Beginners Guide: Spyware Protection and Removal

I spy with my little eye... IP 206.34.256.70 reading this page right now, so learn how to
protect yourself from, and remove, software that keeps tabs on you.

This guide deals with the subject of "Spyware". If you've installed a peer-to-peer sharing program such as
'Kazaa Media Desktop' or 'Morpheus', or accidentally said yes to a 'Gator' pop-up, or gone on an
excursion to some of the darker corners of the Internet, chances are your PC has developed an
internet life of its own through one or more spyware applications.

What is Spyware?

While the actual definition of what constitutes Spyware is somewhat vague, there are a few
distinguishing points that are generally agreed on. The most common definition of Spyware is a
program that sends information from your computer to another destination on the Internet without
your knowledge and without your explicit consent. The information can potentially include just
about anything stored on, or accessible by your computer. In reality, most spyware programs limit
themselves to sending specific types of demographic information, such as the URLs you visit on the
Internet, IP and email addresses, or even something as mundane as a cookie.

The potential of these kinds of programs is rather frightening though. On a modern Windows XP
based computer, any program installed by a system administrator (that is, any of the users created
during the install process, as well as the built-in administrator account) has access to all files on
the system. This allows all sorts of mischief to be committed with your implied permission.

Permission really is at the heart of the issue when it comes to spyware, since to separate
themselves from the makers of viruses and 'trojan horse' programs, creators of spyware need your
okay to install their products on your system. Of course, standard operating procedure is to make
this request as obscure as possible, so as to ensure a large installed base of users.

Some software uses a certificate window request to attempt to gain your permission, as seen most
famously with the Gator Corporation, whose ubiquitous ads are launched by any number of
sponsored web-sites and software installation packages. If you click "ok" to the request, the Gator
software will be installed on your computer.

Others, as is commonly seen with spyware packages included along with common file sharing
applications like Kazaa Media Desktop, use passages in the End User Licensing Agreement (EULA)
to gain your acceptance.

Since these legal agreements are rarely read by computer users and can be torturously worded,
they are an easy vector for spyware to be installed as a component of popular freeware
programs.

Once installed, spyware software can easily send any required information out to the Internet using
the system's current connection. Such transactions occur in the background and are difficult to
notice or trace, since most firewall hardware and software, including Windows XP's built-in firewall,
does not interfere with information going out of the protected computer or network.

Transmitting Information

The umbrella definition of spyware also includes other types of programs, such as software that will download
specific advertising content constantly to your browser, regardless of where you happen to be on the Internet,
software that hijacks your homepage to one of its own choosing, etc. The constant with all these forms of
spyware is the element of consent.

Legally, the manufacturers have obtained your consent to install their software on your computer and transmit
information from it, and thus will claim (since most internet users have at least heard of the term spyware
used negatively) that their product is not spyware. Their software was only installed after getting permission
from the user, but it is unlikely that the majority of computer users hosting so-called spyware programs on
their computer expect, approve, or are even aware that their computer may be transmitting information back
to the manufacturer for its own use.

Whether or not this lack of awareness should make a user's information fair game is not up to us to decide,
but since entire businesses have been founded to exploit the tendencies of the average internet user, why not
provide information that will help the individual decide if they want to be surveyed or not?

What's the point of Spyware?

The major concern that keeps cropping up when spyware is discussed is privacy, certainly the number one
issue with spyware as it is generally characterized in the media. While there are varieties of spyware (see our
partial list of definitions below) that send little or no information out from your computer, the majority of
spyware was created for customer demographic purposes, and as such, wants to know who you are, where
you are going on the web, and what you like to buy when you go there.

This information can then be sold or more likely just used to target you with customized advertising from the
spyware creator's list of clients. As you have generally agreed to allow your information to be used this way
when you allowed the program to install (and most likely bypassed the EULA, the End User License
Agreement, as about 99% of computer users habitually do) you have no legal recourse to stop this data
mining from taking place outside of uninstalling the offending program.

It is doubtful that the majority of spyware users realize that their information is being gathered in this way, or
even realize that the programs are installed at all in many cases. Indeed, the profits of manufacturers such as
Gator Corporation seem to be dependent on the unfortunate fact that the average computer user is not going
to be aware of what these programs are intended to do, even when the information is presented to them
(albeit in a confusing way).

A secondary issue is the added difficulty some forms of spyware give to the already difficult task of introducing
your children safely to the Internet. Granted, many school age kids are already more computer literate than
their parents, but take for example the idea of a spyware 'browser hijacking' program installed on your
computer due to an accidental click or incorrect security settings on your browser. Having Internet Explorer
default to a pornographic "home page" each time it is opened, with no apparent way to change it back, is most
parents' idea of a nightmare. There are programs and websites out there that can make this happen. Also,
varieties of spyware can degrade your Internet performance, connect to the Internet independently, and may
even destabilize the computer.

Spyware Vs. Ad-supported software

As a society, we expect advertising. We are used to the idea that advertising provides a source of revenue for
businesses that would otherwise find it difficult to charge for their service or content, keeping television, radio
and the Internet available and mostly affordable for the average citizen.

Ads have become an essential part of the Internet economy, and will likely stay that way for the foreseeable
future. As such, it is important, at least for the health of some sections of the software industry, to make the
distinction between spyware and ad-supported software.

Again, as stated in the section above, there are no official or legal definitions of these types of software, but
as a generally accepted guideline, ad-supported software can be defined as a freely available product that is
funded by advertising.

Of course, this means the entire Internet is essentially ad-supported software, but I digress… ad-supported
software products will inform you prior to installation that advertising is part of the provided package, and that
information may be transmitted from your computer to aid in targeting these adverts, allowing you to make
an informed choice.

Ad-supported software is a major source of revenue for many smaller software companies, and can provide
consumers with economical alternatives to costly software. A good example of ad-supported software is the
'sponsored mode' of the popular Eudora mail client. Note the presence of advertising is clearly stated.

Ad-supported software can be an excellent way for small companies to market their products provided they
are upfront with their methods. The point at which spyware branches off from ad-supported software is when
the software does not clearly state its intended purpose.

Varieties of spyware

Spyware is a blanket term that covers all kinds of generally unhelpful software, from tools that enable
companies to deliver ads to you based on your surfing habits, to programs that attempt to hijack your
browser settings, all the way to software designed to steal ad-revenue from legitimate online businesses by
covering or replacing their ads. Here's a brief guide to some of the categories of nastiness that you may see.

Adware: The most common form of spyware, these are programs which will observe your surfing habits, then
report them to one or more servers on the Internet who will then tailor advertising content to your
preferences and deliver it to your computer through pop-ups or other methods. Adware is generally bundled in
with various freeware applications to help the producers defray the costs, or in some cases, bundled with
software produced by the same company, where the license to use the software hinges on the user's
acceptance of the adware working in the background. Examples of adware applications include Gator and
Doubleclick.

Almost all major peer-to-peer file-sharing programs, such as Kazaa Media Desktop, contain adware. There is a
fine line between adware and ad-supported software, and it's generally at the point where you decide the loss
of privacy is worth the value of the product you are being offered. In many cases, the products are being
marketed towards novice computer users, under the obvious assumption that they will not realize the
functionality of the software can be found in other products without unnecessary adware bundled in. This
possible exploitation of the unwary, and the idea that some companies involved do not necessarily reveal the
extent of the information they are harvesting or the uses to which they intend to put it, tilts the scales.

Be aware that using some of the methods detailed later on to block or remove adware can violate the license
agreement of the programs it was included with. This is true in the case of the Gator Corporation's software
such as Ewallet and Weatherscope, and also with Kazaa Media Desktop.

"Browser hijackers": A very noticeable and annoying type of program that changes your browser homepage
setting to one of its choosing, and generally includes a small executable file that will run on start up, ensuring
that it keeps coming back. Technically this is not spyware, since it does not generally send any information
out, but can be included under the same umbrella term. Browser hijackers are typically ActiveX controls
triggered by visiting a specific URL. Some notable hijackers from recent history are xupiter.com and lop.com
(and no, we don't recommend you try those links out).

"Scumware/thiefware": Another vague category (named originally by affected webmasters, see
www.scumware.com and www.thiefware.com), containing the occasional forays made by adware providers
into the more potentially lucrative territory of attempting to divert advertising revenue from other websites to
themselves, using 'contextual advertising' among other methods.

It hit a peak in 2001-2002, with webmasters decrying the existence of spyware bundled with popular
applications like Kazaa, Limewire and Morpheus that could alter the ID tags attached to advertising on a
website, redirecting and effectively stealing the commission. Widespread protest soon curbed this practice, as
it did the Gator Corporation's attempt to redirect advertising revenue by placing its own pop-up ads directly
over the banner ads on websites.

Gator soon reverted to using non-strategically placed ads, and the major peer-to-peer file-sharing companies
removed or altered the offending software from their products. The current focus of webmasters' ire is
companies who market client side 'contextual advertising' software. The idea of this is that the software, once
installed, will superimpose its own hyperlinks on top of the text of any website you might be visiting, or place
pop-up ad windows overlaying the site window, triggered by the content of the text or the URL you are
visiting.

The targets of these links or pop-ups will be companies that advertise through the makers of the software, of
course. Essentially, the software is parasitically attaching its own advertising to websites and diluting the
advertising revenues they receive. Companies producing contextual advertising software include eZula Inc.
(www.ezula.com), WhenU (www.whenu.com) and the Gator Corporation (www.gator.com).

What can you do about spyware?

As you have probably realized by now, there are many different ways in which spyware can manifest itself on
your computer. In many cases, it may not be at all obvious that your system and your privacy are being
compromised. To safeguard yourself against unwanted software, first and foremost read the fine print. The
majority of spyware applications attempt to install themselves either from security permission windows such
as this one,

or as 'opt-out' components of the installation process of other software. 'Opt-out' meaning that the software
will be installed by default, and you must specifically request during the install process that it not be added.
Both can be easily avoided if you are diligent about reading screens and licenses before you click 'ok'.

Setting ActiveX Controls

Assuming you are using Windows XP and Internet Explorer, there are some browser settings that can be
configured to ensure a safer surfing experience, primarily dealing with how ActiveX controls are handled by
your browser. ActiveX controls are essentially programs that can be run by Windows operating systems
straight from a web page. These can include many things such as web forms, sound and graphics, but what
we are primarily concerned about is installation programs.

Many vendors, such as Gator Corporation, use ActiveX controls to enable the installation of their software from
participating websites. By default, all Windows operating systems will prompt users for permission to install
such applications, but it is possible to set your browser to bypass user permission and automatically run
ActiveX controls. To avoid this:

 
 

From Internet Explorer, click 'tools' then 'internet options' and select the 'security' tab.

Select the 'custom level' button.

To begin with, ensure that 'download unsigned ActiveX controls' and 'initialize and script ActiveX controls not
marked as safe' are disabled.

 
 

For increased security, set all other ActiveX-referencing options on this page to 'prompt' or even 'disable.' I
would recommend 'prompt' to give you the maximum choice as you are surfing, though you may find the
constant ActiveX prompts annoying. Disabling them is unlikely to significantly affect your web experience.

The most common vector for unwanted installation of spyware programs (besides clicking the 'ok' button
without looking) is using low security or incorrect settings of these ActiveX control buttons. If your internet
security is set to the 'low' setting, or you have manually enabled 'download signed ActiveX controls,' spyware
can be installed on your computer without any further prompt for permission.

By enabling signed ActiveX controls to run, you have given consent for any software using a valid security
certificate purchased from Verisign or obtained from another location, to run on your system.

Always ensure that the signed ActiveX controls option is set to 'prompt'. Software like Gator is positively
friendly next to some software that can end up installed due to this loophole. Another method of protecting
your computer is to use the Windows Update feature frequently, since Microsoft generally patches security
holes quickly after they are exposed.
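
The settings described above can also be checked outside the dialog. The following added example (not part of the original guide) parses a registry export of the Internet zone and flags the three ActiveX options when they are weaker than the guide recommends. The value names 1001, 1004 and 1201, the data values 0/1/3 and the sample export are assumptions that the guide itself does not give.

```python
"""Audit Internet-zone ActiveX settings in a registry export (.reg text)."""
import re

# Registry value names under ...\Internet Settings\Zones\3 (the Internet zone).
# The IDs are not in the guide; they are the standard names of the three
# options it discusses. Data: 0 = enable, 1 = prompt, 3 = disable.
POLICY = {
    "1001": ("Download signed ActiveX controls", {1, 3}),
    "1004": ("Download unsigned ActiveX controls", {3}),
    "1201": ("Initialize and script ActiveX controls not marked as safe", {3}),
}
STATES = {0: "enable", 1: "prompt", 3: "disable"}

ZONE3 = re.compile(r"^\[.*\\Internet Settings\\Zones\\3\]$", re.IGNORECASE)
DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample export, not taken from a real machine.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000001
"""


def parse_zone3(reg_text):
    """Return {value_name: int} for the Internet zone key in a .reg export."""
    settings, in_zone = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # A new key header: track whether we are inside Zones\3.
            in_zone = bool(ZONE3.match(line))
        elif in_zone:
            m = DWORD.match(line)
            if m:
                settings[m.group(1).upper()] = int(m.group(2), 16)
    return settings


def audit(reg_text):
    """Return (value_name, description, state) for each setting that is
    weaker than the guide's recommendation or absent from the export."""
    settings = parse_zone3(reg_text)
    findings = []
    for name, (desc, allowed) in POLICY.items():
        value = settings.get(name)
        if value not in allowed:
            state = "not set" if value is None else STATES.get(value, hex(value))
            findings.append((name, desc, state))
    return findings


if __name__ == "__main__":
    # A real regedit export is UTF-16: open(path, encoding="utf-16").read()
    for name, desc, state in audit(SAMPLE_EXPORT):
        print(f"{name} {desc}: {state}")
```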

Spyware removal utilities

If you suspect that your computer has been infested with one or more varieties of spyware, the best thing to
do first is to install and run one of the freely available spyware detection and removal tools. Since manual
removal tends to be rather complicated and differs for each program, and there is no real centralized body of
information for dealing with spyware as there is for Trojan horse and virus programs (www.sarc.com), using
the removal software is certainly the first option.

Lavasoft's Ad-Aware is the most well known of these spyware removal tools. Now up to version 6, it works
essentially like a virus checker, scanning locations on your computer for the signature files, registry entries
and cookies (tracking files) of well-known spyware programs and websites/vendors. It is available both in a
free personal edition and as a commercial package for businesses.

 
 

It is extremely easy to use, as it employs the familiar one-button scan, one-button update mechanism seen in
most popular anti-virus packages, and as such will feel familiar to most users. Ad-Aware will categorize files it
finds during a scan, and recommend their removal. Ad-Aware is available here.

More removal utilities

Another excellent free tool for finding and removing spyware programs is "Spybot Search and Destroy" by
PepiMK Software. Though slightly less user friendly than Ad-Aware, it scans for a greater range of possible
threats by default (including some Windows security exploits) and also contains an 'immunization' feature.

The immunization feature attempts to pre-block certain known spyware ActiveX installation routines from
running in IE, and locks the HOSTS file and Internet Explorer settings to prevent them from being changed.

Spybot S&D also provides a greater body of information about the threats that it locates on your computer
than Ad-Aware, helping you make the decision to remove them or not. It uses an online signature update
model similar to Ad-Aware, and is available here.

Ad-Aware and Spybot S&D complement each other well, and it is recommended that you use them both for
maximum peace of mind. Be sure to update them frequently through the built-in update features. Either can
be set to schedule updates and spyware checks for specific times, so you can schedule a daily sweeping of
your system for unwanted spyware.

In addition to protecting yourself with spyware removal utilities, using a firewall that is capable of blocking
information going out from your computer to the Internet is also a good idea.

Various freely available software firewalls such as Zone Labs' ZoneAlarm are capable of this.


To use ZoneAlarm as an example, the firewall monitors all attempts to access the Internet from inside the
computer, and pops up a request for permission to access the Internet for each application.

Once you OK it, that particular application will be allowed access permanently. This is a great tool for making
you aware of what is going on inside your computer. ZoneAlarm is available from www.zonealarm.com.

More resources:

If you are having difficulties with some form of spyware but can't get it resolved through any of the suggested
methods, there are several sites and forums that contain helpful information to aid you in ridding yourself of
the pest.

• CEXX Spyware forum: http://boards.cexx.org Forum members can be extremely helpful in aiding
spyware victims.
• Spybot S&D support forum:
(http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=42f3dc20d9ddc66e94cee1c47b86325a;act=SC;c=7)
• www.Spywareguide.com
• www.cexx.org/adware.htm
• www.spywareinfo.com
