Our security forum regulars are irritated that the latest version of the AOL Instant Messenger Software installs software they don't need and didn't ask for, which AdAware and Spybot identify as data mining spyware. As part of a new effort to support on-line gaming, the software now installs Wild Tangent, a game content delivery service.

Developers who write Wild Tangent content stop by this thread in our security forum, claiming the software is being unnecessarily labeled as an "evil application". While there's some debate over classifying Wild Tangent as spyware, users are increasingly irritated with companies who insist on installing additional software (particularly if it mines data or consumes resources) without their permission. The debate over AOL's inclusion of Wild Tangent has been ongoing in our forums for quite some time.

Many larger companies haven't been willing to stand up to spyware, out of fear of alienating marketers, creating new support headaches, or because of legal concerns. Some ISP's are now offering technology that identifies, but won't remove, the pesky applications. Both AOL and Earthlink have announced they're planning to increasingly integrate anti-spyware technology. But how effective can companies and ISP's be if they're afraid of the marketing industry?

"This is the biggest undiagnosed problem on the Internet," says EarthLink spokesman Jerry Grasso to the Washington Post. AOL says they'll be incorporating software that will run once a week to eliminate and remove nosy applications, and Earthlink has been offering their own protection since October. Earthlink now plans to expand those offerings with "Spyware Audit", a new anti-spyware application that should be available via the company website within weeks.

Oddly, according to the Post, Earthlink's Audit software will only inform you that you've got spyware on your system. It won't actually remove it for you. For that, users will need to turn to more common anti-spyware applications such as Spybot-Search and Destroy or Lavasoft's Ad-aware. Earthlink is likely concerned of potential software problems caused by removing spyware, or perhaps of running afoul of the increasingly defensive spyware/adware industry.

Gator corporation recently filed a libel suit against the PCPitstop website simply for calling their Gator wallet software 'spyware'. The gator software is bundled with numerous applications, and pitched as a useful service (a fairly feeble claim). In reality its primary purpose is to track users shopping habits, provide them with customized advertisements for products, then kick back fees to the Gator corp. when purchased.

The suit was eventually settled, and PCPitstop relaunched a more comprehensive "Gator Information Center". The new website now offers more information on the application than before; it simply avoids the "spyware" label. Still, companies are hesitant to cross the line against these "legit" marketers, fearing legal retribution. They're also concerned that by "fixing" many of the problems, they'll be responsible for repairing applications that may have depended on the spyware to operate - resulting in a technical support nightmare.

That's part of the reason Dell recently announced their support technicians would not support the removal of spyware from an infected system, nor direct users to the proper applications to do so; even if it was obvious that spyware was responsible for system instability. The decision was well discussed in our Security forum, and many members of the security and anti-spyware industry sent a letter criticizing Dell for the decision.

Dell's response to the criticism (posted to their support forum) was to eventually begin selling an anti-spyware application known as Pest Patrol. Their support technicians were told to refer all inquiries about spyware to the user's ISP (check out this blog halfway down). With ISP's and other companies afraid of retribution from the marketing industries, are we destined for half-hearted solutions to increasingly irritating problems? Should it be their responsibility to resolve these issues to begin with?

Fresh from settling a libel lawsuit by pulling anti-Gator pages from its site, PC Pitstop this week plans to launch a new, expanded site critical of the controversial software.

The legal game of cat and mouse between the two companies began when Gator, now named Claria though its software is still called Gator, launched a broad legal offensive to stop various companies from referring to its product as "spyware."

As part of a settlement signed Sept. 30, PC Pitstop--which scans computers for hostile and otherwise undesirable code--removed pages from its Spyware Information Center with such titles as "Is Gator Spyware?" and the "Gator Boycott List."

Gator had alleged trade libel, false advertising and tortious interference, among other charges, and in public comments raised particular objection to use of the term "spyware."

Spyware, according to both companies, describes software installed on a computer without the user's knowledge. Adware--Claria's preferred term for its product--is downloaded knowingly. The dispute over Claria's software, which often accompanies other software applications such as the file-sharing program Kazaa, appears to hinge on whether its download notifications are obvious or obscured by long license agreements and multiple download windows.

But both kinds of software alarm some privacy advocates because they monitor activity on a computer to serve targeted advertisements.

To replace the material it removed in September, PC Pitstop on Thursday plans to launch its Gator Information Center--which in many respects appears no less critical than its predecessor.

Users in our Security forum discuss Dell's decision to no longer support the removal of spyware. Fear of liability seems to be the major motivating factor. According to this blog entry (scroll down to Dude, you're getting the runaround), users who call Dell with problems caused by spy or adware, will now be told there's nothing Dell can do; they'll need to call their ISP for support. Unfortunately your ISP will likely direct you to your OS manufacturer, who'll then tell you to call your system vendor - Dell. Since it's not very much trouble to tell users to download Adaware and Spybot Search and Destroy, it's obviously Dell's way of protecting themselves from the wrath of software vendors who include spyware and a complicated EULA. According to the support tech, Dell tech can't mention spyware, mention removal products, or tell users how to resolve common spyware problems like hijacked home-pages.

