Mark L. Ferguson
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt
1) Known bugs/errors/unpopular features
a) Various mis-spellings and errata (e.g. "TxtFocus")
b) scan stops unexpectedly when clicking areas like "Microsoft AntiSpyware Beta1" graphic or some menu items
c) Win9x installs are not supported. (expected behavior)
d) Enterprise end user could block processes domain administrator wants to run (http://support.microsoft.com/kb/892375)
e) CoolWebSearch, VX2 versions not detected (for cws run antispy in safe mode twice, or
http://www.intermute.com/products/cwshredder.html)
f) false positives ( try submitting yours at: http://www.spynet.com/falsepositive.aspx )
Vendors: fill out a dispute form located at http://www.spynet.com/vendors.aspx
1) TAPICFG.EXE
2) EZCyberSearch
3) Network Essentials
4) Various false PC Spy (Commercial Key Logger)
5) Remote control software (VNC et.al.)
6) chktrust.exe part of .Net Framework.
7) sporder.dll (sometimes real)
8) IE5 Toolbar Wallpaper from MS IE5 Web Accessories is falsely identified as GonnaSearch
9) Outlook Express Mail Store folders (QUARANTINE, don't delete, till you determine what is)
10) MessengerPlus
11) Weatherbug/AOL (only advanced features are spyware)
12) SearchSquire (bug filed, slated for exception)
13) script file and other comments identified as virus (iMesh)
14) tvenuax.dll (TruVoice file)
15) PCduo
16) eloglist.exe and psexec.exe from sysinternals
17) nProtect KeyCrypt 1.0
18) RadLight
19) Nullsoft Sex
20) Zipdll.dll
21) TimeSync from Blue Nomad for a PDA
22) Spybot Search & Destroy (some immunity registry entries)
23) beta.toolbar.msn.com as a browser hijacker homepage
24) SCRRUN.DLL (sometimes)
25) MediaTickets CDT domains
26) HelpHost.exe to go to remote host windows.microsoft.com
27) WINREP
28) Borland Database Engine
29) nsldapssl32v30.dll (Netscape and others)
30) moo.dll (MIRC)
31) Hummingbird DM Toolbar
32) StartNow Hyperbar
33) cat.exe (unix cat utility for windows)
34) ZipGenius
35) BearShare lite and pro (adware if free)
36) DOT.exe
37) instsrv.exe from NT Resource Kit
38) StumbleUpon Toolbar [2]
39) Lucent DSA
40) EditPad.exe by jgsoft.com
41) winsys.exe
42) PVM (Parallel Virtual Machine)
43) TrayIcon V1.00
44) flashget with no banners
45) "Sports" and other folders in Favorites
46) Ace AHTML Pro 5
47) BEEE from IOpus is detected as a keylogger
48) Bootvis
49) ?
g) DPI settings (not default) corrupt display
h) scan time settings (12:00 PM, et.al.) not correct.
i) Notification icons behave incorrectly
j) Non-english time display problems
k) Tracks Eraser failures
l) Multi-user installs not working (Limited User errors, Fast User Switching, etc.)
m) Flying Alerts (Taskbar not at the bottom)
n) Script blocking not manageable
o) Abnormal Termination (Shell Execute hooks, et.al.)
p) No "Failed Install" notice
q) Tracking Cookies not deleted. (This feature is not included in this beta release, next version will do that)
r) Accessibility features not included (for the beta)
s) Reactivate blocked items not working (There is a workaround. Copy out, delete original, copy back)
t) CPU usage 100% (under study for specific hardware causes; stop antivirus while spyscanning)
u) network and firewall related problems (winsock): http://support.microsoft.com/kb/892350
v) Failure to launch UI under XP after apparently successful install
w) Script and batch files working directory defaults to ../system32 (on unblock instance only)
x) PrimalScript editor - edit runs file
y) "gcasDtServHolder" popup window (possibly Tweak UI's alt-tab setting)
z) Hibernation slow or disabled on laptops
aa) Ignore closes the browser
bb) User Redirected Shell folders (My Documents, and others)
cc) 'Results of scan' (Show Summary) popup can't be disabled.
dd) When you terminal serve (Remote Desktop) into a computer, the MS AntiSpy (beta) icon will turn blue
ee) Firewall dead (see: http://support.microsoft.com/kb/892350 )
ff) ansi.sys disabled
gg) Network Connection folder icons no longer listed as 'connected' after doing a winsock fix. (toggle the checkboxes off, restart,
and on, in Firewall settings, advanced tab)
hh) Kazaa files lost
ii) proxy error on manual update or report submission (Sun Java VM? Non-MS browser, like firefox? Try later, server down?)
jj) Dell machines ask for setup disk on scan
kk) Shortcut 'hotkey' delayed opening.
ll) totally successful scans only happen in Safe Mode
mm) Menu mouse-overs fail (after opening a menu)
nn) HOSTS file permission and blocking features.
oo) Windows Explorer menu item missing (Conflict caused by ATI Multimedia DAO (uninstall-reinstall it))
pp) RUN Key in the registry is not cleared. (perhaps virus rather than spyware, as well as maybe a bug or needed feature)
qq) Search not restored after search spy/hijack removal.
