eburger68
Premium,MVM
join:2001-04-28


2 edits

Re: Spyware Docter - Another Rogue?

Hi All:

Spyware Doctor from PC Tools is a completely legitimate anti-spyware utility. It's installed on my box right now, and I test with it regularly.

Sashwa, the vast majority of the detections reported by Spyware Doctor in your scan appear to be legitimate detections, not false positives.

The first 10 detections are cookies. I've long advocated that anti-spyware utilities move cookie management out of the threat scanner and into a separate utility, but these aren't false positives per se -- they're simply cookies that Spyware Doctor is offering to remove for you.

The next several detections all involve CLSIDs that appear to be legitimate detections. These Registry keys are probably just remnants left behind from previous infestations or installations. Nothing serious, but they don't appear to be false positives.

D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9 - see:
»sarc.com/avcenter/venc/data/adwa···mon.html

15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6 - see:
»sarc.com/avcenter/venc/data/pf/a···ind.html

C1E58A84-95B3-4630-B8C2-D06B77B7A0FC - see:
»castlecops.com/tk524-Nhelper_dll.html
»www3.ca.com/securityadvisor/pest···53074928

42F2C9BA-614F-47C0-B3E3-ECFD34EED658 - see:
»securityresponse.symantec.com/av···bar.html

The last reported detection does indeed appear to be a false positive (SahAgent C:\Program Files\EmotiPad Plus\Cache\smile_omfg.gif). I would suggest reporting it to PC Tools.

A few comments, if I may (and these are directed at no one in particular).

1) Don't assume that because you think you have a malware-free box that any reported detections by an anti-malware utility must be false positives. Do some research yourself and look into the reported detections. Until you do that, you can't say one way or the other what the detections are.

2) The mere existence of false positives does not make an anti-malware utility "rogue," because all anti-malware utilities will have false positives at some point. You've got to evaluate those false positives by asking:

- How common are the false positives?
- What were the causes of false positives? A poorly designed scan engine, bad data, or researcher error?
- How diligent is the vendor in soliciting reports of false positives, testing for false positives, and correcting those false positives in a timely manner?

Not all false positives are created equal.

In any case, I hope the above has been of help.

Edit: looks like this may be a bit more complicated than I first assumed. All of those CLSIDs were listed in this key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\

I'm still trying to find good info on just what that key is used for, but it appears to be an XP SP2 key, possibly a place where IE keeps track of the ActiveX controls that it has downloaded and/or installed. The data in this key appears to be harmless, but just what caused the keys to be created in the first place is still not clear. At the very least the CLSIDs do match known pieces of spyware/adware.

Best,

Eric L. Howes
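
The research step suggested in the post above can be partly automated. The following read-only PowerShell sketch is an added example, not part of the original post or of any PC Tools product: it lists each CLSID found under the `Ext\Stats` key and checks whether a matching COM registration and server file still exist, which separates leftover entries from components that are still installed. The function name `Get-ExtStatsTriage` is hypothetical, and the script assumes the subkeys of `Ext\Stats` are named by CLSID as the post describes.

```powershell
# Added example: read-only triage of CLSIDs listed under the Ext\Stats key.
# Assumption: each subkey of Ext\Stats is named after a CLSID, e.g. {GUID}.
$StatsKey = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'
$ClsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'

function Get-ExtStatsTriage {
    param([string]$StatsPath = $StatsKey)

    # No key (e.g. pre-SP2 system or a fresh profile): nothing to report.
    if (-not (Test-Path -LiteralPath $StatsPath)) { return @() }

    Get-ChildItem -LiteralPath $StatsPath | ForEach-Object {
        $clsid  = $_.PSChildName
        $name   = $null
        $server = $null

        # Look up the COM registration that would make this CLSID loadable.
        $comKey = Get-Item -LiteralPath "$ClsidRoot\$clsid" -ErrorAction SilentlyContinue
        if ($comKey) {
            $name   = $comKey.GetValue('')          # default value: friendly name
            $inproc = Get-Item -LiteralPath "$ClsidRoot\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($inproc) { $server = [string]$inproc.GetValue('') }
        }
        if ($server) { $server = $server.Trim('"') }

        if (-not $comKey) {
            $status = 'Leftover: no COM registration for this CLSID'
        } elseif (-not $server) {
            $status = 'Registered, but no InprocServer32 path'
        } elseif (Test-Path -LiteralPath $server) {
            $status = 'Registered and file present: research this component'
        } else {
            $status = 'Registered, file missing: partial removal'
        }

        [pscustomobject]@{
            CLSID  = $clsid
            Name   = $name
            Server = $server
            Status = $status
        }
    }
}

Get-ExtStatsTriage | Sort-Object Status, CLSID | Format-Table -AutoSize -Wrap
```

Entries reported as leftovers have nothing left to load; entries with a file still present are the ones worth looking up against vendor write-ups before deciding whether a detection is a false positive.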

sashwa
Pixie Cat Crunchin' n Foldin'
Premium,Mod
join:2001-01-29
Alcatraz

Re: Spyware Docter - Another Rogue?

Thanks Eric for your response. I probably used the wrong terminology when I said "false positives". I wasn't really worried about the cookies. I was more concerned about the items that appeared in the

HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\

because it seemed like they were mostly Symantec/Norton entries. I'm using NAV 2004 that is fully updated.

Also as far as I know I have never been hijacked or infected. I run Ad-Aware, Spybot, and MS AntiSpyware regularly and none of them have ever identified any of those keys before.

sash
--
Northern California Forum ~ Team Four ~ ECO Clicks