Re: Spyware Docter - Another Rogue? in Security http://www.dslreports.com/forum/r13633399 en Fri, 04 Dec 2009 16:10:39 EDT Fri, 04 Dec 2009 16:10:39 EDT Re: Spyware Docter - Another Rogue? http://www.dslreports.com/forum/remark,13634334 sashwa : Thanks Eric for your response. I probably used the wrong terminology when I said "false positives". I wasn't really worried about the cookies. I was more concerned about the items that appeared in the

HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\

because it seemed like they were mostly Symantec/Norton
entries. Im using NAV 2004 that is fully updated.

Also as far as I know I have never been hijacked or infected. I run Ad-Aware, Spybot, and MS AntiSpyware regularly and none of them have ever identified any of those keys before.

sash :)
--
Northern California Forum ~ Team Four ~ ECO Clicks]]> http://www.dslreports.com/forum/remark,13634334 Sat, 11 Jun 2005 15:11:48 EDT Re: Spyware Docter - Another Rogue? http://www.dslreports.com/forum/remark,13633582 eburger68 : RedhatCOC:

You wrote:

said by MattUK See Profile:

I think another important point is if generally "security people" haven't heard of an antispyware utility, and it doesn't let you clean the infections without paying, then they will be suspicious. Just my opinion!
I agree with you on this. I've been telling anti-spyware vendors for some time to ditch the trial versions in which removals are disabled. A program that reports detected malware but then demands money to remove it rubs many people the wrong way and raises suspicions.

The vendors who use these kinds of trials are worried that if they offer a full-featured trial, perhaps with a time limit of 15 days, then users will simply use the trial version to resolve their current problems without paying for the full version.

While it's likely that some users will use a full-featured/time-limited trial in that way, I think it much better to go out of your way to avoid doing anything that smacks of the "hard sell."

Anti-spyware vendors play by a special set of rules. What's legitimate and above-board in the marketing and advertising for one type of software program can prove problematic when used to sell an anti-spyware utility, because many if not most of your customers are already victims -- of spyware and adware. As such, one must take great care in dealing with these victims.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13633582 Sat, 11 Jun 2005 13:14:06 EDT Re: Spyware Docter - Another Rogue? http://www.dslreports.com/forum/remark,13633525 MattUK : Thank you for clearing that up Eric. I shall let the person know, as I trust your analysis of A/S programs.

I think another important point is if generally "security people" haven't heard of an antispyware utility, and it doesn't let you clean the infections without paying, then they will be suspicious. Just my opinion!

Kindest regards and many thanks.
Matt
--
»forum.gladiator-antivirus.com /// Gladiator Security Forum Admin // »www.kleendesigns.co.uk]]> http://www.dslreports.com/forum/remark,13633525 Sat, 11 Jun 2005 13:04:26 EDT Re: Spyware Docter - Another Rogue? http://www.dslreports.com/forum/remark,13633441 eburger68 : Hi All:

Spyware Doctor from PC Tools is a completely legitimate anti-spyware utility. It's installed on on my box right now, and I test with it regularly.

Sashwa, the vast majority of the detections reported by Spyware Doctor in your scan appear to be legitimate detections, not false positives.

The first 10 detections are cookies. I've long advocated that anti-spyware utilities move cookie management out of the threat scanner and into a separate utility, but these aren't false positives per se -- they're simply cookies that Spyware Dcotor is offering to remove for you.

The next several detections all involve CLSIDs that appear to be legitimate detections. These Registry keys are probably just remnants left behind from previous infestations or installations. Nothing serious, but they don't appear to be false positives.

D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9 - see:
»sarc.com/avcenter/venc/data/adwa···mon.html

15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6 - see:
»sarc.com/avcenter/venc/data/pf/a···ind.html

C1E58A84-95B3-4630-B8C2-D06B77B7A0FC - see:
»castlecops.com/tk524-Nhelper_dll.html
»www3.ca.com/securityadvisor/pest···53074928

42F2C9BA-614F-47C0-B3E3-ECFD34EED658 - see:
»securityresponse.symantec.com/av···bar.html

The last reported detection does indeed appear to be a false positive ( SahAgent C:\Program Files\EmotiPad Plus\Cache\smile_omfg.gif). I would suggest reporting it to PC Tools.

A few comments, if I may (and these are directed at no one in particular).

1) Don't assume that because you think you have a malware-free box that any reported detections by an anti-malware utility must be false positives. Do some research yourself and look into the reported detections. Until you do that, you can't say one way or the other what the detections are.

