Slashdot Mirror

Some idiot tried to trademark the word "Spybot", bought up spybot.com, then tried to strong arm the guy that makes Spybot S&D antispyware. We announced a boycott of the company involved, had a bunch of web sites pull ads, thousands of angry emails/letters were sent to the people involved, etc.

They tried to feed me a line of crap and tried to fool me into backing off. So I turned the heat up a little hotter with a new announcement and the guy gave it up the next day.

Those guys were not the sharpest sporks in the box, believe me.

Today I cleaned a friend's computer from something which I haven't seen before (btw, it is already mentioned in four other comments here).

His IE always showed "here4search.com" as starting page which always reappeared after manually resetting it. Having seen similiar things before I tried AdWare and checked for some unsual things in Autostart. But after rebooting... it was there again!

This here4search.com-thing is part of the CoolWebSearch trojan and can be detected by Hijack This! and (which is even better) can be removed easely with CWShredder.
Nasty thing, but it was gone afterwards.

I surely do not need to mention that you should install some tools like a decent spyware killer (like AdAware), a decent virus killer, a small personal firewall and some other browser/mailclient than the duo infernale IE/Outlook, if you insist on running Windows.

Today I cleaned a friend's computer from something which I haven't seen before (btw, it is already mentioned in four other comments here).

His IE always showed "here4search.com" as starting page which always reappeared after manually resetting it. Having seen similiar things before I tried AdWare and checked for some unsual things in Autostart. But after rebooting... it was there again!

This here4search.com-thing is part of the CoolWebSearch trojan and can be detected by Hijack This! and (which is even better) can be removed easely with CWShredder.
Nasty thing, but it was gone afterwards.

I surely do not need to mention that you should install some tools like a decent spyware killer (like AdAware), a decent virus killer, a small personal firewall and some other browser/mailclient than the duo infernale IE/Outlook, if you insist on running Windows.

This would be the c2.lop spyware from C2Media. It took my a while but I finally removed the bugger from my mom's laptop. The thing sets itself up such that certain parts of it just can't be deleted as they're always resident and running, so even if you remove the rest of the spyware, it keeps re-adding itself. You have to get down to safe mode or whatnot and clean it manually.

See The CoolWebSearch Chronicles The story of a thousand hijacks.
Quote:
The difficulty of removing CWS from a user's system has grown from slightly tricky in the first variant to virtually impossible for the latest few. Some of the variants even used methods of hiding and running themselves that had never been used before in any other spyware strains. End Quote.
15 variants so far....

The CoolWebSearch Chronicles
The story of a thousand hijacks

This is an article which details the variants of the browser hijacker known as CoolWebSearch (CWS). In the last few weeks, the people behind this name have succeeded in becoming (IMHO) an even bigger nuisance than the now infamous Lop.

The difficulty of removing CWS from a user's system has grown from slightly tricky in the first variant to virtually impossible for the latest few. Some of the variants even used methods of hiding and running themselves that had never been used before in any other spyware strains.

The chronological order in which the CWS variants appeared is detailed here, along with the approximate dates when they appeared online. However, even though the evil programmers of CWS have released over half a dozen versions of their hijacker on the advertising market in such a short time, it should be mentioned that it is very hard to catch a live installer...........

Adware can be spyware, but then I wouldn't call it adware either, because these terms should be kept separate. There is no reason why people who rely on ads served without compromising your security or privacy should suffer because of overly broad definitions.

But just like "racism" to many is no longer about race, but also about culture, and can therefore be used effectively to shut someone up in a debate, it can be easy to label something "spyware" because one does not understand what it really does, or perhaps because one benefits from paranoia (such as running an "anti-spyware" site which one makes money from).

One example is Spywareinfo.com, which is a site run by a guy who claims that a program can be spyware even though it doesn't actually spy on the user (follow the comment thread, and also parent and grandparent). This is ridiculous, and only contributes to confusing the issue and making it harder to spot the real spyware.

Another example is Google Watch, which is a site set up to spread lies about Google because another site belonging to the Google Watch owner was too obscure and unpopular to get a good PageRank.

Since I have already talked about the lies and deception of Google Watch in another lengthy post, I shall not repeat myself too much here, but the deceptive site lies about the Google bar and calls it spyware, which is an outright lie, since it is impossible to miss the text saying that for the PageRank indicator to work, it must send URLs back to Google.