RapidBlaster is an advertising parasite whose very nature demonstrates all that is wrong with online advertising today. It is installed using activex driveby methods from affiliate web sites or silently by a browser hijacker called ISTbar. It sets itself to run hidden in the background when Windows starts, then pops up pornographic ads.

As with several other advertising parasites loose on the internet today, RapidBlaster actively works to evade removal by antispyware software. Other parasites mutate their filenames and CLSID identifiers randomly as they are installed, but this is not how RapidBlaster evades removal.

The software connects to a server at 209.47.15.73 to download a list of words. Then it creates a folder and a file with names based on those words, loads the new file, and exits. It then watches to see if anyone tampers with its registry settings. As soon as you use HijackThis or another tool to remove any part of the software or its settings, it takes a word from that list to create another anonymous version of itself, and then it disappears from view. That makes it extremely difficult to remove the bugger, because its authors designed it to watch for that and to defend itself.

I mentioned in a private security forum that we need to kill it from memory before attempting removal, and Javacool Software came to the rescue with a small program that specifically targets RapidBlaster. RBKiller will identify all known variants of RapidBlaster and remove it from memory, then delete the associated startup entry from the registry. It doesn't delete the actual file or folder currently, but most likely it soon will.

Those of you helping people out with HijackThis log files on message boards and newsgroups, you are looking for an entry similar to this:

O4 - HKLM..Run: [explorer lptt01] "c:program filesexplorerexplorer.exe"

Notice the part in bold. Current versions of RapidBlaster include that in all startup entries, although I can't imagine why considering how that makes it stand out. A future version will probably remove that to make it harder to find. If you spot that in someone's log, it is a clear sign of a RapidBlaster infection. Have them download and run RBKiller and that will solve their problem.

http://www.spywareinfo.com/downloads/rbkiller/rbkiller.exe

Many of you may have heard of a program called Patchou's "Messenger Plus". I used it myself once, before I discovered Trillian. Similar to the many front end programs for Internet Explorer (Avant browser, MyIE2, etc), Messenger Plus adds a user interface to Microsoft's MSN Messenger that contains extra features.

Patchou has brought in C2Media as a sponsor and is now bundling their lop.com software into Messenger Plus. For those of you who have never heard of it, lop.com software is classified as a trojan by antivirus vendors and as a browser hijacker by antispyware vendors. You can find plenty of information about it by doing a Google search for lop.com. Just be warned - some of the language used by lop victims will melt your monitor.

No single parasite has caused as many support threads at our message boards as lop.com (although Xupiter comes close). Ad-aware, Spybot, and all other spyware removal programs target several older variants of lop.com. It now comes in a version that is nearly impossible to detect automatically. It uses randomly named files, randomly generated CLSID identifiers, and uses activex installation methods that let them update all of their installers at once.

Before this change, the number of lop.com complaints actually had gone down because it was so easy to remove and could even be blocked beforehand. Since C2Media introduced these new versions that mutate randomly, the number of infections has become larger than ever. The only sure way to be rid of it is to ask for help at the SWI support forums.

Patchou, the developer of Messenger Plus, has issued a statement regarding the complaints he's been receiving due to his new "sponsor". To all of the people who are saying that they won't use his program because of lop.com, he has this to say, "I don't want to be rude but if you boycot version 2.10.36, you're an idiot."

[sarcasm]
Rude? Well gee, what could possibly be "rude" about being called an "idiot" for refusing to install software that sets off trojan alarms in antivirus programs?
[/sarcasm]

Whether it makes you an idiot or not, I strongly recommend that everyone stay as far away from Patchou's Messenger Plus as possible. If you have installed it already and now have lop.com's software all over your system, uninstalling Messenger Plus supposedly will also remove lop. If that doesn't work, then please read this FAQ and follow the instructions. We are very experienced at removing this thing and can easily walk you through it.

Like many of you, I've been avidly following the DRM dust-up between Intuit and unhappy TurboTax customers. And because I edit ExtremeTech, I've had a professional as well as a personal interest in the outcome. While I shared the outrage of ExtremeTech members, I knew it was important that we do a thorough and impartial job of separating fact from fiction.

But along with my technical interest in how Intuit did (or did not) implement Macrovision's SafeCast, I've had a more personal stake. For the last seven years I've been a faithful user of Intuit's Quicken and TurboTax products. I live my financial life mostly through Quicken, and then every year I feed my tax data right to TurboTax – it makes filling out those IRS forms a breeze. But as the story developed, I wasn't so sure about this year – could I have turbo-ed my last tax return?

Before my recommendations on what you should do, it's probably worthwhile to review how we got where we are today – with hours and hours of exhaustive lab testing, thousands of angry messages from users, and finally, significant changes from Intuit in how TurboTax is protected and used.

Turn the page for an in-depth time-line of how the TurboTax / SafeCast problems first surfaced, and what Intuit has done so far to address the problems. If you just want to know whether to use TurboTax or not, head right to our What Should I Do section.

