Adware and Under-Wear – The Definitive Guide

"Targeting, profiling, and tracking individuals across the Internet is UNETHICAL unless the individual has given these companies explicit permission to do so. Absent explicit permission, surveillance represents spying which should be prevented, banned, and outlawed." — Steve Gibson

Probably very few of us are above a bit of snooping every now and then. As kids, we’d play "Green Berets" in the woods, "spying" on the guys who were building the new house down the road. You probably did something similar. Now that we’re adults, you and I sometimes prick our ears up to "listen in" on another’s conversation, or peer over the pages of our magazine to watch the doings of a family member or fellow worker. If we don’t have much of a conscience, or if we see a pressing need, we might go even further — listen to another’s phone messages, pry into someone else’s email, poke around in their computer files. It’s part of the human condition. Parents snoop through their kids’ sock drawers, and the kids return the favor. Bosses keep track of their employees’ Net surfing habits. Spouses comb through their better halves’ credit card statements. It’s human nature to want to know what others are up to, and depending on the situation, it can be classed as harmless nosiness, standard business practice, harsh necessity, or an invasion of privacy.

Both the computing world and commercial enterprises indulge in as much snoopery as any other branch of human existence, and the ethical questions and variety of practices employed in both areas are just as wide-ranging as anywhere else — especially when they overlap. At the more objectionable end of personal and business computing is the often harmful, usually unethical, and always invasive category of software utilities, browser add-ons, and advertising tactics clumped together under the terms "spyware," "adware," "thiefware," "malware," and other labels. These range from programs that transmit data on your surfing and purchasing habits to advertising cartels, all the way to virus-like programs that hijack your computer and force you to visit designated sites (anything from vendors to porn purveyors). They may change your computer’s settings, damage your file structure, disable other programs, and surreptitiously share your computer’s resources with other networks.

Business sites can find that shoppers are being led away from their sites to the competition’s Web catalogs. The loss in individual privacy is enormous; the loss in revenue to businesses victimized by these Internet boondogglers is incalculable. In some instances, home users find that these programs render their machines virtually unusable, while Net businesses find their attempts to honestly sell their goods are thwarted. Over 25% of Websites employ some kind of "in-your-face" advertising, according to the Internet research firm Cyveillance; many of these advertising techniques cross the line into what I’m terming, only somewhat whimsically, "underware." Government regulation is almost non-existent, so the only restraints on advertisers are their own sense of right and wrong, and what they believe the market will and will not tolerate.

And generally, the market will tolerate a lot.

Where Did It Come From? A Brief History of Adware

[T]he truth of the Web [is that the] early days were chaos, and nobody, no matter how smart he or she was, understood how it was going to unfold. More to the point, we still don’t. — Clay Shirky, August 2000

There seems little doubt that the whole idea of ad- and spyware came about as a legitimate extension of Internet advertising. It didn’t take long for the idealistic view of the Internet and the World Wide Web as being totally non-profit, everything-for-free venues, to fade away. Hotwired introduced Web advertising on its site in October 1994, featuring ads from Sprint, Volvo, AT&T, MCI, Zima, and others; by the time consumers began surfing the Web with the brand-new Netscape 1.0 in November of the same year, Web ads were already a fact of life. Spam — mass commercial emailings to legitimate mailing lists — appeared en masse in December (though the first spam reference I can find is the infamous April ’94 spamming from Canter and Siegel Legal Services). Affiliate marketing began in the same year, with PC Flowers and Gifts, Cybererotica, and others beating out better-known affiliate programs like Amazon.com to the Internet.

By 1996, tracking methodology had been implemented and was in use by such ad providers as ValueClick, Alexa, Be Free, LinkShare, and Commission Junction. Refer-it.com was launched in 1997 as an attempt to provide a centralized, detailed search function for affiliates. The idea was relatively straightforward: to reach out to as many Net consumers as possible, and somehow track their surfing and buying habits in order to fine-tune advertising tactics. Of course, the entire idea is predicated on invading Net users’ privacy at least to some degree. "Cookies," designed as part of the original Netscape protocols, were implemented to store login information, track surfers’ visits to commercial sites, and keep at least some record of personal and demographical information in order to assist sales and marketing tactics; ad banners were selected to target a site’s demographics; and so forth.

The thinking isn’t much different from the ideas driving mass postal mailings, catalog requests (why do you think they ask you for so much information for a simple catalog mailing?), telemarketing calls ("We see you’re a satisfied customer of Foobar Corporation’s MegaWidget, and as such, we’d like to introduce you to…") — even television ads marketed to a channel’s prime viewing audience (toys on Cartoon Network, shopping outlets on Lifetime, computer goodies on TechTV, etc.). All these advertising and marketing techniques are, by necessity, somewhat scattershot in approach and effectiveness, and the results bear this out. When a 1% "click-through" rate for banner ads is considered excellent, that says something. So the advertisers and the software designers decided to raise the bar a bit.

The idea of specifically targeted "adware" came about when the producers of freebie products found that they couldn’t make money — or enough money to suit their pocketbooks — by simply giving their products away, or hoping that folks who signed up for their services would click on the ads that ran on their sites. Thus they began to bundle advertising within their wares. Suddenly Websites and software developers that prided themselves on being aggressively non-profit found themselves forced to accept advertising to stay afloat. Developers found themselves embracing, or at least accepting, the idea of modifying their programs with commercial content, requiring users to either accept ads along with the freebies or register the programs, usually for a fee, to obtain the ad-free versions. Of course it didn’t end there. As Internet advertising showed itself to be a dicey-at-best proposition, the software used to promulgate advertising and encourage ecommerce on the Net became more and more sophisticated and, unfortunately, more intrusive.

Since HTTP is a "stateless" (non-persistent) protocol, it is impossible to differentiate between visits to a web site, unless the server can somehow "mark" a visitor. — David Whalen, The Unofficial Cookie FAQ, May 10, 1999

A major driving force behind adware technology has been the cyberporn industry. Porn meisters (who account for up to a fifth of American Web revenues) may market wares that are objectionable and offensive to the majority of Web surfers, but their ad techniques work quite well within their market, and their technology tends to be more sophisticated and "cutting-edge" than that of more mainstream advertisers.

The Web tracking firm Cyveillance has found that mainstream advertisers are routinely accepting technology and tactics once limited to porn vendors. These include the now-ubiquitous "pop-up" ads (appearing on 30% of the world’s Web sites as of November 2001), the newer "pop-unders," and the more annoying "mouse-trapping" tactics, which prevent users from exiting a page (showing up on over 5% of Websites). Vertical "skyscraper" banner ads split time with ads that spawn new browser boxes when a Website is downloaded. Other, more intrusive types of ads zoom across Web pages or fill computer screens while a Web page is being downloaded. These techniques were birthed on the porn sites, and as the mainstream advertisers learned just how effective they were proving to be, they adopted them for their own purposes.

According to a Cyveillance spokesman, "the most aggressive [advertising] sites continue to be the pornography sites, followed closely by the gambling sites. But you’re also finding more aggressive behavior on totally mainstream sites." Other techniques are also being employed, particularly using Flash and JavaScript technology to give the surfer a "richer experience" in the ads he or she peruses. Of course, one surfer’s "rich experience" results in another surfer lunging for the close button… if they can find one in the ad. "It’s a fine line between getting a client’s message out there and making people irritated," says one marketing firm.

InternetFuel’s advertising techniques include a blizzard of pop-ups as you leave a site, while Search-Explorer.com uses a mouseover script that automatically downloads advertising software to your hard drive. InternetAlert uses ads designed to look like Windows’ own system warnings to scare consumers into buying their product. A particularly onerous Web marketer, John Zuccarini, registered about 5500 Internet domains that were misspelled versions of popular, legitimate domains, including 41 misspellings of "Britney Spears." Surfers who misspelled the singer’s name in their Web searches often wound up at one of Zuccarini’s sites, where they were inundated with pop-up ads, including ads for porn sites and for the infamous "psychic" Miss Cleo.

Little, if any, of this is illegal as yet, mostly because the law hasn’t caught up with the latest online marketing strategies (Zuccarini was ordered by the courts to pay back $1.8 million in "ill-gotten gains," but disappeared without paying; he is still being sought by American authorities). Annoying? Aggravating? You betcha. One irate user goes so far as to label it all "cyberterrorism." But with spending on Internet advertising in 2002 topping $9 billion, you can bet it won’t be going away any time soon.

The reason why there’s an upsurge in advertising sleazeware is because it works. — Pesach Lattin, editor of Adbumb newsletter

What Does It All Mean?

The various terms used for these programs sometimes overlap in meaning, but let’s try to break the programs down into groups, each labeled, however arbitrarily, with one of the terms currently in use. Naturally there’s a good bit of overlap.

Adware is the least offensive of the bunch, though still quite intrusive, annoying, and sometimes disruptive. These programs do anything from sending dozens of unwanted ads to your browser — pop-ups, pop-unders, Flash animations that temporarily hijack your screen, you name it — to more direct assaults on your machine, including:

  • resetting your home page,
  • adding links in your Favorites, and
  • yanking your browser to their sites while you’re trying to go elsewhere.

Some adware is perfectly above board, telling you up front that the software will direct ads to your display. Opera, the browser, and Eudora, the email client, offer no-cost, ad-supported versions of their programs, and require you to pay if you want to be ad-free; many other shareware developers offer similar versions of their wares. The more insidious ones install ad-channeling or tracking software without your knowledge. Often the data collected is used to "target" ads to the surfer, sending him advertisements tailored to his surfing habits. For example, if you visit several sites to peruse and download MP3s, this information will be sent back to the marketing company, resulting in them displaying MP3-related advertisements when you use the software.

Spyware is defined by Wikipedia as "technology that gathers information about a person and/or their computer, and transmits it to someone else: advertisers, law enforcement officials, hackers, etc." It sends information on you and/or your machine back to its home servers, including IP addresses, email addresses, system configurations, and in some instances, credit card and personal information.

The excellent spyware removal program Ad-aware discusses spyware in its documentation:

"The term ‘Spyware’ covers advertising systems which secretly use your Internet connection to download banner-ads or send various user data to a third party’s server — with or without knowledge of the user. These companies build user profiles for statistical data, or they sell it to third parties to do target advertising. Often an attractive ‘Free’ host application is used to transport the parasite. Nearly all spyware systems hide their intentions (gathering user-specific information) behind a nice privacy policy, shown during or before the installation of their (customers’) software. Anyway, it is like the ‘fine print on the back of the ceiling.’ In our experience most of the time people were not aware of the fact that they installed an advertising parasite when they installed the so called ‘freeware’ application. When you decide to uninstall the host application (the freeware), the spyware will remain active on your system. This so-called ‘freeware’ is not free at all; it may cost your privacy or at least bandwidth and CPU resources. Since no trojan / virus scanner scans for them, it is not trivial to remove them entirely or even detect them."

Malware (short for MALicious softWARE) actively alters and/or damages your system, including the aforementioned browser resettings, rewrites of your configuration, entries into your Registry, system crashes, and more. Sometimes the line between malware and viruses is pretty blurred. The term is often used to cover the entire range of "hostile" software, including viruses, trojan horses, and worms. The author of Malware.org states that "the issue [of] whether a program is "malware" or not is in the mind of the person executing the code."

Sorting Out the Underware

There are several major players in the field along with a raft of smaller, lesser-known programs and Websites that invade your computer and steal your business profits. The following is by no means comprehensive.

Sharing the Wares

A large portion of the "underware" out there is promulgated on the file-sharing networks such as Kazaa, Morpheus, Bearshare, Gnutella, Limewire, Grokster, Aimster, iMesh, Audiogalaxy, and others. You probably associate these P2P clients with music file downloads, but other types of files are available on some of these networks as well.

Unfortunately, these sites also abound in a myriad of adware, spyware, malware, and outright viruses that come along for the ride with your Faith Hill or Eminem downloads. One of the founders of Audiogalaxy wrote of his history with that P2P provider, from its beginnings as a free file-sharing network to its current incarnation as a spyware-ridden "service":

"Towards the end of my time there, online advertising budgets fell through the floor and we were forced to find other methods of income. Sometime around then we began bundling so-called spyware into the satellite installer, simply because they paid good money and nobody else was. Despite all the accusations and misinformation flying around, the satellite always gave you either the option of not installing the spyware, or told you quite clearly what it was doing in all caps at the top of the readme that was automatically displayed (yet usually ignored). We all disliked having other software go along with the satellite, but we had to make money somehow and tried to make it as transparent as possible."

Other networks were less above board about the spyware they included with their file transfers. Today, anyone who uses any of these file-sharing clients puts themselves at serious risk of allowing potentially damaging crudware onto their computers. It’s worth noting that some noble programmers have created several ad-free versions of some of these clients, including Kazaa, Grokster, iMesh, and others. Some, like Grokster and iMesh, have embraced them and made them part of their sites; others, like Kazaa, are actively attempting to discredit and shut down these ad-free alternatives. "We mean to stamp it [KazaaLite] out," said Sharman CEO Nikki Hemming, whose company owns Kazaa.

Meanwhile, Kazaa continues to lead the way in spyware provision. Already Kazaa users run the risk of acquiring New.net, Onflow, WebHancer, msbb, TOPtext… and Cydoor ad- and spyware additions. For even more fun, they’re bundling new and increasingly intrusive programming inside their client software. Brilliant Digital, a known source of adware, has struck an agreement with Kazaa to offer its "Altnet" video and audio content alongside Kazaa’s own offerings.

The problem with Altnet is that there’s a "sleeper" program bundled inside its downloads. On a specified day, the program will "wake up," and immediately activate Brilliant Digital’s "SecureInstall" program the next time the user connects to the Kazaa network. Kazaa users will then be inundated with a wave of multimedia banner ads, and will be prompted to upgrade to a new, presumably cleaner version of Kazaa. Instead, they’ll be connected to the Altnet P2P network. Worse, some users’ computer resources will be conscripted into working in the Altnet network. Kontiki and RedSwoosh are doing something similar with the wares offered on their sites.

Kazaa is also a well-documented source of viruses; several viruses and worms specifically targeted for Kazaa users include Benjamin, Duload, and Kowbot. They all masquerade as MP3 or video files. Gnutella users have also been targets for worms.

Certainly the file-sharing sites are not the only sources for crudware, but they are major sources and need to be treated with caution.

There’s a lengthy list of programs that qualify as one sort or another of "underware." I won’t attempt to list every one of them, but here’s the scoop on some of the most malicious and/or well-known villains in the field.

Gator

One of the most ubiquitous and successful spyware programs out there, Gator offers itself as a utility for filling out Internet forms — just give your info to Gator the first time and the big green reptile will take care of every form you encounter thereafter.

Unfortunately, Gator’s real purpose is to collect user information, track users’ shopping habits, and provide them with tailored advertising content. After criticism from the Interactive Advertising Bureau, and an unsuccessful lawsuit, Gator claims to have crippled this part of its software while they worked for a "more acceptable" solution; however, Symantec still lists Gator’s software as being infected with a trojan horse. Naturally, Gator claims no knowledge of any Trojans or security holes, but they do offer a software upgrade for "enhanced security."

Cexx.org, one of the premier Websites for fighting spyware, describes Gator as perpetrating "drive-by downloads" on unsuspecting users. "In this scheme, a normal banner or popup ad will attempt to install software (executable code) on the user’s PC. Depending on the browser’s security settings, the software will either download silently and without any user action, or present an install dialogue. Novice users may choose ‘Yes’ thinking the browser is asking to download a legitimate page-display plugin."

Gator also includes an even sneakier component, OfferCompanion, in its code. OfferCompanion not only lards down the user’s browser with banner ads and sends information on you and your surfing habits back to Gator, but it also replaces ad banners from legitimate vendors with its own content. Naturally the legitimate, paying advertisers are outraged that their ads are being displaced without warning, often by ads from competitors or even from adult sites. "Among other things, this ‘steals’ advertising revenue from the legitimate owner of that Website, as their banner is inaccessible and covered up by the Gator ad." In July 2002, a federal judge ordered Gator to temporarily stop displaying advertising over Web publishers’ pages without their permission, prompted by a lawsuit filed by the New York Times, the Washington Post, Dow Jones, and other publishers.

Gator has no problems with owning up to its shady practices, at least to a degree. In their own words:

"The small browser plug-ins, which users can download free, follow users’ movements throughout the Web. Through the browser, agents learn where a user is, what he or she might be about to do or buy, and for what price. Then the agents make a better offer. Users are motivated to check out the offer, since they activate the agents voluntarily by downloading them. Most consumers hear about the gimmick through an advertiser’s online campaign, or by word-of-mouth. … Instead of serving up a long list of ads across a network of preselected sites, agents serve specific ads to specific individuals whenever they shop a certain category or particular site, essentially ‘tailor-making’ ads. These banners or pop-ups feature coupons, rebates, product bundling, and so on. It’s highly targeted, direct Web marketing — in many ways, the original promise of the Internet."

Rosy, huh? Most advertisers who lose revenue from Gator’s switcheroo don’t think so.

Tribune Media Services says, "Gator tracks the sites that users visit and forwards that data back to the company’s servers. Gator sells the use of this information to advertisers who can purchase the opportunity to make ads pop up at certain moments, such as when specific words appear on a screen. It also lets companies launch a pop-up ad when users visit a competitor’s Web site." Matt Mickiewicz of our own SitePoint warns, "Because Gator is installed on a user’s PC, it can alter any Web page so that it delivers the advertising that Gator is paid for. In fact, that’s already what Gator is doing – serving pop-up ads that cover the EXACT space occupied by banner ads. In essence, they swap a publisher’s ad for their own. Gator has even resorted to serving the normal pop-up ads that promote competitors when a specific Website is visited. For example, visitors to AmericanAirlines.com can be hit with an offer to visit Delta Airlines."

You don’t need a marketing consultant to tell you just how costly, and how troublesome, this is for the Web marketer. The user is denied access to legitimate, bought-and-paid-for advertising, and worse, is inundated with many more pop-ups and banners than they would be during normal, Gator-free surfing. Now that a judge has restrained Gator from these practices, we’ll have to see what happens with Gator and with other, similar programs like TopText and Flyswat.

Gator has finally agreed to put removal instructions on its Website. Basically the user goes through Add/Remove in the Control Panel, locates Gator eWallet, and uninstalls it, making sure to check the "Delete User Information" box. OfferCompanion can also be removed through the Add/Remove applet.

EZula (TopText)

"Imagine how powerful it could be to widen the effectiveness of search engine keyword advertising to the entire Web. This will enable you to reach millions of qualified users from every web page that contextually matches your campaign objective and your product or service keywords, anywhere on the Web." — eZula

TopText is a program that works the same side of the street as Gator, but with a different approach — the use of the infamous "yellow links." Basically, what TopText does is to "hijack" certain key words and phrases that have been purchased by advertisers — say, "car" or "MP3." Users who have TopText on their computers see these words highlighted in yellow, no matter what Web site they’re visiting. Clicking on these highlighted words sends them to the page of the company who paid for the click-through on that specific keyword.

Matt Mickiewicz again warns Web vendors, "People are at this very minute leaving your Website by following links that were inserted by TopText, and you don’t have any say about it!" Meanwhile home users are being suckered into following links never intended by the Website owner. Similar products from Flyswat and WhenU use green highlighting and/or superimposed graphical links. For Website owners, this can draw consumers away from your business site and lead them to the competition — potentially disastrous for those who survive on "pay-per-click" (PPC) protocols. For Web surfers, this can slow your browsing, crash your computer, and track your surfing and buying habits without your knowledge.

Most Website owners don’t appreciate any additions or modifications to their site; as Appleworks phrases it, "This is akin to having advertising stickers slapped on your backside as you walk down the street." TopText installs itself surreptitiously when you visit any affiliated sites (which currently include the search engine LookSmart, the file sharing networks Kazaa and iMesh, Gator, and Commission Junction). Fred Langa says, "[T]hese links are not placed there by the web site creator or author; they’re inserted by the software, which bases its decisions not on simple contextual relevance, but on who’s *paying* to be linked. In other words, the ‘links’ are really ads."

If you’re a user who’s been a beneficiary of the TopText download, you might find a file called EZULAMAIN.EXE on your hard drive. You can get rid of this one easily enough through the Add/Remove applet in Control Panel. Webmasters may be able to block TopText from running on their pages by adding the anti-Smart Tags META tag:

<META NAME="MSSmartTagsPreventParsing" CONTENT="TRUE">

though this is not yet verified.

Other TopText-like programs are floating around out there. SurfPlus is, ironically, a browser plugin that purports to stop annoying pop-up ads. It used to install a program called EasyLink that reportedly specialized in pornographic links, but now claims that the EasyLink functionality is disabled. AdPointer, another similar utility, seems to be missing from the Net, though I imagine copies of the program are still floating around.

Cydoor

[Illustration: Cydoor installation screen]

Sneaky — this particular Cydoor installation doesn’t even identify itself except as "adware support." Cydoor uses its CD_CLINT.DLL file as the central nexus for its variety of installations. CD_LOAD.EXE runs in the background for offline uses. It downloads ads for on- and offline viewing.

Cydoor now seems to be behaving better than it once did. Earlier versions left it up to the host vendor’s installation procedure (as in the illustration above) to warn the user that they were about to install Cydoor. It also used to use a GUID to track individual users across multiple browsing sessions. They have since halted those actions. However, it still installs itself into your Registry, making it more difficult to remove, and can install itself even if you don’t approve the installation of its parent utilities.

Ad-aware seems to delete Cydoor fairly effectively, but to be sure, you can access a more in-depth removal feature on this site.

TSADBOT

A proud member of the Cydoor adware family and considered a virus by several sources, TSADBOT connects to the Internet when you fire up your Net connection, downloads ads, and implements an unauthorized proxy server on your system which cloaks the program’s network connections. AdGateway "profiles", which are demographic, behavioral, or both, are stored in encrypted files on the user’s system, and are sent to Cydoor. It’s pernicious: it remains after you delete its accompanying software, is difficult to remove, and is likely to reinstall itself if you do remove it. If for some reason the adbot is prevented from connecting to Cydoor by a firewall or other security measures, it retries continually, up to 10 times a second, which can overload local network facilities. It may even attempt to connect using Telnet or other ports, coming back to the HTTP connects after a time. Lovely, huh? PKZip is one known source of this piece of code.

As I said, it isn’t easy to remove this one. The folks at CounterExploitation provide good removal instructions here.
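The retry behaviour described above is what gives a blocked adbot away in firewall logs. The following is an added example, not part of the original article: a sliding-window detector that flags any internal host whose denied outbound attempts reach a sustained per-second rate. The log format, the addresses and the threshold of 8 are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed firewall deny records (hypothetical format, documentation IPs)."""
    base = datetime(2002, 11, 1, 9, 0, 0)
    lines = []
    # 192.168.1.23: a blocked client retrying every 100 ms for three seconds,
    # trying the Telnet port for a while before returning to HTTP.
    for i in range(30):
        ts = base + timedelta(milliseconds=100 * i)
        port = 23 if 10 <= i < 20 else 80
        lines.append(f"{ts.isoformat(timespec='milliseconds')} DENY OUT "
                     f"192.168.1.23 -> 203.0.113.10:{port}")
    # 192.168.1.40: ordinary traffic with an occasional blocked request.
    for i in range(3):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} DENY OUT "
                     f"192.168.1.40 -> 198.51.100.7:80")
    lines.append("-- log rotated --")  # malformed line, must be skipped
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, port), or None for lines that do not match."""
    parts = line.split()
    if len(parts) != 6 or parts[1:3] != ["DENY", "OUT"] or parts[4] != "->":
        return None
    try:
        dst, port = parts[5].rsplit(":", 1)
        return datetime.fromisoformat(parts[0]), parts[3], dst, int(port)
    except ValueError:
        return None


def find_retry_storms(lines, window=timedelta(seconds=1), threshold=8):
    """Flag sources whose denied attempts within any `window` reach `threshold`."""
    events = sorted(e for e in map(parse_line, lines) if e)
    recent = defaultdict(deque)   # per-source timestamps inside the window
    report = {}
    for ts, src, _dst, port in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:   # drop attempts older than the window
            q.popleft()
        r = report.setdefault(src, {"attempts": 0, "peak_per_window": 0,
                                    "ports": set(), "first_seen": ts})
        r["attempts"] += 1
        r["peak_per_window"] = max(r["peak_per_window"], len(q))
        r["ports"].add(port)
    return {s: r for s, r in report.items() if r["peak_per_window"] >= threshold}


if __name__ == "__main__":
    for src, r in find_retry_storms(make_sample_log()).items():
        print(f"{src}: {r['attempts']} denied attempts, peak "
              f"{r['peak_per_window']}/s, ports {sorted(r['ports'])}, "
              f"first seen {r['first_seen']}")
```

A host flagged here is a candidate for the removal steps, since the storm continues for as long as the program stays installed and blocked.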

Aureate/Radiate

An infamous source of ads overlaid on your browser, this one comes along with over 300 files and sources, including Go!Zilla, CuteFTP, GetRight, Buddyphone and others. Some of the ads it sends your way are fullscreen 640×480 ones. While we know that Aureate/Radiate transmits a goodly amount of information to its parent company and/or its licensees, exactly what is being sent is hard to determine. Better yet, it secretly installs itself as a Windows Service, and registers itself as a browser helper app that loads with your Web browser, giving itself the capability of monitoring every site you visit. Web advertisers can’t be too happy with it either, since Aureate skims off 40% of the developers’ revenue right off the top for using their wares. If you’re running Aureate/Radiate, you’ll have a file called ADVERT.DLL somewhere in your system; there are others, but this .DLL is the heart of the system.

Uninstalling the program(s) that gave you Radiate won’t delete the intruder, but Ad-aware will, deleting the 9 associated files and accompanying Registry entries. The CounterExploitation page on Aureate/Radiate tells you how to uninstall the program manually, and Aureate/Radiate also provides a tool for getting rid of it that reportedly removes both the associated files and Registry entries. Be aware that some "parent" programs such as Go!Zilla won’t run without the Aureate/Radiate software.

Alexa

Released in 1997, Alexa is a search toolbar that integrates with your browser and provides a variety of links and functions. It’s currently partnered with Google, and was bought out by Amazon in 2000, so you might think Alexa is a completely aboveboard and innocent program. In many ways, it is.

However, it ran afoul of the law in 2001 when it was accused of selling private information to Amazon without users’ consent, and paid over $1.9 million after a court found Alexa guilty of violating users’ privacy.

Although Alexa claims to have cleaned up its act, Ad-Aware still lists Alexa as adware. Personally, I’d certainly be leery of having this program on my machine. Note, though, that Alexa comes bundled with Microsoft Internet Explorer. Therefore, everyone will have this on their machine at one point or another. It’s safe to remove.

SaveNow

Created by a company called WhenU.com, "SaveNow" is described as "[o]ne of the most pervasive pieces of piggyback software" on the filesharing networks. BearShare, iMesh, and the Global DivX online movie player, among others, distribute this little goodie. It tracks where you surf and uses that information to target you with pop-up ads.

While this one doesn’t send information back to its parent company, it does continuously download updated information about new offers and keep a record of where you surf on your machine. It stays on in the background whether or not its associated program is running. It can be removed by going through Add/Remove, and uninstalling both SaveNow and WhenUShop. After doing this, you’ll need to remove a WhenUDownloadClass object from your browser’s temporary files, or it may reinstall itself.

Lop.com

Lop.com is known far and wide as a major purveyor of spyware and underhanded advertising techniques. Owned by C2 Media, it’s mainly a pay-per-click search portal where other Websites pay for each click-through to their sites through Lop. So far so good, but the Lopsters got devious on us by creating a program either labeled as an MP3 or porn search program. Once installed, the program uses its own stripped-down browser code to reconfigure your browser to "everything Lop." Your start page and default search engine are reset to Lop or to www.mp3search.com, your toolbar is modified, unwanted links are added to your bookmarks, your browser redirects to Lop if an error is detected in loading any other page, and a spyware plugin is installed. Older versions gave your desktop an HTML wallpaper loaded with shortcuts to Lop, but those were discontinued due to bugs in the code.

CounterExploitation notes, "The user becomes a visitor to Lop.com with nearly every action that they take with their browser, whether it be searching for something, typing in an incorrect URL, or simply by opening a new browser window. A recently discovered variant of lop’s software omits the browser and BHO altogether, and instead installs dozens of Internet shortcuts and sets the home page to http://unitedstates.rub.to. The installer for this variant may be named MP3.EXE or FREEMP3Z.EXE."

The heart of the Lop installer is the file PLG_IE1.DLL; older versions use the DOWNLOAD_PLUGIN.EXE file.

Getting rid of it is tedious but not too difficult; right-clicking the taskbar icon gives you a Help button in the Menu option that takes you to an uninstall tool. Running Ad-aware immediately thereafter removes the debris left behind by Lop, though you may find yourself manually deleting added bookmarks. You’ll now need to delete your Windows Temp files, then look inside your WINDOWS\WEB\WALLPAPER folder (WINNT\WEB\WALLPAPER for NT/2K users) and hunt for two files, DESKTOP.EXE and DESKTOP.SWF. Delete them if you find them, and reset your wallpaper if need be.

BHODemon from Definitive Solutions also removes the program itself, as does Ad-aware, but you still may find yourself making some of the manual deletions as detailed above.

RadLight

The multimedia player RadLight comes with a full complement of adware, but a recent discovery that one of its components deliberately disables the anti-spyware program Ad-aware really raised some eyebrows. This puts it dangerously near, if not fully into, the area of virus behavior. RadLight also comes with the SaveNow component described above. Ad-aware has updated its utility to handle RadLight’s disable attempt.

BonziBuddy

BonziBuddy is an Internet search facility targeted at children to assist them in finding "kid-friendly" Websites. It sends information on your surfing activities to its home site at www.bonzi.com, and may also make your machine vulnerable to hackers looking for open ports. Other Bonzi products that are suspicious include InternetAlert and InternetBoost.

It can be removed by going through its own Uninstall procedure. Bonzi also gives us the ubiquitous "InternetBOOST" ads that thunder, "Your Internet Connection Is Not Optimized. Download InternetBOOST Now!" After the Better Business Bureau became involved, Bonzi changed the wording of the ad to more clearly reflect its status as an advertisement and not a system warning. However, the most recent incarnation of the ad intones, "Your Computer’s Data is Currently At Risk." It certainly is, but the Bonzi program is part of the problem, not part of the solution.

CometCursor

CometCursors add "fun" cursors to the usual range of cursors on your machine, as well as "smart" cursors that link to encyclopedia definitions, Websites, and so forth. Since it collects marketing information from its users, it falls within the definition of spyware. CometCursors can be removed by going through Add/Remove in Control Panel.

GoHip.com

GoHip, a Web portal similar to Yahoo!, earns inclusion by the actions of a button on its home page that allows you to make GoHip your home page. The button adds an entry in your Registry that changes Internet Explorer’s default search engine to GoHip, as well as changing your home page. A removal tool is available here.

Onflow

Onflow is a browser plugin that forces ads onto your browser display, and sends "back-channel" info on your surfing habits to Onflow. Installed by BearShare and others. You can get rid of it through Add/Remove.

PhoenixNet BIOS

This is a particularly annoying piece of spyware, which actually resides on the BIOS of some PhoenixNet-enabled motherboards, and subsequently cannot be removed. It presents users with sponsored Websites and downloads, displays "Special Offers" on the boot screen, allows third-party affiliates to change your home page and search engine defaults, and tinkers with your system settings. PhoenixNet discontinued offering these spyware-enabled motherboards in 2001.

WNAD.EXE

This program installs itself as part of the popular "Yo Mamma, Osama" game from www.twistedhumor.com as well as other games from this site and the SwapNut filesharing utility. WNAD hijacks your browser to display ads every hour. The ads purport to solicit donations for the Red Cross, but this claim is suspicious at best. WNAD also tends to cause computer crashes and is responsible for a whole range of instability problems. Ad-aware removes this little critter, or you can manually delete it by removing the WNAD.EXE and WNAD.DAT files, and making the proper deletions in the Registry.

VX2, Blackstone Data Transponder, Etc.

Installed or used by Audiogalaxy, iMesh, AADCOM, NetGeo, Akamai, Mindset Interactive, TrueData, and others, this one is available under a raft of names, including Transponder (from Blackstone Data Corp.), VX2 / RespondMiter / Sputnik (from VX2 Corp.), AADCOM Extreme Targeting (from Aadcom Corp.), NetPal (from NetPalNow / Mindset Interactive), and TPS108 Transponder (tps108.org, from DigitalRooster.com).

It bills itself as a free movie viewer for watching pornography, but it is also a BHO (Browser Helper Object) that installs itself in your browser and directs advertisements to you based on its tracking of your surfing habits. It also causes crashes and major stability problems with both browsers and Windows Explorer. Ad-aware gets rid of this one. VX2.com, the home for this little pest, claims that it will delete all collected info on a user upon request, but the request form asks for far more personal information than most of us care to provide.

Flashtrack

Another BHO, Flashtrack monitors Web pages viewed and terms entered into forms on search engines. The original version, FlashTrack/FTApp, writes into C:\Program Files\FTApp regardless of where your actual Program Files folder is. FlashTrack/flt, a newer variant, installs into C:\Program Files\flt instead. Among other places, iMesh provides this little beastie. Flashtrack often causes browser crashes. You can find manual removal instructions available at and.doxdesk.com/parasite/FlashTrack.html.

DLDER.EXE, ClickTillUWin, Explorer Trojan

Installed by numerous file-sharing clients as well as Net2Phone, DLDER is actually a trojan horse that masks itself under the ClickTillUWin component. Once you’re asked whether you want to install ClickTillUWin, DLDER invades your system even if you refuse the install.

Upon installation, the virus first connects to the Website www.2001-007.com and transmits data, including a GUID, the user’s IP address and browser version. Then the software downloads and installs a trojan file named Explorer.exe from the same site, to C:\WINDOWS\EXPLORER\EXPLORER.EXE (not to be confused with the required Windows file EXPLORER.EXE, located at C:\WINDOWS\EXPLORER.EXE). DLDER then places a Run key in the Registry so that the new Explorer.exe trojan runs at startup, and adds a Registry key. It may also add icons for Clicktilluwin.com, an online gambling game, to the desktop. While you surf, the bogus EXPLORER.EXE file then connects to the Internet every few minutes to transfer the assigned GUID and lists of Websites the user has visited since the last check-in — not something any of us want on our systems. You can find out how to remove it here.
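
The trick described above, a startup entry that borrows the name of a required Windows file but lives in the wrong folder, can be checked for mechanically. The following is an added example, not code from the original article or from any tool it mentions: it audits a list of Run-key entries and flags system-named executables outside their expected directory. The value names, the sample entries other than the DLDER path, and the short table of expected locations are assumptions made for illustration.

```python
import ntpath
import re

# Expected directory of each binary, relative to the Windows directory
# ("" means the Windows directory itself). Short list assumed for this example.
EXPECTED_SUBDIRS = {
    "explorer.exe": {""},
    "svchost.exe": {"system32"},
    "services.exe": {"system32"},
    "winlogon.exe": {"system32"},
}

_ENV_VAR = re.compile(r"%(systemroot|windir)%", re.IGNORECASE)
_UNQUOTED_EXE = re.compile(r"(.+?\.exe)(?=\s|$)", re.IGNORECASE)


def executable_of(command, windows_dir):
    """Extract the executable path from a Run-value command line."""
    # A function is used as the replacement so backslashes are kept literally.
    command = _ENV_VAR.sub(lambda _m: windows_dir, command.strip())
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces: cut at the first ".exe" that is
    # followed by whitespace or the end of the string.
    match = _UNQUOTED_EXE.match(command)
    if match:
        return match.group(1)
    return command.split()[0] if command else ""


def find_masquerades(run_entries, windows_dir=r"C:\WINDOWS"):
    """Return (value_name, path) for system-named binaries in the wrong folder."""
    win = ntpath.normcase(ntpath.normpath(windows_dir))
    findings = []
    for value_name, command in run_entries:
        exe = executable_of(command, windows_dir)
        if not exe:
            continue
        exe = ntpath.normcase(ntpath.normpath(exe))
        directory, name = ntpath.split(exe)
        # Bare names are resolved through the search path; nothing to compare.
        if name not in EXPECTED_SUBDIRS or not directory:
            continue
        allowed = {ntpath.join(win, sub) if sub else win
                   for sub in EXPECTED_SUBDIRS[name]}
        if directory not in allowed:
            findings.append((value_name, exe))
    return findings


# Constructed sample of Run-key values (name, command). Only the path in the
# "Explorer" entry comes from the article; everything else is made up.
SAMPLE_RUN_ENTRIES = [
    ("SystemTray", "SysTray.Exe"),
    ("Shell", r'"%SystemRoot%\explorer.exe"'),
    ("Explorer", r"C:\WINDOWS\EXPLORER\EXPLORER.EXE"),
    ("ScanRegistry", r"C:\WINDOWS\scanregw.exe /autorun"),
    ("Updater", r'"C:\Program Files\Updater\svchost.exe" /background'),
]

if __name__ == "__main__":
    for value_name, path in find_masquerades(SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run entry {value_name!r}: {path}")
```

The comparison is case-insensitive and uses `ntpath`, so the audit can run on any platform against an exported list of startup entries.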

MediaCharger (Movie Network.EXE)

This one, once installed, displays lots of popup ads as you surf. Worse, Mediacharger may also function as a dialer for 1-900 #s for billing of adult movie downloads. Check for removal entries in Add/Remove Programs, and obtain detailed removal instructions here.

NETBUIE.EXE

This one is really offensive for those of us who dislike porn. Provided by a downloadable program called Port Detective among others, Netbuie insinuates itself into your Windows\System directory and continually sends porn ads and displays to your browser while you surf. According to a poster at C|Net, you can remove it by disabling it in MSCONFIG, deleting all Registry entries that reference NetBuie, and deleting all instances of files with "pink4free" in their titles. Lastly, remove NETBUIE.EXE from your System directory.

NE.EXE (Network Essentials, SmartPops)

Like so many others, this one displays stealthy popups while you surf or use a search engine. You may be able to get this one simply by visiting certain Websites. It can be squashed easily enough through Add/Remove.

Download Managers

Many programs that handle your Net downloads do so perfectly well. Some, however, like RealNetworks RealDownload, Netscape/AOL Smart Download, or NetZip Download Demon, track the files you download. The Netscape product even transmits your IP address to the program’s publisher. RealDownload has removed the main spyware .DLL from its program; a lawsuit filed in July 2002 is still in the courts. These can be eradicated through Add/Remove.

Broadjump

Part of the software provided by reputable ISPs like Comcast, BellSouth, and TimeWarner, the Broadjump ChannelDirect program sends ad content to subscribers whenever the ISP chooses to relay the code. It’s not the worst of the offenders, but it’s still intrusive. One source says that the program’s own uninstall routine is worthless, so it’s probably better to remove it through your Control Panel.

Not Quite, but Still Questionable

Internet Filtering Programs

Plenty of programs out there purport to "keep your surfing safe" from pornography, objectionable content, and other material you may not want to view while you or your family or co-workers surf the Net. Bess, Cyberpatrol4, NetNanny, Cyber Sitter, Cybersnoop, Eye Guard, Surf Watch, and other programs fall into this category. While this is legitimate software lawfully installed by parents, schools, employers, and others, it is in essence client-side censorship. The folks at Cexx.org make the case:

"By blocking access to ‘inappropriate’ sites and keeping intricate logs of any ‘offensive’ sites you’ve tried to visit, these programs not only restrict your freedoms, but could also violate your privacy by telling your employer/co-workers/parents all the sites you’ve tried to access — be they about breast cancer, certain religious, political or sexual orientations, drug/alcohol use, AIDS, sites for helping you find a new employer…. The privacy and job-security ramifications are far-reaching to say the least. Censorware is a tool-of-choice for overprotective parents and paranoid employers, and is typically fairly easy to disable despite password-protection and other schemes designed to deter cybersabotage."

The same page at Cexx tells how you can disable or get around most Internet filters. Be warned: some parents, teachers, and employers won’t take kindly to your efforts to work around these programs.

Web Bugs

"Web bugs" are tiny, transparent .GIF images that are loaded onto your browser when you visit their sites. If cookies are tracked, or if a procedure called "fake dating" is used, your download of the .GIF can be used to track and record your visit.

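A page can be checked for images that fit this description. The following is an added example, not code from the original article: it parses a page's HTML and lists images that are both served from a different site than the page and effectively invisible (1x1 or hidden by style). The page URL, host names and markup are constructed sample data, and comparing the last two DNS labels is a simplifying assumption in place of a proper Public Suffix List lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def site_of(host):
    """Crude site key: the last two DNS labels of a host name."""
    return ".".join(host.lower().split(".")[-2:])


def _pixels(value):
    """Parse '1' or '1px' into an int; return None for anything else."""
    match = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.IGNORECASE)
    return int(match.group(1)) if match else None


def looks_invisible(attrs):
    """True for images declared 1x1 (or smaller) or hidden through CSS."""
    width, height = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
    if width is not None and height is not None and width <= 1 and height <= 1:
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class WebBugFinder(HTMLParser):
    """Collects URLs of invisible images loaded from another site."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site_of(urlsplit(page_url).hostname or "")
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        url = urljoin(self.page_url, src)
        host = urlsplit(url).hostname
        if host and site_of(host) != self.page_site and looks_invisible(attrs):
            self.hits.append(url)


def find_web_bugs(html, page_url):
    finder = WebBugFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample page; all hosts use reserved example names.
PAGE_URL = "http://www.shop.example/index.html"
SAMPLE_HTML = """
<html><body>
<img src="/logo.gif" width="120" height="40">
<img src="http://ads.tracker.example/clear.gif?id=abc123" width="1" height="1">
<img src="http://cdn.partner.example/banner.gif" width="468" height="60">
<img src="http://stats.shop.example/px.gif" width="1" height="1">
<img src="//metrics.example.net/b.gif" style="display: none" />
</body></html>
"""

if __name__ == "__main__":
    for url in find_web_bugs(SAMPLE_HTML, PAGE_URL):
        print("possible web bug:", url)
```
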
Ultraseek

Visitors to Ultraseek’s Website might be rattled when the site shows them the contents of their own hard drives and claims that they’re vulnerable to hacking. If the surfer is suitably shaken up, he or she might buy the program this site is offering, the $100 Internet Eraser Pro, which the site claims will protect the surfer from unwanted intrusions.

It’s bad enough that the program does no more than various free programs and code blocks do, but worse, the program tries to dupe the surfer by sending a harmless "file://c:/" command to your browser, showing you (but no one else) the contents of your computer in your browser display. Ultraseek hasn’t found a vulnerability in your system and its program is dubious at best. A thoroughly underhanded marketing technique, and one not limited to Ultraseek.

A Cautionary Tale

Most Net marketers and business folks know the sad, sordid tale of Website Results, an Internet marketing firm that achieved short-lived success by lying to and spying on their customers. They told their clients that they were helping them achieve the highest possible ratings on search engines such as Google and AltaVista, and when their clients checked, lo and behold, they were ranked very highly. Huzzah! Unfortunately, it turned out that the clients (including Orvis, WebMB, eBay, and ESPN) were being duped by a combination of fraudulent reporting techniques and spyware (a specially written program dramatically dubbed "The Zebra Project").

In May 2001 three of the top perpetrators were fired and Website Results, acquired by 24/7 Media, began reinventing itself as a legitimate purveyor of search engine placement for online advertisers. The three fellows who were fired went on to found IntelliTech, and while there perpetrated an even more egregious fraud on unsuspecting visitors to their client site Flowgo, as well as other affiliated sites. Their ad on Flowgo, a family Web portal, redirected visitors to IntelliTech’s own "Kool Katalog" site. Once at KoolKatalog, users with older Java engines had a flaw in those engines exploited, which allowed up to 10 spyware files to be installed on their machines without their knowledge.

The spyware monitored what sites their victims were visiting, sent updates and other files to the infected computers, terminated firewall applications, and more. The site Online1Net.com also infected your machine. Trend Microsystems has released a free tool that automates the 49 steps necessary to purge infected machines. TrendMicro has dubbed the whole thing a virus, TROJ_SUA.A. More removal information is also available.

How Do I Keep Adware Off My Machine?

In October 2000, U.S. Senator John Edwards introduced the "Spyware Control Act" that would force manufacturers to warn users when their products include spyware. The Spyware Control Act is currently still in committee, according to a letter I received from Senator Edwards. Though there’s no word yet as to the final dispensation of this bill, if it is indeed made into law, it would give users the right to sue manufacturers who violate the provisions of the bill. We’ll keep an eye on that from "this side of the pond." And the American Federal Trade Commission is taking legal action against sites that force users to download programs that cause their machines to dial 1-900 phone advertisements.

Meanwhile, you can take some precautions of your own. These sites maintain lists of all known spyware:

All are excellent sources of information and worth checking regularly as new critters crawl their way over the Web toward your computer.

Next, you should always read the fine print in every licensing agreement for every piece of software you download. In most instances, you’ll get at least some clue to what, if any, kind of sleazeware is being introduced to your computer, and can decide for yourself if you want it on your machine.

Keep your browser’s Security settings to at least Medium, if not High. This gives you warning of anything trying to insinuate itself on your computer.

Don’t hesitate to inform advertisers of sleazy marketing tactics. In many cases, reputable advertisers are unaware of the tactics used by the firms they hire. Advertising.com severed its ties with C2 Media after it was alerted to that firm’s unscrupulous advertising tactics by a PCWorld reporter.

You’ll also want to install some protective software. All of the products listed below are very good at what they do, but the gold standard of the industry is Ad-aware, a freeware program first written to remove Aureate/Radiate spyware and now expanded to protect your machine from a plethora of bad guys. Other off-the-shelf programs are available as well, but in my opinion these programs do as good a job of keeping the gunk off of your machine as any of the commercial offerings.

Last week one of my co-workers complained to me that her computer was misbehaving. When I saw that she had Kazaa on her computer, I installed Ad-aware on her machine and found 157 separate spyware components. She used the program on the other PCs in her office and found as many or more components on them — the eventual winner came in at 283. Needless to say, the machines now run better.

In summary: "Underware" of any kind is bad for everyone. Computers misbehave, malfunction, and crash. Businesses lose revenue and customers. Users are annoyed, have their privacy violated, and have their surfing and Net shopping experiences disrupted. The more that all of us do, on both sides of the commercial fence, to combat the underware epidemic, the better off we all are.

Addendum

When I wrote this article in September 2002, Ad-aware was indeed the "gold standard" of spyware prevention software. It was free, regularly updated, and very good at keeping the pests out of your system. Unfortunately, while it is still free, it hasn’t been updated since Sept. 29, 2002, and therefore can no longer be relied upon to remove the latest spyware crawling around the Net. According to Fred Langa, Ad-aware is working on a new version (version 6), but 4-5 months between updates is too long to wait. Those of us who purchased the $15 Plus version should be particularly irate.

SpywareInfo recommends the following programs to keep your system pest-free: either the free Spybot Search & Destroy or the $30 Aluria Spyware Eliminator for removing adware, and for removing surveillance spyware, keyloggers, and password-stealing Trojans, either the $70 Spycop or the $40 X-Cleaner. Langa provides a more frugal alternative, recommending using the free Spybot S&D in conjunction with the $30 PestPatrol. Check both SpywareInfo and Langa.com for discounts on some of the above programs.

Of course, it’s your call. You can wait for version 6 of Ad-aware to come out (target date February 2003), though it doesn’t look as if the new version will be free; you can try any or all of the programs listed above; you can use other programs to defend your system against pesky malware; or you can do whatever suits you and your needs. But all of us need to be aware of the thousand different kinds of malicious software that constantly threatens our computers, and take the proper precautions.

Sources:

Langa Newsletter 1-13-03
http://www.langa.com/newsletters/2003/2003-01-13.htm

Spyware Weekly Newsletter 12-25-02
http://www.spywareinfo.com/newsletter/archives/december-2002/12252002.php

Bibliography

About Alexa
http://pages.alexa.com/company/index.html

Ad-Aware
www.lavasoftusa.com/
www.lavasoft.de/aaw/index.html

Ad-Aware
members.tripod.co.jp/eazyfox/SecuTool/ADaware/AdAware1.htm

Advertising Spyware: Aureate/Radiate
www.cexx.org/aureate.htm

Advertising Spyware: CyDoor CD_Load.exe and CD_Clint.dll
www.cexx.org/cydoor.htm

Advertising Spyware: PhoenixNet BIOS
www.cexx.org/phoenix.htm

Advertising Spyware: TSADBOT.HTM
www.cexx.org/tsadbot.htm

Advertising Spyware: WNAD.EXE
www.cexx.org/osama.htm

Adware – Spyware – Beware
freebies.about.com/library/weekly/aa060202a.htm

Adware, Spyware Help, and Resources
www.rottenrhonda.com/spyware.html

Adware, Spyware, and Advertising Trojans
www.cexx.org/adware.htm
Huge page of links and info about a plethora of adware programs that ferry info on you, your computer, and your surfing habits to various unauthorized locations

Alert to RadLight’s removal of Ad-aware from systems
www.lavasoft.nu/cgi-bin/forums/ikonboard.cgi?s=3cc486614effffff;act=ST;f=20;t=13

and.doxdesk.com: parasite: FlashTrack
and.doxdesk.com/parasite/FlashTrack.html

Anonymous Surveillance
grc.com/oo/ethics.htm

Altnet Opens Kazaa’s Doors to Paid Content
www.itworld.com/Net/4087/020520altnet/

Backdoor Santa Spyware
www.cexx.org/dltools.htm

The Biz: A History of Porn on the Net
www.bananaguide.com/bizhistory.htm

Bonzi Software
accs-net.com/smallfish/bonzi.htm

Boom Times Have Passed For Online Porn
www.siliconvalley.com/mld/siliconvalley/3200456.htm

Broadjump
www.broadjump.com/

Caution! Don’t let Brilliant hijack your PC
www.zdnet.com/anchordesk/stories/story/0,10738,2859775,00.html

Commentary: Another New Technology to Deep-Six
www.applelinks.com/articles/2001/08/20010803142336.shtml

Competition Spawns Pushier WebAdvertising
kansascity.bizjournals.com/kansascity/stories/2001/12/17/story5.html

Computer Pests: The Hidden Threat
www.sunbelt-software.com/product.cfm?id=911

Cookies
livinginternet.com/

CounterExploitation (a tremendous source of information on adware, spyware, and the like)
www.cexx.org/

Dot-com noir
www.salon.com/tech/feature/2002/07/01/spyware_inc/index.html

Don’t Eat the Yellow Links
slashdot.org/features/01/07/31/2015216.shtml

Dr. Damn Cleans House for File-Swappers
zdnet.com.com/2100-1105-891761.html

dw.exe, Movie Network.exe (Downloadware / Mediacharger / Movienetworks)
www.cexx.org/adware.htm

Even More "Scumware" To Watch Out For
www.langa.com/newsletters/2002/2002-01-28.htm#3

eZula
www.ezula.com/

Filters and Firewalls
Wikipedia as "technology that gathers information about a person and/or their computer, and transmits it to someone else: advertisers, law enforcement officials, hackers, etc." It sends information on you and/or your machine back to its home servers, including IP addresses, email addresses, system configurations, and in some instances, credit card and personal information.

The excellent spyware removal program Ad-aware discusses spyware in its documentation:

"The term ‘Spyware’ covers advertising systems which secretly use your Internet connection to download banner-ads or send various user data to a third parties server — with or without knowledge of the user. These companies build user profiles for statistical data, or they sell it to third parties to do target advertising. Often an attractive ‘Free’ host application is used to transport the parasite. Nearly all spyware systems hide their intentions (gathering user-specific information) behind a nice privacy policy, shown during or before the installation of their (customers’) software. Anyway, it is like the ‘fine print on the back of the ceiling.’ In our experience most of the time people were not aware of the fact that they installed an advertising parasite when they installed the so called ‘freeware’ application. When you decide to uninstall the host application (the freeware), the spyware will remain active on your system. This so-called ‘freeware’ is not free at all; it may cost your privacy or at least bandwidth and CPU resources. Since no trojan / virus scanner scans for them, it is not trivial to remove them entirely or even detect them."

Malware (short for MALicious softWARE) actively alters and/or damages your system, including the aforementioned browser resettings, rewrites of your configuration, entries into your Registry, system crashes, and more. Sometimes the line between malware and viruses is pretty blurred. The term is often used to cover the entire range of "hostile" software, including viruses, trojan horses, and worms. The author of Malware.org states that "the issue [of] whether a program is ‘malware’ or not is in the mind of the person executing the code."

Sorting Out the Underware

There are several major players in the field along with a raft of smaller, lesser-known programs and Websites that invade your computer and steal your business profits. The following is by no means comprehensive.

Sharing the Wares

A large portion of the "underware" out there is promulgated on the file-sharing networks such as Kazaa, Morpheus, Bearshare, Gnutella, Limewire, Grokster, Aimster, iMesh, Audiogalaxy, and others. You probably associate these P2P clients with music file downloads, but other types of files are available on some of these networks as well.

Unfortunately, these sites also abound in a myriad of adware, spyware, malware, and outright viruses that come along for the ride with your Faith Hill or Eminem downloads. One of the founders of Audiogalaxy wrote of his history with that P2P provider, from its beginnings as a free file-sharing network to its current incarnation as a spyware-ridden "service":

"Towards the end of my time there, online advertising budgets fell through the floor and we were forced to find other methods of income. Sometime around then we began bundling so-called spyware into the satellite installer, simply because they paid good money and nobody else was. Despite all the accusations and misinformation flying around, the satellite always gave you either the option of not installing the spyware, or told you quite clearly what it was doing in all caps at the top of the readme that was automatically displayed (yet usually ignored). We all disliked having other software go along with the satellite, but we had to make money somehow and tried to make it as transparent as possible."

Other networks were less above board about the spyware they included with their file transfers. Today, anyone who uses any of these file-sharing clients puts themselves at serious risk of allowing potentially damaging crudware onto their computers. It’s worth noting that some noble programmers have created several ad-free versions of some of these clients, including Kazaa, Grokster, iMesh, and others. Some, like Grokster and iMesh, have embraced them and made them part of their sites; others, like Kazaa, are actively attempting to discredit and shut down these ad-free alternatives. "We mean to stamp it [KazaaLite] out," said Sharman CEO Nikki Hemming, whose company owns Kazaa.

Meanwhile, Kazaa continues to lead the way in spyware provision. Already Kazaa users run the risk of acquiring New.net, Onflow, WebHancer, msbb, TOPtext… and Cydoor ad- and spyware additions. For even more fun, they’re bundling new and increasingly intrusive programming inside their client software. Brilliant Digital, a known source of adware, has struck an agreement with Kazaa to offer its "Altnet" video and audio content alongside Kazaa’s own offerings.

The problem with Altnet is that there’s a "sleeper" program bundled inside its downloads. On a specified day, the program will "wake up," and immediately activate Brilliant Digital’s "SecureInstall" program the next time the user connects to the Kazaa network. Kazaa users will then be inundated with a wave of multimedia banner ads, and will be prompted to upgrade to a new, presumably cleaner version of Kazaa. Instead, they’ll be connected to the Altnet P2P network. Worse, some users’ computer resources will be conscripted into working in the Altnet network. Kontiki and RedSwoosh are doing something similar with the wares offered on their sites.

Kazaa is also a well-documented source of viruses; several viruses and worms specifically targeted for Kazaa users include Benjamin, Duload, and Kowbot. They all masquerade as MP3 or video files. Gnutella users have also been targets for worms.

Certainly the file-sharing sites are not the only sources for crudware, but they are major sources and need to be treated with caution.

There’s a lengthy list of programs that qualify as one sort or another of "underware." I won’t attempt to list every one of them, but here’s the scoop on some of the most malicious and/or well-known villains in the field.

Gator

One of the most ubiquitous and successful spyware programs out there, Gator offers itself as a utility for filling out Internet forms — just give your info to Gator the first time and the big green reptile will take care of every form you encounter thereafter.

Unfortunately, Gator’s real purpose is to collect user information, track users’ shopping habits, and provide them with tailored advertising content. After criticism from the Interactive Advertising Bureau, and an unsuccessful lawsuit, Gator claims to have crippled this part of its software while they worked for a "more acceptable" solution; however, Symantec still lists Gator’s software as being infected with a trojan horse. Naturally, Gator claims no knowledge of any Trojans or security holes, but they do offer a software upgrade for "enhanced security."

Cexx.org, one of the premier Websites for fighting spyware, describes Gator as perpetrating "drive-by downloads" on unsuspecting users. "In this scheme, a normal banner or popup ad will attempt to install software (executable code) on the user’s PC. Depending on the browser’s security settings, the software will either download silently and without any user action, or present an install dialogue. Novice users may choose ‘Yes’ thinking the browser is asking to download a legitimate page-display plugin."

Gator also includes an even sneakier component, OfferCompanion, in its code. OfferCompanion not only lards down the user’s browser with banner ads and sends information on you and your surfing habits back to Gator, but it also replaces ad banners from legitimate vendors with its own content. Naturally the legitimate, paying advertisers are outraged that their ads are being displaced without warning, often by ads from competitors or even from adult sites. "Among other things, this ‘steals’ advertising revenue from the legitimate owner of that Website, as their banner is inaccessible and covered up by the Gator ad." In July 2002, a federal judge ordered Gator to temporarily stop displaying advertising over Web publishers’ pages without their permission, prompted by a lawsuit filed by the New York Times, the Washington Post, Dow Jones, and other publishers.

Gator has no problems with owning up to its shady practices, at least to a degree. In their own words:

"The small browser plug-ins, which users can download free, follow users’ movements throughout the Web. Through the browser, agents learn where a user is, what he or she might be about to do or buy, and for what price. Then the agents make a better offer. Users are motivated to check out the offer, since they activate the agents voluntarily by downloading them. Most consumers hear about the gimmick through an advertiser’s online campaign, or by word-of-mouth. … Instead of serving up a long list of ads across a network of preselected sites, agents serve specific ads to specific individuals whenever they shop a certain category or particular site, essentially ‘tailor-making’ ads. These banners or pop-ups feature coupons, rebates, product bundling, and so on. It’s highly targeted, direct Web marketing — in many ways, the original promise of the Internet."

Rosy, huh? Most advertisers who lose revenue from Gator’s switcheroo don’t think so.

Tribune Media Services says, "Gator tracks the sites that users visit and forwards that data back to the company’s servers. Gator sells the use of this information to advertisers who can purchase the opportunity to make ads pop up at certain moments, such as when specific words appear on a screen. It also lets companies launch a pop-up ad when users visit a competitor’s Web site." Matt Mickiewicz of our own SitePoint warns, "Because Gator is installed on a user’s PC, it can alter any Web page so that it delivers the advertising that Gator is paid for. In fact, that’s already what Gator is doing – serving pop-up ads that cover the EXACT space occupied by banner ads. In essence, they swap a publisher’s ad for their own. Gator has even resorted to serving the normal pop-up ads that promote competitors when a specific Website is visited. For example, visitors to AmericanAirlines.com can be hit with an offer to visit Delta Airlines."

You don’t need a marketing consultant to tell you just how costly, and how troublesome, this is for the Web marketer. The user is denied access to legitimate, bought-and-paid-for advertising, and worse, is inundated with many more pop-ups and banners than they would be during normal, Gator-free surfing. Now that a judge has restrained Gator from these practices, we’ll have to see what happens with Gator and with other, similar programs like TopText and Flyswat.

Gator has finally agreed to put removal instructions on its Website. Basically the user goes through Add/Remove in the Control Panel, locates Gator eWallet, and uninstalls it, making sure to check the "Delete User Information" box. OfferCompanion can also be removed through the Add/Remove applet.

EZula (TopText)

"Imagine how powerful it could be to widen the effectiveness of search engine keyword advertising to the entire Web. This will enable you to reach millions of qualified users from every web page that contextually matches your campaign objective and your product or service keywords, anywhere on the Web." — eZula

TopText is a program that works the same side of the street as Gator, but with a different approach — the use of the infamous "yellow links." Basically, what TopText does is to "hijack" certain key words and phrases that have been purchased by advertisers — say, "car" or "MP3." Users who have TopText on their computers see these words highlighted in yellow, no matter what Web site they’re visiting. Clicking on these highlighted words sends them to the page of the company who paid for the click-through on that specific keyword.

Matt Mickiewicz again warns Web vendors, "People are at this very minute leaving your Website by following links that were inserted by TopText, and you don’t have any say about it!" Meanwhile home users are being suckered into following links never intended by the Website owner. Similar products from Flyswat and WhenU use green highlighting and/or superimposed graphical links. For Website owners, this can draw consumers away from your business site and lead them to the competition — potentially disastrous for those who survive on "pay-per-click" (PPC) protocols. For Web surfers, this can slow your browsing, crash your computer, and track your surfing and buying habits without your knowledge.

Most Website owners don’t appreciate any additions or modifications to their site; as Appleworks phrases it, "This is akin to having advertising stickers slapped on your backside as you walk down the street." TopText installs itself surreptitiously when you visit any affiliated sites (which currently include the search engine LookSmart, the file sharing networks Kazaa and iMesh, Gator, and Commission Junction). Fred Langa says, "[T]hese links are not placed there by the web site creator or author; they’re inserted by the software, which bases its decisions not on simple contextual relevance, but on who’s *paying* to be linked. In other words, the ‘links’ are really ads."

If you’re a user who’s been a beneficiary of the TopText download, you might find a file called EZULAMAIN.EXE on your hard drive. You can get rid of this one easily enough through the Add/Remove applet in Control Panel. Webmasters may be able to block TopText from running on their pages by adding the anti-Smart Tags META tag:

<META NAME="MSSmartTagsPreventParsing" CONTENT="TRUE">

though this is not yet verified.

Other TopText-like programs are floating around out there. SurfPlus is, ironically, a browser plugin that purports to stop annoying pop-up ads. It used to install a program called EasyLink that reportedly specialized in pornographic links, but now claims that the EasyLink functionality is disabled. AdPointer, another similar utility, seems to be missing from the Net, though I imagine copies of the program are still floating around.

Cydoor

[Illustration: Cydoor installation screenshot]

Sneaky — this particular Cydoor installation doesn’t even identify itself except as "adware support." Cydoor uses its CD_CLINT.DLL file as the central nexus for its variety of installations. CD_LOAD.EXE runs in the background for offline uses. It downloads ads for on- and offline viewing.

Cydoor now seems to be behaving better than it once did. Earlier versions had it leaving it up to the host vendor’s installation procedure (as in the illustration above) to warn the user that they were about to install Cydoor. It also used to use a GUID to track individual users across multiple browsing sessions. They have since halted those actions. However, it still installs itself into your Registry, making it more difficult to remove, and can install itself even if you don’t approve the installation of its parent utilities.

Ad-aware seems to delete Cydoor fairly effectively, but to be sure, you can access a more in-depth removal feature on this site.

TSADBOT

A proud member of the Cydoor adware family and considered a virus by several sources, TSADBOT connects to the Internet when you fire up your Net connection, downloads ads, and implements an unauthorized proxy server on your system which cloaks the program’s network connections. AdGateway "profiles", which are demographic, behavioral, or both, are stored in encrypted files on the user’s system, and are sent to Cydoor. It’s pernicious, remaining after you delete its accompanying software, difficult to remove, and likely to reinstall itself if you do remove it. If for some reason the adbot is prevented from connecting to Cydoor by a firewall or other security measures, it retries continually, up to 10 times a second, which can overload local network facilities. It may even attempt to connect using Telnet or other ports, coming back to the HTTP connects after a time. Lovely, huh? PKZip is one known source of this piece of code.

As I said, it isn’t easy to remove this one. The folks at CounterExploitation provide good removal instructions here.
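
The retry behavior described above is easy to spot in firewall logs. The following is an added example, not part of the original article or of any vendor's tooling: it scans blocked outbound connections for a host hammering one destination several times a second and records which ports it tried. The log format (millisecond timestamp, action, source, destination, port), the addresses, and the threshold of 5 attempts per second are all assumptions made up for the illustration.

```python
from collections import defaultdict, deque


def parse_line(line):
    """Parse '<ms timestamp> <ALLOW|BLOCK> <src_ip> <dst_ip> <dst_port>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, action, src, dst, port = parts
    if not (ts.isdigit() and port.isdigit()):
        return None
    return int(ts), action.upper(), src, dst, int(port)


def find_retry_storms(lines, window_ms=1000, threshold=5):
    """Report (src, dst) pairs whose blocked attempts reach `threshold`
    within any `window_ms` span. Lines must be in time order."""
    recent = defaultdict(deque)   # timestamps still inside the window
    peak = defaultdict(int)       # highest count seen in one window
    ports = defaultdict(set)      # every destination port that was tried
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != "BLOCK":
            continue              # unparseable line or permitted traffic
        ts, _action, src, dst, port = rec
        key = (src, dst)
        queue = recent[key]
        queue.append(ts)
        while ts - queue[0] >= window_ms:
            queue.popleft()       # drop attempts older than the window
        peak[key] = max(peak[key], len(queue))
        ports[key].add(port)
    return {
        key: {"peak_per_window": peak[key], "ports": sorted(ports[key])}
        for key in peak
        if peak[key] >= threshold
    }


def build_sample_log():
    """Constructed log: one host retrying 10 times a second on port 80,
    then switching to Telnet (23), beside a host with two stray blocks."""
    lines = [f"{1000 + i * 100} BLOCK 192.168.1.20 203.0.113.10 80"
             for i in range(20)]
    lines += [f"{3000 + i * 100} BLOCK 192.168.1.20 203.0.113.10 23"
              for i in range(5)]
    lines += [
        "1500 ALLOW 192.168.1.30 198.51.100.7 80",
        "2500 BLOCK 192.168.1.30 198.51.100.9 443",
        "7500 BLOCK 192.168.1.30 198.51.100.9 443",
        "garbled line",
    ]

    def timestamp(line):
        first = line.split()[0]
        return int(first) if first.isdigit() else 0

    return sorted(lines, key=timestamp)


if __name__ == "__main__":
    for (src, dst), info in find_retry_storms(build_sample_log()).items():
        print(f"{src} -> {dst}: up to {info['peak_per_window']} blocked "
              f"attempts per second, ports {info['ports']}")
```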

Aureate/Radiate

An infamous source of ads overlaid on your browser, this one comes along with over 300 files and sources, including Go!Zilla, CuteFTP, GetRight, Buddyphone and others. Some of the ads it sends your way are fullscreen 640×480 ones. While we know that Aureate/Radiate transmits a goodly amount of information to its parent company and/or its licensees, exactly what is being sent is hard to determine. Better yet, it secretly installs itself as a Windows Service, and registers itself as a browser helper app that loads with your Web browser, giving itself the capability of monitoring every site you visit. Web advertisers can’t be too happy with it either, since Aureate skims off 40% of the developers’ revenue right off the top for using their wares. If you’re running Aureate/Radiate, you’ll have a file called ADVERT.DLL somewhere in your system; there are others, but this .DLL is the heart of the system.

Uninstalling the program(s) that gave you Radiate won’t delete the intruder, but Ad-aware will, deleting the 9 associated files and accompanying Registry entries. The CounterExploitation page on Aureate/Radiate tells you how to uninstall the program manually, and Aureate/Radiate also provides a tool for getting rid of it that reportedly removes both the associated files and Registry entries. Be aware that some "parent" programs such as Go!Zilla won’t run without the Aureate/Radiate software.

Alexa

Released in 1997, Alexa is a search toolbar that integrates with your browser and provides a variety of links and functions. It’s currently partnered with Google, and was bought out by Amazon in 2000, so you might think Alexa is a completely aboveboard and innocent program. In many ways, it is.

However, it ran afoul of the law in 2001 when it was accused of selling private information to Amazon without users’ consent, and paid over $1.9 million after a court found Alexa guilty of violating users’ privacy.

Although Alexa claims to have cleaned up its act, Ad-Aware still lists Alexa as adware. Personally, I’d certainly be leery of having this program on my machine. Note, though, that Alexa comes bundled with Microsoft Internet Explorer. Therefore, everyone will have this on their machine at one point or another. It’s safe to remove.

SaveNow

Created by a company called WhenU.com, "SaveNow" is described as "[o]ne of the most pervasive pieces of piggyback software" on the filesharing networks. BearShare, iMesh, and the Global DivX online movie player, among others, distribute this little goodie. It tracks where you surf and uses that information to target you with pop-up ads.

While this one doesn’t send information back to its parent company, it does continuously download updated information about new offers and keep a record of where you surf on your machine. It stays on in the background no matter if its associated program is running or not. It can be removed by going through Add/Remove, and uninstalling both SaveNow and WhenUShop. After doing this, you’ll need to remove a WhenUDownloadClass object from your browser’s temporary files, or it may reinstall itself.

Lop.com

Lop.com is known far and wide as a major purveyor of spyware and underhanded advertising techniques. Owned by C2 Media, it’s mainly a pay-per-click search portal where other Websites pay for each click-through to their sites through Lop. So far so good, but the Lopsters got devious on us by creating a program either labeled as an MP3 or porn search program. Once installed, the program uses its own stripped-down browser code to reconfigure your browser to "everything Lop." Your start page and default search engine are reset to Lop or to www.mp3search.com, your toolbar is modified, unwanted links are added to your bookmarks, your browser redirects to Lop if an error is detected in loading any other page, and a spyware plugin is installed. Older versions gave your desktop an HTML wallpaper loaded with shortcuts to Lop, but those were discontinued due to bugs in the code.

CounterExploitation notes, "The user becomes a visitor to Lop.com with nearly every action that they take with their browser, whether it be searching for something, typing in an incorrect URL, or simply by opening a new browser window. A recently discovered variant of lop’s software omits the browser and BHO altogether, and instead installs dozens of Internet shortcuts and sets the home page to http://unitedstates.rub.to. The installer for this variant may be named MP3.EXE or FREEMP3Z.EXE."

The heart of the Lop installer is the file PLG_IE1.DLL; older versions use the DOWNLOAD_PLUGIN.EXE file.

Getting rid of it is tedious but not too difficult; right-clicking the taskbar icon gives you a Help button in the Menu option that takes you to an uninstall tool. Running Ad-aware immediately thereafter removes the debris left behind by Lop, though you may find yourself manually deleting added bookmarks. You’ll now need to delete your Windows Temp files, then look inside your WINDOWS\WEB\WALLPAPER folder (WINNT\WEB\WALLPAPER for NT/2K users) and hunt for two files, DESKTOP.EXE and DESKTOP.SWF. Delete them if you find them, and reset your wallpaper if need be.

BHODemon from Definitive Solutions also removes the program itself, as does Ad-aware, but you still may find yourself making some of the manual deletions as detailed above.

RadLight

The multimedia player RadLight comes with a full complement of adware, but a recent discovery that one of its components deliberately disables the anti-spyware program Ad-aware really raised some eyebrows. This puts it dangerously near, if not fully into, the area of virus behavior. RadLight also comes with the SaveNow component described above. Ad-aware has updated its utility to handle RadLight’s disable attempt.

BonziBuddy

BonziBuddy is an Internet search facility targeted at children to assist them in finding "kid-friendly" Websites. It sends information on your surfing activities to its home site at www.bonzi.com, and may also make your machine vulnerable to hackers looking for open ports. Other Bonzi products that are suspicious include InternetAlert and InternetBoost.

It can be removed by going through its own Uninstall procedure. Bonzi also gives us the ubiquitous "InternetBOOST" ads that thunder, "Your Internet Connection Is Not Optimized. Download InternetBOOST Now!" After the Better Business Bureau became involved, Bonzi changed the wording of the ad to more clearly reflect its status as an advertisement and not a system warning. However, the most recent incarnation of the ad intones, "Your Computer’s Data is Currently At Risk." It certainly is, but the Bonzi program is part of the problem, not part of the solution.

CometCursor

CometCursors add "fun" cursors to the usual range of cursors on your machine, as well as "smart" cursors that link to encyclopedia definitions, Websites, and so forth. Since it collects marketing information from its users, it falls within the definition of spyware. CometCursors can be removed by going through Add/Remove in Control Panel.

GoHip.com

GoHip, a Web portal similar to Yahoo!, earns inclusion by the actions of a button on its home page that allows you to make GoHip your home page. The button adds an entry in your Registry that changes Internet Explorer’s default search engine to GoHip, as well as changing your home page. A removal tool is available here.

Onflow

Onflow is a browser plugin that forces ads onto your browser display, and sends "back-channel" info on your surfing habits to Onflow. Installed by BearShare and others. You can get rid of it through Add/Remove.

PhoenixNet BIOS

This is a particularly annoying piece of spyware, which actually resides on the BIOS of some PhoenixNet-enabled motherboards, and subsequently cannot be removed. It presents users with sponsored Websites and downloads, displays "Special Offers" on the boot screen, allows third-party affiliates to change your home page and search engine defaults, and tinkers with your system settings. PhoenixNet discontinued offering these spyware-enabled motherboards in 2001.

WNAD.EXE

This program installs itself as part of the popular "Yo Mamma, Osama" game from www.twistedhumor.com as well as other games from this site and the SwapNut filesharing utility. WNAD hijacks your browser to display ads every hour. The ads purport to solicit donations for the Red Cross, but this claim is suspicious at best. WNAD also tends to cause computer crashes and is responsible for a whole range of instability problems. Ad-aware removes this little critter, or you can manually delete it by removing the WNAD.EXE and WNAD.DAT files, and making the proper deletions in the Registry.

VX2, Blackstone Data Transponder, Etc.

Installed or used by Audiogalaxy, iMesh, AADCOM, NetGeo, Akamai, Mindset Interactive, TrueData, and others, this one is available under a raft of names, including Transponder (from Blackstone Data Corp.), VX2 / RespondMiter / Sputnik (from VX2 Corp.), AADCOM Extreme Targeting (from Aadcom Corp.), NetPal (from NetPalNow / Mindset Interactive), and TPS108 Transponder (tps108.org, from DigitalRooster.com).

It bills itself as a free movie viewer for watching pornography, but it is also a BHO (Browser Helper Object) that installs itself in your browser and directs advertisements to you based on its tracking of your surfing habits. It also causes crashes and major stability problems with both browsers and Windows Explorer. Ad-aware gets rid of this one. VX2.com, the home for this little pest, claims that it will delete all collected info on a user upon request, but the request form asks for far more personal information than most of us care to provide.

Flashtrack

Another BHO, Flashtrack monitors Web pages viewed and terms entered into forms on search engines. The original version, FlashTrack/FTApp, writes into C:\Program Files\FTApp regardless of where your actual Program Files folder is. FlashTrack/flt, a newer variant, installs into C:\Program Files\flt instead. Among other places, iMesh provides this little beastie. Flashtrack often causes browser crashes. You can find manual removal instructions available at and.doxdesk.com/parasite/FlashTrack.html .

DLDER.EXE, ClickTillUWin, Explorer Trojan

Installed by numerous file-sharing clients as well as Net2Phone, DLDER is actually a trojan horse that masks itself under the ClickTillUWin component. Once you’re asked whether you want to install ClickTillUWin, DLDER invades your system even if you refuse the install.

Upon installation, the virus first connects to the Website www.2001-007.com and transmits data, including a GUID, the user’s IP address and browser version. Then the software downloads and installs a trojan file named Explorer.exe from the same site, to C:\WINDOWS\EXPLORER\EXPLORER.EXE (not to be confused with the required Windows file EXPLORER.EXE, located at C:\WINDOWS\EXPLORER.EXE). DLDER then places a Run key in the Registry so that the new Explorer.exe trojan runs at startup, and adds a Registry key. It may also add icons for Clicktilluwin.com, an online gambling game, to the desktop. While you surf, the bogus EXPLORER.EXE file then connects to the Internet every few minutes to transfer the assigned GUID and lists of Websites the user has visited since the last check-in — not something any of us want on our systems. You can find out how to remove it here.
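
The trick described above, a startup entry that launches a file named like a Windows system binary from the wrong folder, can be checked for mechanically. The following is an added example, not part of the original article: it compares each Run-key command line against the one folder where EXPLORER.EXE belongs. The value names and the sample entries are constructed for the illustration, and the parsing of unquoted command lines is a simplifying assumption.

```python
import ntpath
import re

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Binaries that belong directly in the Windows directory. Only EXPLORER.EXE
# comes from the article; extend the set for a real sweep.
WINDIR_BINARIES = {"explorer.exe"}


def executable_from_command(command, windows_dir):
    """Return the executable path named by a Run-key command line."""
    # Expand the two variables commonly used for the Windows directory.
    command = re.sub(r"%(systemroot|windir)%", lambda m: windows_dir,
                     command.strip(), flags=re.IGNORECASE)
    if command.startswith('"'):            # "C:\path with spaces\x.exe" /args
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    cut = command.lower().find(".exe")     # unquoted: stop at the first .exe
    if cut != -1:
        return command[:cut + 4]
    return command.split()[0] if command else ""


def find_masquerades(run_entries, windows_dir=r"C:\WINDOWS"):
    """Flag Run entries that start a system-named binary from the wrong folder.

    run_entries: iterable of (value_name, command_line) pairs.
    Returns a list of (value_name, path_found, path_expected) tuples.
    """
    findings = []
    win = ntpath.normcase(ntpath.normpath(windows_dir))
    for name, command in run_entries:
        exe = ntpath.normcase(ntpath.normpath(
            executable_from_command(command, windows_dir)))
        base = ntpath.basename(exe)
        if base not in WINDIR_BINARIES or not ntpath.isabs(exe):
            continue                       # not a watched name, or relative
        expected = ntpath.join(win, base)
        if exe != expected:
            findings.append((name, exe, expected))
    return findings


def read_run_keys():
    """Read the Run keys on a live Windows host (returns [] elsewhere)."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _kind = winreg.EnumValue(key, i)
                    entries.append((name, str(data)))
        except OSError:
            continue                       # key missing or not readable
    return entries


# Constructed sample; the value names are invented for the illustration.
SAMPLE_RUN_ENTRIES = [
    ("SystemTray", r"C:\WINDOWS\SYSTEM\SysTray.Exe"),
    ("Shell", r"%SystemRoot%\explorer.exe"),
    ("Explorer", r"C:\WINDOWS\EXPLORER\EXPLORER.EXE"),
    ("Updater", r'"C:\Program Files\Example App\update.exe" /background'),
]

if __name__ == "__main__":
    entries = read_run_keys() or SAMPLE_RUN_ENTRIES
    for name, found, expected in find_masquerades(entries):
        print(f"Run value {name!r} starts {found}; expected {expected}")
```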

MediaCharger (Movie Network.EXE)

This one, once installed, displays lots of popup ads as you surf. Worse, Mediacharger may also function as a dialer for 1-900 #s for billing of adult movie downloads. Check for removal entries in Add/Remove Programs, and obtain detailed removal instructions here.

NETBUIE.EXE

This one is really offensive for those of us who dislike porn. Provided by a downloadable program called Port Detective among others, Netbuie insinuates itself into your Windows\System directory and continually sends porn ads and displays to your browser while you surf. According to a poster at C|Net, you can remove it by disabling it in MSCONFIG, deleting all Registry entries that reference NetBuie, and deleting all instances of files with "pink4free" in their titles. Lastly, remove NETBUIE.EXE from your System directory.

NE.EXE (Network Essentials, SmartPops)

Like so many others, this one displays stealthy popups while you surf or use a search engine. You may be able to get this one simply by visiting certain Websites. It can be squashed easily enough through Add/Remove.

Download Managers

Many programs that handle your Net downloads do so perfectly well. Some, however, like RealNetworks RealDownload, Netscape/AOL Smart Download, or NetZip Download Demon, track the files you download. The Netscape product even transmits your IP address to the program’s publisher. RealDownload has removed the main spyware .DLL from its program; a lawsuit filed in July 2002 is still in the courts. These can be eradicated through Add/Remove.

Broadjump

Part of the software provided by reputable ISPs like Comcast, BellSouth, and TimeWarner, the Broadjump ChannelDirect program sends ad content to subscribers whenever the ISP chooses to relay the code. It’s not the worst of the offenders, but it’s still intrusive. One source says that the program’s own uninstall routine is worthless, so it’s probably better to remove it through your Control Panel.

Not Quite, but Still Questionable

Internet Filtering Programs

Plenty of programs out there purport to "keep your surfing safe" from pornography, objectionable content, and other material you may not want to view while you or your family or co-workers surf the Net. Bess, Cyberpatrol4, NetNanny, Cyber Sitter, Cybersnoop, Eye Guard, Surf Watch, and other programs fall into this category. While this is legitimate software lawfully installed by parents, schools, employers, and others, it is in essence client-side censorship. The folks at Cexx.org make the case:

"By blocking access to ‘inappropriate’ sites and keeping intricate logs of any ‘offensive’ sites you’ve tried to visit, these programs not only restrict your freedoms, but could also violate your privacy by telling your employer/co-workers/parents all the sites you’ve tried to access — be they about breast cancer, certain religious, political or sexual orientations, drug/alcohol use, AIDS, sites for helping you find a new employer…. The privacy and job-security ramifications are far-reaching to say the least. Censorware is a tool-of-choice for overprotective parents and paranoid employers, and is typically fairly easy to disable despite password-protection and other schemes designed to deter cybersabotage."

The same page at Cexx tells how you can disable or get around most Internet filters. Be warned: some parents, teachers, and employers won’t take kindly to your efforts to work around these programs.

Web Bugs

"Web bugs" are tiny, transparent .GIF images that are loaded onto your browser when you visit their sites. If cookies are tracked, or if a procedure called "fake dating" is used, your download of the .GIF can be used to track and record your visit.

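For anyone who wants to see which images on a saved page behave like web bugs, the following added example (not part of the original article) parses the HTML and lists images that render at one pixel or less, noting whether each is fetched from another site and whether its URL carries a query string. The sample page, the host names, and the simple same-site comparison are assumptions constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def dimension(attrs, name):
    """Pixel size from the width/height attribute, else from inline style."""
    match = re.fullmatch(r"(\d+)(?:px)?", attrs.get(name, "").strip().lower())
    if match:
        return int(match.group(1))
    pattern = r"(?:^|;)\s*%s\s*:\s*(\d+)\s*(?:px)?\s*(?:;|$)" % name
    match = re.search(pattern, attrs.get("style", "").lower())
    return int(match.group(1)) if match else None


def same_site(host, page_host):
    """Naive comparison: same host or a subdomain, ignoring a leading www."""
    def strip(h):
        h = h.lower()
        return h[4:] if h.startswith("www.") else h
    host, page_host = strip(host), strip(page_host)
    return host == page_host or host.endswith("." + page_host)


class WebBugFinder(HTMLParser):
    """Collect <img> tags that render at 1x1 pixel or smaller."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname or ""
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = {key: (value or "") for key, value in attrs}
        width, height = dimension(attrs, "width"), dimension(attrs, "height")
        if width is None or height is None or width > 1 or height > 1:
            return                          # visible image, not a web bug
        src = urljoin(self.page_url, attrs.get("src", ""))
        host = urlparse(src).hostname or ""
        self.findings.append({
            "src": src,
            "third_party": bool(host) and not same_site(host, self.page_host),
            "has_query": bool(urlparse(src).query),
        })


def find_web_bugs(html, page_url):
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page; every host name here is a placeholder.
SAMPLE_PAGE_URL = "http://www.shop.example/index.html"
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="120" height="60" alt="logo">
<img src="http://ads.tracker.example/b.gif?id=12345" width="1" height="1">
<img src="spacer.gif" style="width:1px; height:1px" alt="">
<IMG SRC="http://cdn.example/banner.gif" WIDTH=468 HEIGHT=60>
</body></html>
"""

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, SAMPLE_PAGE_URL):
        origin = "third-party" if bug["third_party"] else "same-site"
        print(f"{origin:11} {bug['src']}")
```

A one-pixel image from the page's own site is often just a layout spacer; the third-party ones with identifiers in the URL are the ones worth a closer look.
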
Ultraseek

Visitors to Ultraseek’s Website might be rattled when the site shows them the contents of their own hard drives and claims that they’re vulnerable to hacking. If the surfer is suitably shaken up, he or she might buy the program this site is offering, the $100 Internet Eraser Pro, which the site claims will protect the surfer from unwanted intrusions.

It’s bad enough that the program does no more than various free programs and code blocks do, but worse, the program tries to dupe the surfer by sending a harmless "file://c:/" command to your browser, showing you (but no one else) the contents of your computer in your browser display. Ultraseek hasn’t found a vulnerability in your system and its program is dubious at best. A thoroughly underhanded marketing technique, and one not limited to Ultraseek.

A Cautionary Tale

Most Net marketers and business folks know the sad, sordid tale of Website Results, an Internet marketing firm that achieved short-lived success by lying to and spying on their customers. They told their clients that they were helping them achieve the highest possible ratings on search engines such as Google and AltaVista, and when their clients checked, lo and behold, they were ranked very highly. Huzzah! Unfortunately, it turned out that the clients (including Orvis, WebMB, eBay, and ESPN) were being duped by a combination of fraudulent reporting techniques and spyware (a specially written program dramatically dubbed "The Zebra Project").

In May 2001 three of the top perpetrators were fired and Website Results, acquired by 24/7 Media, began reinventing itself as a legitimate provider of search engine placement for online advertisers. The three fellows who were fired went on to found IntelliTech, and while there perpetrated an even more egregious fraud on unsuspecting visitors to their client site Flowgo, as well as other affiliated sites. Their ad on Flowgo, a family Web portal, redirected visitors to IntelliTech’s own "Kool Katalog" site. Once at KoolKatalog, users with older Java engines had a flaw in those engines exploited, which allowed up to 10 spyware files to be installed on their machines without their knowledge.

The spyware monitored what sites their victims were visiting, sent updates and other files to the infected computers, terminated firewall applications, and more. The site Online1Net.com also infected your machine. Trend Microsystems has released a free tool that automates the 49 steps necessary to purge infected machines. TrendMicro has dubbed the whole thing a virus, TROJ_SUA.A. More removal information is also available.

How Do I Keep Adware Off My Machine?

In October 2000, U.S. Senator John Edwards introduced the "Spyware Control Act" that would force manufacturers to warn users when their products include spyware. The Spyware Control Act is currently still in committee, according to a letter I received from Senator Edwards. Though there’s no word yet as to the final dispensation of this bill, if it is indeed made into law, it would give users the right to sue manufacturers who violate the provisions of the bill. We’ll keep an eye on that from "this side of the pond." And the American Federal Trade Commission is taking legal action against sites that force users to download programs that cause their machines to dial 1-900 phone advertisements.

Meanwhile, you can take some precautions of your own. These sites maintain lists of all known spyware:

All are excellent sources of information and worth checking regularly as new critters crawl their way over the Web toward your computer.

Next, you should always read the fine print in every licensing agreement for every piece of software you download. In most instances, you’ll get at least some clue to what, if any, kind of sleazeware is being introduced to your computer, and can decide for yourself if you want it on your machine.

Keep your browser’s Security settings to at least Medium, if not High. This gives you warning of anything trying to insinuate itself on your computer.

Don’t hesitate to inform advertisers of sleazy marketing tactics. In many cases, reputable advertisers are unaware of the tactics used by the firms they hire. Advertising.com severed its ties with C2 Media after it was alerted to that firm’s unscrupulous advertising tactics by a PCWorld reporter.

You’ll also want to install some protective software. All of the products listed below are very good at what they do, but the gold standard of the industry is Ad-aware, a freeware program first written to remove Aureate/Radiate spyware and now expanded to protect your machine from a plethora of bad guys. Other off-the-shelf programs are available as well, but in my opinion these programs do as good a job of keeping the gunk off of your machine as any of the commercial offerings.

Last week one of my co-workers complained to me that her computer was misbehaving. When I saw that she had Kazaa on her computer, I installed Ad-aware on her machine and found 157 separate spyware components. She used the program on the other PCs in her office and found as many or more components on them — the eventual winner came in at 283. Needless to say, the machines now run better.

In summary: "Underware" of any kind is bad for everyone. Computers misbehave, malfunction, and crash. Businesses lose revenue and customers. Users are annoyed, have their privacy violated, and have their surfing and Net shopping experiences disrupted. The more that all of us do, on both sides of the commercial fence, to combat the underware epidemic, the better off we all are.

Addendum

When I wrote this article in September 2002, Ad-aware was indeed the "gold standard" of spyware prevention software. It was free, regularly updated, and very good at keeping the pests out of your system. Unfortunately, while it is still free, it hasn’t been updated since Sept. 29, 2002, and therefore can no longer be relied upon to remove the latest spyware crawling around the Net. According to Fred Langa, Ad-aware is working on a new version (version 6), but 4-5 months between updates is too long to wait. Those of us who purchased the $15 Plus version should be particularly irate.

SpywareInfo recommends the following programs to keep your system pest-free: either the free Spybot Search & Destroy or the $30 Aluria Spyware Eliminator for removing adware, and for removing surveillance spyware, keyloggers, and password-stealing Trojans, either the $70 Spycop or the $40 X-Cleaner. Langa provides a more frugal alternative, recommending using the free Spybot S&D in conjunction with the $30 PestPatrol. Check both SpywareInfo and Langa.com for discounts on some of the above programs.

Of course, it’s your call. You can wait for version 6 of Ad-aware to come out (target date February 2003), though it doesn’t look as if the new version will be free; you can try any or all of the programs listed above; you can use other programs to defend your system against pesky malware; or you can do whatever suits you and your needs. But all of us need to be aware of the thousand different kinds of malicious software that constantly threatens our computers, and take the proper precautions.

Sources:

Langa Newsletter 1-13-03
http://www.langa.com/newsletters/2003/2003-01-13.htm

Spyware Weekly Newsletter 12-25-02
http://www.spywareinfo.com/newsletter/archives/december-2002/12252002.php

Bibliography

About Alexa
http://pages.alexa.com/company/index.html

Ad-Aware
www.lavasoftusa.com/
www.lavasoft.de/aaw/index.html

Ad-Aware
members.tripod.co.jp/eazyfox/SecuTool/ADaware/AdAware1.htm

Advertising Spyware: Aureate/Radiate
www.cexx.org/aureate.htm

Advertising Spyware: CyDoor CD_Load.exe and CD_Clint.dll
www.cexx.org/cydoor.htm

Advertising Spyware: PhoenixNet BIOS
www.cexx.org/phoenix.htm

Advertising Spyware: TSADBOT.HTM
www.cexx.org/tsadbot.htm

Advertising Spyware: WNAD.EXE
www.cexx.org/osama.htm

Adware – Spyware – Beware
freebies.about.com/library/weekly/aa060202a.htm

Adware, Spyware Help, and Resources
www.rottenrhonda.com/spyware.html

Adware, Spyware, and Advertising Trojans
www.cexx.org/adware.htm
Huge page of links and info about a plethora of adware programs that ferry info on you, your computer, and your surfing habits to various unauthorized locations

Alert to RadLight’s removal of Ad-aware from systems
www.lavasoft.nu/cgi-bin/forums/ikonboard.cgi?s=3cc486614effffff;act=ST;f=20;t=13

and.doxdesk.com: parasite: FlashTrack
and.doxdesk.com/parasite/FlashTrack.html

Anonymous Surveillance
grc.com/oo/ethics.htm

Altnet Opens Kazaa’s Doors to Paid Content
www.itworld.com/Net/4087/020520altnet/

Backdoor Santa Spyware
www.cexx.org/dltools.htm

The Biz: A History of Porn on the Net
www.bananaguide.com/bizhistory.htm

Bonzi Software
accs-net.com/smallfish/bonzi.htm

Boom Times Have Passed For Online Porn
www.siliconvalley.com/mld/siliconvalley/3200456.htm

Broadjump
www.broadjump.com/

Caution! Don’t let Brilliant hijack your PC
www.zdnet.com/anchordesk/stories/story/0,10738,2859775,00.html

Commentary: Another New Technology to Deep-Six
www.applelinks.com/articles/2001/08/20010803142336.shtml

Competition Spawns Pushier WebAdvertising
kansascity.bizjournals.com/kansascity/stories/2001/12/17/story5.html

Computer Pests: The Hidden Threat
www.sunbelt-software.com/product.cfm?id=911

Cookies
livinginternet.com/

CounterExploitation (a tremendous source of information on adware, spyware, and the like)
www.cexx.org/

Dot-com noir
www.salon.com/tech/feature/2002/07/01/spyware_inc/index.html

Don’t Eat the Yellow Links
slashdot.org/features/01/07/31/2015216.shtml

Dr. Damn Cleans House for File-Swappers
zdnet.com.com/2100-1105-891761.html

dw.exe, Movie Network.exe (Downloadware / Mediacharger / Movienetworks)
www.cexx.org/adware.htm

Even More "Scumware" To Watch Out For
www.langa.com/newsletters/2002/2002-01-28.htm#3

eZula
www.ezula.com/

Filters and Firewalls
www.cexx.org/apps.htm
List of useful free- and shareware programs for keeping your PC ad- and spyware-free.

Foistware: eZula Top Text
www.cexx.org/toptext.htm

Foistware / Spyware – Gator, OfferCompanion, Trickler, GAIN (Gator Advertising Information Network)
www.cexx.org/gator.htm

Gator, See Ya Later
www.dslreports.com/shownews/15862

Gator’s Own Claims, From "One Last Chance To Snare a Customer"
www.business2.com/articles/mag/0,,14601,FF.html

Go!Zilla Leftovers
www.oit.duke.edu/ats/support/spyware/gozillaleftovers.htm

History of Affiliate Marketing
www.clickz.com/aff_mkt/aff_mkt/article.php/832131

Hotwired Archives
hotwired.lycos.com/archive/

How to Disable Internet Filtering Programs
www.cexx.org/censware.htm

How to Kill PopUp Ads on Any Server
www.cexx.org/diepop.htm

Information on Adware Vendors and Providers
www.softwaremarketingresource.com/adware.html

Internet Advertising
www.ciadvertising.org/studies/student/00_summer/rashed/bbstrategy/internetadv.html

Internet Advertising History
www.ec2.edu/dccenter/archives/ia/history.html

Internet Affiliate Marketing Association (organization advocating honest Web marketing practices)
iafma.org/

Is There An Effective Way To Kill Banner Ads?
slashdot.org/askslashdot/00/09/05/1720217.shtml
Lots of good alternative methods to killing banner ads, including methods to modify the HOSTS file to block specific adbar sites.

John Marshall Law School’s Internet Fraud Seminar Reading Assignments
www.enteract.com/~wern/reading.html

Judge Clamps Down on Gator
story.news.yahoo.com/news?tmpl=story&u=/zd/20020713/tc_zd/943547

The KaZaA Battlefield
antivirus.about.com/library/weekly/aa082302a.htm

KaZaA Sneakware Stirs Inside PCs
www.cnn.com/2002/TECH/internet/05/07/kazaa.software.idg/index.html

Keith Lynch’s Timeline of Net-Related Terms and Concepts
keithlynch.net/timeline.html

Kowbot Worm Targets Kazaa Network
www.vnunet.com/News/1133129

Kuro5hin.org — Technology and Culture from the Trenches
www.kuro5hin.org/story/2002/6/21/171321/675

LangaList Newsletter, March 2, 2000
www.langa.com/newsletters/2000/mar-02-00.htm#4

LangaList Newsletter, Jan. 28, 2002
www.langa.com/newsletters/2002/2002-01-28.htm

Langa List Newsletter, May 13, 2002
www.langa.com/newsletters/2002/2002-05-13.htm#4

Langa List Newsletter, August 8, 2002
www.langa.com/newsletters/2002/2002-08-08.htm

Latest Online Ad Gimmick: Hyperlinks
www.pcworld.com/news/article/0,aid,57064,00.asp

LinkOff: Resources to Help Website Owners Regain Control
linkoff.com/html/resources.htm

Malware.org (not yet up and running completely)
www.malware.org/

McAfee – AVERT
vil.nai.com/vil/content/v_99457.htm

Microsoft Knowledge Base Article – Q302463: Error Message: Iexplore Caused an Invalid Page Fault in Module Unknown with SaveNow or New.net Installed
support.microsoft.com/default.aspx?scid=KB;EN-US;q302463&

Mystery links: New Web advertising tool gets results, draws criticism
www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2001/07/30/BU231339.DTL

Network Advertising Initiative (go here to sign up for opting out of multiple info-collecting advertisers — how reliable this is, I don’t know. Includes DoubleClick, 24/7, and L90)
www.networkadvertising.org/optout_nonppii.asp

Neutering Adware/Spyware (general tips on dealing with adware and spyware programs, including how to block advertisers without special software)
www.cexx.org/neuter.htm

OptOut: GRC’s Privacy FAQ
grc.com/faq-privacy.htm

PCHell: Comet Cursor Removal Instructions
www.pchell.com/support/cometcursor.shtml

PCHell: GoHip Removal Instructions
www.pchell.com/support/gohip.shtml

Pest Removal (adware removers)
www.cexx.org/noadware.htm

The Pop-Up Ad Campaign From Hell
www.salon.com/tech/feature/2002/05/07/malware/

Port Detective User Reviews
download.com.com/3302-2172-4587790.html

Privacy (Richard Smith)
www.computerbytesman.com/privacy/index.htm

Protect Yourself from Unwanted, Unethical Advertisers
www.unwantedlinks.org/

Resist the Lure of Simplified History
www.business2.com/articles/mag/0,,13945,FF.html

ScuzWare Beware
www.sgtsearch.com/blacklist/ttext.html

Sen. Edwards Intro’s "Spyware Control Act"
www.computeruser.com/news/00/10/11/news4.html

Senator John Edwards Introduces ‘Spyware Control Act’
grc.com/spywarelegislation.htm

SitePoint Tribune #161
www.sitepoint.com/tribune161.html

SpyBot Search & Destroy 1.0 Review
www.net-integration.net/reviews/spybot1.html

Spychecker — Database of Spyware (offers an instant check of software programs to see if they contain objectionable -ware)
www.spychecker.com/index.html

Spyware
www.wilders.org/spyware.htm

Spyware: Do You Know Who’s Watching You?
www.unwantedlinks.com/spyingonyou.html

Spyware at Webtechgeek.com (includes comprehensive list of programs and utilities containing spyware)
www.webtechgeek.com/center_Frame_Spyware.htm

Spyware Definition
www.wikipedia.com/wiki/Spyware/

The Spyware Infested Software List
www.fcenter.ru/Software/Miscellaneous/Spyware/spywarelist.txt

‘Spyware’ piggybacks on Napster rivals
news.com.com/2100-1023-257592.html?tag=rn

Spyware vs. anti-spyware (an interview with Ad-aware founder Nicholas Stark)
www.salon.com/tech/feature/2002/04/26/anti_spyware/

Spyware Watch
www.spyware.co.uk/

Task List Programs
www.answersthatwork.com/Tasklist_pages/tasklist.htm

ThiefWare — Unethical Use of Ezula TopText and Other Internet Technology and Software (documents the activities of, at this writing, three "thiefware" providers: eZula’s TopText, WhenU, and Flyswat (now NBCi’s QuickClick). Also provides software and scripts to disable these products on your Web site and remove them from your computer, and a list of advertisers who use TopText on their sites)
www.thiefware.com/

TomCat Spyware List
www.tom-cat.com/spybase/spylist.html

The Unofficial Cookie FAQ
www.cookiecentral.com/faq/

User Alert: NewNET Problem
support.airstreamcomm.net/newNET.htm

Web Ad Explosion
www.pcworld.com/news/article/0,aid,101916,00.asp

What is Lop.com?
www.spywareinfo.com/lop.html

What is Spyware?
www.pcnineoneone.com/howto/spyware1.html

Where Are These Pop-Ups Coming From?
www.poenews.com/inhouse/vx2.htm

Why Internet Advertising?
www.iab.net/advertise/content/adcontent.html

Worm Infects Kazaa Network
www.vnunet.com/News/1131898
