The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. http://www.spywareinfoforum.info/newlsetter/may26,2004.

Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.

Permalink | Top

WhenU responded Friday to reports by PC Pitstop and Ben Edelman that are very critical of the company. In comments filed with the Federal Trade Commission, WhenU denies statements by Ben Edelman that WhenU is in violation of its own privacy policy.

Edelman published the results of an investigation of WhenU using a packet logger and other tools. The investigation shows that WhenU's software transmits the URL of web sites a user currently is visiting when a WhenU pop-up ad is triggered. WhenU's former privacy policy, which was updated just before they filed their comment, stated that "URLS visited by the user (i.e. the user's "clickstream data") are NOT transmitted to WhenU.com servers.".

The new, updated policy states that "clickstream" data is not transmitted. However, the new policy also states that "the software may send WhenU a communication that includes information about the webpage you were viewing when you saw or clicked on a particular ad" and that "When ads are requested and/or displayed by the software, impressions and click-throughs, including the factor (e.g., such as the URL, the keyword, or the search term, or some combination thereof) that caused the ad to be displayed are reported to WhenU.".

To put that in plain language, WhenU's software, by WhenU's own admission, will send the URL of the web page you are viewing to their servers, if a keyword on the page triggers their software to display an advertisement. This is not a change in the software. This is something the software has done all along, despite the fact that the previous privacy statement claimed this did not happen.

Following this to its logical conclusion suggests that WhenU has breached a contract with 100 million users. Netscape, Amazon.com, Alexa.com and Real Networks all faced class-action lawsuits when it was discovered they did the same thing.

WhenU attempts to discredit Edelman's research by questioning his motives, pointing out several times throughout the document that he has been a paid witness or counsel to parties engaged in litigation with WhenU. Edelman himself has disclosed this fact repeatedly. Edelman has responded by saying that his investigation and subsequent FTC filing were done on his own initiative and not at the urging of any other party.

WhenU also attacked a survey performed by PC Pitstop recently which shows that 87% of people with WhenU software on the computers weren't even aware it was installed. WhenU calls the survey "biased and unscientific". However, during the April 19th workshop on spyware held by the FTC, WhenU's own CEO admitted that 80 million of 100 million total users have removed their software after it was installed.

WhenU goes on to say that PC Pitstop is "the publisher of a website devoted heavily to the promotion of its commerical [sic] partner's "Pest Patrol" software. PC Pitstop's livelihood and the market for its partner's Pest Patrol program depend on creating a perception among consumers that contextual and advertising programs pose threats to their privacy interests and to the stability of their computers systems that justify the purchase of a $39.95 "spyware protection" program."

WhenU's software, named either Save! or SaveNow depending on how it was installed, is bundled with other software, as a sponsor. While the software does present a license agreement, somehow that license has escaped the notice of 87% of people who have it installed if PC Pitstop is correct. Perhaps the fact that WhenU's very lengthy license agreement is wrapped in a tiny box that cannot be resized has something to do with that. In fact, to view WhenU's entire agreement while installing the popular Bearshare file sharing program the user must scroll an amazing 44 times!

Once installed, the software occasionally will pop up an advertisement window if it detects certain keywords inside a browser window. This practice, considered to be theft by many web site owners, has drawn several lawsuits and has even been outlawed in the state of Utah.

WhenU is answering statements - statements backed up by documented research - with personal attacks. They make a token effort to dispute the facts but their rebuttals are unconvincing. In other words, this new filing looks to me to be nothing but good old fashioned mudslinging.

Well, this *is* an election year.

Permalink | Top

Program: X-Cleaner
Author: X-Block
Platform: Windows 9x, ME, NT 4.0, 2K, XP
License: $39.95 [20% off for SpywareInfo visitors until June 2, 2004]
Coupon code: SPY-43F8-INFO

X-Cleaner Spyware Remover is an award winning spyware detector that finds and removes commercial spyware programs. X-Cleaner also features a unique mobile active-x spy scanning utility so you can login through their member's center and use it from public terminals.

No installation required - simply download and use or you may install if you choose. X-Cleaner provides courteous support via e-mail for registered users. Software is delivered instantly via digital download and you can download new versions as often as you like the first year.

You can even put this on a floppy disk and carry it to work in an envelope or in your shirt pocket. Insert floppy, scan and zap the keylogger or delete your surfing traces.

X-Cleaner was recommended by Kim Komando in her article for MSN, Danger, danger: 5 tips for using a public PC.

This is a brand new version of X-Cleaner and they have cut the price to the bone for us this week. Here are some of the new features according to X-Block:

1) New expanded detection and removal database.

2) General Interface Improvement- Users can now resize the program window to fit into their screen anyway they like, especially useful for the encyclopedia where they had to scroll right.

