Spyware Docter - Another Rogue?

Author	All Replies
MattUK Premium join:2003-03-23 UK	Spyware Docter - Another Rogue? A friend of mine on another forum downloaded Spyware Docter following a link from Virus Bulletin. He was angry when, after the scan finished, it had found 3 pieces of "spyware" on his machine, but wanted money to take them off. Although, in all fairness, their website states: quote: Please note the trial version is limited to scan only. The friend is suspicious that these are false positives. Should this program be considered for Eric's list? Thoughts? -- »forum.gladiator-antivirus.com /// Gladiator Security Forum Admin // »www.kleendesigns.co.uk
	to forum · permalink · · 2005-06-11 11:54:43 ·
anthrorules Premium join:2003-09-14 Rollinsville, CO	yes, it's rogue...piece of *&^%
	to forum · permalink · · 2005-06-11 12:19:03 ·
sashwa Pixie Cat Crunchin' n Foldin' Premium,Mod join:2001-01-29 Alcatraz clubs: ·Comcast ·Alameda Power & Te.. Host: Broadband Modem (H.. MSN DSL Extreme Windstream Southeast Asian Br.. 1 edit	reply to MattUK One of my staff bought this program for his home computer. He likes it. I tried the scan and wasn't impresssed and it seemed to me to have false positives. It said I had 19 infections. Which I highly doubt. From my last scan: Scans (basic information only): Scan Results: scan start: 6/11/2005 9:08:34 AM scan stop: 6/11/2005 9:15:56 AM scanned items: 70604 found items: 19 found and ignored: 0 tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner Infection Name Location Risk Tracking Cookie(s) me@go[1].txt Medium Tracking Cookie(s) me@forbes[2].txt Medium Tracking Cookie(s) me@rating[1].txt Medium Tracking Cookie(s) me@tripod[1].txt Medium Tracking Cookie(s) me@www.all-yours[1].txt Medium Tracking Cookie(s) me@wellsfargo[2].txt Medium Tracking Cookie(s) me@pogo[1].txt Medium Tracking Cookie(s) me@login[2].txt Medium Tracking Cookie(s) me@www.netlingo[2].txt Medium Tracking Cookie(s) me@home[1].txt Medium HalfLemon HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} Elevated HalfLemon HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9}\iexplore Elevated MediaPass HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} High MediaPass HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\iexplore High NavHelper HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} Info NavHelper HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}\iexplore Info YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658} High YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore High SahAgent C:\Program Files\EmotiPad Plus\Cache\smile_omfg.gif Elevated Other Sections: -- Northern California Forum ~ Team Four ~ ECO Clicks
	to forum · permalink · · 2005-06-11 12:20:33 ·
TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA	reply to MattUK If you check the Rogue/Suspect list at »www.spywarewarrior.com/rogue_ant···ware.htm, you will find that PC Tools Spyware Doctor is not on the Rouge list. -- TheJoker
	to forum · permalink · · 2005-06-11 12:40:46 ·
dadkins Can you do Blu? Premium,MVM join:2003-09-26 Hercules, CA	reply to MattUK Eric L. Howes tested it his antispyware tests: »spywarewarrior.com/asw-test-results-1.htm Didn't do too bad either.
