The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. http://www.spywareinfoforum.info/newlsetter/july20,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are commentary. They should not be mistaken for unbiased, objective journalism.
First there were the rumors that Microsoft is considering buying Claria, the company responsible for creating and distributing Gator adware. Shortly thereafter, it was discovered that Microsoft's antispyware program has been altered by a program update to ignore all adware automatically.
This seems almost like a repeat of the situation with Yahoo's antispyware toolbar last year. Yahoo and Claria have significant financial dealings through Overture, which is owned by Yahoo. Claria makes the bulk of its income through Overture. Not long after Yahoo included an antispyware scanner in their Internet Explorer toolbar, it was discovered that they had altered it to ignore adware.
Yahoo's toolbar uses spyware detection code licensed from PestPatrol (now owned by Computer Associates). PestPatrol's own antispyware program did not have the ability to ignore all adware, only individual products if the user chose to ignore them. After experiencing a massive run of bad publicity, Yahoo changed their toolbar so that it would detect adware by default.
Microsoft's first response to questions about their antispyware program ignoring Claria was to refuse to comment. Their second response was to flatly deny that Claria is receiving any special favors. They claim now that the change was made in order to be "fair and consistent" with how Microsoft AntiSpy handles adware from companies similar to Claria. As it turns out, several adware products have been placed on AntiSpy's ignore list.
Whatever the reason, this means that Gator, Dashbar and other adware could install on a computer supposedly protected by Microsoft AntiSpy, without warnings popping up. Since Microsoft altered their users' settings without informing them, those users may not realize that they have to change their ignore list in order to detect these adware programs. If a user runs a scan of their hard drive, those adware programs will not show up in the results because they are on the ignore list.
The question that needs to be asked now is: "Can Microsoft's AntiSpy program be trusted?". It is bad enough that they decided to move all adware products to the ignore list by default. However loudly the adware industry screams that their software is not malicious, the fact remains that very few people want it on their computer. People use antispyware scanners because they expect them to find adware as well as the truly malicious stuff.
The problem is that Microsoft used an update to the program to alter their users' settings, without informing them. They may think that adware should be on the ignore list but I seriously doubt that their users would agree. Their users expected that the program would alert them to the presence of adware. Since as far back as late March, these users have been unprotected by a program they were told they could trust. Well, that trust has been broken. Can this program ever be trusted again?
Update: After I wrote this but, thankfully, before sending it out, more rumors have surfaced about the Microsoft/Claria acquisition talks. According to an article on ClickZ News, Microsoft has abandoned the idea of purchasing Claria. It would seem that the bad press they received over the rumor caused them to abandon the idea. I believe that odd sound you hear is the entire internet breathing a sigh of relief.
I am usually wary of trying out new antispyware programs. Many of them turn out to be rip-offs of existing antispyware programs, licensed clones or just plain rogues. Usually, I won't even look at a program until I've seen people who I consider to be experts say good things about it.
For a few months now, I've been hearing some very good things about Spyware Doctor from people whose opinions I trust. My partner bullied me into testing it out recently, so I downloaded a copy and set it loose on my virtual test computer. After playing with it for a while, I consider Spyware Doctor to be a very good program. On a scale from 1 to 10, I would give this program a 9 1/2.
Spyware Doctor is a very nice and very polished antispyware protection program. The interface is uncluttered and easy to navigate. A system scan is initiated with the click of a single button. The same goes for updating the program. You could give a copy of this program to your grandmother for her first computer and she would have no trouble running it with the default settings.
I only have two concerns about this program. When the first scan is run, immediately after it is installed, it does not suggest using the update feature first. Antispyware and antivirus programs always should be updated before a scan is performed. The second concern is that it was not immediately obvious how to put an item onto the ignore list, although I did figure it out after a minute.
You may remember my marathon spyware killing experiment from last month. I still have a copy of that infected virtual machine. On my "infected" test system, Spyware Doctor found a staggering 2,400+ infection items, kicked several processes out of memory and blocked 19 malicious start up entries. Every item found was organized by the name of the malware and included a short description, as well as a detailed listing of every file and registry entry it believed to be associated with it. Every item is labeled with a "threat level", showing how serious PC Tools considers that particular piece of software to be.
While removing malicious items, it unloaded Explorer.exe (the Windows desktop environment) several times in order to delete files. It informed me that there still were files it could not remove and automatically set itself up to run a scan after a restart. It then asked permission to reboot the machine. When the machine restarted, Spyware Doctor suppressed Explorer while it ran another full system scan and removed everything it couldn't delete the first time around.
There is one other good thing about the program that I feel is worth mentioning. It did not report a single false positive. Not one. This is the first time I have ever tested an antispyware or antivirus program that did not have at least one false positive. It did find one file which I could have sworn was installed by VMWare but, as it turns out, I was wrong and the program was right. False positives are the bane of malware scanning programs and it was good finally to test a program that didn't have one.
Of course, it did not detect and remove every single piece of malware on the infected machine. Sadly, I know of no single program capable of removing all of the toughest malware out there. It did, however, clobber roughly 98% of the malware and disabled all of the rest. The pop-up ads stopped. The highly annoying "alerts" from Virtual Bouncer ceased. All of the weird toolbars attached to Internet Explorer disappeared. The computer stopped crashing randomly and stopped taking 10 minutes to reboot. The CPU was no longer pegged at 100% and the memory usage dropped to less than half of what it was using while infected. Although it didn't remove everything, it certainly stopped the hijacks and disabled the ability of everything left to do any harm or to cause any annoyance. In short, my machine was back to normal.
During installation, it asks if you want to load protection when Windows starts. After installation, it runs a full system scan, then asks if you want to activate the "OnGuard" real-time protection.
In the settings, it offers "Quick Scan", "Full System Scan" and "Custom Scan". "Quick Scan" will search those areas most likely to reveal an infection, while "Full Scan" will search the entire system. "Custom Scan" lets you decide which parts of the registry it will scan, whether or not it scans the HOSTS file, memory and other locations. It also lets you decide which drives and folders will be searched.
OnGuard, the real-time protection module, protects against several methods used by browser hijackers and other malware. All of these components optionally will pop up an alert if something is detected. Note: Internet Explorer is the only web browser installed on my test machine, so I don't know if any of these protections apply to other browsers.
1) Startup Guard
Watches for malware being set to load when Windows starts up. Also monitors the Windows task scheduler.
2) Browser Guard
Watches for changes made to Internet Explorer's home page and for new Browser Helper Objects (BHOs). Also it keeps an eye on other browser extensions, such as buttons and toolbars.
3) Immunizer
Sets a registry "kill bit" for certain CLSID identifiers known to be used by malicious ActiveX programs. This prevents those ActiveX programs from being loaded by Internet Explorer.
4) Keylogger Guard
Watches for running programs which seem to be logging keystrokes and blocks them.
5) Network Guard
Detects changes made to the HOSTS file, restricts the Messenger service exploited by spammers and detects changes made to the LSP settings (a Windows networking component altered by many malware programs).
6) Popup Blocker
Blocks pop-ups from being opened in Internet Explorer. It includes a whitelist and lets you decide whether it shows an alert, plays a sound or does nothing at all when a pop-up is blocked.
7) Process Guard
Watches for known malware being loaded and forcibly removes it from memory if it is loaded.
8) Scheduler
Allows you to set up automated scans, both full and quick scans, as well as automatic program updates.
9) Site Guard
This blocks access to certain web sites which are known to cause trouble. The options are to block suspected phishing web sites, block downloads from suspicious sites and to block access to suspected spyware web sites.
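The "kill bit" described under Immunizer is a documented Internet Explorer mechanism: a `Compatibility Flags` DWORD with bit 0x400 set, stored under the `ActiveX Compatibility` registry key for the control's CLSID. The following added example (not part of the original newsletter and not Spyware Doctor's code) audits a registry export to confirm which CLSIDs on a blocklist actually have the bit set. The CLSIDs, the blocklist and the export text are constructed for illustration.

```python
import re

KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE loading the control
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample in the text layout of a .reg export (a real export is
# usually UTF-16 and must be decoded first). All CLSIDs here are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-1111-2222-3333-444444444444}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{12345678-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000c00
'''

# Constructed blocklist: the last CLSID has no entry in the export at all.
BLOCKLIST = [
    "{00000000-1111-2222-3333-444444444444}",
    "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
    "{12345678-0000-0000-0000-000000000000}",
    "{FFFFFFFF-0000-0000-0000-000000000000}",
]

KEY_RE = re.compile(r'^\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]$')
VALUE_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.I)


def parse_flags(export_text):
    """Return {CLSID: flags} for every CLSID subkey under the ActiveX Compatibility key."""
    flags, current = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current = None  # a new key header ends the previous key's values
            m = KEY_RE.match(line)
            if m and m.group(1).lower() == BASE.lower():
                current = m.group(2).upper()
                flags.setdefault(current, 0)
            continue
        v = VALUE_RE.match(line)
        if v and current:
            flags[current] = int(v.group(1), 16)
    return flags


def audit(export_text, blocklist):
    """Classify each blocklisted CLSID by whether the kill bit is really set."""
    flags = parse_flags(export_text)
    result = {}
    for clsid in blocklist:
        value = flags.get(clsid.upper())
        if value is None:
            result[clsid] = "no entry"
        elif value & KILL_BIT:
            result[clsid] = "kill bit set"
        else:
            result[clsid] = "entry without kill bit"
    return result


if __name__ == "__main__":
    for clsid, status in audit(SAMPLE_EXPORT, BLOCKLIST).items():
        print(f"{clsid}  {status}")
```

An entry that exists but lacks bit 0x400 does not block the control, which is why the audit tests the bit rather than the presence of the key.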
This is a good program and well worth the discounted price for Spywareinfo readers. Spyware Doctor has our recommendation - it is that good.
If you have any problems with the ordering page or with the coupon code (SPYWAREINFO), please email Catherine at http://www.spywareinfoforum.info/email2.php.
Anyone buying as a corporate customer and needing many copies of this program, please contact Catherine.
I have seen a few stories in the last few days about people throwing out their computers and replacing them with new ones, rather than trying to remove the spyware infecting them. I had heard a few stories of that happening in the past but I didn't realize so many people were doing it.
I think I can understand the feeling. A brand new computer using last year's hardware is surprisingly cheap and will perform nearly as well as a high-end machine in most things. When faced with dozens of unwanted programs all competing with each other to install toolbars and pop up ads and resisting all efforts to remove them, some people just throw their hands in the air and decide to start over fresh.
I can understand the feeling but I don't share it. This is my philosophy regarding unwanted software. I bought every piece of hardware for this computer. I pay for the internet connection. I pay for the electricity that powers it. This is my private property. As far as this machine is concerned, I am God and my word is Holy Law.
If I want a piece of software to be gone, it will be gone. Attempting to resist my efforts to remove it will just guarantee that I make sure every trace is deleted. I am perfectly willing to spend as much time as it takes to hunt down and kill an uninvited software parasite.
Of course, I know how to do that. I know most of the tricks used to install these parasites and I know all of the tricks needed to remove them. Few people know how to do that. Even if a person installs multiple antispyware programs, some parasites are too tough to be killed automatically. It takes the guidance of a malware expert to remove these highly resistant parasites and some people just don't have the patience for that.
If your computer is thoroughly infested with garbage, buying a new computer is not the answer to your problem. The new computer will become just as infected within one or two months. Buying a new computer should not be considered as an option.
The most extreme doomsday option I will give to someone is to format their hard drive, which I refer to as "nuke and pave". I can remove any piece of malware that can be installed, but it takes time and a fair amount of cooperation from the victim. Sometimes the victim doesn't have the time, skill or patience to go through the steps needed to track down and fix their problem.
If they are not willing to spend the time needed to correct their problem, then a "nuke and pave" is a simple way to remove all malicious programs. It means that everything not installed by the computer maker will be removed. Any personal documents, music files, pictures, movies and whatever else will be gone. But at least the computer will be back to normal afterward, just as if it were brand new.
A hard drive format is the final doomsday option that is always available but hopefully one that I will never have to use. As far as I can remember, I've never had to recommend this to anyone. Simply tossing out the computer and replacing it just to be rid of spyware is not an option. What are you going to do when the new computer becomes just as infected? That is an expensive way to remove unwanted programs.
If you know someone who is considering throwing out their computer just because it is infected with spyware, please, try to talk them out of it. Send them to my message board. If they are unwilling or unable to spend the time needed to fix their computer, at least ask them to pop in their "recovery disc" or whatever their computer maker calls it and tell them to select the option to "format and reinstall". They will lose their documents but they will lose them anyway, if they simply toss out the machine.
Remember, once you have a clean computer, you should take steps to prevent this from happening again. One of the most widely read articles on SpywareInfo is the one that explains how to prevent a browser hijacking. It is found here: http://www.spywareinfoforum.info/articles/hijacked/prevent.php. Read it and send that link to your friend. It might save that person hundreds of dollars.
I hate asking for money - it embarrasses me - so I will keep this brief.
Between fighting DDoS attacks, fending off legal threats from various parasite makers and monthly hosting bills, the cost to maintain SpywareInfo continues to grow. At the moment, I have two dedicated web servers running the site and a third running software to protect them both from DDoS attack. I don't know if it is going to cost extra to replace the server that died last month, but it is a possibility.
I am asking for donations to help me keep the bills paid. If you can afford to help out, it would be very greatly appreciated.
Paypal donations can be sent to paypal@spywareinfoforum.info. Or click here. Checks or money orders (don't send cash) can be sent to:
James Healan
PO Box 2378
Reidsville, GA USA 30453
SpywareInfo also has a Cafepress storefront to sell various merchandise, such as t-shirts and coffee mugs. You can find that at http://www.cafepress.com/spywareinfo. Just be aware that all but a few dollars of what is spent on that merchandise goes to Cafepress, not to me.
If you are curious as to what "DLTBW" means, it goes back to when SpywareInfo nearly was destroyed by a massive denial of service attack in 2004. It basically was a fundraising idea to help pay for the vastly increased cost of running the site during the attacks. It stands for "Don't Let The Badguys Win". Actually, the "B" stands for something else, but I do have to slip this past spam filters ;) .
To clear up a common source of confusion, I am both "James" and "Mike" Healan. People write all the time wondering if James is my brother or something. James is my first name and that is how I sign my name. This is why I ask that any checks be made out to James. Mike is my middle name and is what I answer to. If you called me James on the street, I wouldn't know you were talking to me. Sorry for the confusion there.
If you can make a donation, I thank you very much. You are helping what I consider to be a very great site and service to remain totally free.
Ask ten spyware experts if they consider cookies to be spyware and you'll get ten greatly different responses. People have been arguing about tracking cookies for years. To some people, they are nothing but text files and you shouldn't worry about them. To some people, they are a serious privacy threat and should be blocked whenever possible. Even antispyware vendors disagree about tracking cookies. Some products ignore all cookies, some target cookies only from specific companies and a few products list all cookies found on the hard drive.
This debate has been going on for years, although recently it has heated up again as the US Congress debates legislation restricting spyware. The Daily Herald has an interesting editorial on the subject.
Let me explain what I mean by "tracking cookies". I am not talking about the cookie that records your password so you can log into your Yahoo email account. I am not talking about the cookie that lets Amazon recognize you when you go to their web site. A tracking cookie is not set by the web site you see. It is set by a completely different web server which is displaying ads or serving web bugs.
Normal cookies are useful. They remember your password and preferences on web sites so you don't have to keep doing that yourself. Tracking cookies are not useful to a web surfer in any way. Their entire purpose is to keep track of your browsing habits.
I'll use DoubleClick as an example. DoubleClick runs advertisements on countless web sites. Each of those ads will try to set a cookie on your hard drive. When you leave site A and go to site B, which also is running DoubleClick advertisements, somewhere a great big computer records the fact that a visitor to site B also visited site A. Later on, they will notice you on site C and cross reference the fact that you also visited sites A and B.
No doubt you are asking, "So?". While it is true that the cookie can identify you only as a number and not by name, the company using the cookie has the potential to identify you in other ways. DoubleClick once bought a data collection company named Abacus. It was their intention to use the massive amount of data collected by Abacus to identify, by name and address, the anonymous web surfers with DoubleClick cookies on their machines. It was only after very public complaints and the threats of lawsuits by the attorneys-general of several states that they held off attempting to do this. Still think cookies are harmless?
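The site A, site B, site C cross-referencing described above can be reproduced from a record of which host set which cookie on which page. This added example (not from the original newsletter) separates first-party from third-party cookies and lists every third-party identifier that was seen on more than one site. The host names and cookie values are constructed, and the two-label `site_of` rule is a simplifying assumption; browsers use the Public Suffix List.

```python
from collections import defaultdict

# Constructed sample: (site in the address bar, host that set the cookie,
# cookie name, cookie value).
OBSERVED = [
    ("site-a.example", "site-a.example", "session", "a91"),
    ("site-a.example", "ads.tracker.example", "uid", "7731"),
    ("site-b.example", "site-b.example", "prefs", "dark"),
    ("site-b.example", "ads.tracker.example", "uid", "7731"),
    ("site-c.example", "ads.tracker.example", "uid", "7731"),
    ("site-c.example", "cdn.site-c.example", "lb", "n2"),
    ("site-c.example", "stats.other.example", "v", "55"),
]


def site_of(host):
    """Naive registrable domain: the last two labels of the host name.
    Assumption for this example; real browsers use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_third_party(page_host, cookie_host):
    """A cookie is third-party when its host belongs to a different site
    than the page the user is actually looking at."""
    return site_of(page_host) != site_of(cookie_host)


def cross_site_profiles(records, min_sites=2):
    """Map each third-party identifier to the ordered list of sites where it
    was presented. Anything seen on min_sites or more sites lets the cookie's
    owner link those visits to one browser."""
    seen = defaultdict(list)
    for page_host, cookie_host, name, value in records:
        if not is_third_party(page_host, cookie_host):
            continue
        key = (site_of(cookie_host), name, value)
        page_site = site_of(page_host)
        if page_site not in seen[key]:
            seen[key].append(page_site)
    return {k: v for k, v in seen.items() if len(v) >= min_sites}


def first_party_only(records):
    """What remains when third-party cookies are blocked."""
    return [r for r in records if not is_third_party(r[0], r[1])]


if __name__ == "__main__":
    for (tracker, name, value), sites in cross_site_profiles(OBSERVED).items():
        print(f"{tracker} can link {name}={value} across: {', '.join(sites)}")
    print(len(first_party_only(OBSERVED)), "cookies survive third-party blocking")
```

The `cdn.site-c.example` cookie is treated as first-party because it shares a site with the page, while the ad host's single `uid` value ties all three visits together.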
My own opinion is that tracking cookies are not themselves spyware but that they are a tool used by others for the purpose of spying on browsing behavior. For that reason, they should be blocked and removed. Any product billing itself as an antispyware tool is doing its users a disservice if it ignores cookies from companies that are known to use them for tracking purposes. Detection of tracking cookies should at least be an option.
Cookies are blocked easily. These third party tracking cookies are even easier to block. Refer to my guide for doing that.
More proof that the companies who use tracking cookies have no regard for a person's privacy is the fact that they have started circumventing people's efforts to block their cookies. By using a flash program, they can save the information in their tracking cookies and replace those cookies if they have been deleted. For information about that and instructions to disable this program, see this previous newsletter.
I never thought I would hear myself say this, but God Bless California! Their state legislature passed a law a while back which forces companies to disclose incidents where confidential information about average citizens has been lost or stolen. Ever since that law went into effect, it seems as if every week there is a news report about some company losing extremely detailed information about massive numbers of people.
You want to know why identity theft is such a big problem? Well, there you go. Countless companies compile huge dossiers on millions of people, completely without their knowledge or consent, then sell that information to whoever has the money to buy it. Then they fail to protect that data, and it ends up being stolen and sold on the black market.
Now that these companies can no longer hide the fact that the data they've collected have been lost or stolen, people now realize how serious a problem these companies are. The US Senate now is creating a bill that hopefully will help with the problem. Called the Identity Theft Protection Act, the proposed bill puts some serious restrictions on these data collection companies.
For starters, any person can instruct the credit reporting agencies to put a freeze on their credit report. That means that unauthorized persons will not be able to access their credit report. It also means that no one will be able to open a new credit account in that person's name, unless that person instructs the agencies to unfreeze the account. Once instructed to freeze a person's credit report, the reporting agency must freeze the report and inform all other reporting agencies that they must do the same within five days. An exemption is made for creditors to help them prescreen credit applicants.
Unfortunately, this freeze would not prevent credit card companies from issuing "pre-approved" credit card applications via junk mail. That is a mistake. Those credit card applications often are an identity thief's most useful tool.
The proposed bill forces companies dealing with confidential data to take strong measures to protect it from theft, technologically and physically. Specific methods are not outlined. That would be left up to the Federal Trade Commission.
Businesses will be forbidden to ask for a social security number unless knowing that number is absolutely required for them to serve the person. If they do need it, they will be forbidden to use the number for identification documents. Government agencies would be prohibited from having any sort of prison-labor program which would lead to a prisoner having access to social security numbers.
If everything fails and information falls into the wrong hands, the company that lost the information would have to notify consumers if there is a "reasonable risk" the information could be used for ID theft and to notify the FTC if the breach involves information belonging to more than 1,000 individuals. If the company fails to do this, they could be fined as much as $11,000 for every person affected, up to a maximum limit of $11 million.
One serious flaw in this section is that it leaves it up to the data broker to decide what constitutes a "reasonable risk" of identity theft. If an unauthorized biography of me, including my social security number, credit information and who knows what else, was stolen, I'd sure as hell expect to be told about it. I should be allowed to decide what is a "reasonable" risk and what isn't.
Despite its flaws, I am glad to hear about this bill, although personally I would rather see them outlaw entirely the practice of compiling and selling information about people. I can understand the credit reporting agencies needing to know if I'm paying my bills on time. What I don't understand is why any other company should have access to information like that. If I am not doing business with them, why should they have information about me? What gives these companies the right to snoop into my private affairs, build a KGB-style dossier detailing my entire life and then sell MY information to anyone with enough money?
If you are or suspect that you are the victim of identity theft, there are some good tips for dealing with the aftermath in this New York Times article and also at the FTC web site. If the NYT site demands that you log in and you do not have an account, go find one at BugMeNot.
A very quick and simple thing you can do is simply to go to Google and search for your social security number, credit/debit card numbers, bank account numbers and anything else that you wouldn't want people to have. Stolen credit card numbers often turn up on illegal web sites and usually can be found just by searching for them. If you find any results for these numbers, you know you have a problem.
A final note. "Phishing" is where a con artist sends you an email claiming to be Paypal or Ebay or your bank and tricking you into providing them with your online passwords. Thousands, possibly millions, of people fall victim to this.
There is a very simple way to avoid becoming a phishing victim. If you receive an email from your bank that seems legitimate and says you need to log in to take care of some matter, don't use the links provided inside of the email to visit the site. Go directly to the bank's web site and log in from their front page. Or better yet, call them on the phone and ask if the email is legitimate. 99.999999% of the time, the email will be a fake.
In the last newsletter, I said that the message board server had died. I said that it was running again on a temporary server and urged you to go visit it. And as soon as I sent out that newsletter, all of my web sites promptly went off the air.
This time it wasn't a broken server causing the trouble. Someone way up the food chain of bandwidth providers dropped one internet pipeline company in favor of another. When they did this, routers all over the internet became "confused". Everyone at my web host, every web host at their data center and everyone on up the ladder disappeared right off the net until things were sorted out.
All of my web sites are working again now, although there does seem to be the occasional outage late at night. Running a web site can be such a headache sometimes.
If you are curious, these are all of the sites that either are mine or are administered by me.
SpywareInfo: http://www.spywareinfoforum.info and http://www.spywareinfoforum.info/newlsetter
Soapbox: http://www.mikehealan.com
DogReader: http://www.dogreader.com
Merijn: http://www.merijn.org
Malware: http://www.malware.us
All materials on this web site are copyrighted © 2001 - 2012 by Mike Healan or their respective owners.
® All rights reserved.
Use of this site and its services are subject to our terms of use.