So as you can see, it is not only important that we watch for software vendors that want to compromise our privacy. We must also watch the watchers to make sure that they cannot cash in on other people's fear by exaggerating, lying and deceiving. Therefore, the definitions must be strict, and we cannot allow people like Mike at spywareinfo.com or David at google-watch.com to fill our heads with lies until we believe them and let them cash in on our problems.

(For the record, Mike does a lot of good things, but he clearly needs to be corrected, as his overly broad definitions do nothing but making the fight against spyware more difficult, simply because we are not just fighting real spyware anymore apparently, but also lots of other programs that do not fit the real definition at all.)

And finally, it is my firm belief that Gator is indeed spyware, in case my stance on this issue was unclear. The way Gator tries to sneak its way into our systems, it cannot be defined as anything but spyware.

What are parasites?

'Parasite' is a shorthand term for "unsolicited commercial software" -- that is, a program that gets installed on your computer which you never asked for, and which does something you probably don't want it to, for someone else's profit.

Mozilla/Konquerer on Linux:

Trying to view the image link results in a popup window (in addition to the advertising one) containing this:


Unsupported Configuration

We're sorry, but you're using either an unsupported browser or operating system. Please review our system requirements.

You may still download the player, but must install and use it with a supported system configuration.

Instructions

1) Download the Viewpoint Media Player Installer for Macintosh or Windows.
2) When the download is complete quit all running applications and launch the installer.
3) After installation is complete launch your browser and return to the page that contains Viewpoint content.

Oh, really? Install your proprietary image viewer to look at *pictures* on your website? "Quit all running applications"? Sounds suspiciously like spyware to me...hmm. Google...first link....Yup.

permlink

Yeah, I know, it says "A CUID is never connected to a user's name, email address, or other personal contact information. "

I don't care. There is no reason in the Seven Hells that I should have to install a third party viewer to look at pictures from anyone's website. It's not paranoia; why should I have to interrupt my browsing experience, even once, to install more unnecessary clutter on a system?

Space.com didn't used to be this bad. One more website I won't bother to go to anymore.

Sigh. /end rant

(I couldn't see the image at all in Mozilla, where I had popup off; so I tried in Konq and saw the popup; this note just to head off the people trying to tell me about the anti-popup feature in Moz)

SB

So many IE web users have some sort of spyware/parasite installed (about 10%, based on my web logs)

And you know this based on which part of your logs? I have yet to see a log that told me a visitor has Cydoor adware or eBlaster spyware.

Neverminding that you have posted affiliate links from which you stand to make commissions, BPS Spyware Remover is a rip off of two free products, Ad-aware and Spybot S&D.

Aluria is a good product, as is Webroot SpySweeper and X-Block's X-Cleaner.

At the risk of slashdotting my own site.....

If you are having trouble accessing Google and other major search engines, there is a NASTY browser hijacker going around using a bad HOSTS file to redirect the IP. We finally have the bugger figured out and here are instructions on dealing with the problem:

http://forums.spywareinfo.com/index.php?showtopic= 12127

Look for your HOSTS file and open it in a text editor. There is no extension on this file. It is only HOSTS.

Win 9x/ME: C:\windows\HOSTS
Win NT/2000: C:\winnt\system32\drivers\etc\HOSTS
Win XP: C:\windows\system32\drivers\etc\HOSTS

Note that on some systems the hijacker has hacked the registry to point to a bad HOSTS file at C:\Windows\help\HOSTS. Look in this location as well as those above.

If any line is found that mentions google or other search engines, delete the entire file. That should fix the hijack. To prevent it from happening again, apply all relevent security patches.

For 100% protection from this sort of attack, lock Internet Explorer behind a firewall and use a real browser. Mozilla Opera

The CPCC levy isn't the only reason why private copying via P2P networks is not a legal problem in Canada. There are privacy laws (about which the US has already complained are a hinderance to their terrorist investigations) that prevent the RIAA from issuing subpoenas to Canadian ISPs demanding their logs and subscribers.

This doesn't mean that your file-sharing information is not inaccessible. If you're sharing music, you'll be fine--you're not in violation of Canadian law and practice. If you're sharing kiddy porn or hate literature, the Canadian police can get the data because you're involved in another crime.

The CBC has a brief article and opinion about this.

