Spyware & Adware
and The Bad Things They Do

 
When we first started supporting users on the Internet back in the mid-90s, it was a very different world from the one we see now. Back then, we spent virtually all of our time helping users resolve instability inherent to Internet Explorer & Netscape Navigator, invariably caused by video driver problems or a corrupt cache. Sadly, times have changed.

Nowadays, people are searching for help with home page hijackings, search engine hijackings, unwanted pop-up windows and other nasties. The types of software that cause these problems are numerous and varied.

The hardest thing about describing them has been deciding what definition to use – the most popular definitions used to describe the bad stuff are "adware," "spyware," "malware," and "foistware." These descriptions are used interchangeably, often misused and often misunderstood.


Definitions

A regular point of contention between anti-spyware commentators and those who distribute or write the software (and a point of confusion for the home user) is whether a particular piece of software should be labeled "adware" or "spyware." Debates can become quite heated, and lawsuits have even been triggered. We want to keep things as simple as possible so we will use the catch-all term "malware." The following are the most common definitions as we understand them.

Adware is software that generates advertisements such as pop-up windows or hotlinks on Web pages that are not part of a page's code. Adware may add links to your favorites and your desktop. It will often change your home page and your search engine to sites that earn income from various advertisers. This income is dependent on, for example, how many people visit the adware site, or how many people click on the links or advertisements at the site. Ads are not bad by themselves but they become a problem when they are unauthorized. Unfortunately, many adware programs do not give users enough notice or control.

Spyware is software that collects and transmits user specific behavior and information, with or without permission. Sometimes, permission to collect and transmit is assumed to have been given simply by the act of installing software or loading a Web page. In reality, few people read EULAs (End User License Agreement) or Terms of Use/Service/Installation that are displayed during installation.

Like ads, data collection can be okay if done with consent or for a reasonable purpose. For example, software that transmits user specific information for the legitimate purpose of confirming eligibility for updates or upgrades should not be classed as spyware. Programmers are entitled to ensure that their software is not being pirated, and that the users of pirated software are not receiving the same benefits as legitimate users.

Malware is software that damages your system, causes instability, or exhibits antisocial behavior such as changing settings or interfering with a computer's registry and security settings. Typical examples include computer viruses or worms.

Bundled Software (sometimes called Foistware) is software (often adware and/or spyware) that is included with a particular product, and without which the product will not operate, or which is compulsory according to a product's EULA.

Signs of Infection:
If your computer starts to behave strangely or displays any of the symptoms listed below, you may have spyware or other unwanted software (malware) installed on your computer.
   
1. My computer seems sluggish.
Spyware and other unwanted software is not designed to be efficient. The resources these programs use to track your activities and deliver advertisements can slow down your computer and errors in the software can make your computer crash. If you notice a sudden increase in the number of times a certain program crashes, or if your computer is slower than normal at performing routine tasks, you may have spyware or other unwanted software on your machine.
   
2. Home page and search engine hijacking.
When a user's preferred home page or search engine is changed to an unknown site, an unwary victim may be exposed to an increased risk of further malware or spyware infection. It is not unusual for malware sites to direct hijacked computers to other Web sites that download and install even more malware. There may also be an increased risk of exposure to unwanted or unsavory content such as gambling or adult links via advertisements or sponsored links.

   
3. I have tool bars that appear out of nowhere.
Often such toolbars are search engine based. Sometimes they cannot be turned off permanently and reappear on reboot, and sometimes they cannot be turned off at all. Sometimes, as part of their installation, they will disable other toolbars that may already be installed – for example, if a reputable toolbar such as GoogleBar, AltaVista's toolbar or Earthlink's toolbar is installed the hijacker will turn off those toolbars to remove competition.

Search results from hijacking toolbars may be restricted to only sites that pay for positioning, otherwise known as "sponsored" results.

It is important to understand the difference between sponsored results and standard search results. Standard search results are most often created by "spidering."  Spidered pages earn a high ranking over time. Community popularity plays a big part when search engines determine the ranking of sites that appear in standard search results. Things such as number of hits to a site, or the number of other sites that link to the page, affect ranking. Sponsored links, on the other hand, are there simply because they have paid for the privilege.

   
4. My settings have changed and I can't change them back.
Some unwanted software has the ability to change your home page or search page settings. This means that the page that opens first when you start your Internet browser or the page that appears when you select "search" may be pages that you do not recognize. Even if you know how to adjust these settings, you may find that they revert every time you restart your computer.
   
5. I see pop-up advertisements all the time.
Pop-up advertisements can be very intrusive. Sometimes they interfere with Web browsing by taking over the entire computer screen. They can be difficult or impossible to close. In bad cases, many windows will appear in rapid succession, making the computer virtually unusable.

Sometimes adware pop-ups are deliberately deceptive. Examples include pop-ups where the "no" or "cancel" buttons are actually "yes" or "install" buttons, and pop-up windows with fake Close buttons that trigger malware installations when clicked, much to the shock of their victims.

Some unwanted software will bombard you with pop-up ads that aren't related to a particular Web site you're visiting. These ads are often for adult or other Web sites you may find objectionable. If you see pop-up ads as soon as you turn on your computer or when you're not even browsing the Web, you probably have spyware or other unwanted software on your computer.

Pop-up windows can sometimes be explicit and family-unfriendly. They can also advertise what is commonly known as "BetrayWare" (a term coined, and encouraged, by MVP Jim Eshelman at his Web page). One example that we saw on one of our own computers (while we were testing a sponsor program bundled with free software) was an advertisement that trumpeted a warning that our computer was infected with spyware. We can reassure you that it was not infected! Sadly, far too many people are fooled by such BetrayWare advertisements.

 

Do not believe everything you read – the computer was NOT infected

 


  Note: Don't be fooled. There aren't any benevolent (good-hearted) programs roaming the Internet looking for spyware, or at least none that we know of. If you see pop-ups that look like the one above, you can be assured they are not Microsoft Windows messages if they offer to download a program. That is not the way Microsoft operates. Never trust pop-ups that do not apply to the application (program) that you are currently using.
 
  Additional Symptoms of Infection
When you start your computer, or when your computer has been idle for many minutes, your Internet browser opens to display Web site advertisements.
When you use your browser to view Web sites, other browsers simultaneously open to display advertisements.
Your Web browser's home page unexpectedly changes.
Web pages are unexpectedly added to your Favorites folder.
New toolbars are unexpectedly added to your Web browser.
You cannot start certain programs.
When you click a link in a program, the link does not work.
Your Web browser suddenly closes or stops responding.
It takes a much longer time to start or to resume your computer.
Components of Windows or other programs no longer work.
 


How Times Have Changed

When Adware first appeared on our computers it was very simple, dare we say harmless, stuff. Often it would involve only a few files which could be deleted or disabled at will, with no ill-effect. Early Adware even appeared in Control Panel under Add or Remove Programs.

As Adware has matured it has become smarter. Historically, as fast as the clean-up experts have worked out how to fight malware, those behind it have fought back with new tricks.

Over time malware started polluting and changing our computers' registries, and using random file names that were harder to identify and remove.

Adware began exhibiting spyware and malware characteristics. Even if victims were able to remove hijackers, they were sometimes unable to change hijacked home pages or other settings to what they wanted because the relevant buttons had been grayed out (made unavailable). Entire sections sometimes disappeared completely from Internet Options when the hijackers began to take advantage of the pre-existing ability to lock down Internet Explorer.

Malware writers began to design their programs so that they would reinstall automatically if removed, sometimes using different file names. The malware started monitoring itself and even the computer registry for detrimental changes. Other antisocial behavior that has appeared includes: using super hidden files, registering malware processes as a Microsoft Windows Service, and changing a victim's security rights so that they are unable to remove the malware.

The Bad Side of Adware

Adware is now big business and there is a lot of money to be made. It must be said that advertising is not unique to the internet. After all, advertising has been around forever and provides an important community service if used appropriately and responsibly. But there are dangers inherent to Adware that we must all be aware of.

From a technical viewpoint, the most obvious problem caused by unauthorized programs is computer instability. Badly infected systems may operate very slowly, crash constantly, and sometimes will not start at all. To add insult to injury, the owners of such badly infected machines may face serious problems when trying to clean up their machines. Their attempts to use popular anti-spyware software may fail if the number of items that require removal is so great that the software cannot cope with the load. Sometimes when the hijacking software is removed the computer's ability to connect to the internet may be damaged.

There is also a privacy and security risk. Adware may exhibit spyware tendencies, reporting where you go on the internet, when and how often, what you enter into search engines, and what advertisements you respond to.

During a malware installation, the security settings in Internet Explorer may be changed to register untrustworthy sites as Trusted sites. The Trusted sites zone is reserved for Web sites that you trust not to damage your computer or data. Obviously, we do not want malware sites to be added in our Trusted sites zone, because they should not be trusted. Sites should not add themselves to any security zone without permission or interaction from us.

Adware may add itself to the pop-up blocker exception list in Windows XP Service Pack 2, or to the Windows Firewall exceptions. There are also reports of some malware using Trojan Horses such as HackerDefender to hide themselves from popular anti-spyware software.
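
The changes described above (sites added to the Trusted sites zone, pop-up blocker exceptions, and locked-down Internet Options) leave traces in the per-user registry that can be checked from an exported copy. The following is an added example, not part of the original article: it assumes the usual Internet Explorer registry locations (ZoneMap\Domains, New Windows\Allow and the Policies Control Panel key), and the sample export and its domain names are constructed.

```python
import re

# Constructed sample in "reg export" text format (not data from the article).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-ads.test\www]
"http"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"*"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow]
"popups.example-ads.test"=hex:00,00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001
'''

# Assumed key locations for the three settings being audited.
HKCU = "HKEY_CURRENT_USER\\Software\\"
ZONEMAP = HKCU + r"Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
POPUP_ALLOW = HKCU + r"Microsoft\Internet Explorer\New Windows\Allow"
LOCKDOWN = HKCU + r"Policies\Microsoft\Internet Explorer\Control Panel"

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each value in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            yield key, m.group(1), m.group(2)

def audit(text):
    """Return (finding, subject, detail) tuples for settings worth reviewing."""
    findings = []
    for key, name, data in parse_reg(text):
        lkey = key.lower()
        dword = int(data[6:], 16) if data.lower().startswith("dword:") else None
        if lkey.startswith(ZONEMAP.lower() + "\\") and dword == 2:  # zone 2 = Trusted sites
            # Keys are stored as Domains\<domain>\<host>; rebuild host.domain.
            host = ".".join(reversed(key[len(ZONEMAP) + 1:].split("\\")))
            findings.append(("trusted-site", host, name))
        elif lkey == POPUP_ALLOW.lower():  # value name is the allowed site
            findings.append(("popup-allowed", name, ""))
        elif lkey == LOCKDOWN.lower() and dword == 1:  # 1 = option greyed out
            findings.append(("options-locked", name, ""))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT), sep="\n")
```

Files written by reg export are UTF-16, so read them with encoding="utf-16" before passing the text to audit(). Every entry reported should be one the user recognizes adding; the Local intranet entry in the sample is deliberately not flagged.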

As many of us are parents of teenage children, our concern goes deeper than the technical and security problems caused by adware and spyware. Take, for example, a certain young teenage girl who is a big Delta Goodrem fan. Using her parent's computer, and a search engine, she went searching for the lyrics to her favorite song. You would think that such an innocent activity would be safe, but alas no. The computer ended up badly infected with adware, and some very unsavory, family-unfriendly pop-ups started appearing, to which no teenage girl should be exposed. The malware was extremely difficult to remove – in fact, in the end she had no choice but to reformat the infected computer – wipe everything out and install afresh.

Tip: An excellent site that discusses 'BetrayWare', also known as 'rogue' or 'suspect' anti-spyware products, in far more detail than is possible here, is Rogue/Suspect Anti-Spyware Products & Web Sites.

Ok, the Computer is Infected. Now What?

Thankfully, we are not alone when we have been ensnared by the bad guys. Vibrant communities have appeared that are dedicated to helping users rid their machines of adware, spyware, malware, and foistware, and, what is even better, much of this expert support is free.

Newsgroups

Newsgroups are a collection of ongoing discussions ("threads") that cover a particular topic and are available to anyone who has access to a news server and a news reader program or even just a Web browser. It is a lot like sending an e-mail message, except for the fact that anybody with access to the server can read your message.

They are great forums for sharing your own knowledge and experience, as well as seeing what others have to say. When using a newsgroup, you can either post a message in response to an ongoing conversation thread, or pose your own questions.

When you post a question, many thousands of people may read about your problem, and you are generally assured of getting an answer quickly. Where else can you ask a question at 3:00 A.M. and know that somebody somewhere will be reading of your dilemma in what is the middle of their day? But always remember, the regular advisers are volunteers who help out in the newsgroups in the spare time left to them after work and family commitments. Sometimes you may have to wait a day or so, especially during business hours, or at busy times such as after the release of a new program, upgrade or beta, or during holidays. Find out how to get news from newsgroups.

An excellent first port of call for adware or spyware problems is the Microsoft newsgroup 'microsoft.public.security' that is found on the server msnews.microsoft.com. You can access this newsgroup using Outlook Express or any other NNTP capable news reader, or you can access the newsgroup via Microsoft's Web-based Community interface or services such as Google.

Tip: A comprehensive list of Web-enabled Security newsgroups is available at IT Pro Community, Security Newsgroups.

Another favorite is AumHa Forums. It is run by MVP Jim Eshelman and frequented by several well-known, highly skilled anti-spyware specialists.

Another excellent forum is SpywareInfo. Lavasoft, the makers of AdAware, one of the first anti-spyware programs, also have a support forum.

Conclusion

It can be very frightening for the new user when they are faced with the task of removing spyware or adware. Sadly it can be difficult, even for experts, to get rid of some of the worst offenders.

Don't be fooled into downloading or purchasing BetrayWare. Ask an expert first. There are many trustworthy helpers out there who go above and beyond the call of duty to help the victims of computer hijackings.

Also, remember that Windows XP SP2 makes it much harder for the unsavory end of town to sneak software on to our machines. Everybody who has automatic update enabled on their XP machines should have been updated by now. If your system has not been updated to XP SP2 yet, we strongly recommend that you take steps to install this very important upgrade as soon as possible.