Aug 12 2008, 06:25 AM
Post #1
Solar
Group: Admin - Site
Posts: 12028
Calendar Posts: 8745
Joined: 11-October 03
From: Macau
Member No.: 1
Rogue Detections: Old, Not So Old and New Threats - Part 2

The number of misleading applications (aka rogue products) has escalated and there are now hundreds of rogue software packages floating around the net. Users need protection not only from common threats (such as viruses etc.) but also from rogue software. Luckily, the trustworthy malware scanners have added detections of rogue products.

This second part of the test consists of more rogue samples. The first part is located here.

Total samples: 70 rogue applications

To complete the test we gathered some old (2 years ago), not so old (last year) and new (this year) rogue samples. Some misleading applications in this test were picked up by searching the internet using keywords that are similar to non-misleading and popular software. (Example: AntivirProtect is similar to Antivir by AVIRA, SpyBlaster is similar to SpywareBlaster by Javacool.) Others were picked by visiting websites that offer a database of software (free download websites). Some were picked by going directly to the rogue software vendor's website.

Note: There are rogue products in this test that were not picked but were offered by existing rogue software, e.g. PCTurboPro offers another rogue software: WinAntivirus 2007 Pro.

We selected most of the samples not by risk level but by age level. Please read on to find out why it is IMPORTANT that every age level (old, not so old, new threats) is detected, especially when the method to get the samples is as easy as searching the internet using a search engine, or going to any website that offers free downloads.

We've run the test by scanning the system with the following free antispyware/antimalware applications:
1. A-Squared by Emsisoft (A2)
2. Ad-Aware 2007 by Lavasoft (AAW)
3. Malwarebytes Anti-Malware by Malwarebytes (MBAM)
4. RogueRemover by Malwarebytes (RR)
5. SUPERAntiSpyware by Superantispyware.com (SAS)
6. Spyware Doctor Starter Edition by PC Tools (SD)
7. Spybot Search & Destroy by Safer Networking (SSD)
8. Windows Defender by Microsoft (WD)

Please note that it is IMPORTANT that a scanner be able to detect not only the newer threats but also old threats, because these threats are still in the wild and are available through different distributions (email, website, ads, phishing etc.). If you've visited some websites that provide STATISTICS of their detections, you will notice that their Top 10 threats consist not only of new threats but often of OLD threats as well.

Example of old threats in the Top 10 current threats (go to the following websites):
http://www.virustotal.com/estadisticas.html
http://www.messagelabs.com/intelligence.aspx
http://www.symantec.com/business/security_response/index.jsp
http://research.sunbelt-software.com/default.aspx
http://www.microsoft.com/security/portal/

[Screenshot: Sunbelt ThreatNet top threats]
Another example is the above ThreatNet by Sunbelt, maker of CounterSpy antispyware. As you can see, Hotbar and Virtumonde are two of the old risks, but Sunbelt's ThreatNet discovered active infections on their CounterSpy users' PCs.

Test Results

Below are the screenshots of the detection results (please do not hotlink to the screenshots. Thanks! If you want to share this information, please send this topic link). To view the screenshots, links and the EXTRA test, you will need to download the compressed document (in Excel format).

Note: The Extra test is the detection by the above-mentioned applications and 32 malware scanners, using the VirusTotal service, against the installers/downloaders/setup files of rogue products. The reason we thought of running an extra test is that we believe an antispyware, antivirus or antimalware scanner's real-time protection (if available) will greatly help and protect the user by blocking, detecting and removing not only the traces of installed rogue products but also by preventing the download or installation of the rogue installers.

In our previous study, we've seen how real-time protection will protect the user's system from malicious or rogue installers. View the previous study here.

[Screenshots: detection result tables]

Category column legend:
FSA - sites engaged in the selling or distribution of bogus or fraudulent applications
EMD - sites engaged in malware distribution
N/A - not listed in hpHOSTS File or hpHOSTS Online Search at the time of this study
More info at http://forum.hosts-file.net/viewtopic.php?f=23&t=76

The above are detection tests only. They are not removal tests.

To view the detailed results (with links to screenshots, sorted A-Z, sorted by Risk Level, sorted by Threat's Age, Rogue Installer's Detection, Features Comparison) and the "EXTRA" test (Rogue Installer's Detection), you will need to download the attached compressed spreadsheet in this topic. The worksheet is protected; you can only use the "sort" and "auto-filter" functions. You cannot add or delete columns or edit the spreadsheets. Only Calendar of Updates' registered members can download the worksheet. Worksheet to be re-uploaded this week.

You can view 5 spreadsheets when you download the compressed file.
[Screenshot: worksheet tabs]

Note to users who will download the compressed document: To view the screenshot of the test result by the scanner on a particular rogue sample, simply click on the legend icons. If you do not have Excel Viewer to view the said document, you can download the free Excel Viewer from Microsoft. Note: Microsoft Office and OpenOffice.org will let you view Excel documents.

Testing Environment
Test date: April 23 to May 4
System: Windows XP Pro SP2 as guest system (using Virtual PC 2007 by Microsoft) and Windows Vista as host system
Screen Capture Utility: SnagIt by TechSmith
Icons by http://sweetie.sublink.ca/

Analysis
1. It goes without saying, but we'll say it anyway: a perfect malware scanner does not exist.
2. Of the scanners tested, a-squared by Emsisoft performed significantly better than the others. It only failed to detect six items. This product performed equally well detecting the old, not so old and new threats.
3. Malwarebytes' Anti-Malware and RogueRemover both performed well on the tests. RogueRemover failed to detect 24 rogue samples and Malwarebytes' Anti-Malware, coincidentally, also failed to detect 24 rogue samples. It should be noted that the failed samples were not the same items on both scanners. When scanned with both scanners, the total number of samples missed was only ten. This is important to note since it clearly displays the benefit of using multiple scanners. One succeeds where the other fails, but both used together failed on a much smaller group of samples.
4. Ad-Aware, Spyware Doctor, Spybot S&D, Windows Defender and SUPERAntiSpyware all performed very poorly. As this test clearly indicates, there are other scanners available that did a better job detecting threats. If you are currently using any of the scanners in this group, you should consider using the other scanners highlighted in this test either in addition to, or instead of, this group.

Additional Information: Feature Comparisons of Free editions
[Screenshots: feature comparison tables]

General Recommendations
1. All studies show that you will need to use more than one antispyware scanner. There is no single scanner that will detect all malware or rogue products.
2. An ounce of prevention is worth a pound of cure. Use a third-party HOSTS file, lock down your browser, enable the security features of the browser and choose an antivirus that will try to detect not only common risks (such as viruses, trojans, worms, etc.) but all risks, including spyware, rootkits, hacktools, bots, rogue installers and their traces etc.
3. Practice SafeHex. Users need to practise safe computing (aka Safehex or Safe Hex). It means users use techniques to keep their computer and data safe. Users should be:
Please see our disclaimer at http://www.dozleng.com/updates/index.php?act=boardrules

Download the attachment below to view the test results (with links to screenshots) and the Extra test's results. (Download is NOT available right now. I will re-upload this week.)

Preview of the Extra test:
[Screenshot: Extra test preview]
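Point 3 of the Analysis (two scanners each missing 24 samples, but only ten missed by both) and Recommendation 1 both rest on the same idea: combining scanners takes the union of their detections, so the combined miss set is the intersection of the individual miss sets. The following is an added example, not code from the original post or from any of the tested products. It uses constructed data: three hypothetical scanners (S1, S2, S3) and twelve hypothetical samples tagged with the write-up's age buckets, with illustrative numbers that are not the test's results. It computes each scanner's misses, the joint misses of any combination, a per-age detection rate, the pair with the fewest joint misses, and a greedy ordering for adding scanners.

```python
"""Combined-scanner coverage over a detection matrix (constructed data)."""
from itertools import combinations

# Sample -> age bucket. Constructed names and buckets, not the test's samples.
SAMPLES = {
    "rogue-old-01": "old", "rogue-old-02": "old",
    "rogue-old-03": "old", "rogue-old-04": "old",
    "rogue-mid-01": "not so old", "rogue-mid-02": "not so old",
    "rogue-mid-03": "not so old", "rogue-mid-04": "not so old",
    "rogue-new-01": "new", "rogue-new-02": "new",
    "rogue-new-03": "new", "rogue-new-04": "new",
}

# Scanner -> set of samples it flagged. Constructed: S1 and S2 each miss four
# samples but different ones (the situation the analysis describes); S3 is
# strong on old threats and weak on new ones.
DETECTED = {
    "S1": {"rogue-old-01", "rogue-old-02", "rogue-old-03", "rogue-mid-01",
           "rogue-mid-02", "rogue-new-01", "rogue-new-02", "rogue-new-03"},
    "S2": {"rogue-old-01", "rogue-old-02", "rogue-old-04", "rogue-mid-02",
           "rogue-mid-03", "rogue-mid-04", "rogue-new-01", "rogue-new-02"},
    "S3": {"rogue-old-01", "rogue-old-02", "rogue-old-03", "rogue-old-04",
           "rogue-mid-01"},
}


def missed_by(scanner):
    """Samples a single scanner failed to detect."""
    return set(SAMPLES) - DETECTED[scanner]


def missed_by_all(scanners):
    """Samples none of the given scanners detected.

    Running several scanners unions their detections, which is the same as
    intersecting their miss sets; this is the 'only ten missed by both' figure.
    """
    misses = set(SAMPLES)
    for scanner in scanners:
        misses &= missed_by(scanner)
    return misses


def detection_rate_by_age(scanner):
    """Detection rate per age bucket, since old threats matter as much as new ones."""
    buckets = {}
    for sample, age in SAMPLES.items():
        hit, total = buckets.get(age, (0, 0))
        buckets[age] = (hit + (sample in DETECTED[scanner]), total + 1)
    return {age: hit / total for age, (hit, total) in buckets.items()}


def best_pair():
    """Pair of scanners with the fewest joint misses (ties broken by name)."""
    return min(combinations(sorted(DETECTED), 2),
               key=lambda pair: (len(missed_by_all(pair)), pair))


def greedy_order():
    """Greedy set-cover order: each step adds the scanner that detects the most
    still-missed samples. Returns the order and whatever nobody detects."""
    remaining = set(SAMPLES)
    pool = set(DETECTED)
    order = []
    while remaining and pool:
        best = max(sorted(pool), key=lambda s: len(remaining & DETECTED[s]))
        if not remaining & DETECTED[best]:
            break  # no remaining scanner adds coverage
        order.append(best)
        pool.remove(best)
        remaining -= DETECTED[best]
    return order, remaining


if __name__ == "__main__":
    for scanner in sorted(DETECTED):
        print(scanner, "missed", len(missed_by(scanner)), detection_rate_by_age(scanner))
    print("best pair:", best_pair(), "joint misses:", missed_by_all(best_pair()))
    print("greedy order:", greedy_order())
```

With the constructed data, S1 and S2 each miss four samples but together miss only one, which is the effect the analysis reports; S3 detects every old sample and no new one, so a per-age breakdown exposes a weakness that a single overall detection count would hide.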