Last month, we published a simple test on how real-time protection by antispyware should work to prevent installation of known spyware / adware on your system. Today, we will show another test of how some antispyware programs' detection and removal processes work.
Also, if you visit security forums like this one, you may notice the question “Do I need another antispyware program in addition to the one I’m using?”. If not, you may wonder yourself whether 1 or 2 antispyware programs are enough to detect/remove spyware / adware. Check out the following test to find out.
For this test, we used 8 Claria software products:
- Gator eWallet
- WebSecureAlert
- DashBar
- DateManager
- WeatherScope
- PrecisionTime
- GotSmiley
- ScreenScenes (Beach Islands)
4 antispyware programs were used to detect/remove the above threats:
- CounterSpy
- Windows AntiSpyware Beta 1
- Ad-aware SE Personal
- Spybot Search & Destroy

The above image shows the 4 antispyware products installed on a clean system, which we will use to detect and clean the system after installation of the 8 Claria products.
The next image shows the installers of the Claria software:

The image below shows that the 8 Claria software products are now installed, along with the “About” windows of the said Claria software:


Please note that CounterSpy and Windows AntiSpyware were shut down and the real-time protection of the antivirus was disabled so that the Claria software could be installed without any interruption.
Scanning and Detection
What does one expect after the antiSpyware program finishes scanning? A user who installs Claria’s software will see an additional component called GAIN Publishing (see http://www.gainpubli...p/gainfaq.html). This means we expect the antiSpyware programs to detect at least 9 threats (the 8 Claria software products mentioned above and the GAIN Publishing component).


The above is the scan result of CounterSpy v1.0.29 with definitions 200. It found 8 threats: Claria.DateManager, Claria.Adware, Claria.GAIN, Claria.PrecisionTime, Claria.WeatherScope, Claria.WebSecureAlert, Claria.DashBar and Gator. It failed to detect 2 threats: ScreenScenes and GotSmiley.


The above are the scan results of Windows AntiSpyware v1.0.614 with 5733 definitions. It found 9 threats: Claria.GAIN, Claria.GAIN.Trickler, Claria.PrecisionTime, Claria.WeatherScope, Claria.WebSecureAlert, Claria.DashBar, Claria.DateManager, Claria.ScreenScenes and Claria.GotSmiley.
It did not miss any of Claria’s software.
Note: Claria.GAIN.Trickler is also known as Gator.
See:
http://doxdesk.com/parasite/Gator.html
http://www.liutilities.com/products/wintas...brary/trickler/
http://www.processli...files/trickler/
http://www.bleepingcomputer.com/startups/T...r.exe-7513.html

The above is the scan result of Spybot Search & Destroy v1.4 with the July 8th definitions. It found 6 threats: WebSecureAlert, GAIN.DashBar, GAIN.Gator, GAIN, Date Manager and PrecisionTime. It failed to detect 3 threats: GotSmiley, ScreenScenes and WeatherScope.
Note: Spybot S&D found only the shortcut for WebSecureAlert (the .lnk file).
Removal / Cleaning
CounterSpy is the first antiSpyware program that we used to hopefully clean the system:

