Sign up to win at iWon.com and get pesky spyware installed on your PC that won't go away.

 

IWon.com offers prize money to Web surfers who visit the site and make it their homepage. But the installation of its iWonPlus subscriber package installs a malicious, hidden Trojan program that sends data to the iWon servers long after you've followed directions to uninstall the program. Especially disturbing is that iWon is a TRUSTe company, meaning it promises to publish a privacy policy and live by its tenets. Nowhere in the iWon privacy policy does it state that the spyware program will hide itself and continue transmission after you attempt to remove it.

 

The offending malware

 

A tech article tipped me to the fact that the extra software needed to participate in many of the iWon.com programs installs a nasty piece of spyware called aornum.exe. Aornum tracks user Web browsing habits and sends that data back to iWon.com. This practice is clearly noted in the iWon privacy policy: "iWon Software Products automatically communicate over the Internet with iWon's servers and, in order to provide you with information or services, may convey to iWon certain information regarding your activities, including, for example, the URL of sites you visit."

 

IWon says it collects user data and shares it with third-party marketing organizations unless users have opted out of such information sharing. IWon says it also uses the personal data to send "targeted email" (aka spam) to users.

 

How aornum works

 

Many who find the aornum spyware program opt to remove the entire iWon package to prevent the data leakage. The instructions at iWon's site advise using the add/remove programs function in Windows for a full uninstall. But after performing an add/remove and rebooting one of my machines, a spyware scan still found traces of the aornum program. Aornum renamed some of its files "ornum" and hid the aornum program deeper on the computer. Within minutes the program was attempting to send data. my firewall logged the series of requests, noting aornum.exe as the offending mailware.

 

IWon.com has not returned email in response to questions regarding the spyware.

 

Deleting Is No Easy Task

     

To see if the aornum software is as insidious as the article reported, I set up a test machine.

 

I took a newly imaged Win98SE hard drive, installed two free spyware-detection programs, Ad-aware and Spybot, and then scanned the machine with both programs. Neither one detected any spyware associated with aornum or iWon.

 

I installed the free consumer version of the Zone Alarm firewall and set it to detect and alert us to all outgoing traffic. I then visited the iWon site and signed up for its services. I discovered that playing online bingo doesn't install the spyware but can become habit forming.

 

I rescanned the computer with the two-spyware detectors and still found no alerts for aornum.

 

I then downloaded the iWon chat program to qualify for "more winning opportunities" and began browsing the Internet and playing the iWon slot machine games (also habit forming). It was then that my firewall gave its first warning. Aornum was attempting to send data.

 

A scan with Ad-aware didn't detect aornum, but Spybot picked up multiple entries.

 

I followed the iWon removal instructions to rid my PC of aornum and discovered that my only recourse was to uninstall all of the iWon software using the add/remove function in the control panel. Once removed, all of the previous iWon gaming, chat, and prize functionality was gone.

 

After a reboot I scanned the computer with Spybot and found aornum entries. There were fewer of them and their locations and registry modifications had changed. I began accessing the Internet and again my firewall popped up, alerting me that aornum was attempting to send an outgoing data transmission.

 

The iWon removal instructions left the spyware on my computer. That means aornum is a Trojan horse, or malicious hidden program. Aornum is not just spyware.

 

To truly rid our PC of the spyware/Trojan, I used the "search and destroy" function in Spybot, rebooted the computer in safe mode, searched the entire computer for "aornum," deleted all references to the Trojan, emptied the Recycle Bin, and rebooted the machine normally. A subsequent Spybot scan gave the computer a clean bill of health. So far there have been no additional alerts from the firewall.

 

This is the best removal advice I can offer. It keeps you from having to do a registry edit and you can do it for free.

 

The insidious nature of this Trojan/spyware is alarming given that it comes from a website that puts out the appearance of legitimacy and professes its honesty using the TRUSTe seal of approval.