	to forum · permalink · · 2005-06-11 12:44:09 ·
eburger68 Premium,MVM join:2001-04-28 2 edits	reply to MattUK Hi All: Spyware Doctor from PC Tools is a completely legitimate anti-spyware utility. It's installed on on my box right now, and I test with it regularly. Sashwa, the vast majority of the detections reported by Spyware Doctor in your scan appear to be legitimate detections, not false positives. The first 10 detections are cookies. I've long advocated that anti-spyware utilities move cookie management out of the threat scanner and into a separate utility, but these aren't false positives per se -- they're simply cookies that Spyware Dcotor is offering to remove for you. The next several detections all involve CLSIDs that appear to be legitimate detections. These Registry keys are probably just remnants left behind from previous infestations or installations. Nothing serious, but they don't appear to be false positives. D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9 - see: »sarc.com/avcenter/venc/data/adwa···mon.html 15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6 - see: »sarc.com/avcenter/venc/data/pf/a···ind.html C1E58A84-95B3-4630-B8C2-D06B77B7A0FC - see: »castlecops.com/tk524-Nhelper_dll.html »www3.ca.com/securityadvisor/pest···53074928 42F2C9BA-614F-47C0-B3E3-ECFD34EED658 - see: »securityresponse.symantec.com/av···bar.html The last reported detection does indeed appear to be a false positive ( SahAgent C:\Program Files\EmotiPad Plus\Cache\smile_omfg.gif). I would suggest reporting it to PC Tools. A few comments, if I may (and these are directed at no one in particular). 1) Don't assume that because you think you have a malware-free box that any reported detections by an anti-malware utility must be false positives. Do some research yourself and look into the reported detections. Until you do that, you can't say one way or the other what the detections are. 2) The mere existence of false positives does not make an anti-malware utility "rogue," because all anti-malware utilities will have false positives at some point. You've got to evaluate those false positives by asking: - How common are the false positives? - What were the causes of false positives? A poorly designed scan engine, bad data, or researcher error? - How diligent is the vendor in soliciting reports of false positives, testing for false positives, and correcting those false positives in a timely manner? Not all false positives are created equal. In any case, I hope the above has been of help. Edit: looks like this may be a bit more complicated than I first assumed. All of those CLSIDs were listed in this key: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\ I'm still trying to find good info on just what that key is used for, but it appears to be an XP SP2 key, possibly a place where IE keeps track of the ActiveX controls that it has downloaded and/or installed. The data in this key appears to be harmless, but just what caused the keys to be created in the first place is still not clear. At the very least the ClSIDs do match known pieces of spyware/adware. Best, Eric L. Howes
	to forum · permalink · · 2005-06-11 12:51:11 ·
MattUK Premium join:2003-03-23 UK	reply to MattUK Thank you for clearing that up Eric. I shall let the person know, as I trust your analysis of A/S programs. I think another important point is if generally "security people" haven't heard of an antispyware utility, and it doesn't let you clean the infections without paying, then they will be suspicious. Just my opinion! Kindest regards and many thanks. Matt -- »forum.gladiator-antivirus.com /// Gladiator Security Forum Admin // »www.kleendesigns.co.uk
	to forum · permalink · · 2005-06-11 13:04:26 ·
eburger68 Premium,MVM join:2001-04-28	RedhatCOC: You wrote: said by MattUK : I think another important point is if generally "security people" haven't heard of an antispyware utility, and it doesn't let you clean the infections without paying, then they will be suspicious. Just my opinion! I agree with you on this. I've been telling anti-spyware vendors for some time to ditch the trial versions in which removals are disabled. A program that reports detected malware but then demands money to remove it rubs many people the wrong way and raises suspicions. The vendors who use these kinds of trials are worried that if they offer a full-featured trial, perhaps with a time limit of 15 days, then users will simply use the trial version to resolve their current problems without paying for the full version. While it's likely that some users will use a full-featured/time-limited trial in that way, I think it much better to go out of your way to avoid doing anything that smacks of the "hard sell." Anti-spyware vendors play by a special set of rules. What's legitimate and above-board in the marketing and advertising for one type of software program can prove problematic when used to sell an anti-spyware utility, because many if not most of your customers are already victims -- of spyware and adware. As such, one must take great care in dealing with these victims. Best, Eric L. Howes
	to forum · permalink · · 2005-06-11 13:14:06 ·
sashwa Pixie Cat Crunchin' n Foldin' Premium,Mod join:2001-01-29 Alcatraz clubs: ·Comcast ·Alameda Power & Te.. Host: Broadband Modem (H.. MSN DSL Extreme Windstream Southeast Asian Br..	reply to eburger68 Thanks Eric for your response. I probably used the wrong terminology when I said "false positives". I wasn't really worried about the cookies. I was more concerned about the items that appeared in the HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\ because it seemed like they were mostly Symantec/Norton entries. Im using NAV 2004 that is fully updated. Also as far as I know I have never been hijacked or infected. I run Ad-Aware, Spybot, and MS AntiSpyware regularly and none of them have ever identified any of those keys before. sash -- Northern California Forum ~ Team Four ~ ECO Clicks
	to forum · permalink · · 2005-06-11 15:11:48 ·


Sunday, 05-Jul 09:09:49	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 9.5 years online! © 1999-2009 dslreports.com.republican-creole page compression OFF