If the RIAA was to follow the lead of Canadian direct broadcast satellite providers, they'd make an appeal to morality to address their problem, since the laws here won't help them.

Do they require a measurable IQ before you're allowed to be a judge in the US Federal Court system?

U.S. District Judge Gerald Bruce Lee also placed some of the responsibility for those ads on computer users, saying they voluntarily agree to them, even if they do so unwittingly.

I'm sorry, but what the fuck is that? It's either voluntary or it's unwitting. You can't have both.

However, the point the judge mangled here is irrelevent anyhow when it is applied to WhenU. People do not willingly or voluntarily run crapware like WhenU Savenow. RTFA again and note this sentence:

"Naider said users had the right to decide for themselves whether to see pop-up advertisements, noting that 70 percent of the 100 million who have downloaded SaveNow have uninstalled it."

The owner himself admits that 70 million people have discovered his crap on their machine and removed it. That sounds about right to me. The other 30 million probably haven't figured out what's causing all the fucking pop ups yet.

Again, people do not willingly install this shit. Either some affiliate distributor snuck it into the installer without disclosing it, they buried a disclosure on page 90 of the clickthrough agreement in that annoying little box that you can't resize, or people just didn't realize that Kazaa's "partner" is about to install a pop up factory.

Yeah, I know, "read the goddamn EULA". How long have click through EULAs been around? And most people still don't read the damned things. It is pretty obvious that people are intuitively going to ignore the EULA. They don't want to read that it doesn't come with a warranty and they don't want care about the distribution license. They want to install the damn thing and start using it. Spyware companies like WhenU know this and count on it.

People do not seek out and install Savenow, or Gator's Offer Companion, or Ezula Top Text, or Morpheus Wurld Media. They are parasites that are bundled along with whatever the user is installing, and they might or might be disclosed or optional depending on the ethics of the software developer bundling it. In some cases, this shit will install through activex loading from pop up ads. Xupiter and lop.com does shit like that.

I agree that the user has the right to run software that changes a web page in any fashion he/she chooses. Absolutely. Obviously. The judge got that right. However, he got it wrong that users wanted Savenow to run and do what it does.

The issue isn't about users deciding to run software that popped up ads with "relevant, competing offers". The issue is that Savenow is an unwanted parasite infecting a user's machine AND stealing revenue from web site owners by presenting advertisements based on the content of that web site.

That is why U Haul sued them. That is why UPS and the New York Times and others sued Gator.

For those of you among the 30 million infected with WhenU's shit and wondering where all the pop ups are coming from, go here and ask at that message board there. They'll find every single trace of spyware and show you how to clean all that shit off within half an hour.

On a different note...

"Alas, we computer users must endure pop-up advertising along with her ugly brother unsolicited bulk e-mail, spam, as a burden of using the Internet," he wrote.

What the hell? Has this person ever been on the internet? Must we also endure billboards dropped onto the highway in front our cars and strapped to the rear bumper? That's all pop ups and pop unders are as far as I'm concerned.

http://www.spywareinfo.com/articles/hijacked/

The newsletter is http://www.spywareinfo.net. The site itself is http://www.spywareinfo.com.

hmm they are all links to lop.com This is a known spyware intrusion program that alters DNS settings to its own. see this for more details try adaware to remove it

I know this is redundant, but it needs repeating since almost no one has paid attention. This really looks like spyware. Try going to http://www.p5115.tdko.com and see for yourself. I'm sure you recognize these sorts of sites. Notice that all links go to lop.com. A quick goolge search will reveal this info about lop.com.

It's no wonder nobody took him seriously. Sorry guy.

I have no sympathy for users who click "Yes" to install anything without first understanding what they are agreeing to.

You might want to read up on what drive-by-downloading is.

From Spyware Info:

In the case of an Internet Explorer browser with its security settings lowered to where ActiveX controls can be downloaded and installed with no prompting, software from a plethora of adware companies can find its way onto your computer. This questionable practice has been dubbed "drive-by downloading" by the online community.

http://www.spywareinfo.com/newsletter/archives/aug ust-2002/08282002.html

I personally see a lot of computers sold with low security settings, and the people buying them don't know they need to play with those settings, they are not dumb or ignorant, just new, they learn the hard way about spyware.

Ad-Aware is critically out of date, and therfore dangerous, according to SpyWareInfo. It's expected to be "out of commission" until February for the free version. He recommends Spybot in the meantime.

