Spyware Warrior

[bigos]

Whilst I was on holiday I had access to the internet via a laptop that was used by everyone who was staying there, it was the owners own personal laptop. Someone told me that they had scanned it two days earlier and had found 2000+ things on the laptop, they said that as far as they knew it was fairly clean but not a 100% clean, so I scanned it with Ad-aware SE and it reported it as clean, I then downloaded SUPERantispyware did a scan, it took some time but it found 84-90(Bad memory!) things(spyware,viruses etc). A scan using Kaspersky`s free online scanner confirmed these results. I thought this might be of interest for those of you who still rely on, or just plain prefer to use scanners rather than other methods like VM`s and HIPS etc. I didn`t test the removal ability of SUPERantispy as I never had time as I was 'on holiday' and had better things to do with my time (I didn`t bother to access my e-mail as I didn`t want the whole world to know my password)
_________________


Life is for living not just for prolonging!
B uzzz

[fcukdat]

Whoop there it is

I've found on a dozen clean ups for clients so far that SAS has outperformed Adaware in the overall detection & cleaning stakes.

But at this point it should be pointed out that Adaware did detect& remove a few things that SAS missed,i discovered this since they are both in my toolbox for cleaning duties but since SAS seems to be more dominent it now always gets first bite

Since both softwares provide free versions then theres no harm having both in your toolkit/arsenal.

I'm surprised that SAS free has'nt crept onto Eric's L Howes shortlist of reccomended antispywares yet
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[Moore]

Someone very trustworthy [ name witheld to protect the guilty ] told me a funny story about super antispyware just last week.. I think it was something like if you rename a harmless file as a malware file that gets detected by the program , say something like wintools.exe [ cant remember exactly which file was mentioned ] and do a scan it will pick it up , but then rename the real malware file to something else and it doesnt get detected..

I didnt try it myself yet but thats not a very good thing to hear. I'm sure someone would have tested such things by now right ?
_________________
| Stop Malvertising | Outpost | Blocklist Pro | Hosts |

[Nick]

That's not a good thing to hear about Superantispyware. I'm busy with other things right now, but I'll have to try that out to see.
_________________
Nick's Security Ticker

[bigos]

I would like to try this, what full virus/spy file names should I use?
_________________


Life is for living not just for prolonging!
B uzzz

[fcukdat]

Hi Moore i have contacted the vendor with hope he will address these alledged flaws but as Nick i'm busy tied up with other things to test myself but hopefully in a day or 3.

BTW hopefully you anon freind can come to the party too ?

But fwiw i have distain& distrust for someone who sits on such alledged information and withholds it from the security community in general

Afterall this bug has not been reported elsewhere todate.It either is or it is'nt

Does the OP have an agenda

Ps a trusted freind of mine told me George W Bush was really a very nice man and played golf with Osama Bin Laden and also that Elvis lives.I personally don't believe him but then i don't believe all that i'm told without qualifying for myself first
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[Moore]

[fcukdat]

Thx Moore

I did'nt realise you were your own anon freind....
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[Moore]

lol, more like my own worst enemy.. but friends for now.

Still trying to find the real wintools.exe file in my storage to see how detection goes when that is renamed to something harmless.
_________________
| Stop Malvertising | Outpost | Blocklist Pro | Hosts |

[fcukdat]

Anyhow let us know how it goes

But to provide some balance,I'm off to grab a DR supplied adware s***storm(Real infections/pests) to give a comparitive between the 2 softwares(Warts n all but minus renamed files etc) .Be back in a wee while
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[bigos]

What did I do wrong? SAS found nothing!


In Documents and settings

In Windows

In System 32
_________________


Life is for living not just for prolonging!
B uzzz

[Moore]

The renamed files shouldnt be showing up as text documents bigos.



First make sure hidden files [ file extensions ] is set to show all.. http://www.xtra.co.nz/help/0,,4155-1916458,00.html .. then try renaming them again.
_________________
| Stop Malvertising | Outpost | Blocklist Pro | Hosts |

[SUPERAntiSpy]

Hello all - Nick Skrepetos from SUPERAntiSpyware here. I wanted to address this thread personally.

