I find myself once again forced to warn everyone that using Lavasoft's Ad-aware spyware remover might be dangerous. The last time I sent out a warning against using Ad-aware, it was because Lavasoft had abandoned the existing version (5.83) of their product to work on the new version, and was not going to update it to deal with one of its targets that had mutated dangerously.

Well here we are two months later and the new Ad-aware 6 is still having more or less the same problem as the old. This time the problem effects not one, but three different targets, NewDotNet, CommonName Toolbar, and Webhancer. These three programs install themselves as Layered Service Providers and alter winsock settings. To put it simply, removing any of these three programs improperly means you can kiss your connection to the internet goodbye. The original release of Ad-aware 6 does indeed remove all three of these programs improperly and does break internet access in the process. Lavasoft has released a new build which hopefully fixes this.

If you are running Ad-aware 5.x, remove it. It is obsolete. If you are running Ad-aware 6, check that you have build 162 and not build 160. You can see which build you have by clicking the information button along the upper right of the main screen (screenshot). The new build 162 reportedly fixes this problem as far as NewDotNet is concerned, however I don't know if it corrects the problems related to Webhancer or CommonName. If you need to update your version, you can download it from Lavasoft's download page at http://www.lavasoft.de/support/download/

At this point, I would urge everyone to not remove these three programs with any version of Ad-aware until this is sorted out. If you have Webhancer or CommonName, Spybot removes them perfectly. http://security.kolla.de/.

Update Lavasoft has assured me that all three programs are removed without issue by the new build and referencefile. For now, I still don't recommend removing any of these three programs with Ad-aware, but Lavasoft says that the problem was only with the old build 160 and is fixed in the new build 162.

If you find NewDotNet on your system and want to remove it, these are the "official" removal instructions, directly from the company that makes the software. These instructions work perfectly, so don't use any third party software to remove it. These instructions will also help if your connection has already been damaged, so you may want to highlight this section and print it out.

Republished with permission from NewDotNet:

There are multiple procedures to removing our software and each procedure should be followed as outlined to ensure proper removal.

PROCEDURE 1 (Add/Remove Programs):

1. Click on Start.
2. Click on Settings.
3. Click on Control Panel.
4. From the Control Panel, double-click on Add/Remove Programs.
5. Click on the Install/Uninstall tab in the Add/Remove Programs Properties window.
6. Locate either New.net Application or New.net Domains and select it.
7. Click on the Add/Remove button.
8. After removal of our software, you may be prompted to reboot. Please reboot after removing our software.
9. If this does not fully remove our software, please proceed to PROCEDURE 2.

PROCEDURE 2 (Uninstall from Hard Drive):

1. Double-click on My Computer.
2. Double-click on the C: drive.
3. Double-click on the Program Files folder.
4. Locate and double-click on the NewDotNet folder. If there is no folder, please proceed to PROCEDURE 3.
5. Locate and double-click on the uninstall executable; it will be labeled uninstallX_XX.exe. ("X" represents the version number of the uninstaller)
6. After removal of our software, you may be prompted to reboot. Please reboot after removing our software.
7. If this does not fully remove our software, please proceed to PROCEDURE 3.

PROCEDURE 3 (Locate Backup Copy of Uninstaller and Uninstall from Hard Drive):

1. Double-click on My Computer.
2. Double-click on the C: drive.
3. Double-click on the Windows or Winnt folder.
4. Locate and double-click on the uninstall executable; it will be labeled NDNuninstallX_XX.exe. ("X" represents the version number of the uninstaller)
5. After removal of our software, you may be prompted to reboot. Please reboot after removing our software.
6. If this does not fully remove our software, please proceed to PROCEDURE 4.

PROCEDURE 4 (Download Uninstall from New.net):

1. From a computer that has Internet access, click on the following link: http://www.new.net/support/uninstall4_80.exe
2. Download and save uninstall4_80.exe to a 3-½ floppy disk.
3. Insert the floppy disk into the floppy drive of the computer that needs to have our software uninstalled from.
4. Click on Start.
5. Click on Run.
6. In the Open window type, A:\uninstall4_80.exe.
7. Click on the OK button.
8. After removal of our software, you may be prompted to reboot. Please reboot after removing our software.

