The main spyware perpetrators


Alexa
We've received many questions about whether Alexa is spyware or not. The Alexa toolbar, which is available for download, contains spyware agents that gather information about your web surfing for statistics purposes. Whether or not the owner of Alexa does other things with this information is not known. If you wish to use some of the Alexa functions, it is best to go to http://info.alexa.com and get the information you want from the web site itself.

Aureate / Radiate
Their technology can be instantly embedded in any software product to give advertisers the ability to target software users while they are using the software. Registering Aureate embedded software does not ensure Aureate will be uninstalled or will stop transmitting information. The Aureate technology is not stopped by firewalls. Radiate can deliver precise audience targeting, rich media, advertisements that can be viewed when users are not connected to the Internet, splash screens, dynamic messaging, customized demographic collection and real-time surveys. Aureate components include adimage.dll, advert.dll, amcis.dll, amcis2.dll, anadsc.ocx, anadscb.ocx, htmdeng.exe, ipcclient.dll, msipcsv.exe and tfde.dll. Other components may have been added.

Conducent Timesink
Their technology uses the Internet to dynamically deliver content to desktop software. Once the content is received it can be displayed at any time in the application. Content activity information such as advertising impressions and click-through data is recorded and sent back to Conducent for daily reporting. Conducent does not provide users with an uninstall feature. Their software provides real-time ad targeting campaigns through the TimeSink component TSadbot.exe. Conducent has formed strategic partnerships with most of the major Internet advertising networks. The following files are used: tsadbot.exe in C:\Program Files\TimeSink\AdGateway; tsad.dll, vcpdll.dll and FlexActv.dll in C:\Winnt or C:\Windows; Addon2VB.dll in C:\Winnt\System or C:\Windows\System. If you right-click a file name and open Properties, it shows Conducent Technologies Inc. You can delete the TimeSink directory, the files, and the Registry entries. Look in HKEY_LOCAL_MACHINE\Software and HKEY_CURRENT_USER\Software. Look also for entries in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs.

Cydoor
This technology can be activated in both online and offline modes. The technology's architecture can be integrated into any software program. Cydoor can update or rotate banner ads not only when users are online, but also when they are offline. Upon installation of a software application integrated with its advertising technology, Cydoor Technologies sets a numerical identifier on your computer. The following files are used in C:\Windows\System: cd_clint.dll, cd_gif.dll, cd_swf.dll and cd_load.exe. You can delete the C:\Windows\System\Adcache directory. Then remove all instances from the Registry. Look in HKEY_LOCAL_MACHINE\Software and HKEY_CURRENT_USER\Software. Look also for entries in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs.

Comet Cursor
A browser extension that gives web sites the power to change the cursor, substituting any image or animation for the arrow. Comet Systems receives web log information: cookies, referrer IDs, IP addresses and other system information using a unique identifier system. Each time a user clicks on site content that information is stored anonymously. Comet uses this aggregated usage information to determine which cursor content is most popular in order to improve the content selection and performance of the site. To prevent Comet Cursor from automatically installing itself in your MS Internet Explorer, make sure "Installation of Desktop Items" is disabled or set to Prompt in the Security settings for the Internet and Restricted Zones (under Tools | Internet options). "Download Signed ActiveX Controls" should also be set to Prompt. Netscape users should have "Require Manual Confirmation of Each Install" checked under Edit | Preferences | Advanced | Smart Update. If these settings do not stop automatic installs, check your 'trusted' applications under Edit | Preferences | Navigator | Applications.

eZula & KaZaa Toptext
eZula sells targeted traffic based on the content of everyone's web pages without having to develop any content of its own. There is a new file sharing system launched in the wake of the MP3 war called KaZaa. When you install KaZaa you get a spyware virus installed on your computer. Toptext takes control of your browser and makes changes to everything you read on the Internet (like Flyswat), which qualifies it as a hacking program as well. It changes the way you'll browse forever.

NOTE: the latest version of this program also installs the following spyware agents: Cydoor, Webhancer and Newdotnet.

TopText operates with a browser to highlight words on every web page, inserting a yellow background behind keywords that have been purchased through their media sales company eZula, Inc. If a web user clicks on one of those yellow highlighted words on a web page, the user is sent to the site of the company paying the most that day for each click-through. If a user whose browser is infected with TopText visits your web site, they will be offered links to competitors' web sites for every keyword they find on your site for which they have a buyer.
This is not much different from the Smart Tags system that Microsoft announced for their Windows XP browser. Media and webmaster outrage caused Microsoft to cancel the release of that feature, for the time being that is. Several download web sites are actively helping this kind of virus to spread, as long as it pays, I guess. SimplytheBest.net does not. We don't like this invasion of privacy and will not in any way assist in spreading the use of this program. This spyware agent is very hard to get rid of so your best option is to never download it in the first place. Look for alternatives instead that offer the same functionality without the spyware agent.

You can remove EZula instances from the Registry:
HKEY_CLASSES_ROOT\EZulaBoot.InstallCtrl.1
HKEY_CLASSES_ROOT\EZulaBootExe.InstallCtrl
HKEY_CLASSES_ROOT\EZulaBootExe.InstallCtrl.1
HKEY_LOCAL_MACHINE\Software\CLASSES\AppID\eZulaBootExe.EXE
HKEY_LOCAL_MACHINE\Software\CLASSES\AppID\{C0335198-6755-11D4-8A73-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{3D7247D1-5DB8-11D4-8A72-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{3D7247DE-5DB8-11D4-8A72-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/eZulaBoot.dll
And in HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU you'll find an entry for EZulaboot.
And from your hard disk:
C:\WINDOWS\Downloaded Program Files\InstallCtrl.class, which mentions two files it depends on: ezulaboot.dll and ezulaboot.inf.
C:\WINDOWS\eZulains.exe
C:\WINDOWS\APPLOG\ezulains.lgc

You can use Ad-Aware to get rid of Toptext, but it will cause problems with your Internet connection and so forth. The best way to go is not to download and install ANY spyware. It's getting more difficult to get rid of them and even to find them. After using Ad-Aware you can double check the Registry by doing a Find for eZula.
You can also visit the WhirlyWiryWeb.com web site for more information on eZula and Toptext. They also feature a script which checks if you have Toptext installed and a complete Toptext removal guide.

Flashpoint / Flashtrack
Yet another spyware agent called FlashTrack has made its entrance into your PC and your web surfing experience. FlashTrack's website claims that the program monitors queries on 27 search engines in over 50 languages, performed by users who have mistakenly downloaded it, and pops up ads targeted to specific search terms, which by the way seem to be emanating from the web site you just visited. It is installed along with other software; we do not have a list of that software at this time. FlashTrack allows the media buyer to purchase media based on any URL visited and any keyword typed into any of the major search engines. FlashTrack further enhances the media buy through time-of-day based ad serving, frequency capping and seven differing web usage occasions to determine the type of web usage being conducted by the user. All of this real-time data mining is designed to effectively segment the optimal audience (it may be YOU). To remove the FlashTrack spyware agent you can get FTunin.exe from the Flashpoint web site.
You can also try to remove it yourself. FlashTrack installs its software in a directory called C:\Program Files\ftapp. Before you delete it, you must remove it from the registry and restart the computer.
On Windows 95/98/Me, enter this command at the command line:
"%WinDir%\SYSTEM\regsvr32.exe" /u "C:\Program Files\ftapp\ftapp.dll"
On Windows NT/2000/XP, enter:
regsvr32 /u "%ProgramFiles%\ftapp\ftapp.dll"
Then remove the file and the directory program files\ftapp.

Flyswat
A search enhancement for MSIE. To install and use it, ActiveX controls and plug-ins must be enabled in IE's security settings. Flyswat is also bundled with some other applications. The service logs anonymous click-streams as users navigate the Internet. The data has no personal demographic information. Flyswat uses the information for product enhancement and shares it with partners. Uninstall it via the Add/Remove Programs function.

Gator
Gator helps you to fill out forms and remember usernames and passwords of sites you frequently visit. You may even have credit card information readily available when you wish to purchase something online, which is a very dangerous thing to do. Your personal information is stored on your computer in an encrypted file. Gator accesses this personal information, using your IP address. Gator targets consumers based on site visitation and historical behavior. Gator provides aggregate statistics about its customers, traffic patterns and related site information to third-party vendors. As banners from sites you visit are being served, Gator will show its advertisers' banners instead.

GoHip
A browser extension that installs a program called 'Windows Startup' in your Start menu. This cutie will reconfigure your browser's Startup page setting. It also attaches an advertisement to every message you send and as such works like the new Sircam virus. GoHip places a file in your Windows directory that sets your AutoSignature, changes your search page and sets your start page. The executable program is called 'winstartup.exe' and is usually located in C:\Windows. You can delete this EXE and remove the Startup entry. GoHip removal can also be done using the GoHip 'remove.exe': download it, save it to your desktop and run it, then reboot.

Hotbar
This is a fairly new one. We received their unsolicited e-mail through one of our e-mail addresses and it reads as follows:
Hi, I thought you might be interested in a marketing program that will place your clients' logo and link on 4,000,000 users' Internet Explorer browsers specifically when users visit relevant sites or search for related keywords. Hotbar's recently released toolbar allows for this non-intrusive targeted advertising via buttons that change while users surf to relate to the websites they visit so for instance a Web Hosting advertiser can place their button on our bar that will appear when users visit other web hosting sites. Alternatively we can deliver a flash popup to any url you choose on a cpc basis. You determine which sites you want your ad to appear on and when a user visits any of those sites we'll send your pop up. We can generate targeted traffic for any category of advertiser. Please contact me if you are interested in more information. Best, E. M., Business Development Manager, Hotbar.com, Inc.

Hotbar collects and stores information about the web pages you view and the data you enter in search engine search fields while using the software (a browser toolbar you can download for free). While you use the Hotbar toolbar, Hotbar uses this information to determine which ads and buttons are displayed in the toolbar and which ads to show in your browser (including Flash popups). As the above unsolicited e-mail states, they can deliver a flash popup to any URL the advertiser chooses. When you visit web sites with the toolbar installed (the "Service"), Hotbar collects information about the web sites you visit and the pages you view. Hotbar stores your IP address, domain name, URL of the web page you are visiting, information about your browser, information about your computer's operating system, your Hotbar cookie number and the date/time the above information is logged. When you type search terms into a search engine, the search term you entered is transmitted from your computer and stored by Hotbar. Also stored is what toolbar buttons you click on, what links within the toolbar buttons you click on, the amount of time you have used it during each session and what browser skins you have downloaded during any given session. If you have encountered forms where you have entered your personal information, this may be stored as well (if the site where you entered the information forwards it via form scripts). Hotbar serves ads from some well-known ad networks. Amazingly, this program received a 5-star rating from ZDnet?

Why would anyone want a toolbar in their browser showing advertising buttons (don't we get enough advertising in one day to last us a lifetime?) and why would anyone want the 'non-intrusive' popups with every web site visited?

Lop (C2Media)
We've been getting reports about lop.com placing spyware agents on users' systems. We've had a look and it seems that if you use their site they collect data using cookies. (Cookies are a technology which can be used to provide you with tailored information from a web site. A cookie is an element of data that a web site can send to your browser, which may then store it on your system.) The lop.com site makes use of cookies for the following purposes: user targeting and research & development. If you install their 'toolbar' you'll get spied on (in cooperation with DoubleClick and the Network Advertising Initiative (NAI), both serving the ads). To remove this toolbar, select 'Uninstall' from the 'Help' menu of the software you installed, or if you are not sure which piece of software you installed, you can run their toolbar uninstaller or use Ad-Aware. We're not clear as to what exactly lop.com does with the data and if 'things' are served even after leaving their web site. We'd like some more feedback on this.

Mattel Brodcast
Uses its DSSAgent.exe to send information from user computers to Mattel. It also sends unsolicited information on product offerings and discounts to users. It is mostly spread among the Mattel product lines for children.

Morpheus
Users wanting the functionality of KaZaa can download Morpheus, but Morpheus contains spyware agents as well. Morpheus has licensed the technology of Gnutella for use in the Morpheus program.

Realplayer
The well-known RealPlayer also seems to be full of spyware agents. We have not tested each version ourselves, but many complaints have been coming in about this. From what we can gather the Basic version may not be infested, but the full version (for which you have paid) is. If you remove the spyware agents, the program won't run anymore. To keep the spyware agents from taking control, prevent RealPlayer from loading on startup. Use a firewall when using it on the Net. Go into Preferences and disable any option that allows the player to call home. So, if you're in need of a media player, try downloading some from this page.

Songspy (IMG Entertainment)
Songspy is a new music sharing program and states that it is 100% freeware. According to Songspy, you aren't tracked, logged or monitored for analysis by the client software. The spyware agent uses port 5190. Once it connects to their server there is no disconnecting possible and your hard drive is openly available for 'sharing'.

Web3000
Their ad shows up above banner ads and it travels with you to all the sites you visit. You'll see text messages in the upper right corner of your browser, there are splash screens or pop-up offers, and a button in the lower right area of your screen may try to sell you something. They analyze the number of users, visited pages, amount of time spent there and incoming addresses. Registering software embedded with Web3000 does not ensure the software will stop transmitting your private information. The Web3000 network ads component runs independently of the affected program. The ad component allows the network to serve you advertising in your browser whenever and wherever you are on the Internet. Messages are delivered via browser headlines, splash screens, status bar messages and newsletters. Web3000 replaces winsock32.dll and other Windows system files.

WebHancer
WebHancer provides a traffic measurement service that uses a client agent that is installed on user machines. It gathers information such as visited web page address, web page size, web page load time, web page completion state and network delay time. The latest version has features including cross-site and on-site web analytics and performance analysis. The installation is hidden and triggered by the installation of software that is bundled with it. Incorrect removal procedures will destroy your Internet connection. The running WebHancer process appears in the Task List of Windows as Whagent. Any of the following files in your Windows directory indicate the presence of WebHancer: webhdll.dll, whagent.inf, whInstaller.exe, and whInstaller.ini.

According to Webhancer you uninstall as follows:
1. go to Start / Settings / Control Panel and double-click on the "Add/Remove Programs" icon.
2. select the program called "Webhancer Customer Companion" and click the Add/Remove button.
3. once the program has been uninstalled, restart your computer.
We suggest doing the following as well:
1. check your Windows directory for these files (webhdll.dll, whagent.inf, whInstaller.exe, whInstaller.ini) and delete them.
2. delete the WebHancer folder in your Program Files directory (if still there). Reboot if you can't delete a file called wbhshare.dll.
3. clean up your default Temp directory (used for placing files during installation).
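
An added example, not part of the original page: a small Python sweep for the leftover component file names listed in the Aureate, Conducent, Cydoor, eZula, FlashTrack, GoHip and WebHancer entries above. The function names and the constructed sample tree are assumptions of this example; a name match is only a lead to verify (for instance through the file's Properties), and Registry entries are not checked.

```python
"""Case-insensitive file-name sweep for components named on this page."""
import os
import tempfile

# File names as listed in the entries above, keyed by family.
INDICATORS = {
    "Aureate/Radiate": ["adimage.dll", "advert.dll", "amcis.dll", "amcis2.dll",
                        "anadsc.ocx", "anadscb.ocx", "htmdeng.exe",
                        "ipcclient.dll", "msipcsv.exe", "tfde.dll"],
    "Conducent TimeSink": ["tsadbot.exe", "tsad.dll", "vcpdll.dll",
                           "FlexActv.dll", "Addon2VB.dll"],
    "Cydoor": ["cd_clint.dll", "cd_gif.dll", "cd_swf.dll", "cd_load.exe"],
    "eZula TopText": ["eZulaBoot.dll", "ezulaboot.inf", "eZulains.exe",
                      "ezulains.lgc"],
    "FlashTrack": ["ftapp.dll"],
    "GoHip": ["winstartup.exe"],
    "WebHancer": ["webhdll.dll", "whagent.inf", "whInstaller.exe",
                  "whInstaller.ini", "wbhshare.dll"],
}

# Windows file names are case-insensitive, so index them lower-cased.
LOOKUP = {name.lower(): family
          for family, names in INDICATORS.items() for name in names}


def scan(root):
    """Walk root and return {family: sorted list of matching paths}."""
    hits = {}
    # os.walk skips unreadable directories by default, so the sweep continues.
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            family = LOOKUP.get(fname.lower())
            if family:
                hits.setdefault(family, []).append(os.path.join(dirpath, fname))
    return {family: sorted(paths) for family, paths in hits.items()}


def demo():
    """Scan a constructed tree of empty placeholder files (sample data)."""
    with tempfile.TemporaryDirectory() as root:
        system = os.path.join(root, "Windows", "System")
        os.makedirs(system)
        for name in ("CD_CLINT.DLL", "cd_load.exe", "WHAGENT.INF", "notepad.exe"):
            open(os.path.join(system, name), "w").close()
        found = scan(root)
        # Return names only: the temporary paths vanish when this block exits.
        return {fam: [os.path.basename(p) for p in paths]
                for fam, paths in found.items()}


if __name__ == "__main__":
    print(demo())
```

To check a real machine, call scan() on the Windows and Program Files directories and review each hit before deleting anything.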