We at SUPERAntiSpyware.com focus on dealing with REAL infections, in the REAL world, on REAL users systems and our product is very effective if you test it on REAL systems and read the reviews from REAL users such as here:
http://www.download.com/SUPERAntiSpyware-Free-Edition/3640-8022_4-10564983.html?sb=1&v=0

It is possible to "fool" or "trick" any anti-spyware application to detect items falsely - that is not testing an anti-spyware application properly (in my opinion). We have done this same thing here with SpyBot, AdAware, SpySweeper, PCTools, CounterSpy, etc. It is quite easy to make any of those applications, including SUPERAntiSpyware, detect non-spyware items as spyware.

I have chosen to put my, and my teams energy, into creating software to remove REAL infections in the REAL world and not on passing dubious tests where users try and trick the software. REAL users systems don't have this problem, and that's who we are protecting and helping.

If you really want to test SUPERAntiSpyware vs AdAware (or whatever) why don't you infect the system with the JROD infection where it hides itself from the Windows API and AdAware, Spybot, etc. won't even SEE the files becuase they are hidden by the JROD userland rootkit, and those programs don't have an kernel level access ability. SUPERAntiSpyware will see, and detect those items with ease - without booting to Safe Mode.

I appreciate your concerns, but I would think you would test the software against real infections which is what users in the real-world will be fighting against.

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com

[Kimberly]

Well I'm very sorry to see that you seem to base your detections on filenames. You maybe don't consider it as fair when we rename files, but in the REAL world you have spyware that changes names too. So what's gonna happen if SUPERAntiSpyware does not delete a "bad" notepad.exe, svchost.exe ...

Let's presume I'm a malware writer and I decide to change the name of my file to evade dectections or just because I like to change it ... and even make it random. Your program won't detect the file anymore unless someone submits it. What about the many random Qoologic files for example ?

[SUPERAntiSpy]

Kimberly - We don't just base our detections on "filename" - we have heuristic defintions, look inside defintions, code sequence identifying defintions in addition to other proprietary technologies which I will not disclose here.

You are incorrect on you assumption on how our system and scanning works - of course we deal with the randomly changing names and fingerprints. We handle the Vundo, QoolLogic, LOP, WinFixer, etc. infections with our smart definitions. We fully realize that they change their names on every install - we are not amateurs at the anti-spyware and/or security game.

Ewido may pass the specific test you tested today, but we have tests in our labs where ANY product can be fooled - it's not difficult to throw a wrench into any product, including SUPERAntiSpyware.

If you look around the forums, SpywareWarrior, WildersSecurity, Google Groups, MSN Groups, DSL/Broadband Reports, etc. you will see that I take every user concern into consideration and that we try and accomodate all user concerns.

We have even updated our latest definition set so that it won't detect the MMOD and WTOOLS if you simply rename a file. All that within a couple of hours of being notified. It will be in our definition set release later today.

SUPERAntiSpyware performs well in the real-world against real-world infections - we receive and analyze thousands of samples per week and update our defintions sometimes 2-3 times PER DAY to handle zero-day and emerging threats to protect our users.

We focus on the real infections - if you take a car and try to drive it on water, it will sink - if you drive it on the road as intended it will work properly. Does that mean the car is flawed because you can force it through specific situations where it will fail?

I will always focus my energy on dealing with real-world infections and protecting our hundreds of thousands of users against the latest threats. I will also listen to and take into consideration any "flaw", "weakness" or other issue with our software. That said, I will also prioritize our time and development energy on squashing the latest threats.

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com

[ipl_001]

Hi Kim, Nick, hi everyone,

Nick, you'll reckon "Win Tools" is a common name that might be used by anyone for a collection around Windows.