NOTE: THIS FILE IS NOT TO BE DISTRIBUTED, MIRRORED, OR LINKED WITHOUT THE EXPRESSED WRITTEN CONSENT OF NEW.NET. [Which SpywareInfo dutifully obtained before publishing.]

If the above 4 procedures do not fully remove our software, please contact New.net Customer Support at (626) 405-2000 or at support@new.net.

(c) 2001-2003 New.net, Inc. All rights reserved.

Customer Support
New.net, Inc
(626) 405-2000
support@new.net

Permlink | Top

Note: To avoid confusion, everywhere I say "New.net", I am referring either to the company or its web site. Everywhere I say "NewDotNet", I am referring to the software plug-in.

Since I'm already on the topic of NewDotNet, I guess it is time to discuss why it is considered by some to be spyware. NewDotNet is a plug-in for your computer which allows you to access unofficial top level domains, such as .shop and .xxx. What New.net does is sell a sub domain of the new.net site. For example, the domain http://www.book.shop actually resolves to http://www.book.shop.new.net if you are a NewDotNet user. These domains are unofficial and won't resolve without the plug-in unless you receive your internet access from an ISP which has modified its customer's name servers to use new.net domains. There is a list of these ISP's at http://www.new.net/about_us_partners.tp#ISP. New.net estimates that they have 178,386,226 users worldwide as of this writing.

One thing which gives New.net a bad name is the fact that their software is bundled with "partner" software. Nearly all of these programs have bad reputations because they also bundle adware and spyware. For instance, NewDotNet is bundled with Radlight Media Player, which also installs WhenU.com's SaveNow.

These are two particularly disgusting companies. Radlight once included instructions in its installer that would secretly remove Lavasoft's Ad-aware. After a massive public outcry (and a particularly nasty case of the /. effect), CNet and Simtel briefly pulled the software from their archives until Radlight produced a new build which doesn't tamper with Ad-aware.

WhenU's SaveNow is even worse, for not only does it spam you with pop up ads, those ads are based on the context of the web site you are currently visiting or the words you just searched for. For instance, if you are on the Chevrolet web site, SaveNow might pop up an ad for a competing Ford vehicle. Or perhaps you search for the term "automobile" at Google and Ford has purchased advertising on Google for that keyword. SaveNow may pop up an ad for Daimler-Chrysler. In effect, it is sending you ads on web sites for which WhenU has no relationship (and reporting this fact to WhenU servers). Most webmasters consider this activity to be theft and many of them include detection scripts on their sites which will alert a visitor that it is installed and redirect them to a page with instructions on how to remove it.

Another issue that people have with NewDotNet is the automatic update component. The plug-in will automatically contact New.net servers to check for an updated version. There is no prompting for this and it cannot be disabled. It also downloads a GUID (Globally Unique Identification Number) on its first update so that New.net can keep track of how many people are using their service.

All of that in combination leads many people to avoid it and to suspect it of being spyware. Certainly it is unsavory. Nothing on my computer is permitted to check for updates unless I've gone out of my way to tell it to do so. For that matter, nothing on my computer is permitted to connect to the internet unless I've decided to allow it to do so (Mailwasher, my ISP's satellite connection software, Trillian, etc). Any software which attempts to connect to the internet, whether to check for updates or for any other reason, without giving me an option to disallow it quickly gets uninstalled and deleted off of my hard drive.

One issue which I have debated with David Hernand, CEO of New.net, is the way NewDotNet loads at startup. Rather than loading an application named "NewDotNet" or similar, the application loads by calling the Windows system file "Rundll32.exe", which means that you don't see it when you look in the Windows task manager. I argued that it made it look suspicious. If there is nothing to hide, why hide?