3) Bypass *hardware* keyloggers using onscreen keyboard for input- This is under the Expert tab for Deluxe Users only and makes use of the built-in based keyboard in Windows so that users can key in information without using physical keystrokes. This is very useful for sending sensitive material since hardware keyloggers (a growing threat we are working on) evade anti-spyware which normally targets software loggers only. Given X-Cleaner's mobility in terms of file size, this is a useful little addition to have since you can go to an Internet Cafe- sweep for keyloggers (or use the full active-x scanner in the members area) and then use the software based keypad to evade hardware logging.

4) Direct link to online assistance integrated into software- as always X-Cleaner technicians are dedicated to providing prompt and professional e-mail support for even hard to remove cases of the spyware plague. We will go to great lengths to provide custom support for registered customers.

Permalink | Top

There are many, many programs for cleaning out temporary files and other junk that Windows lets build up on the hard drive. Sometimes though, you just want to do things like this yourself. It seems simple enough to open the temp folder and delete everything in it, until you actually go to do it. For whatever reason, Windows throws up a roadblock to people who want to delete their cookies and temporary internet files (also called browser cache).

Windows keeps a file called index.dat in memory the entire time it is running. Index.dat is located inside a hidden subdirectory of the Temporary Internet Files folder. You can delete every single file and folder around and underneath that file, but Windows refuses to allow you to delete index.dat itself. This is why most cleaner programs want you to reboot when you tell them to clean out the internet files. Those programs insert a start up entry that deletes the file before you log into your account.

In the past, people running Windows 95, 98 or ME could simply boot to MS-DOS and delete the file at the command line. Unfortunately, for Windows 2000 and XP, this is not an option. So how do you purge this stubborn file if Windows won't let you touch it and there is no MS-DOS to boot into? There is a very simple way to do this that does not involve installing third party software or writing scripts to run at start up.

Basically, you have to create a new administrator account, then log into it. Since your normal account is not active, Windows is not able to lock you out of the index.dat file and everything can be deleted normally.

In Windows 2000, right-click the "My Computer" icon on the desktop. Highlight "manage" and click. The "Computer Management" console should pop up. Under "System Tools", double-click the item called "Local Users and Groups", then right-click on "Users". Highlight "New User" and click. Set up a new user and click "Ok".

After you've created the user, find the icon for them in the list and double-click it. Click the "Member Of" tab. Select "Administrators" in the list, then press "OK". You've just given your new user administrative privileges, so make sure you gave it a password!

In XP, this is much simpler (although you can follow the same directions as for 2000 if you want). Open the Control Panel (usually listed on the Start Menu) and open the "User Accounts" applet. Click "Create User" and create your new account. Make sure to choose "Computer Administrator".

Now, log out of your normal user account and log into the new account you just created. Find the Temporary Internet Files folder (c:\Documents and Settings\<your user name>\Local Settings), open it, press CTRL + A and then delete everything there. Don't worry, Windows will recreate what it needs the next time you log in. This also works for the index.dat file located in the cookies folder.

Log out of the new account and back into your normal account. Windows will create a new, empty index.dat file that will be much smaller than the old one.

Permalink | Top

Title: How to remove any Spyware / Adware Toolbar
by Dennis Faas, editor
http://www.infopackets.com

Gazette Reader 'SweetImage' writes:

" Dennis is there any way to get rid of the Mirar toolbar once and for all? I have searched sites where I have found loads of people having the same problem. I have used at least 8 different Adware-blocking programs to remove the toolbar from my system, but none of them can get rid of this rotten thing! Mirar support has not answered my emails and I am going absolutely crazy trying to remove it from my system. I cannot use the Windows System Restore because it won't allow me to roll back (except for today's date) -- and furthermore, Dell can't help me. Am I stuck with this toolbar? I don't even know where it came from! Thank you very much if you can help! "

My response:

According to kephyr.com, the Mirar toolbar is an Internet Explorer [Browser Helper Object] that causes ads to be displayed. Moreover, kephyr.com reports that Mirar Toolbar does not offer an uninstaller -- so once it's installed, it's very difficult to remove. As of today (5/25/2004), I did not see removal instructions on getmirar.com (the site which hosts the Mirar toolbar).

Although Mirar toolbar removal instructions are available on the kephyr.com web site, I would like to suggest a systematic approach to removing *any* BHO from a system since I am frequently asked how to remove similar Adware / Spyware toolbars.

How to remove *any* Browser Helper Object from your Computer

What I am about to suggest may not be the most correct method to remove a BHO from your system. In fact, there is no guarantee that instructions below will resolve your issue. What I can tell you, however, is that I have used the following methods to safely remove and restore many systems that have been infected with scumware / Spyware / Adware toolbars.

Before proceeding, please make a backup of your most critical files.

1. Attempt to disable the BHO.

A little while back, I came across a program called BHODemon which can disable BHO's from launching when Internet Explorer starts. BHODemon can also be used to identify the main 'plugin' file associated with the BHO (typically a .DLL or .OCX file located in the Windows System folder). A full explanation of BHODemon (and the link to download the freeware program) is available in a recent Gazette issue.