In part one, we laid out some of the reasons why we suspected problems with Intuit's implementation of digital rights management with its Turbo Tax problem, and explored some of the issues that surfaced during installation. Now let's look closely at what happens when you actually try to use the product.

After installing TurboTax, we allowed the program to update itself across the Internet, and then prepared a simple TurboTax return for a Ms. Nona Yerbizness, from New Yawk, NY. We connected to the laser printer on the local network and printed the tax return to ensure that the entire process, from creation to printing, worked as expected.

As it turns out, I'm a graduate of H&R; Block's tax preparation courses, and so I gave the return a quick once over – it looked just fine. We then shut down TurboTax and began our "post mortem" investigation of the machine's state.

In Part 1, we described the various software products we installed to instrument the PC to determine and changes or problems. One of those, InCtrl5, is designed to detect any system changes that occur during software installation or any other process.

The program's inventory of changes to the system during our brief test was huge -- more than 280K when output as a plain text file. If you really want to look at that file, you can access it here.

Nearly all of the registry and file system changes identified were made by TurboTax and C-Dilla/SafeCast. Note that InCtrl5 also recorded the screen shots we'd saved and the drivers and registry entries added when we installed our Lexmark Optra network printer.

It wasn't hard to recognize the files that were added by the SafeCast/C-Dilla software, since most had file names beginning with the characters "CD". On our XP test machines, SafeCast was installed as a Windows "service," or privileged background task. Whether or not TurboTax was running, this task was always present, and -- according to the system -- taking up 1.4 MB of memory, along with other resources, including CPU cycles, hard disk space and bandwidth, and other system resources allocated on behalf of the background task, or "daemon".

Windows 98 Installation: On a Windows 98SE box we used later in our tests, the software didn't stay resident but instead loaded itself as a VXD (a "virtual device driver") when TurboTax was started. Because we had allowed TurboTax to fetch Intuit's latest updates during the installation, the uninstaller for the "SafeCast Shared Components" was available to us through the Control Panel's "Add/Remove Programs" applet. However, if you activate the product by phone, you won't get the uninstaller unless you later connect to the Internet for an update (a good idea, since the update contains fixes that might affect the accuracy of your return) or download the uninstaller separately from Intuit's website.

Macrovision Responds: We wondered why the DRM remains task-resident full-time on XP, rather than simply loading and unloading like with Windows 98SE. According to Macrovision, SafeCast "wakes up" every so often and increments counters in some of the product files. If those counters are out of synch, the software assumes that part of the product has been copied from one disk to another, and refuses to grant you access.

This technique won't work, however, if you copy both the license files and the program files at the same time – so the software also uses other measures to try to detect when this happens.

Macrovision further states that the software runs as a "daemon" under XP, so that it can perform operations that require administrator privileges. This happens even if the user running TurboTax lacks privileged access to the system.

When we asked Macrovision why the resident SafeCast task took up so much room, Macrovision's Michael Glass told us that it's because the SafeCast code is "treated to several layers of obfuscation and internal scrambling, to keep it from being reverse engineered."

"As you've seen," said Glass, "this bloats it considerably. But the process wouldn't do much good if it could easily be hacked."

We're a bit uncomfortable with this explanation, since it implies that SafeCast relies on "security by obscurity" (which, ultimately, is not good security at all). We're also skeptical that the relatively simple constraints imposed by the TurboTax software – even with the obfuscation -- would take up so much room.

Could something more nefarious than the simple restraints we encountered be lurking inside the code? We uncovered no evidence to imply that, but still, we're suspicious. So we decided to continue with our tests and check for such behavior later.

A college student was indicted on Thursday on charges he placed software on dozens of computers that allowed him to secretly monitor what people were typing, and then stole around $2,000 using information he gleaned.

In what may serve as a cautionary tale for people who use computers in public areas, Douglas Boudreau allegedly installed keystroke-monitoring software on more than 100 computers at Boston College and then watched as thousands of people sent e-mail, downloaded files and banked online.

According to an indictment by a Middlesex County grand jury, Boudreau compiled a database of personal information on about 4,800 faculty, staff and students at Boston College.

He also stole about $2,000 using the computer information he gathered, according to the office of Massachusetts Attorney General Tom Reilly.

Richard Smith, a Massachusetts-based Internet security consultant, said the software in question is typically used by jealous husbands or wives to spy on their spouses -- or by employers who want to snoop on their workers. The software is not new but poses a "sinister" threat to unwitting computer users, Smith said, noting that Boudreau could have used it with far more devastating consequences.

"With the amount of information he gathered from so many different people, there could have been a lot of things he could have done," Smith said. "I'm surprised this kind of thing hasn't been done more often."

Boudreau, who faces up to 20 years in prison if convicted on all charges, was not immediately available for comment.

Boston College said it suspended Boudreau, 21, last year once it learned of his scheme.

"While we are grateful to the attorney general's office for their assistance in this case, it's important to state that Mr. Boudreau gathered personal identification numbers on students but never misused them in any way," said Jack Dunn, a spokesman for the college.