The answer I got back was that it was done this way to keep people from looking for all files named "newdotnet" and deleting them and endangering their network. That's sounds logical, but some people are going to stubbornly ignore add/remove and use the delete key anyway. When doing this breaks their network, they have no one to blame but themselves. I don't believe that this is reason enough to hide the running process. This is nothing bad by itself, but it does nothing to improve NewDotNet's image.

Two years ago, Lavasoft added NewDotNet as a spyware target to Ad-aware. New.net objected to its software being labeled spyware and invited open testing of its software to look for any privacy violations. When none were found, Lavasoft removed them as a target (and got flamed mercilessly for it at their support forums). One of the original members of "Team Lavasoft" who helped test the software was Craig Rashad. Mr. Rashad is no longer associated with Lavasoft and now hosts the Net-Integration message boards which is also the home of Spybot S&D's support forums.

With the introduction of Ad-aware 6, Lavasoft has once again started targeting NewDotNet. No one knows why and even Lavasoft can't seem to decide what the reason for that is, as there have been contradictory statements made at their own support forums about it. Heated arguments have been popping up on message boards everywhere between people who say NewDotNet is spyware and those who say that it is not.

Rashad decided to load several test computers with New.net's software to see whether or not it was collecting and uploading personal information about its users. After extensive testing, Mr. Rashad concluded that no, NewDotNet is not spying on its users in any way. No personal information leaves the machine, period. He has posted his opinion of New.net's software at his message boards here: http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi?act=ST;f=8;t=1634

While I haven't personally tested the software, I'll take Rashad's conclusions at face value. He's been doing this for a lot longer than I have. If he says that NewDotNet is not spyware, then it is not spyware. NewDotNet is not even adware, much less spyware. The worst that it can be called is "foistware", a term defined by CounterExploitation as "Unwanted application programs that come along, trojan-style, with completely unrelated software."

Rashad's final conclusion is that NewDotNet does not warrant targeting by Ad-aware, Spybot, or any of the other spyware removers. That took courage, because there seems to be something magical about NewDotNet. As soon as anyone dares to disagree that it is complete and utter scum, people begin to revert to the mental equivalent of school children. It is truly fascinating to watch so many grown adults lower themselves to below the mental age of their own children rather than simply stating their disagreement. It never, ever fails to happen when the issue is NewDotNet. Rashad has already receive dozens of hate mails, insults, and outright threats.

Here is my 2 cents on the subject.

I don't like the GUID and personally will not ever run this program for that reason alone. Many others agree with me on the issue of software which uses a GUID, especially when it is passed back to the vendor's servers as part of a "head count" of users. However, NewDotNet is not the only program which uses a GUID, and there is a legitimate reason for having it.

I don't like that it reaches out to the internet without asking, and then also downloads and installs updates without asking. That is extremely rude behavior and very questionable. When asked why they don't make the auto updater a manual updater, their unsatisfactory answer is that it would raise the size of the download. As rude as this is, there is nothing malicious about it and no personal information other than the GUID is sent to New.net in the process.

Neither of these issues, nor any of the other issues mentioned earlier warrants New.net's software being targeted by spyware/adware removal tools. NewDotNet is not spyware. NewDotNet is not adware. NewDotNet does not install using drive-by activex scripts the way Xupiter and others do. Every known third party installer discloses NewDotNet's presence and has boxes which the user can uncheck if they don't want NewDotNet to install. If it is already installed, then the uninstaller provided with each copy works perfectly.

NewDotNet is not worth targeting in my opinion.

P.S.
Do not email me with links to web pages that discuss NewDotNet. I have seen every single page in existence that discusses it. Thank you in advance.

Permlink | Top

X-Cleaner Anti-spyware

As I mentioned weeks ago, we've been working with X-Block to help test a new ActiveX applet which uses the scanning engine of the freeware version of Xblock's X-Cleaner Anti-Spyware. X-Cleaner removes traces of documents opened and pictures viewed, detects and removes surveillance and advertising spyware, finds and removes forgotten pictures on your machine, and permanently erases files using its "industrial shredder".

