positive)
c) Deployable via SUS, Enterprise? (see notice at top)
d) MS AntiSpyware cannot start with error 101 (Use the Update feature in Add/Remove, "Change" (see last entry below))
e) Giant Software owners (see page http://www.giantcompany.com/commonQuestions.htm#gen_beta for More information about general
questions for currently licensed customers of Giant Software
f) Group Policy options available? (see notice at top)
g) about:blank issues (Click Tools, Suspected Spyware Report, and submit it to Spynet)
h) Uninstall MAS? (Add/Remove app in Control Panel)
i) "Is there a tutorial for this software?" (Tutorial - How to use the Microsoft AntiSpyware Beta to remove Spyware:
http://www.bleepingcomputer.com/forums/tutorial98.html)
j) "Is the Security Center going to include this?" (probably)
k) " Language Settings are ignored." (beta is English only)
l) "Does this beta expire? (Yes, see Help menu, About)
m) "My antispy expired already!" (change to English in Regional Settings, to run the beta
n) "Limited uses cannot run the scan, make it a service."
0) "Why not include a 'Winsock Repair Tool? (they are working on a way to take care of that issue (also see 3)-e) below)
p) "it doesn't scann for Cookies!" (next beta release will do that
q) "Scheduled scans do not run!" (you have to be logged on for the scan to run)
r) "Update fails with third party firewall" (see *firewall entry below)
s) "When do we get the next version of the beta (or release date for final)" (When it's ready)
t) "Can you update definition files from a downloaded copy?" (not yet, under development)
u) "What criterion is used to determine what is spyware?" ( Microsoft Windows AntiSpyware (Beta) identifies a program as a spyware
threat: http://support.microsoft.com/kb/892340 )
v) "Are there any command line arguments available?" ( *.exe -scan -schedule -withui -withresultsui )
w) "Can you do remote, silent, or unattended installs?" (see ** below)
x) "Update version incorrect in Help, About box?" (do a manual update, on the File menu)
y) "Expiration date extension and Beta 2? (July 31 expiration will be extended by an online update, and there will be a beta 2,
date not announced.)
z)?
3) Remarks
a) "it doesn't work!! (It's a "Beta")
b) "Will it be free, or not?" (see announcement at top)
c) "My software is falsely accused of spying!" (http://support.microsoft.com/kb/892340 MAS incorrectly identifies a program as a
spyware threat)
d) "The error.log file gets too big!" (It's a "Beta")
e) "It's NOT a Bug!" (many spyware removals will expose relic damage, Repair the system)
f) Various other rants and trolling (yawn)
created by Mark L. Ferguson
free for re-publication
(If you would like to post reply comments or additions, anything but a rant is fine.) Followup set to .general newsgroup
AntiSpy newsgroup info >> Newsserver: privatenews.microsoft.com Username privatenews\spyware Password: spyware
(or) Support newsgroup : http://communities.microsoft.com/newsgroups/default.asp?ICP=spyware&sLCID=us
*Error 101 fix (choose a non-default location for the install, e.g "C:\msas\" or )
Verify you are logged in as an administrator.
Open up control panel and double-click on add/remove programs.
Select Microsoft AntiSpyware
Select "Change"
On the Microsoft AntiSpyware Maintenance Wizard, click next.
On the next screen (Microsoft AntiSpyware Maintenance Wizard) select Update
Microsoft AntiSpyware and click next.
Select Install
Let the product update.
Click Finish.
(if no help, try uninstalling from Add/Remove, and then reinstall the antispyware.)
Another Error 101 fix -
Home edition -- In Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Find the value called
"nodefaultadminowner". The supported values are "0" for "Administrators group", or "1" for "Object creator". Set the value to 0.
Pro Edition -- start/run, type secpol.msc , then browse to Security Settings \ Local Policies \ Security Options. The policy name
is "System objects: Default owner for objects created by members of the Administrators group". The allowable settings are
"Administrators group" or "Object creator". Change it to "Administrators group." After that change has been made, please refresh the
policy by typing: "gpupdate /force" from a command prompt.
Another Error 101 fix -
Windows Installer cleanup tool:
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301
And another Error 101 fix -
(on Win 2000):
Go to the MAS install directory (typically C:\Program
Files\Microsoft Anitspyware)
Create a shortcut for dcasDTServ.exe.
Drag the shortcut into your Start Menu\Programs\Startup
Restart.
*Update with third party firewall
Customers with software firewalls need to grant access to the programs
below in order to keep Microsoft AntiSpyware up to date as well as upload
unknown threats to the spynet community.
GiantAntiSpywareMain.exe
gcasDtServ.exe
MicrosoftAntiSpywareUpdater.exe
gcasServAlert.exe
Customers with hardware firewalls only need to verify ports 80 and 443 are
open.
** Remote silent, or unattended installs (by ryan@overdose) http://www.overdose.net/docs/msas_silent_remote_install.txt
.\GIANTAntiSpywareMain.exe /S /v/qn
or
msiexec.exe /i c:\msantispy.msi /qn INSTALLDIR=c:\MSAS\
or
MsiExec.exe /X {536F7C74-844B-4683-B0C5-EA39E19A6FE3} /L *vx /Log c:\msas.log /quiet
first run "gcasDtServ.exe /regserver" for silent installs (/q)
remote installs of Antispyware
use win32_process Create to run the MSI and register gcasDtServ
***Agents missing (found by "Bob")
Download scripten.exe from microsoft and install it.
http://www.microsoft.com/downloads/...43-7e4b-4622-86eb-95a22b832caa&displaylang=en
Uninstall MSAS
Reinstall MSAS
**** Flying Alerts fix (found by "Boris" bkortiak@tbsindustries)
Use the Alt-Tab Power Toy.
Alt-Tab to the alert, then Tab to DENY, or ALLOW
Microsoft PowerToys for Windows XP: http://www.microsoft.com/WINDOWSXP/home/downloads/powertoys.asp
***** Update to version 509 failure ( found by Bob Dietz)
1) Reboot into SAFE MODE. (F8 on restart)
2) START> Run...> cmd
3) cleanmgr /sageset:999
4) Uncheck everything except "Temporary Setup Files."
5) cleanmgr /sagerun:999
6) Attempt to install the program again.
******
System Explorer items missing
1) Open up a command prompt (start -> run -> cmd)
2) Type in the following "regsvr32 msvbvm60.dll" (without the quotes).
3) Close and re-open Windows AntiSpyware
if no help: try the installation of a Service Pack for the Visual Basic 6 runtime: This link is
for SP6, but SP5 also appears to be effective.
http://www.microsoft.com/downloads/...61-7a9c-43e7-9117-f673077ffb3c&DisplayLang=en
..
The help here has been great.