SpyBot / Adaware Users (heads up)

[SkyBum]

StGermain, click on the link in RealityChuck’s post above. It has excellent info on spyware, malware, scumware, and parasites etc.

In this case what you don’t know can hurt you.

Adaware is a great free app (they have a paid version as well) that will help you to rid your PC of these pests. SpyBot Search and Destroy is also free and makes a great companion to Adaware. They both overlap a bit but each can find things that the other can’t. Running these two apps in combination will go a long way toward keeping your information from being used by others.

Zone Alarm is a great free firewall (they also have a paid version which adds a few bells and whistles). I would HIGHLY recommend that you choose a good firewall package and install it.

There are many programs out there some are really good, some are nearly worthless. The above 3 are all highly rated and respected. If you are not running a virus scanner you should probably look into one of those as well. That means as many as 4 programs to install and learn to use but they are all fairly straightforward and simple to use.

You can’t be too careful these days.

[asterion]

If you know enough about what you want to allow and disallow and have Windows XP and admin priviliges, you can activate the built-in WinXP firewall. I don’t remember exactly how off the top of my head, but Microsoft has a good article on how to do it placed pretty prominently in their support section.

[Salem]

I got the “Netscape is too secure” response as well. And then I got out of Dodge. It thought I should open up the site using IE. I thought not.

[Musicat]

originally posted by astro
There are numerous scam sites that claim to be able to diagnose your system over the net and find spyware on your PC. This is nonsense, and they are in fact seeking to spread spyware. Do not DL any of these programs or install them. They are the spyware.

Quite true, but this particular site doesn’t seem to fall squarely in that category. It doesn’t have anything to sell, it has copious quantities of what I would consider good advice about spyware, and doesn’t have anything at that link for anyone to download. I seriously doubt if they are trying to infect anyone, but I have come to the conclusion that their scan is of no use, either.

StGermain, Spyware is a general term used for programs that collect personal information and send it somewhere without the user’s knowledge. These programs, often called parasitic, typically get installed invisibly as part of something else downloaded by an unsuspecting user. Although theoretically harmess, and the developers often claim the demographic info is not traced back to the source, many people dislike the invasion of privacy and the dishonestly of not revealing what’s happening to their computer. They also steal system resources and CPU use, may conflict with other programs, and are typically hard to defeat or remove.

Some of the worst will redirect searches, send you to different sites than you expected, generate frequent advertising popups, redonfigure web page displays on the fly, and disable or alter functions in your computer, all without your knowledge.

AdAware and Spybot are the major defenses. I highly recommend their use, and they have very good free versions. Personally I prefer AdAware, as it seems to be friendlier with my system resources while running in the background, but each have their proponents.

Hauky, your analysis of the script confirms what I had suspected – I hadn’t looked at the source code, but the script’s performance suggested a canned routine. Maybe this link wasn’t intended to be publicly released; Skybum may have found it by accident.

So far, the thread I started at the AdAaware Forum has produced one reply, but not from a mod or developer, and nothing useful.

Salem, if your defenses are in order, just looking at a site using IE can’t harm you. If you feel otherwise, how could you ever click on ANY web link?

From Microsoft: How to enable or disable XP firewall

[SkyBum]

I just recieved a reply from the owner of the site referenced in my OP. It explains a lot what we have been discussing here. Musicat, would you mind posting this to your thread over at the Adaware forum to help clear up the issue?

Hi, thanks for writing, the link that you reference is an older version of the of the parasite scan than the one that is now embedded in my pages and might cause “false” positives. I thought I had removed all references to it and I am glad that you wrote so that I can remove it.

Both of the scripts were developed by programmer named Andrew Clover of http://doxdesk.com/ . The script can NOT scan a computer’s hard drive, it can only scan a visitors browser for spyware “parasites”. Unfortunately, it does not work as well scanning Netscape or other browsers.

It works by searching out identified programming strings that get embedded into the IE browser when the spyware plug-in/modules get installed on a users computer. Andrew has done remarkable work by identifying well over 100 different programming strings. We wish we could identify more and sadly new and different versions are being developed daily. But it is a start, and if a user finds one, my hope is that they will then run a more extensive check and find others.

I am glad to hear that you found my site useful because I developed it to educate people about the problem as much as possible.

Keep running Spybot, I have tremendous respect for him & his software and I highly recommend it. His work is fantastic! Adware is great too, and I recommend that users run both because what one might miss the other might catch.
Debbie

Amazing how much confusion one errant link can cause eh?

[Musicat]

Great, one more of life’s mysteries cleared up. You went straight to the source – I was reluctant to do so cause I didn’t trust the site at first.

