MS Antispyware vs Adware ++

TedF

I ran into two infected computers that I had to clean.
One had 240 spyware, MS antispyware removed them successfully.
But I ran Adware, it found additional 29 Spyware.

On the other W2K computer, neither MS Antispyware nor Adware, was
able to remove winole.exe Backdoor Network spyware virus, nor any
of the antivirus program was able to remove it.
Tried everything, in Safemode, VGA mode, cleaned up temp folders
The virus gets deleted but comes back when you connect to the
Internet using DSL.
Had to format the drive, upgraded it to XP.

Little bug in MS Antispyware, it doesn't remove itself from the
registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
When you select it to be inactive, and doesn't start when Windows starts.
 
John

My comments are inserted below:


TedF said:
> I ran into two infected computers that I had to clean.
> One had 240 spyware, MS antispyware removed them successfully.
> But I ran Adware, it found additional 29 Spyware.

MSAS beta is not detecting or handling cookies at this time.

> On the other W2K computer, neither MS Antispyware nor Adware, was
> able to remove winole.exe Backdoor Network spyware virus, nor any
> of the antivirus program was able to remove it.

MSAS does not handle viruses, only spyware. Once infected by a virus,
frequently you must use a specialized tool from an Antivirus company.
Symantec says
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.rpcbot.html

> Tried everything, in Safemode, VGA mode, cleaned up temp folders
> The virus gets deleted but comes back when you connect to the
> Internet using DSL.

ANY TIME you connect a computer to a broadband connection, you MUST use a
firewall - I prefer hardware. Without a firewall, you will be infected in
15 minutes or less.

> Had to format the drive, upgraded it to XP.
>
> Little bug in MS Antispyware, it doesn't remove itself from the
> registry
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> When you select it to be inactive, and doesn't start when Windows starts.

MSAS is intended to be an active defense, not a cleanup tool.

JohnF.
 
TedF

> MSAS beta is not detecting or handling cookies at this time.

Who said anything about cookies ?

> MSAS does not handle viruses, only spyware.

It is a spyware, the heavy duty type.

> MSAS is intended to be an active defense, not a cleanup tool.

It did clean up and removed 240 spyware.
If it doesn't cleanup, then it is worthless.
 
Ron Chamberlin

Hi Ted,

> Who said anything about cookies ?

True. You didn't say that. What was it that AdAware found that MSAS walked
on?

> It is a spyware, the heavy duty type.

From a quick run thru at Google, I would think of it as a critter. May I
suggest if you do run into this beast again that you call 1-866-PCSafety
(in the US) for free tech guidance on clearing it?

> It did clean up and removed 240 spyware.
> If it doesn't cleanup, then it is worthless.

If I could be the mediator here, I'll say it walks both sides of the street.
I envision its true value is installing on a clean machine, and keeping it
clean.

Ron Chamberlin
MS-MVP
 
TedF

> True. You didn't say that. What was it that AdAware found that MSAS walked

I will see if I can get the logs tonight.

Three more issues with MS Antispyware.
1) It doesn't install in Safemode, Adware does.
2) If you select to get latest update after installation
step one, it takes forever with no progress bar.
3) If you select to get latest signature update in the first scan,
it takes forever again with no progress bar.
I assume it tries to get latest software update.
 
JohnF.

Of course this is a cleanup tool - you can't eliminate problems if you can't
remove them. What I am saying is that there seems to be a group of people
who don't want pro-active defense in an antispyware tool, all they want is
an after the fact tool. Giant did not intend for this program to work as an
after the fact tool but as a defender as well. MS agrees.
 
TedF

Hi Ron,

> What was it that AdAware found that MSAS walked on?

Below is Adware quarantine Log:
===========================================
ArchiveData(auto-quarantine- 2005-02-19 10-12-22.bckp)
Referencefile : SE1R28 16.02.2005
======================================================

FLYSWAT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : clsid\{8efd99e4-7d7b-11d2-a26f-00c04f962769}
obj[1]=Regkey : clsid\{c107f7a0-b489-11d2-b2fe-005004055bfb}

MAINPEAN DIALER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[2]=Regkey : software\intexusdial
obj[3]=RegValue : software\intexusdial "Pre"
obj[4]=RegValue : software\intexusdial "PreNumber"
obj[5]=RegValue : software\intexusdial "DeviceName"
obj[6]=RegValue : software\intexusdial "Country"
obj[7]=RegValue : software\intexusdial "Language"
obj[8]=RegValue : software\intexusdial "Machine"
obj[9]=RegValue : software\intexusdial "InstallFlags"
obj[10]=RegValue : software\intexusdial "PassFlags"
obj[11]=RegValue : software\intexusdial "Password"
obj[29]=Folder : C:\Documents and Settings\GARAGE\Start Menu\Programs\- Cheats24.org -
obj[35]=File : c:\log.txt

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[30]=Regkey : software\vendor
obj[31]=RegValue : software\microsoft\internet explorer\toolbar\webbrowser "{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
obj[32]=File : C:\WINDOWS\kwv2.dat
obj[36]=File : C:\WINDOWS\inf\twaintec.PNF

MYDAILYHOROSCOPE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[33]=File : C:\WINDOWS\system32\setup_silent_25207.exe

FAVORITEMAN
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[34]=File : C:\WINDOWS\system32\suiteinstall.exe
obj[37]=File : C:\WINDOWS\system32\O.BAT
obj[38]=File : C:\WINDOWS\system32\v.dat
===========================================
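
An added example, not part of TedF's post or of the scanner itself: a small Python parser for the quarantine-log layout above that groups objects by family and separates IE-cache cookies from registry and file objects, the distinction the thread argues over. The sample log is constructed and abridged, and the function names are hypothetical.

```python
import re

# Constructed, abridged sample in the layout of the quarantine log above.
# The cookie hosts are placeholders, not values from the original log.
SAMPLE_LOG = r"""
MAINPEAN DIALER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[2]=Regkey : software\intexusdial
obj[3]=RegValue : software\intexusdial "Pre"
obj[35]=File : c:\log.txt

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[12]=IECache Entry : Cookie:user@tracker.example/
obj[13]=IECache Entry : Cookie:user@ads.example/

VX2
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[31]=RegValue : software\microsoft\internet explorer\toolbar\webbrowser
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
obj[32]=File : C:\WINDOWS\kwv2.dat
"""

OBJ_RE = re.compile(r"^obj\[(\d+)\]=([^:]+?) : (.*)$")

def parse_quarantine_log(text):
    """Return {family: [[index, object_type, value], ...]}."""
    lines = [ln.strip() for ln in text.splitlines()]
    families, family = {}, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        m = OBJ_RE.match(line)
        if nxt.startswith("»"):            # a »»» rule follows a family name
            family = line
            families.setdefault(family, [])
        elif m and family is not None:
            families[family].append([int(m.group(1)), m.group(2), m.group(3)])
        elif line and line[0] not in "»=" and families.get(family):
            families[family][-1][2] += " " + line   # wrapped value continues
    return families

def triage(families):
    """Per family: (registry/file/folder objects, browser-cache cookies)."""
    out = {}
    for name, objs in families.items():
        cookies = sum(1 for _, kind, _ in objs if kind == "IECache Entry")
        out[name] = (len(objs) - cookies, cookies)
    return out
```

Families whose first count is non-zero left registry keys or files on disk; cookie-only families account for detections that a scanner which ignores cookies would never report.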
 
TedF

> Giant did not intend for this program to work as an after the fact tool
> but as a defender as well.

Maybe it's time to combine antispyware and antivirus
together.
AVG antivirus and MS Anti-spyware were fighting like crazy
with messages, neither was able to kill the spyware.
I had to uninstall both while messages were popping up.

Winole.exe must have another file, or reside in another
file that places itself back after deletion.
Many files get re-created with this spyware virus.
It also adds itself to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Services
From reading about it on the Internet, and what I saw is completely
different. I doubt anybody has a way of killing this virus.
Norton, Trendmicro, AVG, Panda all failed.
Normally I can delete stubborn spyware if antispyware could not
remove it, but this one was very tricky and tough.
 
