#141492 - 2005-06-12 10:28 AM
OT: Spyware removal tools not up to the job
NTDOC (Administrator)
Registered: 2000-07-28
Posts: 11625
Loc: CA
Prompted by a discussion I had with Al_Po and having been wanting to do this sort of test for a long time now, I finally got around to doing it.
In order to test the power of some of the current leaders in the field of Spyware removal I ran the following test.
Using VMware Workstation 5 I created a Windows XP Pro installation. I gave the system 2.2GB of disk space and 800MB of RAM to use.
1. No Service Packs installed
2. No Antivirus installed
3. No Microsoft hotfixes installed
The reason I chose the above setup is that in my opinion that setup more closely follows how many home users are set up. Granted some may be on Windows XP Home Edition, but for this testing I don't feel the Pro version adds any benefits to help prevent spyware.
I then proceeded to start surfing the Web and I allowed popups to run; I allowed software to install by "accidentally" clicking on links. In the real world it might take a home user a few weeks to get the system as infected as I had it, but eventually by fairly normal surfing all Windows users will get spyware if they don't have methods or software to prevent it.
Within a few hours the system was taking about 5 minutes to even finish logging in and was using 100% of the CPU (when the system was first installed and doing nothing the CPU usage was about 0 to 1%). RAM was consuming 600+MB and paging to the swap file.
On day 2 of this test the system blue screened twice and I had to manually intervene by setting up a script to loop through some of the programs and keep killing them while I cleaned it up some. I got the system stable again by removing some spyware manually (couldn't be avoided). Then started the system back up normally and started surfing again.
It got to the point that many of the spyware programs were fighting each other to take control of IE. It got to the point that .html files were no longer associated to run with IE and would prompt you what to do with links. Again I had to manually intervene to get IE working again. Okay, started browsing again, but not very well. Finally a program named clicksearchclick.com became the dominant application that took over all browser requests. I'm not sure what the real intent of this site or method is. Even if you click on the bogus links that it gives you when you search, it runs another search and never goes to the intended real link. If you said, okay I'll buy some of "whatever" and click on it, you still just keep getting more useless search results. Don't understand the ROI for clicksearchclick.com with this method.
Then a program named Desktop Search got onto the system and it was GAME OVER... That little baby would not go away no matter what. I continued attempting to get more spyware onto the system but it was evident that the system was so bogged down now that it was useless trying to get more spyware to install.
Okay, time to start using some of the Top rated spyware removers and see where we get. Let me say right off that I assumed that none of them alone would be able to remove all of the spyware. I was soon to be amazed and find that not only could none of them remove all of it alone, but all of the programs used together were not able to remove all of it.
NOTE! I had to map a drive to the root of the test system and copy over the removal tools and then remove the map. Internet Explorer was no longer capable of downloading any removal tools on its own. This is something to be quite aware of for some users. You might need to talk someone through getting the appropriate removal tools via a command-line connection of FTP.
Originally I had wanted to let each program try and remove stuff, then replace the VMware image with a backup of the spyware-infected image, but since using all the spyware apps together was unsuccessful, there was no reason to proceed further in that direction.
Here are the results from each of the tested programs.
- PROGRAM: Spybot Search & Destroy
Version: 14 Defs: June, 10, 2005 Database: 24,627 potential threats covered
First pass and reboot request: 24 minutes 48 seconds; 304 items fixed, 26 could not be fixed. Allowed Spybot to autorun after reboot.
Second pass and reboot request: 57 items fixed, 3 could not be fixed.
Third pass and reboot request (auto launch did not auto launch; manually kicked off 3rd scan): 57 items fixed, 4 could not be fixed.
Fourth pass and reboot request: 55 items fixed, 3 could not be fixed.
At this point it would appear senseless to continue allowing Spybot to autolaunch and scan after each reboot. Spybot does not appear to be able to automatically remove the following items without further assistance from the user.
- PROGRAM: Ad-AwareSE
Version: 1.06r1 Defs: May, 31, 2005
First pass and reboot request: Found: 499 problems in 8 minutes 30 seconds
Second pass and reboot request: 113 Objects found
Third pass and reboot request: 165 Objects found
Fourth pass and reboot request: 144 Objects found
At this point it would appear senseless to continue allowing Ad-AwareSE to autolaunch and scan after each reboot. Ad-AwareSE does not appear to be able to automatically remove the following items without further assistance from the user.
- PROGRAM: Microsoft Antispyware
Version: beta 1 Defs: #5725
First pass and reboot request: Found: 35 problems in 1 minute 42 seconds
Second pass and reboot request: 12 Items found
Third pass and reboot request: 10 Items found
At this point it would appear senseless to continue allowing Microsoft Antispyware to autolaunch and scan after each reboot. Microsoft Antispyware does not appear to be able to automatically remove the following items without further assistance from the user.
- PROGRAM: Webroot Spy Sweeper
Version: 4.0.3 (Build 363) Defs: 494 Database: 93,577 potential threats covered
First pass and reboot request: Found: 813 problems in 2 minutes 53 seconds
Second pass and reboot request: Found: 14 problems
Third pass and reboot request: Found: 14 problems
Fourth pass and reboot request: Found: 163 problems
At this point it would appear senseless to continue allowing Webroot Spy Sweeper to autolaunch and scan after each reboot. Webroot Spy Sweeper does not appear to be able to automatically remove the following items without further assistance from the user.
- PROGRAM: EWIDO
Version: 2.1 Defs: #1242 June 11, 2005 Database: 152,781 potential threats covered
First pass and reboot request: Found: 813 problems in 2 minutes 53 seconds
Second pass and reboot request: Found: 202 problems
Third pass and reboot request: Found: 66 problems
At this point it would appear senseless to continue allowing EWIDO to autolaunch and scan after each reboot. EWIDO does not appear to be able to automatically remove the following items without further assistance from the user.
Well, the bottom line is that a normal computer user would NOT be able to remove all the spyware from their system. The average home user has trouble running and using many basic applications, let alone using the advanced features of many applications.
Suggestions for all of the makers of these Spyware Removal applications: On a heavily infected system all applications run very slowly and the CPU is often at 100% utilization due to all the auto-launched applications consuming the CPU. Having multiple "I agree", click next buttons takes way too long to get through and is quite annoying.
1. Remove or minimize the amount of screens required to get the program installed and running.
2. Have 2 install methods.
a.) I'm a new computer user. Make all choices for me. Install the application and remove the spyware without asking me ANY other questions. (Many of the questions often asked are not known by inexperienced users.)
b.) I'm an experienced user, please give me all the advanced features and don't run anything automatically, I'll take care of it.
3. Microsoft's spyware removal tool is one of the worst tested about asking the user what to do, and if you don't read the dialog box carefully you can easily allow the spyware to be blocked in the ON position.
4. Some of the spyware removal tools did not give the user the option to reboot immediately, which in some cases allowed some spyware to spawn and install more stuff.
5. Overall, all the Spyware Removal tools need a much more "beginner" method of taking educated guesses for the inexperienced users and attempting to remove the spyware without getting into an annoying loop themselves.
Manual Cleanup Required
After giving all of the tools a chance to clean up the system I had to manually intervene and clean it up.
01. Reboot into safe mode.
02. Using personal knowledge gained by many years of working on Windows systems, sorted and verified version fields of DLL files and removed those that either had no information or I knew were not valid files. Note! Not all EXE and DLL files that don't have a resource field are bogus, but many are.
03. Scanned the registry for all startup locations and removed bogus junk.
04. Modified permissions on all the main startup locations in the REGISTRY so that not even the Administrator can add or edit entries.
05. Scanned and cleaned up bogus POLICY entries in the registry that were used to prevent the user from running or modifying many things inside Windows.
06. Went into each of the user profiles and deleted all the contents of the TEMP, IE TEMP, IE HISTORY folders.
07. Had to go get and use XNET to remove the Desktop Search, which had installed itself as a service and was using SVCHOST (a valid network application) to run itself.
08. Desktop Search had also created a SERVICES32 key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Services32. I didn't know this was a valid entry in Windows, but the system seemed to use it as a method to keep it installed and running.
09. Removed many .ini files in the %windir%\system32 folder which were designed to rename seemingly non-threatening files to EXE and DLL files and randomize spawning of new applications on the fly.
10. Deleted all IE cookies as well (not that critical, but helps to prevent the spyware removal tools from flagging them).
11. Disabled the Windows Restore feature and then verified the files were deleted from there, which had copies of many of the bogus files.
12. Not sure if it was a result of spyware or not, but ran into a couple of folders that would not allow me to take ownership and change permissions, so I ran a full CHKDSK C: /F and then I was able to take back ownership and change permissions so I could remove the bogus folders.
Restarted the system and ran all the Spyware Removal tools again. The first one, Ad-AwareSE, found 8 entries in a recycle bin for another user account. I had it remove them. Then ran each one and all 5 of them then came up with a clean system.
So the results of my testing, though not thoroughly documented, show that none of the top rated Spyware Removal applications are capable of cleaning up all systems. This shows that an experienced Windows Analyst is still often needed to physically review and clean up some systems, and so far this cannot be left to an automated piece of software.
I'm sure that it is possible for some of them to clean up less infected systems, but I also know that there are systems out there that are even more infected with different things than mine had that they would not be able to remove either. I've had to manually clean up many systems that were brought in to me because the user was unable to clean it up with the tools on their own.
I will say though that overall the programs tested do perform an amazing job of attempting to clean up something that is quite difficult to document due to ever changing and self spawning randomly generated new applications. However it also seems that the culprit programmers behind some of these scum spyware applications are using more advanced methods than they used to in order to bypass these cleanup tools.
The use of the free tools from http://www.systeminternals.com was quite useful in tracking down some of the methods used by some of these spyware apps.
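The check in steps 02 and 03 of the manual cleanup (walk the autostart registry locations, then look at whether each launch binary exists and carries a version resource), written as an added PowerShell example that is not part of the original post. It assumes a modern PowerShell run as Administrator on the affected machine; the Services32 key is the one the post describes and is only read if it is present.

```powershell
# Added example, not code from the original post: audit common Windows autostart
# registry locations and flag launch binaries that are missing or have no version
# resource. An empty resource block is a lead, not proof (the post notes the same).
# Assumption: run elevated; the Services32 key is the one the post describes.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Services32'   # key the post saw Desktop Search create
)

function Get-LaunchBinary {
    param([string]$CommandLine)
    # Pull the executable path out of a registry command line, quoted or not.
    # Note: for "rundll32.exe payload.dll,Entry" this returns rundll32.exe, so
    # loaders hosted by a valid Windows binary still need a look at the argument.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.(exe|dll|com|scr))(\s|$)') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Test-AutostartEntry {
    param([string]$Key, [string]$Name, [string]$Value)
    $path = [Environment]::ExpandEnvironmentVariables((Get-LaunchBinary $Value))
    $result = [pscustomobject]@{ Key = $Key; Name = $Name; Path = $path; Verdict = 'ok' }
    if (-not (Test-Path -LiteralPath $path)) {
        # Dead entry, or a file that is renamed/respawned on the fly as the post describes
        $result.Verdict = 'MISSING FILE'
        return $result
    }
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    if (-not $vi.CompanyName -and -not $vi.FileDescription) {
        $result.Verdict = 'NO VERSION INFO'   # the "no resource field" case from step 02
    }
    return $result
}

$findings = foreach ($key in $autostartKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata members Get-ItemProperty adds to every object
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        Test-AutostartEntry -Key $key -Name $p.Name -Value ([string]$p.Value)
    }
}
$findings | Where-Object Verdict -ne 'ok' | Format-Table -AutoSize
```

Entries reported as MISSING FILE or NO VERSION INFO are candidates for the manual review in step 02, not automatic deletions; legitimate software occasionally ships binaries without a version block.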