I posted a link to SkyBum’s post over at the AdAware Forum.

One thing puzzles me. It looks like the scan script looks for specific strings imbedded in IE, and assumes that if they are present, the user’s browser is infected. So why were they found in some people’s browsers if they are NOT infected according to AdAware? Could it be that they were infected once upon a time, then cleaned, but the strings remain in the browser, albeit inactive?

If my theory is correct, that would explain why the scan found nothing in my IE browser. I am pretty sure I have never been infected by those particular spyware programs.

[SkyBum]

*Originally posted by Musicat *
why were they found in some people’s browsers if they are NOT infected according to AdAware?

She mentioned in her email that the scan in question was replaced with a different version because it had been returning false positives.

The direct link I posted (top link) had been overlooked when she was removing all references to the faulty scan from her website and should not have even been accesible. The new scan (Bottom link) is the one embedded in her front page that happens automatically. Thats why I came up clean at the home page, yet when I stumbled across the second scan and posted it, some of the people in this thread followed it and got to the same (old version) of the scan and got the same faulty results.

Or wait…did some people get false positives on the other scan too?

Geez, I’m having a hard time with this post. I gotta get some sleep that’s all there is to it.

[SkyBum]

*Originally posted by RealityChuck *
**Try going to this site. It should tell you if you really are infected, and I’d trust him more than the one you went to. **

Heh. I just noticed some delicious irony here. The link you posted is the same guy that wrote the script we’ve been talking about.

*From the founder of Unwanted Links *
**Both of the scripts were developed by a programmer named Andrew Clover of http://doxdesk.com/ . **

It really is a small world when you get the internet involved…

[Debbie36]

Hi, I am the owner of unwantedlinks.com, the site in question on this tread. I just wanted to clear the air. My site is devoted to information about spyware and adware concerns. I developed it to alert people about the problems of spyware that can get installed on their computers without their knowledge. I have worked very hard to provide factual information on my site to educate people about this problem. My only purpose in developing my site is to provide up to date information about spyware.

There is no malicious code on my site. Yes, I have a scan on my site which can detect SOME of the many spyware programs that are out there. Yes, it is the same test scan developed by DoxDesk.com and I have been including versions of his spyware tests for almost two years. In fact he helped me to adapt the first one I ever used on my site and he is well respected in the field.

The Parasite test scan in question can only check for spyware plug ins that might be hidden within Internet Explorer. Apparently there was a link to an older version of the scan which apparently was generating false positives, which I have now disabled.

The test scan is a helpful tool to alert viewers that they might have spyware installed on their computers, however I highly recommend that everyone scan their computers with BOTH AdAware & Spybot to make sure that their computers are truly clean since no one test is fool proof.

I hope no one will be afraid to visit my site because of this confusion because I have a lot of relevant information to provide.

I hope that this clears up the confusion.

Thanks Debbieunwantedlinks.com

[Musicat]

Thanks for coming forward, Debbie36, and a hearty welcome to SDMB! I hope you visit us often; we have some of the world’s smartest people (just ignore the few dipsticks).

Your site is indeed a good resource. The link/test that started this thread made me suspicious at first, but it was out of line with the rest of the content, and I could see you weren’t trying to push a purchase of a worthless product. Forgive my paranoia, but, as Dr. Johnny Fever once said, paranoia is just good thinking when they’re all out to get you.

Could you confirm one thing for me? My theory of why some people using that script got back a list of infections, but others (like me) got back a blank list. Yet all of us test free from spyware using AdAware or Spybot. Is the reason for the false positives just a bad piece of code, or is the script detecting leftover malware signatures that are still present, but no longer active?

Or to put that another way, what is the reason for the false positives? It’s just the programmer in me that is curious.

Again, thanks for your contibution to this thread and SDMB.

[Tranquilis]

Classy, Debbie36. Thanks for joining us! I guess all the visits from the SDMB must’ve raised your eyebrows a bit, eh?

[Trygve]

Best fix… get a Mac. None of this happens over here.

[Debbie36]

I am not 100% sure of why that version of the testing script was generating false positives, maybe I made a mistake when I was “tweaking the code” or maybe there was a fault in the original script. But I realized something was amiss because I was getting a higher number of hits on the information pages that it sends the viewers to when something is found and when I checked Andrew’s site he had changed the script.

I don’t blame you guys for being suspicious, believe it or not after doing all my research I too have developed a slight touch of paranoia too! lol

But I am glad to see others taking this problem seriously at last, too many people don’t, I just wish I could get more people recognize that it is a problem, especially within the legal community. I was very disappointed with Gator’s recent legal victories with the courts upholding Gator’s “right” to switch ads on web sites because of their “supposed” terms of use! I just wish that Judge knew the truth about how Gator can get installed!

