In this Part 2 of "How many antispyware do we need to detect and remove spyware?", the Spy Sweeper and Spyware Doctor antispyware programs were added to find out whether one or two antispyware programs are enough to detect and remove known threats. This second test differs from the first part in that we used Microsoft's Windows AntiSpyware Beta 1 as the first "removal tool".
Scanning and Detection Results
Antispyware
- Ad-aware SE Personal by Lavasoft
- CounterSpy by Sunbelt
- Spybot - Search & Destroy by Safer-Networking
- Spyware Doctor by PC Tools
- Spy Sweeper by Webroot
- Windows AntiSpyware by Microsoft
Claria software
- GotSmiley
- ScreenScenes
- DateManager
- DashBar
- Gator eWallet
- WebSecureAlert
- WeatherScope
- PrecisionTime
- GAIN Publishing Component

Scanning and Detections
Scan results from Windows AntiSpyware Beta


Windows AntiSpyware v1.0.614 with definitions 5735 detected all of Claria’s software.
Scan results from CounterSpy


CounterSpy v1.0.29 with definitions 202 detected all of Claria’s software.
Scan results from Ad-aware SE Personal

While scanning the system using Ad-aware SE Personal, an error with the GAIN component of Claria software occurred.



Ad-aware SE Personal Build 1.06r1 with SER154 definitions detected 6 of Claria’s software. It failed to detect 3 of Claria’s software: WebSecureAlert, GotSmiley and ScreenScenes.
Scan results from Spybot Search & Destroy

Spybot Search & Destroy v1.4 with July 15th definitions detected 5 of Claria’s software. It failed to detect 4 of Claria’s software: WeatherScope, GotSmiley, ScreenScenes and WebSecureAlert.
Note: Spybot Search & Destroy detected only the LNK file for WebSecureAlert!
Scan results from Spyware Doctor
http://www.dozleng.c...anresultsdr.jpg
http://www.dozleng.c...nsummarysdr.jpg
Spyware Doctor with database 3.02600 detected all of Claria’s software.
Scan results from Spy Sweeper
http://www.dozleng.c...ansummaryss.jpg
http://www.dozleng.c...ondetailsss.jpg
Spy Sweeper v4.0.3 Build 405 with definitions 504 detected 7 of Claria’s software. It failed to detect 2 of Claria’s software: GotSmiley and ScreenScenes.
Removal / Cleaning
Cleaning with Windows AntiSpyware Beta 1
http://www.dozleng.c...removalmsas.jpg
After the cleaning process with Windows AntiSpyware, we rebooted the system. The program list still showed GotSmiley shortcuts but Windows could not locate it:
http://www.dozleng.c...ermsremoval.jpg
http://www.dozleng.c...valshortcut.jpg
Windows AntiSpyware failed to remove the DashBar toolbar entry in Add/Remove Programs:
http://www.dozleng.c...ermsremoval.jpg
We ran another scan using Windows AntiSpyware:
http://www.dozleng.c...5/m_2ndscan.jpg
Since it reported 0 spyware, we ran CounterSpy to hopefully find and clean the rest of the spyware / adware.
Cleaning with CounterSpy
http://www.dozleng.c...n_2ndscancs.jpg
http://www.dozleng.c...ansummarycs.jpg
CounterSpy found 6 threats so we now used it to clean the system:
http://www.dozleng.c...completedcs.jpg
We rebooted the system. The program list still showed the GotSmiley directory. The DashBar tool was gone from Add/Remove Programs:
http://www.dozleng.c...ercsremoval.jpg
http://www.dozleng.c...valshortcut.jpg
http://www.dozleng.c...aladdremove.jpg
The system was rebooted again to allow another scan using CounterSpy:
http://www.dozleng.c...o_3rdscancs.jpg
We ran Ad-aware SE Personal to check for threats and hopefully clean them:
Cleaning with Ad-aware SE Personal
http://www.dozleng.c...criticaltab.jpg
http://www.dozleng.c..._aawremoval.jpg
We allowed another scan using Ad-aware SE Personal:
http://www.dozleng.c..._aaw3rdscan.jpg
Cleaning with Spybot Search & Destroy
http://www.dozleng.c...dscanresult.jpg
http://www.dozleng.c...onfirmedfix.jpg
We allowed another scan using Spybot Search & Destroy:
http://www.dozleng.c...ssdcongrats.jpg
Cleaning with Spy Sweeper
We wanted to see if Spy Sweeper would find threats after using the above antispyware tools:
http://www.dozleng.c...eeperresult.jpg
http://www.dozleng.c...eeperdetail.jpg
http://www.dozleng.c...weeperstep3.jpg
Spy Sweeper found traces/threats in IE Cache which we allowed it to remove.
We ran another scan to confirm that the above removal was successful:
http://www.dozleng.c...sultsweeper.jpg
Cleaning with Symantec's GAIN.Adware removal tool
We ran Symantec's Adware.GAIN Removal Tool v1.05:
http://www.dozleng.c.../t_symantec.jpg
Note: Spyware Doctor by PC Tools was not used to remove the items it detected because the trial version of Spyware Doctor did not offer removal of detected items.
Antispyware's detections and removal findings
- Windows AntiSpyware detected all threats and removed them. However, it left harmless remnants in the Program List and in Add/Remove Programs, which could be removed manually by the user. In the above example, the GotSmiley program shortcuts and the entry for the DashBar toolbar in Add/Remove Programs were visible to users. A beginner may think that his system still contains adware or spyware if an antispyware fails to remove all files that were created by the detected threat!
- CounterSpy detected what Windows AntiSpyware failed to remove (registry keys and the entry in Add/Remove Programs) but, similar to Windows AntiSpyware, CounterSpy also failed to clean up the system thoroughly by removing the shortcuts of GotSmiley. In the above example, the GotSmiley program shortcuts were visible to users. Again, a beginner may think that his system still contains adware or spyware if an antispyware fails to remove all files that were created by the detected threat. CounterSpy detected 12 threats because it can detect cookies. In the above screenshot (detection with CounterSpy), it showed 2 cookies were detected. Note: Windows AntiSpyware Beta 1 does not scan for cookies. CounterSpy grouped its detections differently from Windows AntiSpyware but both programs (as per their logs) detected all Claria software as threats.
CounterSpy failed to detect GotSmiley and ScreenScenes in the first part of this test due to an update error or update server malfunction. Please read the comments and possible work-around by Sunbelt staff here.
Like Windows AntiSpyware, there is a known issue in updating the definitions of CounterSpy:
In the first part of this test, the definitions that were loaded by CounterSpy's built-in software updater were reported as definitions 200. However, we learned that the loaded definitions were not actually 200 but 144. This means that definitions 144 of CounterSpy failed to detect GotSmiley and ScreenScenes, and that there is a known problem in CounterSpy's software updater or updates server.
Hopefully the updating issue with CounterSpy will be resolved. If the provided work-around fails, it would be nice if they allowed users to download the updates manually, just as customers of Microsoft's Windows AntiSpyware, Spybot Search & Destroy and Ad-aware SE Personal can do.
Some CounterSpy customers experienced a similar problem in updating the definitions:
- DSLReports
- Wilders Security
- Wilders Security
- CastleCops
The update issue with CounterSpy is documented on Sunbelt's website with possible solutions.
- Spybot Search & Destroy requires update on definitions to hopefully detect other GAIN-bundled applications! It failed to detect 4 known threats.
- Ad-aware SE Personal also requires updates on definitions because the current definitions failed to detect other GAIN-bundled applications!
- Spyware Doctor detected all threats but the removal feature is not available with the trial version.
- Like Spybot S&D and Ad-aware SE, Spy Sweeper also failed to detect all GAIN-bundled applications!
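The leftovers described in the findings above (Start Menu shortcuts whose target is gone, and a stale Add/Remove Programs entry) can be checked for directly after a cleanup. The PowerShell below is an added example, not part of the original test; matching on the Claria product names listed on this page is an assumption about how the entries are named, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: audit for post-cleanup remnants of the products named on this page.
# Assumption: shortcuts and uninstall entries carry these product names.
$names   = 'GotSmiley','ScreenScenes','DateManager','DashBar','Gator',
           'WebSecureAlert','WeatherScope','PrecisionTime','GAIN'
$pattern = '\b(' + (($names | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'

# 1. Start Menu shortcuts (current user and all users) whose target no longer exists.
$shell = New-Object -ComObject WScript.Shell
$menus = @([Environment]::GetFolderPath('StartMenu'),
           [Environment]::GetFolderPath('CommonStartMenu')) |
         Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$dangling = foreach ($menu in $menus) {
    Get-ChildItem -Path $menu -Recurse -Filter *.lnk -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            # An empty TargetPath (e.g. advertised shortcuts) is skipped, not flagged.
            $named  = ($_.FullName -match $pattern) -or ($target -match $pattern)
            if ($named -and $target -and -not (Test-Path -LiteralPath $target)) {
                [pscustomobject]@{ Shortcut = $_.FullName; MissingTarget = $target }
            }
        }
}

# 2. Add/Remove Programs entries that still name one of the products.
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'

$entries = Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, UninstallString, PSPath

# Report only; nothing is deleted. Review each item before removing it by hand.
'Dangling shortcuts: {0}' -f @($dangling).Count
$dangling | Format-List
'Leftover Add/Remove Programs entries: {0}' -f @($entries).Count
$entries | Format-List
```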
General Recommendations
- It is recommended that you install more than 2 antispyware programs. No single antispyware will detect and remove all threats. Only allow one real-time protection to avoid system instability. Before installing an additional antispyware program, consult the vendor for known issues. Some users are using more than 1 antispyware because not all antispyware can detect or remove all known threats. Remnants may be harmless but a good antispyware should be able to remove all traces (including setup logs, contact info et al). Some adware / spyware bundled applications will allow the user to completely remove the application using its own uninstaller or the Add/Remove Programs utility in Windows. In some cases, an antispyware may not remove all the visible remnants or traces of the adware / spyware bundled application, and a user may require another antispyware tool or privacy tool to remove them.
- Scan the system for spyware / adware regularly. Remember to use the uninstaller or the Add/Remove Programs utility in Windows to remove detected threats prior to running a clean-up using any tools. You may not need to use 3 or 5 antispyware tools if Add/Remove Programs can remove the program successfully!
- The detection and removal methods of antispyware programs differ from one another for many reasons: threats are not always identified, a failure to end the running processes of the threat may cause the failure to remove the known threat, threat analysis and classification differ, etc. These are the reasons that we need more than 1 antispyware, to allow another antispyware to look for any missed or undetected common or known threats.
- If you suspect spyware behavior in your system but the tool reports 0 spyware / adware, get the HijackThis diagnostic tool by Merijn. Seek advice in forums that offer HijackThis analysis. You can find these forums at the Alliance of Security Analysis Professionals.
- Get involved by submitting suspicious files to antispyware vendors. Report false positives too. If the antispyware failed to detect a known threat, let the vendor know and demand updates and fixes!
- Don't be fooled by some antispyware products. Visit The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites before downloading or buying one.
- System: Microsoft Windows XP Pro with Service Pack 2 installed in Microsoft Virtual PC 2004 with Service Pack 1
- Software:
  - Claria’s software, which installed GAIN Publishing software as a component for its products: Gator eWallet, DashBar, WeatherScope, PrecisionTime, DateManager, ScreenScenes, GotSmiley and WebSecureAlert
  - AntiSpyware: CounterSpy by Sunbelt Software, Microsoft's Windows AntiSpyware Beta 1, Safer-Networking’s Spybot Search & Destroy, Ad-aware SE Personal by Lavasoft, Spy Sweeper by Webroot (on 30 days trial) and Spyware Doctor by PC Tools (on 30 days trial)
- Utility/Tool:
  - Adware.GAIN Removal tool by Symantec. The version of the tool was 1.0.5 and did have a digital signature timestamp equivalent to 07/05/2005 04:20 PM
  - Screen Capture utility: SnagIt by TechSmith
- The above products or company that were used in this test do not represent the author or this site dozleng.com. For questions or comments, please post them here. No PM or email will be entertained on the above test other than scan log files requests (logs were saved for reference)
- Do not use the above test as your basis in purchasing or using a product. The antispyware programs may act differently (depending on what type of spyware / adware bundled application is installed).