The new ActiveX applet loads in Internet Explorer and will scan your system for the presence of spyware and adware. If it finds anything you should be worried about, it will give you a warning and offer to remove it, as shown below. One of our expert members at the forums discovered she had unknowingly installed Cydoor adware, which was detected by the XCleaner applet. It also successfully detected several keyloggers which were installed on various testers machines, as well as several adware programs. I'd like to thank everyone who participated in the testing for their input.

There were really only two problems found, one of which is really a problem with Windows. If you have your computer set to use "large fonts", then you will not be able to see the "scan" button. Resetting it to "small fonts" fixes this problem (not to mention several other display problems). You can find this setting at Control Panel > Display properties > Settings > Advanced > General.

The other problem is an odd glitch with the display of the applet. If you scroll downwards and hide the applet, when you scroll back up, it is distorted. If you refresh or scroll upwards (hiding the appet again), it will fix it. Xblock is working on an improved interface for the applet, which hopefully will be available soon.

You can check the scanner out at http://www.spywareinfoforum.info/xscan.php. It is a very *fast* scan, but don't let the speed fool you. If you have a spyware or adware program in its database, it will find it. Once I get off my lazy butt, I'll redesign the page and make it part of a two-part online scanning service alongside the existing parasite detector (courtesy of doxdesk.com).

X-Cleaner Deluxe, the full, unlimited version of the X-Cleaner, is available to SpywareInfo visitors for 10% off the normal price. Click here for features and purchase information

There is also a shareware version available if you'd like to try it out before buying it. Several functions are locked in the free version, which can be unlocked by registering it. Just remember that you have to register it using my link in order to receive the discount.

We're still looking for software to offer at a discount in this spot each issue. If there is a certain piece of privacy software you'd love to get your hands on, but the price is rich for your blood, let us know and we'll try to negotiate a good discount for it and feature it here. Contact Catherine with your suggestions.

Permlink | Top

From the Anti-TCPA FAQ at http://www.againsttcpa.com/tcpa-faq-en.html

What are TCPA and Palladium?

TCPA stands for the Trusted Computing Platform Alliance, an initiative led by Intel. Their stated goal is a new computing platform for the next century that will provide for improved trust in the PC platform. Palladium is software that Microsoft says it plans to incorporate in future versions of Windows; it will build on the TCPA hardware, and will add some extra features.

How can TCPA be abused?

One of the worries is censorship. TCPA was designed from the start to support the centralised revocation of pirate bits. Pirate software will be spotted and disabled by Fritz when you try to load it, but what about pirated songs or videos? And how could you transfer a song or video that you own from one PC to another, unless you can revoke it on the first machine? The proposed solution is that an application enabled for TCPA, such as a media player or word processor, will have its security policy administered remotely by a server, which will maintain a hot list of bad files. This will be downloaded from time to time and used to screen all files that the application opens. Files can be revoked by content, by the serial number of the application that created them, and by a number of other criteria. The proposed use for this is that if everyone in China uses the same copy of Office, you do not just stop this copy running on any machine that is TCPA-compliant; that would just motivate the Chinese to use normal PCs instead of TCPA PCs in order to escape revocation. So you also cause every TCPA-compliant PC in the world to refuse to read files that have been created using this pirate program.

This is bad enough, but the potential for abuse extends far beyond commercial bullying and economic warfare into political censorship. I expect that it will proceed a step at a time. First, some well-intentioned police force will get an order against a pornographic picture of a child, or a manual on how to sabotage railroad signals. All TCPA-compliant PCs will delete, or perhaps report, these bad documents. Then a litigant in a libel or copyright case will get a civil court order against an offending document; perhaps the Scientologists will seek to blacklist the famous Fishman Affidavit. Once lawyers and government censors realise the potential, the trickle will become a flood.

