Search:  

 
theme to black backgroundlet page decide theme
HomeFind ServiceReviewsISP NewsFAQsForumsToolsDatabaseAbout 
 
   All ForumsHot TopicsGallery






how-to block ads


 
Forums » Up and Running » Security » Security » Spyware Docter - Another Rogue?
Search Topic:
 Share Topic:
RSS topic:
toggle:
flat / full
normal / watch
Posting:
Post a:
Post a:
Links: ·Hijack This logs? ·Panda Free Tools ·Vundo Removal
Your Opinion on SpywareGuard »
« Michael Jackson 'suicide'  
AuthorAll Replies

eburger68
Premium,MVM
join:2001-04-28

2 edits		reply to MattUK
Re: Spyware Docter - Another Rogue?

Hi All:

Spyware Doctor from PC Tools is a completely legitimate anti-spyware utility. It's installed on on my box right now, and I test with it regularly.

Sashwa, the vast majority of the detections reported by Spyware Doctor in your scan appear to be legitimate detections, not false positives.

The first 10 detections are cookies. I've long advocated that anti-spyware utilities move cookie management out of the threat scanner and into a separate utility, but these aren't false positives per se -- they're simply cookies that Spyware Dcotor is offering to remove for you.

The next several detections all involve CLSIDs that appear to be legitimate detections. These Registry keys are probably just remnants left behind from previous infestations or installations. Nothing serious, but they don't appear to be false positives.

D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9 - see:
»sarc.com/avcenter/venc/data/adwa···mon.html

15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6 - see:
»sarc.com/avcenter/venc/data/pf/a···ind.html

C1E58A84-95B3-4630-B8C2-D06B77B7A0FC - see:
»castlecops.com/tk524-Nhelper_dll.html
»www3.ca.com/securityadvisor/pest···53074928

42F2C9BA-614F-47C0-B3E3-ECFD34EED658 - see:
»securityresponse.symantec.com/av···bar.html

The last reported detection does indeed appear to be a false positive ( SahAgent C:\Program Files\EmotiPad Plus\Cache\smile_omfg.gif). I would suggest reporting it to PC Tools.

A few comments, if I may (and these are directed at no one in particular).

1) Don't assume that because you think you have a malware-free box that any reported detections by an anti-malware utility must be false positives. Do some research yourself and look into the reported detections. Until you do that, you can't say one way or the other what the detections are.

2) The mere existence of false positives does not make an anti-malware utility "rogue," because all anti-malware utilities will have false positives at some point. You've got to evaluate those false positives by asking:

- How common are the false positives?
- What were the causes of false positives? A poorly designed scan engine, bad data, or researcher error?
- How diligent is the vendor in soliciting reports of false positives, testing for false positives, and correcting those false positives in a timely manner?

Not all false positives are created equal.

In any case, I hope the above has been of help.

Edit: looks like this may be a bit more complicated than I first assumed. All of those CLSIDs were listed in this key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\

I'm still trying to find good info on just what that key is used for, but it appears to be an XP SP2 key, possibly a place where IE keeps track of the ActiveX controls that it has downloaded and/or installed. The data in this key appears to be harmless, but just what caused the keys to be created in the first place is still not clear. At the very least the ClSIDs do match known pieces of spyware/adware.

Best,

Eric L. Howes
to forum · permalink · · 2005-06-11 12:51:11 · Reply to this


sashwa
Pixie Cat Crunchin' n Foldin'
Premium,Mod
join:2001-01-29
Alcatraz
clubs:
·Comcast
·Alameda Power & Te..

Host:
Broadband Modem (H..
MSN
DSL Extreme
Windstream
Southeast Asian Br..
 Thanks Eric for your response. I probably used the wrong terminology when I said "false positives". I wasn't really worried about the cookies. I was more concerned about the items that appeared in the

HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\

because it seemed like they were mostly Symantec/Norton
entries. Im using NAV 2004 that is fully updated.

Also as far as I know I have never been hijacked or infected. I run Ad-Aware, Spybot, and MS AntiSpyware regularly and none of them have ever identified any of those keys before.

sash
--
Northern California Forum ~ Team Four ~ ECO Clicks
to forum · permalink · · 2005-06-11 15:11:48 · Reply to this
Forums » Up and Running » Security » SecurityYour Opinion on SpywareGuard »
« Michael Jackson 'suicide'  

Sunday, 05-Jul 10:27:10 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 9.5 years online! © 1999-2009 dslreports.com.republican-creole
page compression OFF
Most commented news this week
· [146] Biden Unveils Broadband Stimulus
· [95] AT&T: 65,000 SMS Sent Per SECOND
· [91] Compuserve Classic Says Goodnight
· [83] Thomas To Appeal Huge RIAA Fines
· [79] Fourth Of July Open Thread
· [78] Obama Using NSA, AT&T For New Snooping Project
· [71] iPhone 3GS Already Jailbroken
· [67] Verizon: Cut Your Landline To Save Money
· [61] Cable Carriers Miss Tru2Way Deadline
· [60] The Pirate Bay Gets Sold
Most people now reading
· TekSavvy Down [TekSavvy]
· 6 firetrucks at 151 [TekSavvy]
· Symantec executive: dangerous to run free antivirus [Security]
· Recommend a used one? [Automotive]
· Best free email accounts? [General Questions]
· [ Professions] Northrend Herbalism and Mining Tracks [World of Warcraft]
· Chinese Translation WWII [General Questions]
· Connection lost in Toronto tonight? [TekSavvy]
· wasp problemb [Home Repair & Improvement]
· Uncanceled Echo high from 11 to 3 or 4pm. DSL disconnects [Qwest]