rr) Multiple instances of gcasservalert
ss) scan on startup impacts system performance during the scan
tt) version wrong in Help, About
uu) WINTOOLS lockup (uninstall from add/remove app, and run a safe mode scan)
vv) TeaTimer from spybot causes performance hit
ww) Realtime Protection popup closes too fast
xx) Windows Key (Winkey) functions disabled (R and others)
yy) home page changes to MSN (Fast User Switching issue)
zz) "gcasServ.exe - No Disk" popup when flashdrive inserted into USB
aaa) Horizontal scroll bar missing in spyware scan results
bbb) slow scan startup
ccc) Hibernation problems with some antivirus software (not defined yet)
ddd) gcasServ.exe (installer conflicts for 16-bit apps)
eee) gcasServ.exe (process continues running needlessly)
fff) "Allowed" title for popup for 'blocked' event
ggg) MSNList.com not detected
hhh) DSO Exploit not detected (Spybot S&D DSO Exploit Fix : http://www.majorgeeks.com/download4392.html )
iii) antispy 'timed' popup windows have no 'close' option
jjj) Deactivated Checkpoints Cannot Be Reactivated
kkk) Virtual Memory errors (run a deep scan in Safe Mode.)
lll) "unblock" instruction fails
mmm) System Restore not cleaned (use 'disk cleanup's option for that)
nnn) Scan results window missing from the 'z' order. (can't alt-tab to scan results window)
ooo) TweakUI's Alt-Tab setting hides alerts.
ppp) Intel Storage Driver causes the crash
qqq) Help/About shows wrong version of definitions (click the 'Diagnostic' button)
rrr) ?
2) FAQ's (see also: Frequently asked questions about Microsoft Windows AntiSpyware (Beta):
http://www.microsoft.com/athome/security/spyware/software/faq.mspx )
a) "I like it" (Thanks for testing the beta and providing feedback.)
b) bug reports? (Yes, file in this newsgroup. Please title the message so it is Obvious it is a bug, error, or false positive)
c) Deployable via SUS, Enterprise? (This is still under consideration)
d) MS AntiSpyware cannot start with error 101 (Use the Update feature in Add/Remove, "Change" (see last entry below))
e) Giant Software owners (see page http://www.giantcompany.com/commonQuestions.htm#gen_beta for more information about general
questions for currently licensed customers of Giant Software)
f) Group Policy options available? (Under consideration)
g) about:blank issues (Click Tools, Suspected Spyware Report, and submit it to Spynet)
h) Uninstall MAS? (Add/Remove app in Control Panel)
i) "Is there a tutorial for this software?" (Tutorial - How to use the Microsoft AntiSpyware Beta to remove Spyware:
http://www.bleepingcomputer.com/forums/tutorial98.html)
j) "Is the Security Center going to include this?" (probably)
k) " Language Settings are ignored." (beta is English only)
l) "Does this beta expire?" (Yes, see Help menu, About)
m) "My antispy expired already!" (change to English in Regional Settings, to run the beta)
n) "Limited users cannot run the scan, make it a service."
o) "Why not include a 'Winsock Repair Tool'?" (they are working on a way to take care of that issue (also see 3)-e) below))
p) "it doesn't scan for Cookies!" (next beta release will do that)
q) "Scheduled scans do not run!" (you have to be logged on for the scan to run)
r) "Update fails with third party firewall" (see *firewall entry below)
s) "When do we get the next version of the beta (or release date for final)" (When it's ready)
t) "Can you update definition files from a downloaded copy?" (not yet, under development)
u) "What criterion is used to determine what is spyware?" ( Microsoft Windows AntiSpyware (Beta) identifies a program as a spyware
threat: http://support.microsoft.com/kb/892340 )
v) ?
3) Remarks
a) "it doesn't work!!" (It's a "Beta")
b) "Will it be free, or not?" (Not announced yet)
c) "My software is falsely accused of spying!" (http://support.microsoft.com/kb/892340 MAS incorrectly identifies a program as a
spyware threat)
d) "The error.log file gets too big!" (It's a "Beta")
e) "It's NOT a Bug!" (many spyware removals will expose relic damage, Repair the system)
f) Various other rants and trolling (yawn)
created by Mark L. Ferguson (NOT an MS-MVP)
free for re-publication
(If you would like to post reply comments or additions, anything but a rant is fine.)
AntiSpy newsgroup info >> Newsserver: privatenews.microsoft.com Username privatenews\spyware Password: spyware
(or) Support newsgroup : http://communities.microsoft.com/newsgroups/default.asp?ICP=spyware&sLCID=us
*Error 101 fix (choose a non-default location for the install, e.g "C:\msas\" or )
Open up control panel and double-click on add/remove programs.
Select Microsoft AntiSpyware
Select "Change"
On the Microsoft AntiSpyware Maintenance Wizard, click next.
On the next screen (Microsoft AntiSpyware Maintenance Wizard) select Update
Microsoft AntiSpyware and click next.
Select Install
Let the product update.
Click Finish.
Be sure the DCOM service is running ( start/run, type: C:\WINDOWS\system32\svchost -k DcomLaunch )
Retry Windows AntiSpyware
Another Error 101 fix -
Windows Installer cleanup tool:
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301
*Update with third party firewall
Customers with software firewalls need to grant access to the programs
below in order to keep Microsoft AntiSpyware up to date as well as upload
unknown threats to the spynet community.
GiantAntiSpywareMain.exe
gcasDtServ.exe
MicrosoftAntiSpywareUpdater.exe
gcasServAlert.exe
Customers with hardware firewalls only need to verify ports 80 and 443 are
open.
*