Slashdot Mirror


CA's 'Pest Scan' Results Mislead Users

FriedDuck writes "After reading eWeek's article about CA's ranking of spyware threats, I went to their site to check it out and try their free spyware scan. I was stunned. CA reported that my machine is being terrorized by eleven 'pests', including some that are pretty serious (not just tracking cookies). Unfortunately, all of the serious threats were false positives. CA reported that I had a key logger, cracking tool, and various other nasties that all turned out to be common software (e.g. Flash, SourceSafe) that one wouldn't easily mistake for malware. In fact, without exception my system contained none of the registry keys, folders, or binaries that CA itself says should be there. A blatant attempt at scaring people into buying shoddy software." Read on for the details of what was found, and what was actually on the system.

"If it matters, here's what it reported, and what was there on my system:

  • System Spy - Key Logger. Mistook MSFT's SourceSafe executable for the keylogger. None of the other registry keys, folders or binaries were present.
  • Fake CD .99 - Cracking Tool. Mistook the generically-named unins000.exe that InstallShield uses as the cracking tool. None of the other binaries were present.
  • Ezula TopText - Adware. Mistook the installation of Flash as the adware. Stupid.
  • BonziBuddy - Spyware. Mistook a common library installed by Borland's CaliberRM (EZSMTP object) as the spyware.

None of the other binaries, folders or keys (of which there are many) were present."
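The false positives listed above all come from a signature firing on one generically named file while none of the pest's other indicators are present. The following is an added example (Python; not CA's scanner and not code from the story) that contrasts reporting a pest on any single indicator with requiring corroboration across indicator types (binary, registry key, folder) before a hit is reported. Only the name "Fake CD .99" and the file unins000.exe come from the story; the remaining signature contents, the "DemoSpy" signature, and both host snapshots are constructed for the example.

```python
"""Indicator corroboration for 'pest' signatures.

Added example; not CA's product and not code from the story. It contrasts
reporting a pest whenever one indicator matches (the behaviour the submission
describes, where a generically named unins000.exe was enough) with requiring
matches across several indicator types before a hit is reported.
Signature contents and host snapshots are constructed for the example.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    category: str
    file_names: frozenset      # basenames of binaries the pest is known to drop
    registry_keys: frozenset   # registry keys it creates
    folders: frozenset         # directories it creates
    min_types: int = 2         # distinct indicator types needed before reporting a hit


@dataclass(frozen=True)
class HostSnapshot:
    file_paths: frozenset      # full paths of files found on the machine
    registry_keys: frozenset
    folders: frozenset


def _norm(s):
    """Case-insensitive comparison key, ignoring a trailing backslash."""
    return s.strip().lower().rstrip("\\")


def match_indicators(sig, host):
    """Return, per indicator type, the signature entries present on the host."""
    host_basenames = {ntpath.basename(p).lower() for p in host.file_paths}
    host_keys = {_norm(k) for k in host.registry_keys}
    host_dirs = {_norm(d) for d in host.folders}
    return {
        "files": {f for f in sig.file_names if f.lower() in host_basenames},
        "registry": {k for k in sig.registry_keys if _norm(k) in host_keys},
        "folders": {d for d in sig.folders if _norm(d) in host_dirs},
    }


def classify(sig, host, single_indicator_mode=False):
    """'clean', 'review' (some evidence, below threshold) or 'hit'."""
    matched = match_indicators(sig, host)
    types_hit = sum(1 for found in matched.values() if found)
    if types_hit == 0:
        return "clean"
    if single_indicator_mode:
        return "hit"   # any one match is reported: the behaviour the story describes
    return "hit" if types_hit >= sig.min_types else "review"


def scan(host, signatures, single_indicator_mode=False):
    return {sig.name: classify(sig, host, single_indicator_mode) for sig in signatures}


# Constructed signatures. Only "Fake CD .99" and unins000.exe come from the story;
# every other indicator value is invented for the example.
SIGNATURES = (
    Signature("Fake CD .99", "Cracking Tool",
              frozenset({"unins000.exe", "fakecd99.exe"}),
              frozenset({r"HKLM\Software\FakeCD99"}),
              frozenset({r"C:\Program Files\FakeCD99"})),
    Signature("DemoSpy", "Key Logger",
              frozenset({"demospy.exe", "dshook.dll"}),
              frozenset({r"HKLM\Software\DemoSpy", r"HKCU\Software\DemoSpy"}),
              frozenset({r"C:\Program Files\DemoSpy"})),
)

# Constructed clean host: its only overlap with any signature is an ordinary
# uninstaller named unins000.exe.
CLEAN_HOST = HostSnapshot(
    frozenset({r"C:\Program Files\Vendor App\unins000.exe",
               r"C:\Program Files\Vendor App\vendorapp.exe",
               r"C:\Windows\System32\notepad.exe"}),
    frozenset({r"HKLM\Software\Vendor App"}),
    frozenset({r"C:\Program Files\Vendor App"}),
)

# Constructed host carrying every Fake CD .99 indicator.
INFECTED_HOST = HostSnapshot(
    frozenset({r"C:\Program Files\FakeCD99\fakecd99.exe",
               r"C:\Program Files\FakeCD99\unins000.exe"}),
    frozenset({r"HKLM\Software\FakeCD99"}),
    frozenset({r"C:\Program Files\FakeCD99"}),
)

if __name__ == "__main__":
    for label, host in (("clean host", CLEAN_HOST), ("infected host", INFECTED_HOST)):
        print(label, "single-indicator:", scan(host, SIGNATURES, True))
        print(label, "corroborated:   ", scan(host, SIGNATURES))
```

On the clean host the single-indicator mode reports "Fake CD .99" as a hit purely because of unins000.exe, while the corroborated mode only marks it for review (log it, do not alarm the user); on the host that carries the real binary, registry key and folder, both modes report a hit.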

4 of 37 comments

  1. FYI re: AVG Free Edition by Tumbleweed · · Score: 4, Informative

    Speaking of virus scanners, I've got the new v7 of AVG's free edition on my newly-installed system, and found something odd. Some virus infections require Grisoft's "vcleaner.exe" program (from their website) to clean infections. Strangely, this also scans the entire system, and found (& fixed!) some things AVG itself didn't even find. Bizarre.

  2. Re:Help... file delete by Johnno74 · · Score: 3, Informative

    Yes, there is a tool to tell you what process is holding a lock on a file - you mentioned it in your article too!

    Use process explorer from Sysinternals. (free download)

    If you use the "find handle" function, and enter the filename, or partial filename, it will list the processes that have this file opened. The find dll function is similar, but finds all processes that have loaded the specified DLL. Very handy for spyware that lives in a dll and has loaded itself with rundll.exe...

    It's an incredibly useful tool. It's one of the first apps I install after a rebuild.

  3. Unfortunately these tactics are too common by Mycroft_VIII · · Score: 4, Informative

    Unfortunately lots of free/shareware 'anti-spyware' tools generate false positives and do other 'wrong' things to get you to buy the full version. Some only find the malware, but make you pay to clean them out, and some don't work so well, and worst are the ones that install their own spyware and only clean out 'competitors'.
    There is a site that tracks and lists quite a few 'rogue' anti-spyware programs:
    http://www.spywarewarrior.com/rogue_anti-spyware.htm
    One of the things they advise against is following any Google ad; it seems buying ads on Google is very popular with the bad anti-spyware makers.
    Personally I just stick with Spybot S&D and Ad-Aware for most malware and AVG for anti-virus.
    And the LAST thing I'd ever do is trust some website to scan my computer; no telling what info they are collecting along with the scan to provide 'marketing data' for their 'business partners'.

    Mycroft

    --
    https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
  4. Re:Help... file delete by rpresser · · Score: 2, Informative

    Even quicker in many instances is Sysinternals handle.exe, a commandline version of the find handle function.
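Comments 2 and 4 above describe locating the process that holds a file open with Process Explorer's "Find Handle" or its command-line counterpart handle.exe. The following is an added example (Python; not from either commenter and not Sysinternals code) that parses a handle.exe listing and groups the File handles matching a name fragment by process, which is the step you need before a locked file can be removed. The sample listing is constructed, and the assumed line layout (process, pid, type, handle value, object name) follows handle.exe's default output as understood here; the `-accepteula` switch and the name-fragment argument are the tool's own.

```python
"""Find which processes hold a given file open, from Sysinternals handle.exe output.

Added example; not from the comments above and not Sysinternals code. handle.exe
is the command-line counterpart of Process Explorer's "Find Handle". This script
parses its listing and groups matching File handles by process so the process
locking a file can be identified before the file is cleaned up. The sample
listing below is constructed; the line layout is assumed to follow handle.exe's
default output (process, pid, type, handle value, object name).
"""
import re
import subprocess
from collections import defaultdict

# One handle per line: "<process>  pid: <n>  type: <Type>  <hex>: <object name>"
HANDLE_LINE = re.compile(
    r"^(?P<process>\S+)\s+pid:\s*(?P<pid>\d+)\s+type:\s*(?P<type>\w+)\s+"
    r"(?P<handle>[0-9A-Fa-f]+):\s*(?P<name>.+?)\s*$"
)


def parse_handle_output(text):
    """Return one dict per handle line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = HANDLE_LINE.match(line)
        if m:
            rows.append({"process": m["process"], "pid": int(m["pid"]),
                         "type": m["type"], "name": m["name"]})
    return rows


def holders_of(text, fragment, handle_type="File"):
    """Map (process name, pid) -> sorted object names containing `fragment`.

    Matching is case-insensitive and restricted to one handle type, so an
    Event or Section object with a similar name is not mistaken for a file lock.
    """
    needle = fragment.lower()
    found = defaultdict(list)
    for row in parse_handle_output(text):
        if row["type"] == handle_type and needle in row["name"].lower():
            found[(row["process"], row["pid"])].append(row["name"])
    return {key: sorted(names) for key, names in found.items()}


def run_handle(fragment):
    """Run handle.exe for a name fragment (Windows only; needs handle.exe on PATH)."""
    result = subprocess.run(["handle.exe", "-accepteula", fragment],
                            capture_output=True, text=True, check=False)
    return holders_of(result.stdout, fragment)


# Constructed sample of a handle.exe listing (not real output).
SAMPLE_OUTPUT = r"""
Handle viewer (constructed sample header)

rundll32.exe       pid: 3124   type: File           1C8: C:\Windows\Temp\adhelper.log
rundll32.exe       pid: 3124   type: Event          1D0: \BaseNamedObjects\adhelper
svchost.exe        pid: 812    type: File           2A4: C:\Windows\System32\config\SOFTWARE
notepad.exe        pid: 5052   type: File            A8: C:\Users\me\Documents\notes.txt
"""

if __name__ == "__main__":
    for (proc, pid), names in holders_of(SAMPLE_OUTPUT, "adhelper").items():
        print(f"{proc} (pid {pid}) holds: {', '.join(names)}")
```

Filtering on the handle type matters: in the sample, rundll32.exe also owns an Event object named "adhelper", and only the File handle tells you which process is actually keeping the file on disk busy.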