MINDPRIDE Computer Services

 

 

Spyware - Adaware

 


Author's notes
The following discussion is targeted to basic and intermediate skill level home users. Advanced users may find some material of interest in Annotated additional resources. Also, some parts of the discussion including, but not limited to, excerpts from various End User License Agreements, make for tedious reading. Last update: February 22, 2004 (22 February 2004).
Special note about certain sites listed under Annotated additional resources
Certain of the sites listed below under Annotated additional resources are not currently online. According to currently available information, these sites have been the target of Distributed Denial of Service (DDoS) attacks that have overwhelmed the host server. Attempts to download HijackThis or to log in to forums that assist in interpreting the results of a scan have resulted in "domain unavailable", "page cannot be found" or other errors. Reportedly the FBI has been alerted to the attacks, but little is known about the reason behind the attacks or the identity of the perpetrator or perpetrators. One can reasonably surmise that these attacks have been orchestrated by dark elements that profit by foisting Adware/Spyware upon unsuspecting users. Suffice it to say that these attacks are an outrageous affront not only to the eminently decent folks who write programs for and provide assistance to thousands of home users, but to all legitimate users of the Web.
Description
Adware is a program that runs on your computer, monitors your surfing habits and delivers targeted advertisements, typically in the form of pop-up windows. Spyware is a program that runs on your computer, monitors your Web surfing habits and reports the habits to a remote computer. Both Adware and Spyware purloin precious system resources, resulting in performance degradation. Case in point: A customer presented a machine (Win98SE), complaining that the computer "runs slow." Known Adware/Spyware programs were observed and tools were run to remove these programs. After removal of over 500 files, folders and registry keys and some other tweaking, system resources went from 16% (fresh boot) to 88%. In addition to seriously sapping system resources, some Adware/Spyware programs can create Internet connectivity problems, and can even cause system crashes.
Adware/Spyware evolution
Adware/Spyware has perniciously evolved into a hydra, referred to in various venues as "malware", "scumware", "foistware", "crapware" and "parasites." For purposes of this discussion, we will use the term "Adware/Spyware" with the understanding that the relatively benign definitions appearing above no longer reflect the true parameters of these increasingly polymorphic programs. Emerging forms of Adware/Spyware, such as Browser Helper Objects (BHOs), re-directors, Home Page hijackers and dialers go far beyond monitoring browsing habits and spawning pop-up and pop-under JavaScript windows. These Adware/Spyware mutants can, for example, change your browser's start page to a pornographic or shopping site, re-direct you to pornographic or shopping sites when you use certain search engines and direct your dial-up connection to phone 900 numbers. The grim news for home users is that some of these programs are exceedingly difficult to remove from one's system, requiring in most cases a trip to the computer repair shop.
Theater of the Absurd: Act One
At www.kazanon.com, a "free" file-sharing anonymizer: "You can FINALLY - ANONYMOUSLY - safely and securely download, swap, and trade music, movies, software, everything - with your FAVORITE program (Kazaa, Morpheus, Grokster, WinMX, or any of the P2P programs!) KAZANON makes you TOTALLY ANONYMOUS and INVISIBLE - NO ONE WILL EVER KNOW YOUR REAL IDENTITY, LOCATION, or IP ADDRESS." If one reads the Kazanon EULA, as posted on 10/14/03, it is clear that this is not the case. From the EULA: "VII -The user understands, acknowledges, and gives express permission for the application and/or associated components to collect personal information, including, but not limited to, name, demographic data, interests, profession, education, marital status, sex, age, income, and any other information Odysseus Marketing, Inc. decides to collect regarding user, at its sole discretion." If you remain keen on downloading and installing this egregious example of Adware/Spyware, be aware of the following additional excerpts from the EULA:
  • VIII -The user understands, acknowledges, and gives express permission for the application and/or associated components to collect information and data regarding Internet activity, including web sites visited, search queries conducted, applications installed and used, files present on user's hard drive or system, transactions conducted, and any other behavioral data deemed necessary by Odysseus marketing, Inc in its sole discretion.
  • XI -User hereby understands and gives permission for application and/or any associated components to alter applications, files, and/or data so as to display information and/or marketing messages, including but not limited to file sharing applications, media viewers, and/or player applications.
  • XII -User hereby understand, acknowledges, and gives express permission for application and/or associated components to disable or delete applications and/or files deemed unfriendly or harmful to Odysseus Marketing, Inc or any of its partners in Odysseus Marketing Inc.'s sole discretion without notice to the user, and may auto-reinstall application and/or any associated components, unless approved auto-uninstall application is used.
According to the EULA, if one installs Kazanon and later develops reservations about using it, one must un-install Kazanon using its un-installer. On October 14, 2003 the following appeared on the un-installer page: "The uninstall process is under construction. Try back in a few days."
Security experts who have taken an in-depth look at Kazanon have concluded that it does not, in fact, cloak a user's identity. It does, however, install a component of known Adware/Spyware that can download still more Adware/Spyware without the user's knowledge.
Theater of the Absurd: Act Two
ZDNet, in an article posted on February 4, 2004 (http://zdnet.com.com/2100-1104_2-5153485.html), reported on a defunct program named SpyBan, an alleged anti-Adware/Spyware program that actually installed Look2Me, known Adware/Spyware. According to ZDNet, citing Download.com, the program was downloaded 44,000 times.
What Adware/Spyware can do
Adware/Spyware can do all of the following:
  • Install a DLL (dynamic link library) file or other executable on your computer.
  • Infect your computer with a virus. Investigators have determined that the worm known in various venues as W32/Novarg.A, W32/Shimg, W32/Mydoom, or W32/Mimail.R had its genesis in Kazaa and migrated to e-mail.
  • Communicate continuously with a Web server ("phoning home") to transparently install more programs on your computer, continuously monitor your computer activities, and transmit activity data to the Web server.
  • Invite other Adware/Spyware programs to enter your computer.
  • Scan the files on your hard drive.
  • Change your browser's Home Page and prevent you from re-setting the Home Page.
  • Insert unwanted sites into your Favorites or Bookmarks folder.
  • Remove Internet Options from Internet Explorer®, effectively causing you to lose control of your browser.
  • Hinder removal by providing no un-install option or, in the case of "tricklers", re-install itself after you un-install and re-boot.
  • Monitor your keystrokes.
  • Spawn pop-up advertisements even when you are not online.
  • Attempt to disable or actually disable Adware/Spyware removal programs.
  • Read, write to and delete files on your hard drive.
  • Re-direct you to knockoff, pornographic or shopping sites.
  • Interfere with the removal of legitimate programs. After we started to un-install a McAfee application, the un-installer quit, advising that we had to first quit BonziBuddy before the un-install could be completed. We later ran Spybot to dispatch the creature back to the jungle.
  • Cause your computer to freeze or crash.
  • Cause you to spend money to have a computer technician rid your system of Adware/Spyware. Some forms of Adware/Spyware are much more difficult to remove than a virus.
Legal issues
Companies and developers that supply Adware/Spyware are largely insulated from legal action for costs of Adware/Spyware removal, loss of productivity and other claims on account of the End User License Agreement (EULA). A EULA is a contract between a company or developer and a user that sets forth the terms under which the user acquires a license to use the program. In the case of boxed software, the user accepts the EULA upon removing the shrink wrap from the packaging containing the disk, breaking the seal on a jewel case or installing the program. In the case of a program distributed online, one accepts the EULA upon clicking a "Yes" or "I agree" button on the page displaying the EULA. Most Web sites have a "Terms of Use" or "Privacy Policy" page where one typically finds the EULA for programs downloaded from the site. The EULA is most times displayed using very small fonts, may be ten to 20 printed pages and usually contains a provision allowing unilateral changes without prior notice to users. Even if one thoroughly reads a EULA, it is not possible to unearth all the terms and conditions that a user agrees to, since the EULA frequently incorporates by reference one or more other EULAs. While making a second, third or fourth EULA part of the first EULA is legally proper, it effectively prevents even a determined user from understanding the ramifications of hitting the "Download Now" button. If a person with legal training vets a typical Adware/Spyware EULA, it becomes abundantly clear that a competently drafted EULA will effectively insulate a company or developer against legal action by a disgruntled consumer.
While the Federal Trade Commission has received complaints about Adware/Spyware, it has done little more than pay lip service to privacy issues. Don't look to the effete, Pecksniffian politicians in Washington or state capitols to protect users. Although poorly drafted measures targeting Adware/Spyware are sporadically hyped by politicians seeking to curry favor with privacy advocates, they serve to benefit only self-perpetuating political interest, not users. First Amendment, definitional and jurisdictional issues conflate to stymie the few intelligent, low key folks who contemplate a viable legislative solution.
According to an article posted on CNET News.com (http://news.com.com/2100-1032-5095051.html, See you later, anti-Gators, October 22, 2003), Gator (now named "Claria") filed a civil action alleging trade libel and other theories of recovery against PC Pitstop, a site that classified Gator as Spyware. PC Pitstop settled the action and removed material offending Gator from its Web site. Gator claimed that its programs are not Spyware since users who download Gator products receive clear notice of what will be installed and since users receive value in the form of useful applications, such as file-sharing programs. Spyware on the other hand, according to Gator, is secretly installed and provides no benefit to users. While a settlement does not make legal precedent, it can have a chilling effect on parties similarly situated to the defendant. It has chilled us. Gator has been removed from our list of Adware/Spyware. For the record, if you have installed a Gator product, it is not Spyware, you knowingly installed it and you are enthralled by the functionality of the umbrella program.
Installing Adware/Spyware
How is Adware/Spyware installed on a system? It is typically installed unknowingly by a user, who installs a freeware program, such as Kazaa, Xupiter or Grokster. If you download freeware, read the End User License Agreement (EULA) carefully. You may agree to the installation of Adware/Spyware programs. Consider the following extracts from the EULA for Xupiter, a freeware search agent: "To further enhance your media viewing experience, Xupiter reserves the right to run advertisements and promotions based on URLs and/or search terms users enter when navigating the Internet. Our software license requires that users browser start page be set to Xupiter.com in order to continue use of the Xupiter toolbar, from time to time we verify that users start page url is set to Xupiter.com, if it is not we reserve the right to alter it back." Think about it: If you install Xupiter, you agree to relinquish substantial control over your Web browser to Xupiter. If that does not concern you or if you can't live without small purple gorillas, enchanting insects or cute cursor changes, stop reading right now and enjoy the pop-up and pop-under advertisements.
File-sharing programs
You are much more likely to introduce Adware/Spyware into your system if you download and install file-sharing programs, such as Kazaa, Morpheus and Grokster, than if you abstain from using file-sharing programs. Few people read the End User License Agreement (EULA) before downloading and installing programs. Only a Philadelphia lawyer would read and understand Kazaa's EULA, estimated to contain 5,000 words. Even if one reads and understands Kazaa's EULA, there is more to digest. Some EULAs incorporate by reference other EULAs. Consider this extract from Section 9.1 (Third Party Software) of Kazaa's EULA, which provides in part: "During the process of installing the Software, you may be offered the possibility to download or install software from third party software vendors pursuant to licences or other arrangements between such vendors and yourself ("Third Party Software"). In the event you do not wish to download this THIRD PARTY SOFTWARE you should uncheck the appropriate boxes. Please note that the THIRD PARTY SOFTWARE is subject to different licences or other arrangements, which you should read carefully. By downloading and using this THIRD PARTY SOFTWARE you accept these THIRD PARTY SOFTWARE licences or other arrangements and acknowledge that you have read them and understand them." It gets better. Section 10.1 of Kazaa's EULA provides: "10.1 This Licence as well as all disputes arising out of or in connection with this Licence shall be governed by the laws of the New South Wales, Australia, without regard to or application of choice of law rules or principles." How many people will pore over the EULAs before downloading and installing programs? How many people can pick up the phone to call a friend who is well versed in the statutes of New South Wales?
If you download a file-sharing program, you are getting a pig in a poke, a pig that invades your privacy, can infect your computer with a virus and pokes you with pop-up and pop-under advertisements.
Typical user reaction following installation of file-sharing program
The following was culled from a Google group search, using as the search logic the name of a popular, free file-sharing program: "'Spyware and Adware Avalanche!' You will be swamped with spyware and adware. For a free program you expect flashing ad banners etc... but this?? If you remove the adware and spyware it renders the program useless. Also some of this stuff can't be removed with add/remove programs. Even ad-aware and spybot don't detect everything that this piece of garbage can deliver. I ultimately had to replace my hard drive."
Other vehicles for Adware/Spyware introduction into a system
As mentioned, file-sharing programs are significant hosts of Adware/Spyware, but these insidious programs can be introduced into a system by other means, including:
  • Security holes in browsers.
  • Instant Messaging programs.
  • Browser search bars/toolbars. If you can't live without a search bar, get the Google toolbar, the only one that we recommend.
  • Some seemingly benign programs from well-known commercial entities.
  • Advertisements (usually pop-ups) displaying dire error messages or offering to stop pop-ups or spam and prompting the user to "Click Now" to immediately get the fix. Even if you click "No", "Cancel" or "Don't install", a program may be downloaded and installed on your system. Don't click on these pop-ups. Use <Ctrl> + <F4> to close the pop-up window. In addition, don't follow any links in spam for free downloads.
  • Downloaded games.
  • "Drive-by download". A "drive-by download", according to whatis.com, is "(A) program that is automatically downloaded to your computer, often without your consent or even your knowledge. Unlike a pop-up download, which asks for assent (albeit in a calculated, contrived manner likely to lead to a 'yes'), a drive-by download is carried out invisibly to the user: it can be initiated by simply visiting a Web site or viewing an HTML e-mail message."
  • Physical access to a machine.
Some examples
Adware/Spyware programs that present the potential for serious system performance degradation, invasion of privacy and system crashes include, but are not limited to, the following:
  • Alexa.
  • BargainBuddy.
  • BDE/Brilliant Digital.
  • CoolWebSearch. (Some variants use HOSTS file to block access to anti-Adware/Spyware sites.)
  • Cydoor.
  • DownloadWare.
  • Grokster.
  • IGetNet.
  • IMesh.
  • Kazanon.
  • Lop.
  • MediaUpdate.
  • New.net
  • RapidBlaster.
  • SaveNow.
  • Vloading.
  • webHancer.
  • Xupiter Toolbar.
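The HOSTS-file blocking noted for CoolWebSearch above can be checked for directly. The following is an added example, not part of the original article: it scans the text of a HOSTS file for entries that pin watched sites to a loopback address or to some other address. The `audit_hosts` name, the watchlist and the sample entries are constructed for illustration; substitute the sites you rely on for updates and removal tools.

```python
import ipaddress

# Constructed sample HOSTS content; every hostname and address here is made up.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# constructed sample entries
127.0.0.1   www.antispyware.example antispyware.example  # inline comment
0.0.0.0     updates.scanner.example
203.0.113.7 DOWNLOAD.antispyware.example.
192.168.1.10 fileserver.lan
"""

# Hypothetical watchlist: domains of the security tools you depend on.
WATCHLIST = ("antispyware.example", "scanner.example")


def audit_hosts(hosts_text, watchlist):
    """Return (line_number, address, hostname, verdict) for watched names.

    verdict is "blocked" when the name is pinned to a loopback or
    unspecified address (the site becomes unreachable) and "redirected"
    when it is pinned to any other address.
    """
    watched = [w.lower().rstrip(".") for w in watchlist]
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        # Drop comments, then split into "address name [name ...]".
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid HOSTS entry
        blocked = addr.is_loopback or addr.is_unspecified
        verdict = "blocked" if blocked else "redirected"
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            # Match the watched domain itself and any of its subdomains.
            if any(host == w or host.endswith("." + w) for w in watched):
                findings.append((lineno, fields[0], host, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, WATCHLIST):
        print(finding)
```

A clean HOSTS file normally has no entry at all for an anti-Adware/Spyware site, so any finding deserves a look before the line is deleted.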
Dialers
While dialers don't fit the classic definition of Adware/Spyware, they are included in this discussion since they are installed and run without your knowledge or informed consent, just as Adware/Spyware programs are. If you consider a $1,700 phone bill a matter of some consequence, you will want to know about dialers. Dialers are programs that enter your computer by boring through security holes in your browser or instant messaging program and are typically installed by clicking on a link on an adult or other shady site. They can also be installed if you click on a link in an e-mail message. When the site loads, the dialer is installed. These programs use a dial-up modem connection to call 900 and international numbers, resulting in exorbitant charges (typically $5 per minute or $300 per hour) on your phone bill. These programs can dial anytime that your computer is on and your modem is connected to a phone line. On average, 10% of the machines that come to our shop for repair have a resident dialer. To battle dialers, make certain that you download and install all critical updates and refrain from visiting - or accepting an e-mail invitation to visit - adult sites. For more information on safeguarding your computer from dialers, see our discussion of protecting your PC.
Un-installing Adware/Spyware generally
Un-installing Adware/Spyware will in many cases cripple the umbrella program. For example, if you downloaded and installed a program to remember your name and password and you un-install the Adware/Spyware component, the name and password storage functionality will likely be lost. In some cases, the Adware/Spyware programs contain tricklers that attempt to re-install files as you delete them. In some cases, un-installing an Adware/Spyware program will prevent you from accessing the Internet. Removal of Adware/Spyware folders, files and registry keys should not be taken lightly. We use PepiMK Software's Spybot Search and Destroy (free, but donation requested) to remove Adware/Spyware in the shop. It can be downloaded from this site. A word of caution: Don't use this program unless you understand what it will do. Some sites will not allow entry unless the site's Adware/Spyware is loaded. Using Spybot may make entry into these sites difficult, if not impossible. Note that the program developer provides updates to address recently discovered Adware/Spyware programs. To make efficacious use of the program, you must check for updates and download and install them before running the program. We recently encountered problems downloading the updates. Try selecting one of the mirrors, in particular Rootboxen.net (USA). This page, which includes a screen shot, shows how to update Spybot. (Tip: Apparently, a considerable load is being heaped upon Spybot's main and mirror sites. Be patient when downloading updates.) Read this excellent, brief tutorial to learn about running Spybot generally. Be advised that Spybot is not a cure-all. Spybot is a free program and the developer and his colleagues simply do not possess the resources to keep pace with the developers of Adware/Spyware. In quite a few cases, one must resort to the always dangerous act of editing the registry and deleting files in safe mode to remove especially obstinate Adware/Spyware programs.
Spybot versus Norton AntiVirus 2004
Aside from the stability, support and performance issues that have plagued Norton AntiVirus 2004, it is not as effective as Spybot in identifying and removing Adware/Spyware. Digressing a bit from Adware/Spyware, we have investigated error messages at Symantec's site, only to find that Symantec is aware of the error and that there is no fix. If your subscription to NAV 2003 has not expired, renew it before it expires. Incredibly, the following appears on a Symantec page pushing the properties of two of its products: "Although most malware programs are legitimate, they are often installed to your computer without your direct knowledge. This poses privacy concerns for many people."
Un-installing Browser Helper Objects (BHOs)
According to the developer of HijackThis, an excellent, free BHO removal tool: "Autoloading entries can load a Registry script, VB script or JavaScript file, possibly causing the IE Start Page, Search Page, Search Bar and Search Assistant to revert back to a hijacker's page after a system reboot. Also, a DLL file can be loaded that can hook into several parts of your system." Certain BHOs will put you in an endless loop. After you remove them by using Spybot, when you re-boot, you will find that they have re-installed themselves. (We call this form of scumware a "Freddy Krueger program." Like the horror movie character, after you think that you have permanently disposed of the program, it keeps coming back.) Spybot and Ad-aware use databases to identify certain files and registry sub-keys and values that are associated with known Adware/Spyware programs. Polymorphism (the capacity to assume different forms) is apparently becoming rampant, as developers of Adware/Spyware try to keep one step ahead of the developers of removal tools by making minor changes in code or re-directing to dynamically addressed sites. Lop, it has been observed, has 20 or more known variants that install themselves in various locations on your system. Even if you apply the most recent Spybot includes file and run Spybot, you may not be able to rid your system of the program. In the unlikely event that a BHO contains an un-install option, in many cases the un-install is incomplete. A CLSID value will remain in the registry, linking to an executable that will re-install the program. For more information on un-installing BHOs, read this outstanding article. Recently, Spybot found Vloading and MediaUpdate, both "tricklers", and fixed them, but they re-installed themselves upon re-boot. In such cases, download and install HijackThis or follow the manual removal instructions at doxdesk.com (links at bottom of page).
If you follow either of these routes, back up the registry and if you are running XP®, set a manual restore point. While we are not quite there yet, it may be necessary in the near future to re-install the operating system to finally put some especially pernicious pests to rest.
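To see which BHOs are registered and which DLL each CLSID points to, the registry backup itself can be inspected. The following is an added example, not part of the original article and not how Spybot or HijackThis work internally: it parses the text of a registry export and resolves each BHO CLSID to its InprocServer32 DLL. The sample export, its CLSIDs and paths, and the function names are constructed; the allowlist is whatever you have verified yourself.

```python
import re

# Internet Explorer loads one BHO per CLSID subkey under this key.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
# The DLL for a CLSID is the default value of <root>\{CLSID}\InprocServer32.
CLSID_ROOTS = (r"HKEY_CLASSES_ROOT\CLSID",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID")

# Constructed sample export; the CLSIDs and file paths are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33333333-3333-3333-3333-333333333333}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\ExampleToolbar\\toolbar.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\WINDOWS\\System32\\xq7f3.dll"
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files write a backslash as \\ and a quote as \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: string_data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[-"):
            current = None  # "[-KEY]" marks a key deletion, not a key
        elif line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)  # string values only; others are skipped
            if m:
                name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
                current[name] = _unescape(m.group(2))
    return keys


def audit_bhos(reg_text, allowlist=()):
    """Return (clsid, dll_path_or_None, status) for every registered BHO."""
    keys = {k.upper(): v for k, v in parse_reg(reg_text).items()}
    allowed = {c.upper() for c in allowlist}
    prefix = BHO_KEY.upper() + "\\"
    findings = []
    for path in sorted(keys):
        clsid = path[len(prefix):]
        if not path.startswith(prefix) or "\\" in clsid:
            continue  # not a direct child of the BHO key
        dll = None
        for root in CLSID_ROOTS:
            server = keys.get("\\".join((root.upper(), clsid, "INPROCSERVER32")))
            if server and "@" in server:
                dll = server["@"]
                break
        if dll is None:
            status = "dangling"      # BHO entry with no class registration
        elif clsid in allowed:
            status = "allowlisted"   # a CLSID you have verified yourself
        else:
            status = "review"        # unknown DLL loaded into the browser
        findings.append((clsid, dll, status))
    return findings
```

Running the same audit on exports taken before removal and after the next re-boot shows whether a "trickler" has put its CLSID back.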
Avoiding installation of Adware/Spyware
Adware/Spyware avoidance must be approached generally in the context of an overall strategy to protect your PC against security threats. See our discussion of Protecting Your PC. Specifically, use a browser that is more secure than Internet Explorer®. Mozilla is an open-source, free browser that handles security issues far better than Internet Explorer®, and its e-mail client includes effective spam blocking features. It is the default browser and e-mail client on one of our machines, and we categorically suggest it to users willing to spend some time learning how to use it. If you are running Internet Explorer®, download, install and update an excellent freeware/donationware program called SpywareGuard, which runs real-time scans against Adware/Spyware and provides download and browser hijacking protection. If you use the program, we recommend that you make a donation using PayPal.
Your choice
A rapidly dwindling number of users are willing to tolerate Adware/Spyware in exchange for the functionality of the umbrella program. Others have found that the price exacted by Adware/Spyware outweighs the benefits of using the umbrella program. Whatever your position on Adware/Spyware, it seems abundantly clear that Adware/Spyware poses real potential for serious system performance degradation, start page hijacking, re-directing, invasion of privacy, system crashes and other .
Additional resources
The following is a list of assets useful in contending with Adware/Spyware:

 


Web Page Designed By  ADAM
Copyright © 1981 - 2008
MINDPRIDE CONSULTING All rights reserved.
Revised: November 21, 2007