http://dozleng.com/i...ovalusingcs.jpg
http://dozleng.com/i...alprocesscs.jpg
http://dozleng.com/i...aningdonecs.jpg
After it finished cleaning the system, the system was rebooted. The system shows that CounterSpy successfully removed Claria’s DashBar, Gator, WebSecureAlert, WeatherScope, DateManager and PrecisionTime. However, CounterSpy failed to detect/remove GotSmiley and ScreenScenes (Beach Islands):
http://dozleng.com/i...ctsleftbycs.jpg
As we can see in the above image, there are 2 other Claria software products left by CounterSpy, GotSmiley and ScreenScenes, which were visible in the list of Programs. The GotSmiley icon was also visible in the system tray. GotSmiley and ScreenScenes (Beach Islands) would still run:
http://dozleng.com/i...ungotsmiley.jpg
http://dozleng.com/i...creenscenes.jpg
So we scanned once again using CounterSpy to allow it to find GotSmiley and ScreenScenes. The scan result:
http://dozleng.com/i...ncompletecs.jpg
http://dozleng.com/i...ansummarycs.jpg
CounterSpy again found threats by Claria.DashBar, Gator and Claria but failed to detect GotSmiley and ScreenScenes again. We allowed CounterSpy to remove the 3 items it detected.
http://dozleng.com/i...moveusingcs.jpg
http://dozleng.com/i...aningdonecs.jpg
After the removal of the 3 threats by CounterSpy, the system was rebooted again to allow another scan using CounterSpy:
http://dozleng.com/i...ncompletecs.jpg
CounterSpy found the same 3 threats again. We allowed it to again remove the 3 threats.
http://dozleng.com/i...anremovalcs.jpg
http://dozleng.com/i...rdremovalcs.jpg
Since CounterSpy failed to detect and remove the 2 Claria software products (GotSmiley and ScreenScenes) after 3 consecutive scans and removal processes (with a system reboot in between), we now used Windows AntiSpyware to scan the system and allowed it to clean whatever it would detect:
http://dozleng.com/i...scanprocess.jpg
http://dozleng.com/i...ompletemsas.jpg
http://dozleng.com/i...summarymsas.jpg
Windows AntiSpyware detected the Claria software that CounterSpy failed to detect (GotSmiley and ScreenScenes) and some other Claria software. We allowed Windows AntiSpyware to remove the 4 threats it found:
http://dozleng.com/i...removalmsas.jpg
http://dozleng.com/i...processmsas.jpg
http://dozleng.com/i...processmsas.jpg
http://dozleng.com/i...erebootmsas.jpg
http://dozleng.com/i...processmsas.jpg
After the removal process by Windows AntiSpyware, the system was rebooted. The system shows ScreenScenes was not listed anymore but GotSmiley was still listed though the GotSmiley icon in the system tray was gone:
http://dozleng.com/i...msasremoval.jpg
We tried to run the GotSmiley program but Windows could not locate it, which means Windows AntiSpyware succeeded in removing the Claria software (GotSmiley and ScreenScenes) but left the harmless GotSmiley shortcuts.
http://dozleng.com/i...msasremoval.jpg
http://dozleng.com/i...msasremoval.jpg
We scanned again using Windows AntiSpyware to find out if it would find any other threats. Scan results were:
http://dozleng.com/i...2ndscanmsas.jpg
Windows AntiSpyware reported 0 items.
We then tried again to scan the system using CounterSpy:
http://dozleng.com/i...bycs0threat.jpg
Finally, CounterSpy found 0 items too which meant Windows AntiSpyware was successful in detecting and removing the spyware / adware that CounterSpy failed to detect and remove earlier.
We ran the Spybot Search & Destroy and Ad-aware SE antiSpyware scanners:
http://dozleng.com/i...dlogentries.jpg
Spybot Search & Destroy found log files which we allowed it to remove:
http://dozleng.com/i...riorremoval.jpg
http://dozleng.com/i.../z_ssdfixed.jpg
Next, Ad-aware found 1 critical tracking cookie:
http://dozleng.com/i...etest/z_aaw.jpg
http://dozleng.com/i...test/z_aaw2.jpg
http://dozleng.com/i...test/z_aaw3.jpg
Last but not least, we ran Symantec’s GAIN Adware removal tool to find out whether the system was clean of spyware / adware:
http://dozleng.com/i...ntecgainrem.jpg
http://dozleng.com/i...antecfound0.jpg
Findings
- The above test clearly shows that a user needs to use more than 1 antiSpyware program to hopefully clean a system!
- The recommended action by CounterSpy to "Quarantine" was great. However, it failed to detect all Claria’s software and kept finding the same 3 threats and failed to remove them each time the removal process was done.
- The recommended action by Windows AntiSpyware was "Ignore" (an issue that Microsoft explained by publishing an answer to customers). Hopefully the Microsoft AntiSpyware Beta team will consider changing it to remove or quarantine in the future. Even though the recommended action was "Ignore", Windows AntiSpyware did detect all known threats in this test system and removed them properly.
- System: Microsoft Windows XP Pro with Service Pack 2, installed in Microsoft Virtual PC 2004 with Service Pack 1
- Software:
  - Claria’s software, which installed GAIN Publishing software as a component for its products: Gator eWallet, DashBar, WeatherScope, PrecisionTime, DateManager, ScreenScenes, GotSmiley and WebSecureAlert
  - AntiSpyware: CounterSpy by Sunbelt Software (on a 15-day trial), Microsoft's Windows AntiSpyware Beta 1, Safer-Networking’s Spybot Search & Destroy, Ad-aware SE Personal by Lavasoft
- Utility/Tool:
  - Adware.GAIN Removal tool by Symantec. The version of the tool was 1.0.5 and it had a digital signature timestamp of 07/05/2005 04:20 PM
  - Screen Capture utility: SnagIt by TechSmith
Disclaimer: The products or companies used in this test do not represent the author or this site, dozleng.com. For questions or comments, please post them here. No PM or email will be entertained on the above test other than scan log file requests. Do not use the above test as your basis for purchasing or using a product. The antispyware programs may act differently (depending on what type of spyware / adware bundled application is installed). Kindly view our Disclaimer on Product Reviews and Research.