Now the modern age only started when Gutenberg invented movable type printing in Europe, which enabled information to be preserved and disseminated even if princes and bishops wanted to ban it. For example, when Wycliffe translated the Bible into English in 1380-1, the Lollard movement he started was suppressed easily; but when Tyndale translated the New Testament in 1524-5, he was able to print over 50,000 copies before they caught him and burned him at the stake. The old order in Europe collapsed, and the modern age began. Societies that tried to control information became uncompetitive, and with the collapse of the Soviet Union it seemed that democratic liberal capitalism had won. But now, TCPA and Palladium have placed at risk the priceless inheritance that Gutenberg left us. Electronic books, once published, will be vulnerable; the courts can order them to be unpublished and the TCPA infrastructure will do the dirty work.

So after the Soviet Union's attempts to register and control all typewriters and fax machines, TCPA attempts to register and control all computers. The implications for liberty, democracy and justice are worrying.

I am now officially a member of this Anti-TCPA movement. I urge everyone reading this to read that FAQ slowly and completely. "Trusted Computing" may sound like a good concept, until you realize that it is based on the assumption that the user is inherently untrusted. Thus, TCPA is hostile to the user in that it treats him as a criminal on probation who must be prevented from doing something "unauthorized".

Whatever its intentions, this Trusted Computing technology will lead to the abuse of Human rights and freedoms. If anyone anywhere (Microsoft, Intel, the CIA, the Ministry of Propaganda, etc) has the ability to reach across cyberspace and just simply delete something they dislike from a person's computer, then we have lost our freedom to criticize those in power. If we cannot criticize those in power, we have gone back to the dark ages of tyranny and oppression where the lords and barons control the citizens.

A true democratic government is a servant of the people. Tyranny occurs when the government forgets that and decides that the people are the servants. One of the first acts of any new tyrannical government is to seize control of the distribution of information. I see TCPA as the first step towards that control.

I personally will not be using one of those PCs which require TCPA or its ilk to function. I will use a Macintosh or even linux. Eventually I will probably have no choice but to purchase a Mac. To the best of my knowledge, no Mac computer is planned that will incorporate this sort of technology.

Unbelievably, even that may not be an option for much longer. In the USA there is a bill, the so-called CBDPTA (Consumer Broadband and Digital Television Promotion Act). First it was named SSSCA (Security Systems Standards and Certification Act). The new name sounds so much more harmless. Presumably the original name made it too easy to discover the purpose of this bill.

This bill plans to legally force secure (TCPA-compliant) systems. So in the USA it would then be illegal to buy or sell systems that are not TCPA-compliant. Violating this law would be punishable with up to 5 years in prison and maximum fine of $500,000. The law also effect development of "open" software. Open means that it would work on systems that are not TCPA-compliant.

Even if this bill was only valid in the USA, it would have catastrophic effects worldwide. Because US companies are not allowed to develop and sell "unsecure" software, others would have to jump onto the TCP bandwagon, so they would give total control over themselves to the TCPA (USA?), or they would have to live completely without software and hardware from US-companies. No Windows, Solaris, MacOS, Photoshop, Winamp or to say it short: The largest part of all software that's used on this planet would not be usable.

If Senator Fritz "Hollywood" Hollings and/or any of the other paid employees of Hollywood in congress make it illegal to use a computer without this technology, then I guess I and many others will become outlaws. The government is my servant, not my master, and I will never allow this to change. Hollywood Hollings and anyone else who thinks that I'll give up control of my computer can kiss my ass. (_)_)

Linking/Quoting Guidelines

I don't mind people quoting these newsletters on message boards, personal blogs, and newsgroups. However, I ask that anyone doing so link to the online version of whatever they're quoting. At the top of each section is a link to the permanent location of the newsletter with an anchor tag that brings the browser right to that section. Please link either to the page or to the specific anchor. If quoting the lead section, link to the page itself.

If you want to publish something from SpywareInfo on your web site, please contact me for permission first. Emailed permission is required before any material from SpywareInfo can be republished elsewhere (message boards, personal blogs, newsgroups are excluded from this requirement).

Subscription Management

There really is no management. If you want off this list, click on the link all the way at the bottom of this newsletter. That will remove your address. If you want to change your subscribed address, unsubscribe the current address, then subscribe the new one.