-> This is the name chosen by

[fcukdat]

Right on Nick S


Unfortunetly for most vendors my amateur tests are not spoofed(although i suppose there is certainly the opportunity for any dishonest tester to manipulate/influence tests outcome and reported results) but as always i shoot from the hip and call it as i see it.No agenda here


So as promised i've got a pc infected with multiple infections c/o the slime at DollarRevenue>>>
http://www3.dslreports.com/forum/remark,16573690
* Registered vendor/rep access only,soz

Thanks to an activeX consented install in came more malware then you can shake a stick at.2 reboots later+2 half hour sessions connected to the web without defending software active left the 'puter in a very bad way

Initial HJT report>>>

Scan saved at 13:05:15, on 01/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


**EDITED to only show malware related entries


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pwkcj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,arrgtll.exe
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [newname] C:\\nwnmff_7.exe
O4 - HKLM\..\Run: [pqy69399] RUNDLL32.EXE w008ba02.dll,n 002693970000000a008ba02
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKLM\..\Run: [b314e4d7.exe] C:\WINDOWS\system32\b314e4d7.exe
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKCU\..\Run: [wwrq] C:\PROGRA~1\COMMON~1\wwrq\wwrqm.exe
O4 - HKCU\..\Run: [b314e4d7.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\b314e4d7.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\system32\SSTEM~1\wuauboot.exe" -vt yazr
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\nktlogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T2ggbm9lczExMg\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe


I flipped a coin and Adaware got first bite of the cherry

For the first time ever using Adaware and early in the scan the DCOM service would fail and computer went into auto shutdown.This happened on repeated attempts so the first adaware scan was done from safe mode sucessfully albeit at an operating advantage to Adaware + pointed at some malware/adaware being the culprits for failure.



There were some items it could'nt remove and offered the option to scan at next reboot so the pc was rebooted and rescanned.This time round the scan was in normal mode and the previous gremlin was nowhere to be seen



2nd HJT scan>>>

**(File missing entries) removed


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pwkcj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,arrgtll.exe
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll"
O4 - HKLM\..\Run: [newname] C:\\nwnmff_7.exe
O4 - HKLM\..\Run: [pqy69399] RUNDLL32.EXE w008ba02.dll,n 002693970000000a008ba02
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKLM\..\Run: [b314e4d7.exe] C:\WINDOWS\system32\b314e4d7.exe
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKCU\..\Run: [wwrq] C:\PROGRA~1\COMMON~1\wwrq\wwrqm.exe
O4 - HKCU\..\Run: [b314e4d7.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\b314e4d7.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\system32\SSTEM~1\wuauboot.exe" -vt yazr
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\mv68l9ju1.dll

*Certainly some well entrenched infections and a few that are resucitating under different names

Adaware has had its bite now SAS goes up against the remainders



Final HJT>>>


R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pwkcj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,arrgtll.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\mv68l9ju1.dll



Image rollback time and now reversal of previous test

SAS has first bite in normal mode



HJT>>>

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pwkcj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,arrgtll.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\k280lclm1fqa.dll

Then reboot to clean & final scan with Adaware



Let Adaware do its cleaning thing

Final HJT>>>

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pwkcj.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,arrgtll.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\k280lclm1fqa.dll

Testers observations

1)Good detection& cleaning performed by both softwares.SAS edges Adaware to the winners rossette on this occaision but for me they make a good double act.

2)Despite Surfsidekick3 being tagged by both softwares its still alive&kicking and delivering "pops"

3) k280lclm1fqa.dll appears to be a new look2me variant* that will further import more malware



4)Both F2 entries point to files in the system32 folder that cannot be found anywhere by the tools that i use.Combine this with when i connected the PC back to the web in its semi cleaned condition the following event occured shortly after switching on the firewall



At this point i strongly suspect there is at least one rootkit imported with malware files cloaked but cannot confirm as of yet.More tools needed for definate confirmation.