To Trygve

I agree with you – Believe it or not the MAC is my computer of choice!!

[cmason32]

Ah. I remember when I was a windows user and I had to worry about spyware and adware. When I did, I always went to

www.grc.com/default.htm

At that site you can learn more about windows security than you ever hoped to. You can also check your ports and see if your firewall has a leak. I think I learned more about windows security from that site than anywhere else. I highly recommend it - you won’t regret it.

[SkyBum]

Once again, I would like to apologize to Debbie36 for causing all of this confusion in the first place by posting an outdated link here. Frankly, I am very impressed by her awareness and response to this discussion. I also note that the link in question has been redirected to the home page. She is definitely commited and actively participating in the administration of her site!

For any here who did not bother to read the entire thread, her site has an extensive collection of information regarding spyware etc. and also makes an excellent starting point for those who are new to the subject and might be scared off by the very technical nature of some of other sites out there. I recommend UnwantedLinks.com to all here who are interested in the fight against the spyware industry and especially to those who are becoming aware of this issue for the first time.

And last but not least, welcome to the Straight Dope Debbie36, I certainly hope your first visit won’t be your last.

[Lok]

Well, since the original problem seems to be handled, I will do a quick hijack. Does anyone know anything about Wild Tangent and their Web Driver software? I found it on my system and do not know where it came from. But kept trying to dial up my ISP and accessing my hard drive, even when I was not online. I didn’t like that, so it is uninstalled, despite it warning me I might not be able to update some programs properly.

I do know it was not showing up in either AdAware or Spybot.

[Debbie36]

Hmm, Spybot does have some information regarding Wild Tangent, however I have not heard of any information on Web Driver which sounds like a dialer.

Here is what Spybot says about Wild Tangent
Company: WildTangent, Inc.
Product: WildTangent Visualizers
Category: Spybots
Last information edit: 20021020
Threat: Unknown
Company URL: http://www.wildtangent.com/
Company Product URL: http://www.wildtangent.com/candy/visualizers.html
Company Privacy URL: http://www.wildtangent.com/candy/privacy.html
Functionality
Visualization for Media Players
Description
Configuration information is transmitted on a regular basis.
Privacy
If you download our Web Driver software it will gather and store information about your computer that is specifically related to the functioning of the Web Driver software, such as processor type or the presence or absence of graphics accelerators and the related software drivers. The Web Driver software will not gather information from your computer about you, such as general application software you have installed or personal data that you store on your computer. The Web Driver software will report this configuration information to us on a regular basis. We use this information to identify your system’s capability and to optimize the delivery of content to the Web Driver.

[Debbie36]

I did a bit more detective work.

From what I have uncovered, WildTangent & it’s associated Web Driver can get installed with some Shockwave games. It apparently does not get fully removed using the “Add/Remove Programs” utility and leaves behind a backup folder. From what I have read, Spybot should be able to recognize and remove it.

[Debbie36]

Ok guys, here is a bit of news that I would like to share based on some concerns that Skybum originally had which kind of triggered this tread as well as to caused me (and Andrew) to investigate further. (I have no hard feelings by the way - questoning things is what has brought us all togeather!)

Any way, we are all (hopefully) familiar with the treat of TopText and/or Surf+ to our web sites and many of us who have been keeping up to speed with the technology of spyware and contextual advertising programs have become trained to look for suspicious yellow or blue links as an indication that our computers might be infected.

Well there is now a new twist to the story.

It appears that there are a couple of companies providing contextual advertising to ** participating** web sites on an Opt-In basis. These advertisers provide context advertising which transforms words in to yellow or blue links which appear to be very similar to those generated by TopText and/or Surf+.

However here is the twist – the web site owners have opted in and have placed code on their sites to generate these contextual ads. I have uncovered two companies providing this service to web sites. One is called VibrantMedia, the other is BurstNet, but my guess is there might be others.

This is going to cause a lot of confusion since these ad links so closely resemble TopText & Surf+ and will make it very difficult to uncover if TopText picks up speed or if any other players start using client side plug-ins to insert contextual ads similar to those generated by TopText & eZula.

So to any and all of you who might see those dreaded yellow or blue links don’t panic – take a moment to search the source code of the site in question to see if either of these two companies are referenced in some JavaScript.

[Lok]

Thanks for the information Debbie36. Time to explore my directories and see if I can find that leftover backup folder.

Lok