Dunn said the college was obligated by law to report the scheme to state prosecutors once it learned of it. Dunn said the Warwick, Rhode Island, student had cooperated with police during their investigation.

ArcSoft officials said they "would look into" choosing another DRM technology after viewing ExtremeTech reader threads decrying the Macrovision SafeCast/C-Dilla software. ExtremeTech reader and forum member "trukablegod" noticed that a free trial demo version of ArcSoft's PhotoStudio photo editing application installed the Macrovision SafeCast/C-Dilla software. The software allegedly slowed down "trukablegod"'s PC, but also remained resident until he personally hunted down most of the C-Dilla files. "Trukablegod" noted that the software's uninstaller also worked pretty well. "Unfortunately, C-dilla lives on embedded in System.dat and Classes.dat (the references in User.dat are inconsequential) tasked with the job of displaying a permanent time/frame reference of when I originally installed the PhotoStudio trial program...just like many other trialware programs do," he wrote. According to Macrovision, the SafeCast technology scatters files around a user's hard drive, both to prevent users from disabling the content-protection features as well as to allow a fragmented or corrupted hard drive to retain a record of the software's activation status. Multiple threads have sprung up in the ExtremeTech forums complaining about the software, most involving Intuit's use of the technology in the latest version of Intuit's TurboTax tax-preparation software. According to ArcSoft, a German e-commerce provider named Element5 "wraps" ArcSoft's trial software in a DRM package using the Macrovision technology, including ArcSoft's 3D Text Factory Trial, PhotoPrinter 2.0 LE, PhotoStudio 2000 Trial, and PhotoStudio 2.0 SE.

"All our demo versions include Macrovision as part of their wrapping process. Our online ecommerce provider is actually setting up these (try-before-you-buys),and is using Macrovision to wrap the system," a company spokeswoman said in an email.

"Our demo versions are full-featured, time-limited, try before you buy versions, where the user has the possibility to purchase the product during or after the trial period," the ArcSoft spokeswoman added. "(The) user then receives an unlocking key and can benefit from the product without any other restriction."

The ArcSoft representative said that they originally used the Macrovision SafeCast technology because users essentially download a full-featured trial version, which expires after approximately 15 days. The technology stays resident on a user's PC, she said, "because if you don't like it, why should you download it and try it again?"

After viewing some of the reader response on the ExtremeTech forums, however, the ArcSoft representative said the company may reconsider.

"I'm going to pass this along to the ecommerce provider and see what the possibility is to have this uninstalled," she said in a followup interview. "We'll check that and see how we can improve that," she said.

At Element5, an ecommerce provider based in Germany, officials said they could not disclose the names of their clients and therefore other customers who might be using the SafeCast technology. Through a spokeswoman, Element5 chief executive Gerrit Schumann said the company uses several e-commerce technologies of which customers may choose.

"Of course this issue concerns us as well, if there is concern on the consumer side," Schumann said. "If that is the public view and concern, that is something that needs to be addressed, and I am sure it will be addressed by Macrovision, as I know them to be a reliable and trustworthy company and partner.

"Will we use SafeCast technology in the future? Our clients have a choice between different options and technologies, so there are always alternatives available," Schumann added. "We leave that choice up to our clients. I am sure Macrovision will be able to address the existing concerns, and we will closely monitor the development of the discussion. So, at this point it is a bit too early to make that decision. If the market does not support the technology, then our clients will most likely choose not to use it. So in our case, the market will regulate that itself to a high degree.

"Personally, the outrage surprises me a bit, as most uninstallers I have used, always left something on the PC that they had previously installed," such as directories, setup files, and other electronic remnants, Schumann concluded. "The SafeCast license manager does not really do anything -- and definitely does not transmit any information -- so it is non-critical, in my opinion."

What could the most evil thing on the Internet and the Dalai Lama possibly have in common?

Both are being used to promote websites owned by two of the Internet's most notorious businessmen.

The Xupiter toolbar that is plaguing so many Internet users is the work of the father and son team of Saeid and Daniel Yomtobian. Both men are experienced in devising innovative ways to use the Internet to force their businesses down people's throats.

According to domain-name registration records, Xupiter.com is owned by a Hungarian company, but sources say that Xupiter's real owners are the Yomtobians, who reside in Sherman Oaks, California.

The Yomtobians are well known spammers who have been accused of hijacking other peoples' mail servers to pump out solicitations for porn sites.

The pair is also skilled in setting up stealth websites and has spent much time in court for deliberately constructing URLs in a way that encourages people to arrive at one of their websites accidentally.

Users typically stumble on this scam when they enter a URL that's slightly incorrect and are whisked off to a gambling or sexually explicit site rather than the well-known domain they had intended to visit.

Court records indicate The New York Times and the Los Angeles Times have both had their URLs co-opted by the Yomtobians. Saeid Yomtobian owned 78,472 Internet domains when he threatened to sue VeriSign in July 2001, claiming that VeriSign software had deleted as many as 2,000 of the domain names that Yomtobian had registered. He sought $6.5 million in damages. The case seems to have been dropped, but Yomtobian now offers his own domain name registration service.

