New Anti-Spyware Tests[Eric L. Howes]

Discussion in 'other anti-malware software' started by hayc59, Oct 9, 2004.

Thread Status:
Not open for further replies.
  1. hayc59

    hayc59 Guest

    New Anti-Spyware Tests
    Hi All:

    Over the past 2 days I've performed yet another round of tests with 20 anti-spyware scanners, this time using a new collection of spyware and adware picked up from my favorite "test" site, "Innovators of Wrestling" ( As before, I identified a core set of "critical" detections and monitored how throughly each anti-spyware scanner removed the "critical" detections. You can find a list of those detections on the Guide page here:

    The results of this new round of tests can be found on these two pages:

    As I requested before, please have a look at the Guide page before proceeding to the results pages. The Guide page has been revised to account for these new tests. As always, the "Disclaimers" section on the Guide page is "must read":

    One aspect of these latest tests worth noting: the collection of spyware and adware used for this round of tests included some especially nasty software that proved difficult, if not next to impossible to remove for the anti-spyware scanners. In particular, the key processes for the following adware/spyware was not killable at all:

    IBIS Toolbar/Websearch
    IBIS Toolbar/WinTools

    The executables were simply too well protected in memory. Even the DiamondCS process tools APM and APT could not remove those processes and modules from memory.

    The standard procedure that anti-spyware scanners use in this situation is to remove the files on reboot by configuring the scanners to run through the HKLM\...\RunOnce key. Not a single anti-spyware scanner succeeded in doing that, however, because one of the above processes -- or perhaps it was the VX2 3dsdpi.dll module that was attached to the Winlogon process, a core Windows system process -- blocked changes to the RunOnce key. Still worse, the files mentioned above could not even be removed in Safe Mode.

    This all is a potentially huge problem. The only way I succeeded in removing those files was to boot to a command line using SysInternals' ERD Commander 2000. A bootable CD could be used to achieve the same result.

    Finally, before anyone asks, let me indicate right now that I am not going to put together a table summarizing the combined results of both rounds of tests. Were I to do so, that table would immediately be taken as a definitive ranking of the products tested, and that kind of ranking is simply not warranted solely on the basis of these two rounds of tests. Moreover, I know that once that table appeared, people would link only to the table, and the rest of the critical information and context regarding these tests would get lost in the rush to judgment.

    In any case, questions, comments, and suggestions are always welcome.


    Eric L. Howes
  2. azumi21

    azumi21 Registered Member

    Aug 16, 2004
    Cheers to you Eric !!!
  3. controler

    controler Guest

    There is a new Freeware AnitSpyware program in BETA

    Was wondering how it compares and if any have tried it out.

  4. TopperID

    TopperID Registered Member

    Oct 1, 2004
    Those Eric Howes tests have been doing the rounds of the various Forums for a few weeks now - they have done wonders for the sale of Giant AS, but really they make for very depressing reading. Even if you have a combination of several of the leading scanners, you are still unable to fix a fairly substantial proportion of ITW spyware. And if you just rely on Spybot S&D - Ugh!!!
  5. LockBox

    LockBox Registered Member

    Nov 20, 2004
    Here, There and Everywhere
    That is sobering. I'm glad to know that I'm not the only one who can't get rid of IBIS Toolbar. I tried everything with a client's computer and had been researching this. I've never seen anything like it. Thanks Eric for another round of tests.
  6. richrf

    richrf Registered Member

    Dec 11, 2003
    Hi everyone,

    I'm searching for some enlightenment on the issue of IBIS Toolbar:

    1) Does KAV 4.5. or PG 3.0 block its installation?
    2) Is it possible to block it in Firefox, without turning off javascript completely?
    3) Are their any other prevention measures available/necessary when using Firefox?

    As always, thanks much for your help in answering these questions for me.

Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.