2) The mere existence of false positives does not make an anti-malware utility "rogue," because all anti-malware utilities will have false positives at some point. You've got to evaluate those false positives by asking:

- How common are the false positives?
- What were the causes of false positives? A poorly designed scan engine, bad data, or researcher error?
- How diligent is the vendor in soliciting reports of false positives, testing for false positives, and correcting those false positives in a timely manner?

Not all false positives are created equal.

In any case, I hope the above has been of help.

Edit: looks like this may be a bit more complicated than I first assumed. All of those CLSIDs were listed in this key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\

I'm still trying to find good info on just what that key is used for, but it appears to be an XP SP2 key, possibly a place where IE keeps track of the ActiveX controls that it has downloaded and/or installed. The data in this key appears to be harmless, but just what caused the keys to be created in the first place is still not clear. At the very least the ClSIDs do match known pieces of spyware/adware.

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/remark,13633441 Sat, 11 Jun 2005 12:51:11 EDT Re: Spyware Docter - Another Rogue? http://www.dslreports.com/forum/remark,13633399 dadkins : Eric L. Howes tested it his antispyware tests:
»spywarewarrior.com/asw-test-results-1.htm

Didn't do too bad either.]]> http://www.dslreports.com/forum/remark,13633399 Sat, 11 Jun 2005 12:44:09 EDT Re: Spyware Docter - Another Rogue? http://www.dslreports.com/forum/remark,13633366 TheJoker : If you check the Rogue/Suspect list at »www.spywarewarrior.com/rogue_ant···ware.htm, you will find that PC Tools Spyware Doctor is not on the Rouge list.
--
TheJoker]]> http://www.dslreports.com/forum/remark,13633366 Sat, 11 Jun 2005 12:40:46 EDT Re: Spyware Docter - Another Rogue? http://www.dslreports.com/forum/remark,13633248 sashwa : One of my staff bought this program for his home computer. He likes it.

I tried the scan and wasn't impresssed and it seemed to me to have false positives. It said I had 19 infections. :o Which I highly doubt.

From my last scan:

Scans (basic information only):

Scan Results:
scan start: 6/11/2005 9:08:34 AM
scan stop: 6/11/2005 9:15:56 AM
scanned items: 70604
found items: 19
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner



Infection Name Location Risk
Tracking Cookie(s) me@go[1].txt Medium
Tracking Cookie(s) me@forbes[2].txt Medium
Tracking Cookie(s) me@rating[1].txt Medium
Tracking Cookie(s) me@tripod[1].txt Medium
Tracking Cookie(s) me@www.all-yours[1].txt Medium
Tracking Cookie(s) me@wellsfargo[2].txt Medium
Tracking Cookie(s) me@pogo[1].txt Medium
Tracking Cookie(s) me@login[2].txt Medium
Tracking Cookie(s) me@www.netlingo[2].txt Medium
Tracking Cookie(s) me@home[1].txt Medium
HalfLemon HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} Elevated
HalfLemon HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9}\iexplore Elevated
MediaPass HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} High
MediaPass HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\iexplore High
NavHelper HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} Info
NavHelper HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}\iexplore Info
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658} High
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore High
SahAgent C:\Program Files\EmotiPad Plus\Cache\smile_omfg.gif Elevated


Other Sections:

--
Northern California Forum ~ Team Four ~ ECO Clicks]]> http://www.dslreports.com/forum/remark,13633248 Sat, 11 Jun 2005 12:20:33 EDT Re: Spyware Docter - Another Rogue? http://www.dslreports.com/forum/remark,13633241 anthrorules : yes, it's rogue...piece of *&^%]]> http://www.dslreports.com/forum/remark,13633241 Sat, 11 Jun 2005 12:19:03 EDT Spyware Docter - Another Rogue? http://www.dslreports.com/forum/remark,13633093 MattUK : A friend of mine on another forum downloaded Spyware Docter following a link from Virus Bulletin. He was angry when, after the scan finished, it had found 3 pieces of "spyware" on his machine, but wanted money to take them off.

Although, in all fairness, their website states:

quote:
Please note the trial version is limited to scan only.


The friend is suspicious that these are false positives. Should this program be considered for Eric's list?

Thoughts?
--
»forum.gladiator-antivirus.com /// Gladiator Security Forum Admin // »www.kleendesigns.co.uk]]> http://www.dslreports.com/forum/remark,13633093 Sat, 11 Jun 2005 11:54:43 EDT