Yomtobian filed the case under his business, Yomtobian Enterprises. A search for Yomtobian Enterprises brings up yet another cavalcade of legal notices.

Content on the Yomtobian sites varies, covering topics ranging from sexual success training, interspecies romance, Internet advertising firms and even Tibetan children demanding the return of the Dalai Lama. Virtually all have one thing in common: On arrival, users are presented with an option to download the Xupiter toolbar.

Many people insist that Xupiter mugged their computers, installing itself without permission.

Some security experts say it's impossible for Xupiter to install itself sans users approval on a computer, while others point to known flaws in older versions of Internet Explorer that allow malicious code on a website to be downloaded and executed automatically.

Users of the most recent versions of IE, and those who have patched older versions, should be safe from Xupiter auto-installs. But even the most up-to-date software may not be enough to save users from Xupiter's wrath.

Technical support representatives at Microsoft's help center said Xupiter is "breaking" some installed versions of Windows XP. "It can actually break the entire system, making it impossible for you to open My Computer or other directories on the computer," claimed one rep, who requested anonymity. "It's worse than a minor inconvenience; it causes major issues with the system. We're getting a lot of requests for help with this."

The Yomtobians did not immediately reply to requests for comment.

There is no legal requirement for those who register a domain to give correct address or other contact information. Some take advantage of this loophole to hide their identities or to register dicey businesses in countries that do not have laws prohibiting activities that might attract legal attention elsewhere.

Hungarian legal experts said under current laws there wouldn't have been much that they could do about Xupiter. Residents of Hungary who read about Xupiter and offered to scout the company's location said they were unable to find the business at the address given in the domain registration information.

Lawyers say it's difficult to determine whether Xupiter is illegal in the United States.

"It's using existing problems in software, not creating them, so they could plead they didn't know the software could install itself," said criminal attorney Morris Felder. "But viruses use existing holes, too, and distributing them is illegal. You'd have to prove these Xupiter guys acted with malice."

Many taxpayers throughout the United States have been upset to discover that Intuit has added digital rights management (DRM) -- AKA copy protection -- to TurboTax, its bestselling income tax preparation software. So we put the software to the test - in our labs -- to determine exactly what was going on. In this article, we'll give you the skinny -- the good and the bad -- on what we've found out about this thorny issue.

Why Consumers are Worried

Many readers in ExtremeTech's forums have indicated that they resist purchasing any copy-protected software -- including Microsoft's Windows XP and recent versions of Microsoft Office -- on principle. They're not thieves, but they're simply not comfortable with the prospect of asking "Mother, may I?" to run software for which they've already plunked down their hard-earned cash.

Other posters have expressed worries that the software which enforces the copy protection will interfere with the correct operation of their machines, consume excessive resources, refuse to work if they change computers or replace components, or spy on them as they work. One user claimed -- though we were not able to reproduce the problem in our tests -- that TurboTax's copy protection interfered with his ability to burn CD-Rs.

When confronted with DRM, many users have, historically, voted with their feet. Several ExtremeTech readers who run alternative operating systems, such as Linux and BSD, have said that the "product activation" in Windows XP and Microsoft Office caused them to make the jump from Windows. Others have told us that they've only tolerated Microsoft's scheme because of the company's entrenched monopoly or because the vendors from whom they bought their computers offered no other options.

DRM is an even greater concern for users of tax software. They worry -- justifiably as we found out -- that they might be cut off from their tax data if they change computers or hard disks, perhaps at a crucial time such as just before a deadline or during an audit. And they want ironclad assurances that they'll be able to access their data at any time in the future -- for example, decades from now when computing capital gains on a home or other asset that's about to be sold. Will the software work if the company that sold it goes under, is acquired, or discontinues the product? Users want to be sure.

Financial software and services company Intuit has pledged to make controversial product activation technology less obtrusive in future versions of its TurboTax software.

Intuit spokesman Scott Gulbransen said the company is working with software maker Macrovision, which supplies the antipiracy technology used in TurboTax, to address customer complaints about the technology. Intuit has also beefed up its customer support, he said, including the formation of an "executive response team" to respond specifically to product activation complaints.

The Mountain View, Calif.-based company has been stung by widespread criticism in online forums and elsewhere over the introduction of product activation in TurboTax, its market-leading tax preparation software. Product activation is a controversial antipiracy approach that locks a piece of software to a specific PC.

Intuit's version relies on SafeCast, software from Macrovision that runs in the background on the PC and checks for a unique activation number generated when TurboTax is activated and stored on the PC's hard drive. The technology is intended to prevent customers from printing or filing returns from any PC other than the original machine the software was activated from.

Customers have complained the technology makes it difficult to continue using TurboTax if they acquire a new PC or hard drive. Many have also complained about the fact that SafeCast continually runs in the background, even when TurboTax isn't being used, monopolizing a small chunk of the PC's memory.

Gulbransen said Intuit is working with Macrovision to develop a version of SafeCast that runs only when TurboTax is active, and that includes other changes designed to make the technology less obtrusive.

"We're working with Macrovision to get away from its current setup and get away from having a memory-resident application," he said. "Product activation is not going to go away--we're just looking at ways to make it work more in line with what our customers have said they expect."

Gulbransen said Intuit has also expanded its customer support team by adding representatives specifically trained to deal with product activation issues and questions.

"We want to respond to folks in a friendly and prompt way without affecting our other customers," he said.

The response was enough to convince at least one Intuit critic. Michael Block, a Fort Lauderdale, Fla., accountant, had started a Web site promoting a boycott of TurboTax products. He called off the boycott this week, after being satisfied with the company's response because of extensive conversations with Intuit executives.

"To me, this is Intuit's finest hour: Fast action to do right by customers," Block wrote on his Web site.

It's the most evil thing on the Internet, according to some of its victims. But it's not a virus, a scam or a raunchy porn site.

It's a browser toolbar that some swear is doing "drive-by downloads" -- installing itself without users' permission -- then taking over their systems and making it impossible to uninstall.

"When I find the bastards who programmed this thing I'd be happy to castrate them with a pair of dull pinking shears," fumed one of Xupiter's many unhappy victims in a newsgroup posting.

Xupiter is an Internet Explorer toolbar program. Once active in a system, it periodically changes users' designated homepages to xupiter.com, redirects all searches to Xupiter's site, and blocks any attempts to restore the original browser settings.

The program attempts to download updates each time an affected computer boots up, and has been blamed for causing system crashes. Several versions of Xupiter also appear to download other programs, such as gambling games, which later appear in pop-up windows.

Some said that Xupiter has taken over their browsers.

"Random words and characters now appear when I attempt to enter info on search sites or other forms. It's as if there's a ghost in my machine," New York resident Beth Vanesky said.

Xupiter.com is registered to a company called Tempo Internet, in Gyongyos, Hungary. Calls and e-mails to Tempo were not returned.

Xupiter offers an uninstall utility, but many said that it didn't work, and in some cases made things worse.

"I ran the Xupiter Uninstall, and now every time I try to launch Explorer I get error messages saying 'Xupiter is not installed properly, please reinstall,'" said Manny Abrams of Chicago.

Xupiter has spawned long message threads on some tech support sites, as users wrestle to reclaim their machines from the terrible toolbar.

"When Xupiter first appeared, we spent a week trying to figure it out," said Mike Healan, of SpywareInfo. "There's a monstrous thread with over 26,000 page views where a couple dozen of us tested it until we figured what it did and how to deal with it."

But Healan said that every time people sort out what Xupiter is doing, Xupiter's programmers tweak its code. It also appears that Xupiter may be selling its "service" to other websites.

"About once every month or two this software starts hijacking people to a new site," Healan said. "And every time a new version comes out, it adds a different startup entry, uses a different method to change the search function and is basically a bigger pain to remove."

Xupiter's site claims the toolbar isn't installed without express permission, but many insisted that they had not agreed to install the program.

"Xupiter is the worst thing I've ever personally encountered on the Internet," said Ed Olexa. "You only realize that is has been installed when you start your browser and see that Xupiter's search page is now your homepage."

Olexa had to manually edit his system registry to remove Xupiter.

"Xupiter seems to have the ability to reinstall itself if each and every component is not removed," Olexa said. "Computer novices might never really get rid of it."

Healan recommended Spybot Search & Destroy to eradicate the program.

Healan said some installations probably occurred when people clicked "OK" in a pop-up box without really knowing what they had agreed to, or when they meant to close the pop-up window.

Xupiter is also being bundled along with at least one peer-to-peer file sharing program. And the toolbar will install itself automatically when Internet Explorer's security settings aren't set to the highest level.

Intuit has added an uninstaller feature for those users who are worried about the long-term effects of the Macrovision SafeCast/C-Dilla DRM software on their systems. "As of today, we're going to give them an uninstaller," said Scott Gulbransen, director of corporate communications for the company. "We listened to that issue."

"The company is run based on the experiences of its customers," Gulbransen added. "If we have to move, we have to move."

Intuit's decision was prompted by a small, but vocal minority of customers which stridently objected to Intuit's inclusion of the MacroVision SafeCast technology in the TurboTax 2002 release, which Macrovision bought from C-Dilla, a U.K.-based developer.

The uninstaller, which will be pushed to customers through an automatic Web update at the time the program is run, will uninstall SafeCast/C-Dilla files and folders at a user's discretion. However, uninstalling SafeCast/C-Dilla will also prevent TurboTax from being run, Gulbransen said.

According to Intuit, the C-Dilla files were added to prevent unauthorized copying of the Intuit software, while still allowing customers some flexibility in doing their taxes. Intuit executives had wanted to add copy-protection software for some time, executives said.

"It's pretty simple," Gulbransen said. "We want to protect our IP."

Macrovision did not return calls for comment by press time.

Intuit includes a CD key in its documentation, which users are required to enter to activate the software. TurboTax then transmits the key up to an Intuit server, which kicks back an acknowledgement that unlocks the software. At no time is any uniquely identifiable information exchanged between a user's PC and Intuit's servers, Gulbransen said.

Gulbransen characterized much of the furor over the C-Dilla software as misinformation, based upon years-old stories characterizing C-Dilla as "spyware". (The SafeCast software adds a "Cdilla" folder to a user's hard drive.)

Actually, TurboTax is the second Intuit product to contain the SafeCast/C-Dilla software; Intuit added the DRM software to its QuickTax software for the Canadian market last year. Gulbransen declined to comment when asked if SafeCast would be added to other Intuit products outside the tax group. DRM software has not been added to TurboTax For the Web, Intuit's online version of its tax preparation software.

According to Gulbransen, Intuit's TurboTax 2002 will only allow taxes to be filed or printed from a single machine. However, the software may be installed on numerous PCs, and files may be saved and copied from one machine to another. "What this means is that you can prepare your taxes on your laptop, for example, and then file them from your home computer," Gulbransen said.

Intuit also allows multiple filings from the same PC, allowing spouses to file separately.

Gulbransen said it was too early to say how sales had been affected by the controversy. "A lot of what happened out there has been misinformation," he said. "It gets out there, quoted from postings which aren't even accurate."

Part of the fault lies with Intuit, however. Gulbransen said a sales agent had mistakenly told at least one customer that the software could not be transferred from one machine to another, setting off the controversy. "But then there's certain people who are opposed to any kind of activation," he added.

• Protects against unauthorized consumer copying of PC software sold through retail, distributor and reseller channels.
• Thwarts use of CD-recordable drives, re-mastering by professional pirates, and unauthorized Internet downloads.
• Boosts revenues, discourages copying and opens new markets.
• Increases retailer purchases of copy-protected titles and reduces store returns.
• Creates additional selling opportunities and effective customer support via enforced user-registration information.
• Incorporates anti-hacking technology that is effective against piracy.
• Easy to implement, compatible with standard hardware configurations and transparent to the consumer.

Do you use TurboTax by Quicken? Then you need to be aware that it has possibly installed a spyware trojan on your computer. We've had a thread running at the forums for a week or two about a third party application called C Dilla that is installed by TurboTax.

According to an article at privacyandspying.com, C Dilla is a copy protection program that installs without disclosure with certain programs such as game demos. It disables your CD burner when copy protected software is on your computer, monitors what copy protected software you are using and how, disables "certain" internet downloads, and possibly sends user data off to a remote server without permission.

Quicken makes no mention of this software anywhere on their web site (that I could find), although possibly there is some disclosure in the click-through EULA. Considering that it is illegal in many places to provide customer financial data to third parties without the customer's consent, if you use TurboTax to do other people's taxes for a living, this third party software might actually be causing you to break the law. I'm sure the application doesn't send financial data back to .... wherever ... but since it isn't discussed anywhere on the Quicken web site, how can we be sure?

C Dilla is now a target of Spybot S&D.; At first the developer was worried that removing it might actually break one of these ridiculous copyright protection laws that Hollywood keeps buying in Washington D.C. I pointed out at Spybot's support forums that there is nothing illegal about a third party uninstallation program. Or that if there were, Microsoft was breaking the law itself with its add/remove control panel applet. I'd like to think that my argument helped persuade him to include this trojan as a removal target and I hope all the other spyware removal companies also add detection for it. Just be aware that removing C Dilla will most likely disable whatever installed it, as is the case with many programs that install spyware. Make sure your documents are backed up in a standard format and is accessible by whatever you replace it with.

Thank you for contacting Intuit Inc. regarding TurboTax® and C-Dilla.

Intuit has an ongoing commitment to protect your privacy. That is why privacy was a key consideration when implementing the product activation technology in federal TurboTax for Windows desktop products for tax year 2002.

The Macrovision SAFECAST® product activation technology used by Intuit installs files on your computer when you install TurboTax. These files serve as your product license; in addition, they also manage and protect that license. These files interact only with TurboTax and with each other. Macrovision SAFECAST does not gather any personally identifiable information. It does not examine, modify, or gather information about your computer, your computer's contents, or your activities or behavior, nor does it transmit any such information to Intuit, Macrovision, or any other party.

C-Dilla is a company that was acquired by Macrovision in 1999. Some of the Macrovision SAFECAST technology used in TurboTax is derived from earlier C-Dilla products.

If you have additional questions, please visit us at www.turbotaxsupport.com. We appreciate your interest and look forward to serving you in the future.

• The Program being installed and Macrovision/C-Dilla DO NOT INFORM THE USER that this software is being installed,
• That Macrovision/C-Dilla in any manner ATTEMPS TO HIDE THEIR INSTALL from install monitoring or registry tracking software,
• That Macrovision/C-Dilla DOES NOT UNINSTALL with the original software, when it is removed/uninstalled from the system. Because C-dilla requires a separate uninstall, which in all likely hood, the user never knew existed.

