how-to block ads
|
MattUK
Premium
join:2003-03-23
UK
| Spyware Docter - Another Rogue? A friend of mine on another forum downloaded Spyware Docter following a link from Virus Bulletin. He was angry when, after the scan finished, it had found 3 pieces of "spyware" on his machine, but wanted money to take them off.
Although, in all fairness, their website states:
quote:
Please note the trial version is limited to scan only.
The friend is suspicious that these are false positives. Should this program be considered for Eric's list?
Thoughts?
--
»forum.gladiator-antivirus.com /// Gladiator Security Forum Admin // »www.kleendesigns.co.uk | |
|  anthrorules
Premium
join:2003-09-14
Rollinsville, CO | Re: Spyware Docter - Another Rogue? yes, it's rogue...piece of *&^% | |
| 
sashwa
Pixie Cat Crunchin' n Foldin'
Premium,Mod
join:2001-01-29
Alcatraz
clubs: 
 ·Comcast
·Alameda Power & Te..
Host:
Broadband Modem (H..
MSN
DSL Extreme
Windstream
Southeast Asian Br..
1 edit | One of my staff bought this program for his home computer. He likes it.
I tried the scan and wasn't impresssed and it seemed to me to have false positives. It said I had 19 infections.  Which I highly doubt.
From my last scan:
Scans (basic information only):
Scan Results:
scan start: 6/11/2005 9:08:34 AM
scan stop: 6/11/2005 9:15:56 AM
scanned items: 70604
found items: 19
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
Infection Name Location Risk
Tracking Cookie(s) me@go[1].txt Medium
Tracking Cookie(s) me@forbes[2].txt Medium
Tracking Cookie(s) me@rating[1].txt Medium
Tracking Cookie(s) me@tripod[1].txt Medium
Tracking Cookie(s) me@www.all-yours[1].txt Medium
Tracking Cookie(s) me@wellsfargo[2].txt Medium
Tracking Cookie(s) me@pogo[1].txt Medium
Tracking Cookie(s) me@login[2].txt Medium
Tracking Cookie(s) me@www.netlingo[2].txt Medium
Tracking Cookie(s) me@home[1].txt Medium
HalfLemon HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} Elevated
HalfLemon HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9}\iexplore Elevated
MediaPass HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} High
MediaPass HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\iexplore High
NavHelper HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} Info
NavHelper HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}\iexplore Info
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658} High
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore High
SahAgent C:\Program Files\EmotiPad Plus\Cache\smile_omfg.gif Elevated
Other Sections:
--
Northern California Forum ~ Team Four ~ ECO Clicks | |
| | | eburger68
Premium,MVM
join:2001-04-28
2 edits | Hi All:
Spyware Doctor from PC Tools is a completely legitimate anti-spyware utility. It's installed on on my box right now, and I test with it regularly.
Sashwa, the vast majority of the detections reported by Spyware Doctor in your scan appear to be legitimate detections, not false positives.
The first 10 detections are cookies. I've long advocated that anti-spyware utilities move cookie management out of the threat scanner and into a separate utility, but these aren't false positives per se -- they're simply cookies that Spyware Dcotor is offering to remove for you.
The next several detections all involve CLSIDs that appear to be legitimate detections. These Registry keys are probably just remnants left behind from previous infestations or installations. Nothing serious, but they don't appear to be false positives.
D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9 - see:
»sarc.com/avcenter/venc/data/adwa···mon.html
15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6 - see:
»sarc.com/avcenter/venc/data/pf/a···ind.html
C1E58A84-95B3-4630-B8C2-D06B77B7A0FC - see:
»castlecops.com/tk524-Nhelper_dll.html
»www3.ca.com/securityadvisor/pest···53074928
42F2C9BA-614F-47C0-B3E3-ECFD34EED658 - see:
»securityresponse.symantec.com/av···bar.html
The last reported detection does indeed appear to be a false positive ( SahAgent C:\Program Files\EmotiPad Plus\Cache\smile_omfg.gif). I would suggest reporting it to PC Tools.
A few comments, if I may (and these are directed at no one in particular).
1) Don't assume that because you think you have a malware-free box that any reported detections by an anti-malware utility must be false positives. Do some research yourself and look into the reported detections. Until you do that, you can't say one way or the other what the detections are.
2) The mere existence of false positives does not make an anti-malware utility "rogue," because all anti-malware utilities will have false positives at some point. You've got to evaluate those false positives by asking:
- How common are the false positives?
- What were the causes of false positives? A poorly designed scan engine, bad data, or researcher error?
- How diligent is the vendor in soliciting reports of false positives, testing for false positives, and correcting those false positives in a timely manner?
Not all false positives are created equal.
In any case, I hope the above has been of help.
Edit: looks like this may be a bit more complicated than I first assumed. All of those CLSIDs were listed in this key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
I'm still trying to find good info on just what that key is used for, but it appears to be an XP SP2 key, possibly a place where IE keeps track of the ActiveX controls that it has downloaded and/or installed. The data in this key appears to be harmless, but just what caused the keys to be created in the first place is still not clear. At the very least the ClSIDs do match known pieces of spyware/adware.
Best,
Eric L. Howes | |
| | |
MattUK
Premium
join:2003-03-23
UK
| Thank you for clearing that up Eric. I shall let the person know, as I trust your analysis of A/S programs.
I think another important point is if generally "security people" haven't heard of an antispyware utility, and it doesn't let you clean the infections without paying, then they will be suspicious. Just my opinion!
Kindest regards and many thanks.
Matt
--
»forum.gladiator-antivirus.com /// Gladiator Security Forum Admin // »www.kleendesigns.co.uk | |
| | eburger68
Premium,MVM
join:2001-04-28
| Re: Spyware Docter - Another Rogue? RedhatCOC:
You wrote:
said by MattUK  :I think another important point is if generally "security people" haven't heard of an antispyware utility, and it doesn't let you clean the infections without paying, then they will be suspicious. Just my opinion! I agree with you on this. I've been telling anti-spyware vendors for some time to ditch the trial versions in which removals are disabled. A program that reports detected malware but then demands money to remove it rubs many people the wrong way and raises suspicions.
The vendors who use these kinds of trials are worried that if they offer a full-featured trial, perhaps with a time limit of 15 days, then users will simply use the trial version to resolve their current problems without paying for the full version.
While it's likely that some users will use a full-featured/time-limited trial in that way, I think it much better to go out of your way to avoid doing anything that smacks of the "hard sell."
Anti-spyware vendors play by a special set of rules. What's legitimate and above-board in the marketing and advertising for one type of software program can prove problematic when used to sell an anti-spyware utility, because many if not most of your customers are already victims -- of spyware and adware. As such, one must take great care in dealing with these victims.
Best,
Eric L. Howes | |
| | | |
|
