Readers reveal their adware battles

My article in the Jan. 27 newsletter on anti-adware and antispyware generated a wave of responses from our readers.

The conventional wisdom — reported by many computer magazines until quite recently — had been that two free programs, Ad-Aware and SpyBot Search & Destroy, were able to remove most malware when both were used.

In reality, as I reported last issue, these two programs have not kept up with the growth of the adware threat. I compiled raw data provided by researcher Eric Howes, who exhaustively tested 20 applications in October 2004.

The results showed that only one anti-adware program, Giant AntiSpyware, was capable of removing more than 50% of the little buggers. Every other program removed fewer than half of the problem cases.

The best two-program combination to root out adware, the study indicated, was Giant AntiSpyware — which deleted 63% of the unwanted components by itself — plus Webroot Spy Sweeper, which brought the figure up to 70%. (For links, see the Security Baseline section, below.)

Ironically, Microsoft purchased the little-known Giant Software Company in December 2004. This has created a different sort of problem, but we’ll get to that later.

After the article appeared, the newsletter received literally hundreds of reports from readers. They related the pain they’ve experienced from adware and the relief they’ve gotten from using some of the newer, more accurate anti-adware utilities.

Here’s just one brief example of the many success stories readers sent us (this one from Mike Butler):
  • “You guys have hit a home run with this edition.

    “The adware discussion prompted me to download Microsoft Windows AntiSpyware and CWShredder.

    “I couldn’t believe the trash that Spybot failed to catch. Thanks a million for your brilliant work. If I never read anything else about Windows, I read your column religiously.”
Well, that’s enough kudos. Now let’s move on to the tough work of dealing with the malware and adware we still must defeat.

Keeping up with an accelerating arms race

One corporate network administrator, who asked to remain anonymous, reports that malware programs are exploding in number and that anti-adware apps need to evolve at least as quickly.

His own findings, and the questions that lie behind his message, will be interesting to anyone who’s grappling with rampant adware:

  • “I’m a network engineer working as IT manager for an electronics company. I’ve spent the last few months pushing my management team towards a purchase of an enterprise-wide antispyware program. We’ve just bought and implemented Webroot Spy Sweeper Enterprise Edition, and it’s going in this weekend.

    “I first used the 30-day trial of Spy Sweeper in August 2004, when my marketing manager got her system all but disabled by spyware/malware. SpyBot Search & Destroy just wasn’t helping, so I did a little research and downloaded Spy Sweeper.

    “Spybot was picking up 14 instances of spyware. Spy Sweeper picked up 56 instances (over 1,200 traces in all). Quite a difference. Two sweeps with Spy Sweeper (the second in Safe Mode) and the workstation was clean.

    “Admittedly, Spy Sweeper wouldn’t have been able to tell me about problems it wasn’t programmed to detect. But my Registry warnings, Run and Run Once keys, running processes (in Task Manager), MSCONFIG lists, and Add/Remove Programs screens were clear (and, more importantly, have stayed clear).

    “Also, the user’s prolific pop-up and browser hijacking problems stopped completely.

    “Part of the 30-day trial was an update of the Spy Sweeper pattern files. At that time (August 2004), the update brought the original number of recognized patterns from 4,000+ to 29,000+. I had a second workstation badly compromised the next month (September 2004) and by then the patterns numbered over 34,000.

    “The current number of recognized patterns (although it will probably grow between now and the time you look) is 54,000 and change.

    “See my issue? Spy Sweeper is now recognizing nearly twice the number of spyware / malware / Trojan / etc. infestations as it was when Eric did his (truly impressive) research runs. You don’t list the dates of your patterns when you did your product combinations, but it seems that every couple of weeks hundreds, or even thousands, of new holes are being plugged.

    “Is there any way to find out if those percentages have changed in the last four months to reflect the significant change in Spy Sweeper’s arsenal? Speaking as a network manager who’s just talked my management team into a pretty sizeable investment, I’d love a response.”
I believe the anti-adware market has progressed very quickly since Eric Howes conducted his tests in October. He tells me that he’s planning another round of tests within the next month or two. This set will attempt to evaluate the Microsoft Antispyware beta, which didn’t exist four months ago.

In the meantime, other testers are suggesting that new leaders now hold the mantle of anti-adware effectiveness. In ratings released last week, for example, PC Magazine gave its coveted Editors’ Choice award solely to one of the two programs we recommended: Webroot Spy Sweeper. (See the Security Baseline section for details.)

What’s Microsoft’s responsibility for spyware?

Several readers sent in criticisms of Microsoft for causing the virus/malware problem in the first place. In this view, the Redmond company started a “Trustworthy Computing Initiative” about five years too late and even then didn’t complete its mission. Others question Microsoft’s actions regarding its purchase of Giant AntiSpyware, as expressed by Jim Corsa:

  • “I haven’t read anyone exposing Microsoft’s conflicts of interest in buying/developing its own antispyware and antivirus software. Why are pundits praising the [Microsoft] AntiSpyware beta and debating whether Microsoft will sell it, instead of pointing out that antispyware wouldn’t be so critical if Windows and IE were designed and coded properly?

    “If Microsoft is going to make money selling antispyware and antivirus products, then where is the incentive to fix Windows? …

    “It appears Microsoft has made matters worse by removing the best antispyware from the market, or at least from users of older Microsoft operating systems. (Another attempt to kill older versions of Windows?)

    “I clicked on the Giant AntiSpyware download link and arrived at a page which gives the impression I can download Giant AntiSpyware 1.0. However, after checking the Microsoft AntiSpyware beta link, I’m suspicious, because it appears Microsoft is abandoning Windows versions before 2000 and has stopped the sale of Giant AntiSpyware licenses.

    “The Microsoft page contains these paragraphs. The first paragraph addresses Windows versions Giant covers and Microsoft does not. The second paragraph seems to say that anything from Giant is a dead end:

    • Support for Windows 98SE, Windows ME, Windows NT (with Service Pack 3, 4, or 6a) operating systems. GIANT AntiSpyware supports these operating systems, in addition to Windows 2000, Windows XP, and Windows Server(tm) 2003. The Windows AntiSpyware (Beta) software supports only Windows 2000, Windows XP, and Windows Server 2003.

      Microsoft will continue to provide the same level of support to current subscribers of GIANT AntiSpyware software as was offered by GIANT Company Software prior to its acquisition by Microsoft Corporation. Microsoft, however, will no longer sell new licenses, subscriptions, or subscription renewals for GIANT Company Software products, including GIANT AntiSpyware.

    “It’s the ‘however’ that caught my eye. Does this mean folks with old hardware running Windows 98SE cannot get the best antispyware? Or is it still available?”
It appears Microsoft has shut down most or all of the routes by which consumers could download and register Giant AntiSpyware, as opposed to the Microsoft AntiSpyware beta. The download link mentioned above, involving a product page at Download-ware.com (a former Giant Software Company sales affiliate), no longer works. If any reader knows a legitimate way to download and register a supported version of the genuine Giant AntiSpyware, let me know. I personally believe it’s been killed dead.

Numerous readers, while criticizing Microsoft for weak code, wrote to support the growing movement to the new, free Firefox browser as a safer alternative to Internet Explorer. Many rogue programs install themselves silently, track users’ keystrokes, and do other nasty things using IE’s Browser Helper Object “feature.” This is one particular problem that Firefox is relatively immune to. (Firefox supports extensions but not BHOs.)

We’ve written about the benefits of Firefox many times, most recently in the Dec. 2, 2004, issue and as far back as a July 12, 2004, column.

How to recover if antispyware breaks your Net connection

Finally, reader Ken Baker fills us in on a problem that Microsoft Antispyware and some other anti-adware programs can create if they remove malware in a sloppy way. Many unwanted programs insert themselves into the Internet connection process. Deleting a rogue program without fixing the Registry entries it tampered with can leave the PC unable to connect.

Fortunately, there’s a cure if this happens to you:

  • “There have been instances in the past where removal of spyware wrecked computers’ Internet connection. In these cases, spyware files insinuated themselves into Winsock.

    “Win who? Winsock is our new term of the day. It’s a series of files that are used to make the Internet connection. So the spyware files wrote themselves into the Registry. That made the spyware a required part of the Internet-connection process. See how tricky these folks are?

    “When the spyware was deleted, the Registry could no longer find those files. Therefore, the Internet connection failed.

    “Over time, the antispyware makers learned to remove the Registry keys when the Winsock invaders were deleted.

    “The Windows firewall works closely with Winsock. It appears that the spyware is insinuating itself into the startup of the firewall. When you remove the files, the Registry can’t find them. So, it refuses to start the firewall service.

    “Repairing Winsock formerly meant going into the Registry. You had to track down the offending keys and delete them. But Windows has a command that will do the job.

    “To run the command, click Start, Run. Type cmd in the box and click OK. That will put you at a command prompt. Enter netsh winsock reset and press Enter. Close the DOS window and reboot the computer.

    “After doing the above, you should be good to go!”
Information about recovering from Winsock corruption is documented in more detail by Microsoft in Knowledge Base article 811259 and, for fixing general TCP/IP corruption, KB 317518.
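
The dangling-entry condition described in the letter above can be checked before and after a cleanup by reading the Winsock catalog. The following is an added example, not code from this newsletter or from Microsoft: it parses text in the "Label: value" layout of `netsh winsock show catalog` and flags providers whose DLL is missing or sits outside system32. The sample catalog, the `ExampleAdware` name and path, and the `C:\Windows` default are constructed assumptions.

```python
import ntpath
import os
import re

# Constructed sample (assumed layout of `netsh winsock show catalog`); ExampleAdware is made up.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        ExampleAdware over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Program Files\ExampleAdware\exlsp.dll
Catalog Entry ID:                   1013
"""

def parse_catalog(text):
    """Return one dict of fields per '... Provider Entry' block."""
    entries = []
    for block in re.split(r"^.*Provider Entry[ \t]*$", text, flags=re.M)[1:]:
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        if fields:
            entries.append(fields)
    return entries

def audit(entries, exists=os.path.exists, system_root=r"C:\Windows"):
    """List (description, path, reasons) for entries that are broken or need review."""
    sys32 = ntpath.normcase(ntpath.join(system_root, "system32")) + "\\"
    findings = []
    for entry in entries:
        raw = entry.get("Provider Path", "")
        path = re.sub("%SystemRoot%", lambda m: system_root, raw, flags=re.I)
        reasons = []
        if not exists(path):
            reasons.append("file missing")  # dangling entry: the broken-connection case
        if not ntpath.normcase(ntpath.normpath(path)).startswith(sys32):
            reasons.append("outside system32")  # third-party provider: review, not proof
        if reasons:
            findings.append((entry.get("Description", "?"), path, reasons))
    return findings
```

On a live Windows machine, pass the captured output of `netsh winsock show catalog` to `parse_catalog` and leave `exists` at its default. An entry marked "file missing" is the state that `netsh winsock reset` clears.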

In response to all the readers who asked, be assured that we very much plan to bring you more news on this front as we discover it. We’re just beginning to see the full scope of the damage that adware can cause, unfortunately.

In the meanwhile, to send us more information you’ve uncovered about adware, or to send us a tip on any other subject, visit WindowsSecrets.com/contact.

Readers Butler, Dippel, Corsa, and Baker (and Mr. Anonymous) will receive gift certificates for a book, CD, or DVD of their choice for sending us tips we printed.

All Windows Secrets articles posted on 2005-02-10: