February 1, 2010
There is a strong possibility of IObit Security 360 being malware or, if not, at least being infected with one. I removed it because either way it is unacceptable to me. By the way, it is an antispyware from IObit. This is the operating procedure I used to uninstall & cleanse, & it worked perfectly for me.
I uninstalled it because I felt its behaviour to be untrustworthy. Given the situation I used Revo rather than the app's own uninstaller – obviously:-
1) In our Windows OS all apps are supposed to be opened only by Windows Explorer (this is for our safety) because only Windows Explorer is the file manager. Or else only an app which has a digital signature is allowed to open itself provided the user approves of this. IObit Security neither has a digital signature nor is it supposed to behave like a file manager. It is an antispyware. How can (or why should) an antispyware launch an app? Very suspicious; very bad; very sad. Refer forum thread “Updating Giveaways Painlessly”. This bad action could be a backdoor entry into your file manager.
2) Before uninstallation I created a restore point choosing only 2 tools this time:-
a. Glarys Utilities Pro because:-
1. It is a reliable app – a proven warhorse
2. It comes from a country different from what IObit is from – so the risk of bad apps acting in concert with each other is somewhat minimized. Glarys HQ, by the way, is based in the USA. They choose to keep their server address a secret though.
3. http://www.dottech.org gave us Glarys Utilities Pro
4. By the way Glarys Utilities Free is also a trustworthy app
b. jvPowerTools 2009 because:-
1. It is a reliable app – a proven warhorse. Refer forum thread (Registry cleaning deep scan)
2. It comes from a country different from what IObit is from – so risk of bad apps acting in concert with each other is somewhat minimized. jv PowerTools 2009 comes from Macecraft of Finland
3. http://www.dottech.org gave us jvPowerTools 2009. Thanks
4. There is a genre of apps which are coded by developers who are user aficionados & internet well-wishers. They write code out of passion & a sense of service. They do not write code only for the sake of hacking or crass commercial considerations. The pedigree of such apps is excellent & their reputation trustworthy.
3) Given the context I chose to create a Restore Point rather than a Registry Backup. I did this before registry cleaning. A Restore Point saves registry settings only inside the registry. A registry backup does a similar thing but by saving your registry file as a hive on your hard disk. A registry hive is the file format used if a registry is to be saved on your hard disk. I was reluctant to save a hive. Saving a hive meant that I would have the same devil 2 times – once in my registry & again on my hard disk. Why should I let the same thief into my house twice? After registry cleaning I created a Restore Point rather than a Registry Backup – again using only Glarys & jvPowerTools
4) I chose not to use Advanced SysCare (for this registry cleaning exercise) only because it is a sister product of IObit Security 360. Beyond that I cannot comment on Advanced SysCare. I do not want to fire a gun which is half-cocked anyway.
5) Throughout this entire exercise I obviously kept the internet firmly shut off.
6) IObit Security 360 committed other sins too. In the last fortnight it has been repeatedly trying to hook my keyboard. I blocked this & still received full functionality.
7) In the last 3 days its updater has been trying to read my screen. An updater does not need to read your screen in order to update. An updater neither needs to read a window it owns nor an unowned window. I blocked this & still received full functionality.
8) I watched which registry entries got removed. It was okay.
10) After all this hoopla I used my battery of good apps (thanks http://www.dottech.org for many of them) & cleaned my drive, traces, shortcuts & registry. I did this before switching the internet back on. For this type of cleaning up I chose to use CCleaner (to clean traces), History Killer Pro, Glarys Pro, Ashampoo Win Optimizer 2010, jvPowerTools 2009, WinUtilities Pro 9.41 & one other app. Other than CCleaner the apps named here are thanks to http://www.dottech.org
11) I did this second phase of cleaning only because some apps phone in to their headquarters to report extensive logs of your usage. This might even include the act of your uninstalling that app. Therefore I cleaned the genres mentioned in point 10. By the way all apps do not phone in or at least do not phone in whenever you start up. Phoning up may be a market survey of your computer usage or it may be spying. You need to figure that out based on the pedigree of the app. There are therefore good phoners, bad phoners & even non-phoners.
12) When switching the internet on again I ensured “WinPatrol” & “Anvir Task Manager” were on – thanks http://www.dottech.org for Anvir. I also switched on an excellent app called “What’s my computer doing”. These 3 apps told me which processes were phoning in when I re-started the internet. If your computer is on & your internet is on, “What’s my computer doing” will tell you what your drive is reading or writing irrespective of whether none, 1, some or all apps are phoning. For “What’s my computer doing” the internet needs to be on.
13) I then checked if all my apps which were from the same country as IObit continued to function. I did this because some apps operate in concert with each other. All apps including “concert apps” functioned well. Touch wood! Even if none, 1, some, or all those “concert apps” did not function I would still keep IObit Security 360 out of my system. From this I could reconfirm my intuition that the blighted app had got a backdoor entry into the file manager (Windows Explorer) but for the present had dropped no payload. Touch wood I acted fast enough.
12) Only after that the internet was switched back on to post this to you.
Like you I dislike & barely tolerate bad behaviour whether from people or from apps. There is a commitment & conscience to this blog family because it happens to be a set of good people. I did not want anyone to feel that just because we are good people that automatically made us dim-witted or weak.
Jeanjean as per your kind advice I made this a separate thread. I hope it proved helpful.
A webmaster plays an important role in 3 ways:-
1) provide good apps
2) provide good reviews
3) cover various bases while forging alliances with developers
Grateful yet again to our webmaster.
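The post above relies on third-party tools (WinPatrol, Anvir Task Manager, “What’s my computer doing”) to see which processes connect out once the internet is switched back on. The following is an added example, not from the thread or any of those products, showing how the same question can be answered from PowerShell alone. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection comes from the NetTCPIP module) and, to read the paths of processes owned by other accounts, an elevated session; the function and parameter names are my own.

```powershell
# Added example (not from the thread): list established TCP connections together with
# the owning process, so "who is phoning out" can be checked before and after an app
# or its updater is started. Assumes Get-NetTCPConnection (Windows 8+) is available.

function Test-IgnoredAddress {
    param([string]$Address, [string[]]$Prefixes)
    # Loopback and link-local traffic is not "phoning home"; skip it.
    foreach ($p in $Prefixes) { if ($Address.StartsWith($p)) { return $true } }
    return $false
}

function Get-OutboundConnection {
    [CmdletBinding()]
    param(
        [string[]]$IgnorePrefix = @('127.', '::1', '169.254.', 'fe80:')
    )
    Get-NetTCPConnection -State Established -ErrorAction Stop |
        Where-Object { -not (Test-IgnoredAddress -Address $_.RemoteAddress -Prefixes $IgnorePrefix) } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            # StartTime and Path can throw "access denied" for protected processes
            # when not elevated; treat that as unknown rather than aborting.
            $started = $null; $path = $null
            if ($proc) {
                try { $started = $proc.StartTime } catch { $started = $null }
                try { $path = $proc.Path } catch { $path = $null }
            }
            [pscustomobject]@{
                Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
                PID       = $conn.OwningProcess
                Path      = $path
                Remote    = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
                LocalPort = $conn.LocalPort
                Started   = $started
            }
        }
}

# Usage: take one snapshot, start the application under suspicion (or let its updater
# run), wait, take a second snapshot, and show only the connections that are new.
$before = @(Get-OutboundConnection)
Start-Sleep -Seconds 30
$after  = @(Get-OutboundConnection)
Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Process, Remote |
    Where-Object { $_.SideIndicator -eq '=>' } |
    Format-Table -AutoSize
```

A process with no Path shown is usually one running under another account or protected by the kernel; rerun elevated before drawing conclusions. This only shows TCP connections that are open at the moment of the snapshot, so a short-lived update check can be missed; Windows Firewall logging or a packet capture is the way to see those.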
February 1, 2010
What was the issue about Malwarebytes’ Anti-Malware versus IObit Security 360
1) www.dottech.org had reported it in detail & so did other reputed websites
2) In layman's terms the former accused the latter of intellectual property theft. Subsequently the latter removed that entire portion of their database. As a result the latter’s database shrank by 40%
3) IObit Security 360 had asked its users to keep sending it malware samples so that they could keep designing a protection. Users did. IObit not only used the exact signature but also the exact key (i.e. a name given to the signature). These were the same signatures & keys Malwarebytes’ Anti-Malware had picked up earlier
4) Malwarebytes’ Anti-Malware smelt a rat. They developed fake signatures & gave them fake keys (i.e. names). Sure enough IObit Security 360 picked up exactly those signatures & even retained the same keys. By the way those fake signatures & fake keys were harmless.
5) Users were horrified & the vendor/app name got blighted
6) In its defence the blighted app maintained that:-
a. It was not a malevolent act but a stupid one
b. Stupid because its analyzer gave the key the same name as the other app. In acting thus the analyzer was acting with stupid honesty rather than with cunning intention. IObit never made it clear whether the analyzer was a human or just a machine. It’s bad enough anyway.
By the way the blighted app offered far more updates before the blight but reduced the number of updates quite drastically after the blight.
Jeanjean this is the gist. Hope it helps.
September 1, 2009
Congrats, you are making Indians proud by your deep, painstaking and meticulous analysis. I have no doubt that you are very intelligent. I agree China is synonymous with dumping quality hardware and spyware-bundled software. I have never seen any Chinese helping anyone anywhere on any blog. Biggest population though.
I never install anything except ASC Pro. Splayer is the best all-media player; I have to use it through Sandboxie since it tries to inject poison. But my dear friend, it does have a digital signature. How do we know that? Simple. Just right-click on the setup file you downloaded and you will see the Digital Signatures tab, in which you will see IObit, no email, no date. Whenever you don't see the Digital Signatures tab, that means those are not having a digital signature. This one has it if you downloaded from a good site like download.com or softpedia.com.
The Chinese may be copycats from Malwarebytes; as you say they lost the case and it was established they were the culprit. But you have not stated how you say it is logging and sending reports. How, through File Manager? Generally anti-virus and anti-spyware have to immediately connect to the internet for update purposes. They have to install special drivers and deep hooks into the kernel of the OS.
Your reply will be welcomed by all Dottech people as we all have concerns. Which application tells you that it is doing anything wrong and what is the exact message? If you have broadband, please upload it to VirusTotal. It will be able to detect anything since VirusTotal does heuristic scans as well.
Thanks, hope you reply
May 25, 2009
Thanks for all these explanation Ramesh !
As I said in your previous post, I recently found a software which removes any trace after uninstallation of the IObit products.
The name is "BitRemover" (102 KB – safe for Total Virus).
I'll remove the 2 products as a measure of precaution.
There are enough other products which do the same job efficiently.
May 25, 2009
I forgot the link: http://www.t-tools.nl/bitremoveren.php
February 1, 2010
Hi Ruchir 9897 – Missed you the last few days. Positive attitude, supporting hands, sharp questions & helpful tips – that’s Ruchir all the way!
Since you’ve raised many issues I’ll break this reply into a couple of posts rather than a single post. Some are replies to you & some are things I want to learn from you. Please teach me the things I wish to learn from you. I am counting on your help.
My replies to you
1) Digital Signature
2) Backdoor entry vs. payload
3) Advanced Sys Care Pro
4) Mischief-detection apps
What I want to learn from you
1) How do you use Deep Scan in Advanced SysCare Pro? The app does not explain the scan results at all.
2) What I do not understand is you have chosen to continue using an app inside Sandboxie even though the app has a poison. What is that app? What is its poison? Why are you using it in spite of its poison? Please share the insights. All I know is that Sandboxie offers the benefits & safety of a virtual computer.
3) Is there a standard operating procedure which can tell me in a foolproof manner whether I have enough CPU resources and/or RAM and/or virtual memory to create a virtual computer for myself? I want to know before I create one.
4) I’ve read Locutus post. Does creating a virtual computer automatically give me the advantages of a Sandboxie even if I do not use Sandboxie?
5) Will using VirusTotal clash with my antivirus Avast? Avast, like all antivirus, is a RAM-resident app. So will it clash?
February 1, 2010
Digital Signatures – Technically an app has one & yet practically it does not!
1) Bullseye! You are absolutely right it has a digital signature because when you right click on its exe you get to read the properties of its digital signature. Sorry I had not elaborated my steps nor had I phrased my post clearly. Technically it has a digital signature. Practically it does not have a digital signature. Let me explain why I still say that it does not have a digital signature as far as I am concerned. It is inferential & not a factual statement. The inference however is more useful than the fact.
2) Ideally the following things should happen. Firstly the developer should have created a developer profile especially (or at least) in a trustworthy website (cnet.com etc etc) from where you download the exe or zip from. Right? Yet not every developer creates a developer profile even in a trustworthy website like Cnet! Do they have something to hide? This is sad behaviour – even though he gives you a digital signature in your file manager (windows explorer)
3) Secondly the developer’s own website should always be accessible in a giveaway site. Sometimes it is not (I am not referring to IObit but generally). Even if you use different browsers or different user agents within your browser to mimic other browsers even then his site remains inaccessible. This is sad behaviour – even though he gives you a digital signature in your file manager (windows explorer). Why?
4) Thirdly, pedigreed apps like Spyware Terminator are user-friendly whistle blowers. They blow the whistle if “according to their database” your app does not have a digital signature. These guys are pedigreed, friendly & skilled specialists in their area of expertise. They won’t get fooled by an app simply because it has given its digital signature to Windows Explorer. Therefore they do not put that app into their “good boy list” database. They alert you if the app gets opened not by Internet Explorer or by itself but by someone who is not authorized to open it. That is why they squealed about IObit Security 360. They were protectively indignant that an antispyware opened the app when it is not supposed to do so. Spyware Terminator points out the culprit by giving you the name of the parent process – in this case IObit Security 360.
In the next post I’ll share my reasoning as to why our OS tolerates such transgressions & how such a transgression occurs.
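Ruchir’s post above describes checking a download by looking for the Digital Signatures tab in its Properties, and the post just above argues that the presence of a signature on its own settles less than it seems to. The following is an added example, not from the thread or from any product discussed in it, that performs the same check from PowerShell and reports what the signature actually establishes: whether the file is unmodified since signing and whether the signer chains to a root this machine trusts. Get-AuthenticodeSignature ships with Windows PowerShell; the function name and the installer path are my own placeholders.

```powershell
# Added example (not from the thread): report the Authenticode signature of a file.
# Status values come from the SignatureStatus enumeration:
#   Valid        - signed, chain trusted by this machine, file unchanged since signing
#   NotSigned    - no embedded signature (and, on PowerShell 5.1+, no catalog entry)
#   HashMismatch - signed, but the file was modified after signing
#   NotTrusted   - signed, but the chain does not lead to a trusted root
#   UnknownError - signature present but could not be verified for another reason

function Get-SignatureReport {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status
        StatusText  = $sig.StatusMessage
        Signer      = if ($cert) { $cert.Subject }    else { $null }
        Issuer      = if ($cert) { $cert.Issuer }     else { $null }
        ValidUntil  = if ($cert) { $cert.NotAfter }   else { $null }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        # A countersignature timestamp keeps the signature valid after the cert expires.
        TimeStamped = [bool]$sig.TimeStamperCertificate
    }
}

# Usage: replace the placeholder with the installer you downloaded.
$installer = 'C:\Downloads\setup.exe'   # placeholder path, not from the thread
Get-SignatureReport -Path $installer | Format-List
```

Two points the report makes explicit that the Properties tab does not: Status is Valid only when both the hash and the trust chain check out, so a file that was tampered with after signing shows HashMismatch even though the tab still lists a signer; and Valid says who signed the file and that it is intact, nothing about what the program does when run. Note that Windows system binaries are usually catalog-signed rather than embedded-signed, so on PowerShell versions before 5.1 they can report NotSigned; that is a limitation of the check, not a finding about the file.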
February 1, 2010
Backdoor entry versus payload drop
1) Every payload drop requires a backdoor entry but every backdoor entry does not throw a payload drop at you … at least for some time.
2) The gestation period between a backdoor entry & payload drop may either be very short or very long. A thief who enters your house at night while you sleep could choose to come in & go out without stealing anything (entry but no payload), come in & steal your laptop (entry & payload), come in, steal your laptop & also eat a sandwich from your refrigerator (entry & larger payload). Analogically the gestation period is the largest in the last category
3) The door through which the metaphorical thief enters is Internet Explorer. Among all browsers it is generically unique since it is the only browser which sits on top of a file manager (Windows Explorer). Due to various reasons we keep it. I am skipping the reasons only because it is not relevant to this particular forum thread.
4) Therefore I do not accept a digital signature just because Windows Explorer says so. The cleverness of Windows Explorer is low even though its sincere intention to protect you is unquestioned. Since its cleverness is far lower than its sincerity I do not blindly accept it even if it delivers a verdict that the app has a digital signature.
5) Now how did I infer that Internet Explorer was the door. Simple! Whenever you clean your traces or your registry some apps have a huge number of logs & files while others have hardly any. These apps accumulate lots of logs & files either because they diligently monitor your computer usage and/or also because they’ve been backdoored. Might even be both. Cannot conclude more than this. BTW IE is one of those apps. It has a long log list & file list even if you do not use IE during a particular session. You can check out the veracity of this. There are other such apps too.
6) My negative inference was actually a no-brainer due to one more reason – the intellectual property rights issue itself blew the lid off any remaining doubts I had.
February 1, 2010
Why does Windows OS suffer all these transgressions?
I feel they allow the transgression simply because they are not suffering … yet.
1) Common sense tells me that Microsoft realized this long back – they are a smart company. So why do they tolerate it? An OS deals with developers of differing levels of morality. The OS wants to get as many apps to work on its platform as possible. The OS guys reason it this way. If an app becomes a “big boy” within that OS platform in terms of usage they can always arm-twist that app into not serving competitor OS platforms. Now even when you arm-twist you must at least provide one face saver to that poor guy. Therefore they need to overlook at least one sin in order to provide a face saver. The OS guy rationalizes by saying “since the app has not yet dropped a payload why should I bother. If or when they do I can always develop a hotfix or a security patch & send a single patch through Windows Update or create a new amalgam of security patches & call that SP7 or SP8 or whatever”. Therefore the OS guy accepts the digital signature of even a “bad boy app”.
2) In this case the OS big bosses are dealing with an app from China – which incidentally had banned Windows from selling newer versions of its OS in Nov 2009. A businessman has to balance various issues – just like some policeman. Ha! Ha! They wanted to get good & cosy. So they let go on this one issue.
3) However as a user I cannot allow myself to get shafted. Conventionally we respond only after both backdoor & payload drop. Laterally speaking, why not be proactive & remove the app the moment it backdoors? I don’t want to find out if it is a case of “only backdoor but no payload drop” or whether the gestation period between backdooring & payloading is going to be a long one. Why take a risk?
February 1, 2010
Mischief Detection Apps
1) Spyware Terminator – friendly whistle blower. BTW I chose not to migrate to its latest version.
2) Anvir Task Manager 6.2.1 – an incredibly well featured task manager par excellence. Identifies phoners & non phoners. Does lots of other good things too. Thank you Ashraf
3) WinPatrol – sniffs out process hijackers etc
4) “What’s My Computer Doing” – tells you what your computer is reading and/or writing
February 1, 2010
Sorry, I forgot Snoopfree Privacy Shield 1.0.7. It tells you which app (including name & file path) is trying to:-
read the screen i.e. its own window
read the screen i.e. a window the app does not own
hook your keyboard
hook through a keyboard filter driver
It has a useful help file & its author Stephen Nichols offers an FAQ which explains when each of these 4 intrusions is malevolent & when it is not.