IF YOU LIKE LISTENING to music CDs while working on your computer, New Scientist has some bad news: a company has found a way of preventing CDs being played on a computer's CD-ROM drive. The idea is not to increase productivity in the office, but to stop pirates copying CDs or sending CD-sourced music across the Internet. It is not yet clear, however, whether record companies will risk consumers' wrath by releasing discs they can't play on their PCs.

Software companies, including Micro- soft and IBM-owned Lotus, already use C-Dilla's SafeDisc system to stop people copying CD-ROM data discs. SafeDisc puts the program material in an encrypted "wrapper" which can only be unwrapped when a digital signature code pressed into the disc matches an authorisation code entered into the PC. While a ROM drive can read the authorisation code, a CD recorder cannot copy it, so copies of the CD-ROM will not run.

A CD-ROM disc stores data at three levels, and although a CD-ROM drive reads all three, it only passes the top level into a PC for copying. SafeDisc stores the key code signature at a lower level, so it can be read from the original CD-ROM disc but not copied onto a blank. Although a CD recorder can copy a protected disc, the copy will not run on a PC even when the correct authorisation code is entered.

The music industry has been dreaming of just such an anticopy system since it was claimed more than 30 years ago that the Beatles' vinyl album Sergeant Pepper could not be copied. In fact, as with the many systems that followed, the recording was as easy to copy as it was to play.

But now C-Dilla's founder Peter Newman, who invented SafeDisc, has found an answer for the CD generation. His Audio-Lok system takes advantage of the fact that the standard for the music CD format was set before the CD-ROM standard.

CD-ROM drives have a more powerful error-correction system than music CD players, which is activated by extra code on the CD-ROM discs. Newman's system adds false error codes to a music disc. An ordinary CD player doesn't notice the false codes, but a CD-ROM drive picks them up and ejects the disc as unplayable. This makes it impossible to copy the music onto a blank disc or "rip" it onto a computer so it can be compressed and sent over the Net.

A prototype AudioLok disc lent to New Scientist duly played on a CD music player but refused to play or copy on a PC. Newman says he is confident that his system will also stop consumer music CD recorders making a copy, because these devices are already designed not to copy CD-ROMs. He expects AudioLok to be ready for launch in a year.

TV and video companies already use a copy-protection system, developed by the American company Macrovision, to stop people pirating their programs and movies. Macrovision has bought C-Dilla for around $18 million so it can offer similar protection to the music industry.

But the breakthrough may have come at the wrong time. The music industry's Secure Digital Music Initiative group has just agreed with the electronics manufacturers to allow owners of CDs to make copies onto a PC, as there seemed to be no foolproof way to stop copying altogether.

So will music companies use AudioLok? "The recording industry welcomes people listening to CDs on computers," says Paul Jessop, director of technology at the International Federation of the Phonographic Industry, the music industry's world trade body. But he adds: "The ability to make discs that cannot be copied on computers may be of considerable interest to some record companies."

cdilla10.exe
cdilla64.exe
cdins16.dll
cdins32.dll

Since I installed MS Messenger 4.6 (4.6.0082) on my machine, my firewall is going wild: In addition to numerous Microsoft sites, Messenger is contacting the following sites each time I log in: expedia.com, xp.mcafee.com, carpoint.msn.com and port-64-1956779-zzt0prespect.devices.datareturn.net. No way to know what information MS Messenger is transmitting to these sites, I did not find any meaningful information on it on the Microsoft website.

"I upgraded to Flash 6 last week (to patch a security hole). When I right clicked on a Flash ad at abcnews.com, and pulled down to Settings I got a tabbed dialogue box asking if I wanted to give them access to my cam and microphone. Clicking through on the tabs revealed that the microphone and the camera had already been detected and that the microphone was active. I doubt the camera or the microphone were sending information out but this still seems invasive. "

Users of Lavasoft's Adaware and developers of anti-spyware software need to be made aware of a shocking new development. There is a software media player being distributed which searches for and removes Adaware if it is installed. Radlight media player has been tested by several testers and by the Adaware developer himself. Radlight, which bundles with the spyware application "Savenow" and with New.Net software, makes repeated searches for the installation of Adaware and removes it if found.

"This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the invalid use of this software. You are not allowed to use any third party program (e.g Ad-aware) to uninstall application bundled with RadLight. Such programs will be removed. If you want to uninstall them, you may do so via Add/Remove in Windows' Control Panel."

"The company on Tuesday said it has begun installing a Web browser add-on that sends some Morpheus users on an invisible Web detour aimed at capturing data about file swappers' surfing habits."

"StreamCast is working with a marketing company called Wurld Media. When the full marketing program launches in April, Griffin said the affiliate program that sends Morpheus users to participating shopping sites will provide them with some reward in return. He declined to give any further details, however."

"Affiliate relationships, such as those pursued by Amazon.com and others, often pay Web sites for referring traffic in their direction. By invisibly inserting the redirect into Web surfers' browsers, StreamCast can make it look like it is referring traffic to shopping Web sites without the shopper ever being aware that the Morpheus technology was involved."

"Ad-aware is a free multi spyware removal utility that scans your memory, registry and hard drives for known spyware and scumware components and lets you remove them safely."