Trend Micro fails the spyware test

A little over a year ago, I evaluated five antivirus programs and decided to switch from Norton AntiVirus to Trend Micro’s PC-cillin. Since then I’ve been happy with its performance. It updates itself regularly, identifies and quarantines those virus-infected attachments that make it past my e-mail gateway, and is generally unobtrusive.

The latest version of the software, PC-cillin Internet Security 2005, includes a firewall, a spam-blocking module, and newly added detection capabilities for spyware and adware. Based on my experiences today, the program’s developers need to go back to the drawing board.

I clicked the Scan for Spyware button to see what would turn up. I know this system is completely clean, so imagine my surprise when it informed me that it had found “3 potential threat(s).”


My goodness, how could I have missed these horrible programs? How did they sneak past my defenses and infiltrate my computer? What are these threats, anyway? I selected the first item in the list and clicked the More Information button, which took me to Trend Micro’s Web site. There I read about ADW_IEHELPER.A:

This adware is usually dropped and installed by a Trojan as BHO.DLL. Trend Micro detects the said Trojan as TROJ_LINST.A.

Once installed, it waits for the user to browse the Internet, specifically using Internet Explorer. This adware then scans the Web pages accessed by the user and highlights certain words, usually commercial items. When the mouse runs over one of these highlighted words, it displays a link to an advertising Web page that sells the said highlighted item.

Unfortunately, nothing in the Trend Micro interface actually told me which file it had detected or where it was located. That’s especially troublesome given that the removal instructions required me to manually unregister the DLL by entering its full path. The Web page also listed 13 registry keys where this evil program would insinuate itself. Only one of those keys was actually on my computer – a reference to Bho.dll. That file wasn’t on my computer, but a file called SnagItBHO.dll was. It’s a perfectly legitimate add-in for the SnagIt screen-capture program (which I used to capture the screens in this article and have used for every book I’ve written in the last seven years). SnagIt added that registry key and then created values that pointed to its add-in file. Had I followed Trend Micro’s instructions to remove this file, it would have disabled a key feature of my screen-capture program.

What about the next item on the list? The Web page for ADW_BADBITOR.A included no description, only a list of aliases and a long list of IE Favorites, program files, and Registry keys associated with it. The list of aliases made it pretty clear that Trend Micro thought I had installed a version of the ugly Lop parasite or Ezula adware. Once again, most of the files and registry keys ostensibly associated with this threat were simply not on my system. The only ones that matched turned out to be perfectly legitimate components of the BitTorrent program. Presumably, Trend Micro would have zapped BitTorrent had I allowed it to remove this threat.
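The pattern in both detections above, a handful of listed indicators present and the named payload absent, can be checked mechanically. The following is an added example, not part of the original post and not Trend Micro's logic: the registry key names, the file paths and the 50% coverage threshold are all constructed assumptions.

```python
from pathlib import PureWindowsPath

# Constructed stand-in for a vendor write-up: one payload name and 13 registry
# keys. The key names are placeholders, not the ones on Trend Micro's page.
SIGNATURE = {
    "name": "ADW_IEHELPER.A",
    "payload": "BHO.DLL",
    "registry_keys": [rf"HKLM\SOFTWARE\Example\Indicator{i:02d}" for i in range(13)],
}

# Constructed host state: one listed key exists, and its value points at a
# different DLL (the path is illustrative).
HOST_KEYS = {SIGNATURE["registry_keys"][0]: r"C:\Program Files\SnagIt\SnagItBHO.dll"}


def triage(signature, host_keys, min_coverage=0.5):
    """Weigh a detection by what is actually on the host.

    host_keys maps each registry key present on the machine to the file path
    its values reference (None if it references no file).
    """
    listed = signature["registry_keys"]
    matched = {k: host_keys[k] for k in listed if k in host_keys}
    coverage = len(matched) / len(listed)
    payload = signature["payload"].lower()
    # Compare the whole file name: "SnagItBHO.dll" is not "BHO.DLL".
    payload_paths = [p for p in matched.values()
                     if p and PureWindowsPath(p).name.lower() == payload]
    if not matched:
        verdict = "no match"
    elif payload_paths and coverage >= min_coverage:
        verdict = "likely infection"
    elif payload_paths:
        verdict = "needs review"
    else:
        verdict = "likely false positive"
    return {"verdict": verdict, "coverage": coverage,
            "evidence": matched, "payload_paths": payload_paths}


if __name__ == "__main__":
    report = triage(SIGNATURE, HOST_KEYS)
    print(report["verdict"], f"{report['coverage']:.0%} of listed keys present")
    for key, path in report["evidence"].items():
        print(f"  {key} -> {path}")
```

The report carries the matched key and the file it points to, which is the information the scan results did not show.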

The final item on the list was easy to identify. I have installed the password-revealing program Snadboy’s Revelation on this system. Fortunately, I know what that program does and also know that I installed it. Unfortunately, the More Information link led to a non-existent page at Trend Micro’s Web site.

OK, now let’s imagine that I’m not a computer professional but instead I’m a concerned Windows user. How am I supposed to react to this report? If I simply trust the software and let it remove these supposed threats, I’ve disabled three perfectly legitimate programs. When they stop working, will I connect the dots? Or will I think that the spyware I removed from my system had done even more damage than I thought?

Everyone wants an all-in-one Windows security solution – a single shrink-wrapped magic software bullet that can snuff out viruses, spyware, adware, Trojan horses, and every other conceivable form of malware. Unfortunately, my experience with Trend Micro’s software provides at least one data point to suggest that there’s no such animal yet.

By coincidence, I ran across two recent reviews of Trend Micro’s software online, both by way of the Security Mentor blog. PC World has a review of Internet security suites that gave Trend Micro top marks for its spyware scanning. The reviews are cursory at best, and Trend Micro earned its ranking because “in our tests only Trend Micro’s suite spotted spyware infections in the Registry.” Well, on my system those scans bore no relation to the actual presence of spyware, so I can’t give the same thumbs-up. This comparative review of antivirus software in Information Security from last October doesn’t mention spyware at all, but it does provide some interesting real-world experiences on how leading security software companies deal with customers.

I’ll continue using and recommending Trend Micro’s software as an antivirus tool. But for preventing and removing adware and spyware, don’t count on it.

15 thoughts on “Trend Micro fails the spyware test”

  1. Ed, I am really looking forward to getting your new Windows Security book when it comes out.

    Regarding your post, I also have Trend Micro 2005, but I use it solely for the standalone virus program (I didn’t install the firewall, antispam, etc.). Although this program includes a limited antispyware capability, I don’t use it. Instead, I use the Microsoft beta program, which I first learned about here several months ago. Of all the “real time scanning” antispyware programs I’ve tried, it is the only one I like. To date, I haven’t yet had a single false positive or other problem using the MS program.

    I read somewhere that Symantec is soon coming out with its own antispyware program. Eventually I suspect that all the third party antivirus programs and security suites will include comprehensive antispyware scanning as part of their basic package. Unfortunately, we can expect these programs, when they appear, to be similarly over-aggressive (as Trend Micro was in your example). The reason is that a key to successfully marketing such software is convincing consumers, rightly or (often) wrongly, that they have a problem to begin with — which only the third party software can solve.

    This is one area where — leaving aside the antitrust implications — I would prefer Microsoft software over third party software. My XP has always run best when run the way it was originally designed to run, not when modified by third party utility and security suites.

    Ken

  2. Ed, thanks for your article, it puts me at ease a little. I also found ADW_BADBITOR after I installed Shareaza and ran PC-Cillin 2005, but now it is looking more like a false positive.

  3. Thanks for that article. I too have had the same problem with ADW_BADBITOR, but I am also running Microsoft AntiSpyware, which did not detect anything, so this has helped put my mind at rest.

  4. Thank you so much for this report. I have just installed the new pc-cillin and it detected ADW_BADBITOR.A.

    I had no idea what to do about it and Trend was no help at all.

    Luckily, a quick Google brought up your report.

    My computer and I thank you.

  5. Thanks for this concise explanation of the ADW_BADBITOR.A thing. When I first ran the Trend product, it found this, and even though spybot and adaware hadn’t found anything, I let Trend do the voodoo it does to delete the files associated with the name.

    Later, I clicked on a torrent link from Blizzard’s updater and my system had no idea what to do with a torrent file, and I had to reassociate my torrent program with the file extension, which concerned me, because I couldn’t figure out how I was losing file type associations.

    Then this morning, I ran the Trend scan again, and lo and behold, it found ADW_BADBITOR.A again. Before allowing it to delete anything this time, I googled to see what this might be and came across your site.

    Thanks so much for your help and clear explanation!

  6. I encountered Virtual Bouncer which had my computer down for two weeks. I THOUGHT I knew computers, but this really set my ego back a bit. I ran Trend’s online scan, Norton’s scan (I have Norton 2005 security that was supposedly auto protecting my computer.) I also ran Spybot, and AVG. I also ran Hijack This! The hard part was just figuring out WHAT IT WAS on my computer. It was compounded that files that were supposed to be on my computer because of malware weren’t on my computer – even in the registry. Virtual Bouncer also deleted my Google and Yahoo tool bars that I had loaded. Since that attack about a month ago, my computer (that was new in September) has never been the same.

    I ended up abandoning IE and using Mozilla. I’m having security issues with my IP email claiming I’m not a valid subscriber, except that I can send from the website. When I abandoned IE, I had random links in the browser window which lead to an adult site which I cannot get rid of, so I switched away from IE. I checked today, and the links are still there.

    I don’t know what to do next.

  7. Hi, I too have used Trend Micro, Housecall and it always tells me I have AWD_BADBITOR:A, also my computer is almost new and it’s a disaster, my internet would not work well, kept crashing, and my computer kept getting popups and acting strange, I never felt in control.

    I have used many Antispy programs now and I think I’m winning? The latest which seemed to do something and found a lot of stuff was Spyware Nuker.

    Anyway I think the Internet and Computers are Doomed, it’s all going to Crash Soon, it’s a House of Cards!

    Good Luck to you all. P.S. TRUST NO ONE!

  8. Looks like Trend Micro wants to give us an impression that its software is superior by reporting bogus threats. I ran the scan and cleaned up my pc several times and every time ADW_BADBITOR.A was found. They are clearly trying to deceive their users.

  9. Thank you so much. ADW_BADBITOR.A showed up when I did the Trend Micro Housecall at approximately 11:30 at night and I’ve spent the last 9 hours trying to figure out the problem. I ran Microsoft spyware, Norton antivirus, and a different Trend Micro product all with the same result of no ADW_BADBITOR.A present. Needless to say, I was freaking out. I decided to try and google a solution to my problem and your report was the answer to my prayers. Thank you so much.

  10. From what I can tell, PC-Cillin / Trend Micro seems to think a component of most bit torrent progs is the ADW_BADBITOR.A adware program.

    As with all the above – it wouldn’t show with any other anti-virus/adware removal software except PC-Cillin, and I was getting worried about it.

    This website has confirmed my suspicions.

  11. So everyone has had problems with this spyware or many others, what are we to do to eliminate these things? I am so fed up with all the Idiots out there that insist on ruining my computer enjoyment. I’d kill every one of them, because they are vicious and malicious. They are equal to a Child Molester.
    Can someone outwit these nitwits?

  12. You hit it right on the dot. TrendMicro offers excellent antivirus protection but sucks big time when it comes to spyware detection. TrendMicro lags behind when it comes to spyware detection, that’s why they acquired InterMute in the first place. They repackaged its SpySubtract product into what we know as Trend Anti-Spyware component. Fortunately, there’s Lavasoft Ad-Aware SE Personal which is a free anti spyware application I use to accurately mark the persistent spywares that managed to creep into my system.

Comments are closed.