Some would say it's already dead. In any case, Spybot Search and Destroy is better for now.

Here's a page at spywareinfo.com with a number of utilities for cleaning up Browser Help Objects and other forms of spyware. I recommend it.

Antivirus software just cannot detect it.
That's because you gave permission to install it via some sneaky click-wrap license. You know, those ones you never read? AV companies have the technology, but they would probably get their pants sued off if they called another company's product malicious when it was merely annoying or nosy--and when the user supposedly consented to it being there.

The wintel world (win9x) needs something that can get Gator and friends out the door.
There are plenty of them already, like Pest Patrol, Spybot S&D, and Ad Aware.

There's a lot of good information on spyware at Doxdesk and Spyware Info.

Opera is infested with their own implementation of Cydoor tracking technologies, sure they claim it isnt spyware and is Adware and go to great lengths to say otherwise, but then they would wouldnt they ? then end result is the same the users privacy is at risk!, their info page does say , and i quote....

"Once the browser has connected, it receives a unique user code back from the registration server. This is a unique ID which will be used in all subsequent communication with these particular servers" (emphasis mine)

also

"Without being able to set a unique ID to your browser, it would not have been possible to sell ads in Opera"

hmm i wonder why ?

of note is the "Unique ID" that Cydoor assign to you, tie this to your IP and/or a cookie and they can basically monitor the adverts shown to you and your response specifically to your machine , sure they havent got my name but then they have the next best thing, a supercookie, and we all know how much power doubleclick have/had by just using a simple cookie, it doesnt take a rocket scientist to imagine the data mining possible by using unique id's and a relational database

Spychecker list it as Adware

Spywareinfo do not reccomend it either and have a forum thread here and here where again Opera try to dispell concerns about Cydoor saying "cydoor used to spy on their customers" things get a little heated as workers/advocates clammer to defend their business relationship with Cydoor, but the fact remains that Opera "sponsors" Cydoor for want of a better word in their business practices however un-ethical, by continuing to use them.

Opera should revise their business relationship with Cydoor if they don't want their name dragged through the mud, there are hundreds of ways of generating revenue without resorting to "unique id's" being used

fool me once shame on you, fool me twice shame on me

Opera is infested with their own implementation of Cydoor tracking technologies, sure they claim it isnt spyware and is Adware and go to great lengths to say otherwise, but then they would wouldnt they ? then end result is the same the users privacy is at risk!, their info page does say , and i quote....

"Once the browser has connected, it receives a unique user code back from the registration server. This is a unique ID which will be used in all subsequent communication with these particular servers" (emphasis mine)

also

"Without being able to set a unique ID to your browser, it would not have been possible to sell ads in Opera"

hmm i wonder why ?

of note is the "Unique ID" that Cydoor assign to you, tie this to your IP and/or a cookie and they can basically monitor the adverts shown to you and your response specifically to your machine , sure they havent got my name but then they have the next best thing, a supercookie, and we all know how much power doubleclick have/had by just using a simple cookie, it doesnt take a rocket scientist to imagine the data mining possible by using unique id's and a relational database

Spychecker list it as Adware

Spywareinfo do not reccomend it either and have a forum thread here and here where again Opera try to dispell concerns about Cydoor saying "cydoor used to spy on their customers" things get a little heated as workers/advocates clammer to defend their business relationship with Cydoor, but the fact remains that Opera "sponsors" Cydoor for want of a better word in their business practices however un-ethical, by continuing to use them.

Opera should revise their business relationship with Cydoor if they don't want their name dragged through the mud, there are hundreds of ways of generating revenue without resorting to "unique id's" being used

fool me once shame on you, fool me twice shame on me

I get the feeling this company has not seen Web marketers in the wild. There is no limit to what a failing dot.bomb will do to maintain its last few eyeballs. Have a look at the existing technologies (for example, IE with default settings) - a sleazy portal-potty can already hijack your homepage or add sites to your bookmarks. This is with *default* settings, which can even allow sites to install arbitrary code on your system.

How does a reasonable technology maker expect marketers to exercise restraint in the face of newer, more powerful, browser takeover technology?

There is a page at this site dedicated to browser hijackings, and how to remove them. There is also a good size thread on the forum. Hijackings are becoming more and more prevalent, with lop.com (don't go there! ;) ) being the latest up and comer. http://www.SpywareInfo.com/hijacked.html