2. Identify other 'plugin' file(s) associated with the BHO.

Some BHO's are despicably stealthy and will reinstall themselves after your system is rebooted / restarted -- even after the BHO has been disabled. Obtaining the list of files associated with the BHO will require some research:

* Use BHODemon to identify the main .DLL or .OCX file (as seen in the picture above).
* Go to Google.com and type in the BHO filename followed by the word 'remove' (example: "NN_BAR.DLL remove"). 9 times out of 10, Google will provide a list of web sites that have manual removal instructions, along with the list of files associated with the offending BHO.
* Finally, write down the file names and folder locations of the BHO 'plugin' files (example: %SystemDir%\winnb40.dll).

3. Reboot into Safe Mode and remove the BHO files from your computer.

In order to permanently remove the BHO files from your computer, you must reboot into Safe Mode (or DOS mode) or your system will report a 'sharing violation' error when attempting to delete the file(s). To access Safe Mode:

* Click Start -> Shutdown (or Turn Off).
* Select 'Restart'.
* Once the computer restarts, press F8 repeatedly on the keyboard until a Boot Menu appears. This *must* be done before the Windows boot screen appears.
* Choose to boot Windows in Safe Mode.

Once you are in Safe Mode, use your notes detailing the file names and paths of the offending BHO's and rename (or remove) the files from your system. Renaming the .DLL / .OCX file will allow you to undo your changes -- whereas deleting a file is not easily undone.

Side note: A safe way to rename a file is to place a few harmless characters in front of the real file name (example: if the file is popups.dll, rename it to zz_popups.dll).

4. Remove the BHO references from your System Registry.

* Click Start -> Run -> type in "regedit" (no quotes, and press Enter).
* Once RegEdit appears, click File -> Export to make a backup of your registry. In case you make a mistake, you can import your old registry to reverse the proceeding changes.
* Now you're ready to remove the BHO references from your Registry. In the RegEdit window, press F3 to search. Next, type in the name of each BHO file you recorded in Step #2 -- minus the file extension (for example: search for 'popups' instead of 'popups.dll').
* When a match is found, look on the left side of the RegEdit Window. Left click the expanded folder which encapsulates the BHO entry. Press DEL on your keyboard to delete it.
* Press F3 and until no more matches are found; repeat this process for all BHO files you recorded in Step #2.

5. Remove any suspicious references from your Startup locations.

Download Startup_CPL.exe from Mike Lin's web site. This program will list multiple startup locations that launch programs when Windows is booted. If you see anything suspicious, disable it from launching in your startup. If you are unsure of whether or not a program entry is safe to disable, you can research it using Pac's Portal web site.

6. Reboot your computer.

The offending BHO should now be removed from your computer. If, however, you are unable to resolve your problem, you can:

* Attempt a System Restore (if applicable).
* Import your Registry backup and reboot your computer (if you think you may have accidentally deleted the wrong registry entry and have inadvertently caused your system to become unstable), or
* Backup your most critical files and reinstall Windows. I have a downloadable eBook and video guide which explains how to do this in great detail.

Good luck!

Note: This article appeared originally in the May 25th Infopackets Gazette

Permalink | Top

The SpywareInfo forums see a large number of people referred by ISP and PC tech support. To deal with these thousands of people, we have 4 administrators, 6 moderators, 20 experts, 70 or so trained helpers and 120 helper trainees. At any given moment, there are anywhere from 150 to 200 people surfing the message board. Sometimes so many people post for help that we are overwhelmed.

I'd like to ask some of the tech support people who send their infected customers our way to help out in their spare time. If you are interested, we have a "classroom" where we teach people how to look at a HijackThis log file and see exactly what needs to be fixed to remove a parasite. After you've been taught that and "graduate", your account is upgraded and you can start helping out infected victims in the public forum.

If you are interested, read this message board thread. Thanks to everyone who helps out.

Permalink | Top

http://www.komotv.com/stories/31305.htm :: Pop-up Ad Scams
http://zdnet.com.com/2100-1104_2-5215941.html :: Google defines good manners for adware
http://www.google.com/corporate/software_principles.html :: Feedback requested: A proposal to help fight deceptive Internet software
http://www.globetechnology.com/servlet/story/RTGAM.20040519.gtspymay19/BNStory/Technology/ :: California legislation aimed at spyware
http://www.theregister.co.uk/2004/05/19/overstock_utah_spyware/ :: Utah sees first spyware case
http://biz.yahoo.com/prnews/040519/law056_1.html :: Overstock.com First to Use Utah Spyware Control Law to Fight Predatory Marketers
http://www.clickz.com/news/article.php/3356441 :: Lawsuit Filed Under Utah's Challenged Anti-Spyware Act
http://www.mediapost.com/dtls_dsp_news.cfm?newsID=251985 :: Overstock Files First Suit Under Utah's Spyware Control Act
http://www.clickz.com/news/article.php/3356541 :: California Anti-Spyware Bills Progress
http://www.buffalonews.com/editorial/20040522/1049745.asp :: Internet spyware: Spam's creepy cousin