*With that on this infected PC image i also have CounterSpy,SpywareDoctor,SpySweeper,Ewido,SpyBot and PestPatrol installed(on demand/no realtime active ) and updated to yesterdays defs.So in the next few days i'm going to give them all a crack of the whip to get a fair comparison on SAS/Adawares performance and will report it on a new topic

HTH

Ps Thats it for amateur hour today and yes all samples grepped will be submitted to the respective vendors through the usual channels
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[Kimberly]

Very nice infection fcukdat, I hope you can manage the cleanup or that you have a clean image

[fcukdat]

[SUPERAntiSpy]

fcukdat - thanks for the detailed post. Did you reboot after scanning and deleting with SAS? If not, then I can see why the SSK stuff was left over, sometimes it needs to be deleted on a reboot.

And please submit the samples as we will promptly update our definitions as per usual to remove those harmful items!

I agree 100%, no single product, including SUPERAntiSpyware can find everything on a given day and it is good practice to use multiple products.

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com

[SUPERAntiSpy]

We already released definition set 3039 that addresses the issue with WinTools:
http://www.superantispyware.com/definitions.html

Check for updates, and scan again, and the incorrect file(s) should not be detected. In the hundreds of thousands of downloads, and literally millions of scans that have been done with SUPERAntiSpyware, the problem with the ONE FILE you are describing has NEVER been an issue in the REAL WORLD.

Is the file PWKCJ.EXE still on the drive, or is it only the reference in the system.ini file? If we did not removed the file when Fcukdat submits us the file, we will have it analyzed and in our defintions tomorrow morning. You can check with Fcukdat to see how fast we process the hundreds of samples he sends to us.

Kimberly - What about the 227 items the AdAware missed? I am curious about that - you seemed to have neglected to point that out.

It does not sound like SUPERAntiSpyware is right for a couple of the members of this group - and that is ok - we have hundreds of thousands of happy users that is growing daily by over ten thousand users - no single product can please anyone all the time.

We are always here to make our product better for our loyal users - and will deal with any issues brought up. I look forward to helping any of the users of our products!

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com

[SUPERAntiSpy]

[Kimberly]

[SUPERAntiSpy]

[Kimberly]

[fcukdat]

Hi Nick S

Your welcome and no problemo in submitting samples to Vendors that take the time to say thankyou once in a while whilst providing a free version to people.

With reguards SSK3,SAS was allowed to reboot after first scan run to clean.But hey the files are on the way since i've finished testing SAS against this particular test infections.

With reguards to the qoologic see my last screenshot,this occured after the second run of cleaning whilst coming online to post my findings.

Rootkitrevealer is drawing a blank,so i give a couple more RK tools a go before continuing with testing other softwares versus this test infection

I now regret not running inctrl5 before/after i grepped this infection
I'm fairly sure the test pc is rooted but hey thank heavens for system imaging

Kimberly i'm not convinced that this look2me var is dated at all.If anything i strongly suspect it is a new variant



Neither Ewido or KaspAv have it in their databases and they have always been ahead of the game for trojans in my experiences with malware hunting.
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[ipl_001]

Hi Kim, SUPERAntiSpy, fcukdat, hi everyone,

[Kimberly]

Hello fcukdat,

[SUPERAntiSpy]

[fcukdat]

Kimberly

The tests were conducted offline with the modem unplugged since during cleaning the malware was making attempts to launch internet connections as it does.I already learnt that back awhile the hard way. Not going there again!

As mentioned in my first *test* post the PC was infected by activeX,all defenders deactivated so they could not impede infection.30mins online,reboot,30mins online,reboot to allow malware to settle down&mport bonus offerings and then imaged.

Ist round of testing HJT> adaware in safe mode>reboot>adaware@bootup>HJT>SAS then reboot to clean>> HJT

2nd round Image rollback >SAS in normal mode>reboot to clean>HJT>Adaware&reboot>HJT

HTH
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[SUPERAntiSpy]

[Kimberly]

Hello Nick,

[SUPERAntiSpy]

[fcukdat]

Hi Kimberly

Blacklight has hit a snag,all defenders are off/whilst offline


Nick S if i kindly take up the offer of RK detection tools it would be much appreciated.I love a good mystery but it has to be solved in the end :
_________________
Malware hunter....Got Bot ?

MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html

[Kimberly]

That's normal, your SeDebug privs are borked since you have look2me installed. Your privs need to be restored first and you should run l2mfix or look2me-destroyer for that.

This tool can get them back too but you might loose them again as long as you're infected with look2me.

http://www.downloads.subratam.org/VX2Finder.exe
Double click it & hit "restore policy"
Reboot the PC after.

So Look2me detection / removal needs some adjustments too.
_________________
Microsoft MVP Windows-Security 2006 - 2009
Help us to take down malicious Flash ads

[Nick]

I did some brief "amateur" tests last night before going to bed. Yes, renaming a text file as wintools.exe does cause Superantispyware to flag it as a bad file. Ad Aware, Ewido, Spybot, and Counterspy did not detect this file.

Bigos, you need to save the file as an all files type in addition to changing the file extension as a txt one

While this is not a real test per se, it does show that Superantispyware is relying on name detection and not verifying the file itself. Certainly not good.

Adding a change to the definitions to remove the detection of Wintools being detected in this manner is not the way to fix the problem. Many years ago Ad Aware got some flak for detecting files and folders being named gator. Back then, I didn't know that much about the antispyware industry as I do now. What I found to be alarming was that the novice that I was at the time could easily defeat the preeminate antispyware tool at that time. At that time I simply made a new folder and named it gator. Ad Aware flagged it as spyware. In response, I was attacked and accused of being another poster (mikey) trying to smear Ad Aware. At that time, Lavasoft stopped supporting Ad Aware 5.8 and provided no definitions or updates for over 4 months. I was thinking about buying Ad Aware Plus just before that happened.

Now I am not comparing SuperAntispyware to Ad Aware back then. Just giving some background on why I am adamant about the seriousness of false detections from something so simple as renaming a file.

If it is easy for anyone to trick Superantispyware, then what about the real bad guys who have very smart and talented programmers?

In any event, I will be testing these two programs against each other in a "real" test.
_________________
Nick's Security Ticker

[SUPERAntiSpy]

[Moore]

Hi Nick S

Thanks for fixing that problem with the two fake files I tested above , but how many other files in your database are detected by name only ?

I did run a few tests with other malware files renamed and SAS did a decent job at detecting the renamed files.. so it does seem that there is more than simple name identification for the most part.. and I'm glad to hear it.

Superantispyware doesnt seem too bad overall , the detection rate for me personally is not what I was expecting though.

As you've said , the real " testing against actual, current real-world infections" should be the main focus..

Here's my results .. I scanned a small variety of nasties, straight from actual real life hijacks , just moved them all into one folder for sanity reasons.. First scanned with with Ewido and then Superantispyware for comparison:

Ewido:



SAS:


Thats Ewido = 40 , SAS = 3

I'd be glad to submit some files for you to look at.

I know this thread was meant to be AdAware vs SAS , but I dont have AdAware..
_________________
| Stop Malvertising | Outpost | Blocklist Pro | Hosts |

[Nick]

There is some benefit to these "amateur" or non real world tests. Most of the newer antispyware products that came out in the last 2 years had false positives from bad sites being added to the restricted zone. Microsoft Antispyware and Spyware Doctor are examples of some that had this problem. They weren't checking the value of the urls in the zone map to see if they were in the restricted zone.

Most people don't add sites to the restricted zone to protect their computer. So it was people like myself who noticed this and reported it. Errors from atypical systems do have merit.

I did forget to mention on the last test that Superantispyware did find 2 tracking cookies. This is good, but I was prompted to reboot the computer to finish the spyware cleaning. Seems to me that having to reboot the computer to remove cookies shouldn't be necessary.
_________________
Nick's Security Ticker

[roger_m]

I too have found SuperAntiSpyware to over zealous about asking you to reboot after cleaning infections.

This should only be asked if there are locked files which can't be deleted until rebooting - when they will no longer be locked.