advertising components that are installed by some "shareware" products (and
sometimes, legitimately purchased commercial software) and may collect
personal information from your computer. These "adbots" are usually tied to
a dodgy shareware program you have installed
TSADBOT (tsadbot.exe) AdGateway by TimeSink /
Aureate/Radiate spyware DLL ADVERT.DLL by
Aureate / Radiate AdSoftware Network
DSSAGENT (dssagent.exe) Brodcast by Broderbund
(tags along with some Mattel/Broderbund software)
CyDoor "Ads On Software (tm)" - Comes with
many ad-enabled products including KaZaA.
Web3000 (MSBB.EXE) aka. N-Case - Dastardly advertising spyware that
overwrites your wsock32.dll system file, and may transmit lists of URLs
you visit. See
Privacy Power! Reference and
Network World Reference.
Privacy Power! Reference.
TransCom's BeeLine see
NewsUpd.exe - "News Engine Update Application"
- Creative Labs advertising software installed with SoundBlaster (tm)
and perhaps other products.
Codehammer Message Mates
- A talking gorilla/parrot/etc. "software companion" targeting children.
Silently Installed with some other software, and difficult to remove.
Privacy Power! Reference.
OnFlow - Installed by BearShare among others. The company that makes
describes its purpose fairly well on its own
:) It is a browser plug-in designed specifically to display advertising,
usually of the large, loud and flashing variety.
SaveNow (WhenUShop) - Installed by BearShare among others. Put quickly,
an advertising toolbar that monitors what sites you visit and pops up
sponsored "deals" when products/shopping/etc. appear on those sites.
Gator "Trickler" (fsg.exe / fsg-ag.exe), OfferCompanion
- installed by AudioGalaxy among others.
PhoenixNet - Spyware embedded in your system
WNAD.EXE - secretly installed background task
that goes online to transmit personal information and display stealth
popup ads. Installed by the "Yo Mamma, Osama" game from TwistedHumor.com,
as well as the SwapNut file sharing utility.
Blackstone Data Transponder a.k.a. VX2
/ RespondMiter / Sputnik / NetPal / Aadcom.
This many-named piece of spyware is installed as an IE Helper (BHO) by
third-party software OR website visits, and pops up ads continuously
while you surf.
FlashTrack (FTAPP.DLL) - An advertising spyware module (BHO) installed
with the iMesh filesharing client. More information and removal
Flagged as a Trojan by McAfee.
dlder.exe - An advertising trojan that is
installed by Grokster (1.33), Bearshare (2.4.0b7), LimeWire (2.02),
Net2Phone (unspecified versions) and KaZaA (unspecified versions). The
spyware itself comes from ClickTillUWin.com. Taking the torch from even
the worst advertising spyware to date, this one creates a fake Explorer
executable and process to hide its activities.
More information here. Some antivirus
manufacturers have listed this as a virus or trojan horse: TROJ_DLDER.A.
ADP.EXE - Another
spyware, distributed with LimeWire(?) and others. Appears to be an
installer of Bargain Buddy (below).
BARGAINS.EXE (Bargain Buddy) - Advertising spyware installed with
Net2Phone and some versions of LimeWire. Appears related to ADP.EXE
above. More info at
bdeviewer.exe (B3D / BrilliantDigital Projector) - A "3D Web Animation"
advertising-display plugin, similar to OnFlow, as well as a distributed
computing client that can
sell your hard drive space, CPU cycles, and bandwidth.
Installed by KaZaA/Morpheus and probably others. Additional story
here. Removal procedure
here. This product, along with the
SecureInstall software of Altnet (a subsidiary of BrilliantDigital),
have been labeled spyware by some sources, a claim which
EverAd - No
information currently available.
Expedioware - No
information currently available.
adshow.exe - No
information currently available.
HelpExpress / Attune (HXIUL.EXE)
- Appears to be advertising spyware that displays sponsored ads, e.g.
"Buy toner"/etc. messages when you use your printer. No additional
information available at this time. Remove by uninstalling "HelpExpress"
and "Attune" under Windows' Add/Remove Programs.
Gator GAIN (GMT.exe, CMESys.exe, GAIN_TRICKLER_*.EXE) - Pops up
advertising, apparently a new
Gator product. A security hole in some
allows Web sites to install arbitrary software
on your computer.
This URL will detect GAIN. Gator recommends on
its Web site to contact support(at)gator.com for removal
instructions. Gator software may be quietly installed by
Wurld Media / Morpheus Shopping Club (bpboh.dll / mbho.dll / MSCStat.exe)
- Installed by Morpheus, the "no spyware" (ya, we believe you)
filesharing tool. Sneakily redirects IE through advertisers' referral
links when certain sites are visited in your Web browser. More details
NE.EXE (Network Essentials / SmartPops) - Displays stealthy popup ads
while surfing the Web or using search engines. Wow! To hear it from
them, this is the
best service on earth--boy are they helpful.
Remove by uninstalling "Network Essentials" in Add/Remove Programs. I
have seen reports of this being installed simply by visiting certain Web
Movie Network.exe (Downloadware / Mediacharger / Movienetworks) -
Displays lots of popup ads as you surf; Mediacharger may also function
as a dialer for 1-900 #s for billing of adult movie
downloads. Check for removal entries in Add/Remove Programs. Some
removal instructions (may or may not work?) are
here. I have had reports that the program
will try to deter uninstallation by telling you that doing so will mess
up your browser. It is, however, bluffing.
ofrg.dll (FavoriteMan) - Installed by unknown means, possibly by NetPal
spyware. More information
here. One of its co-bundled products may be a
ctbclick.exe (ClickTheButton) - Installed by (NetPal),
Favoriteman parasite, and some versions of
KaZaA. More information
JavaRun.exe (Etraffic / TopMoxie) - Marketing software installed by
products from "loyalty marketing partners", that pops up ads and coupons
when you visit certain Web sites. TopMoxie description and info
here. According to this site, partner software
must be removed before an entry for TopMoxie will appear in Add/Remove.
Download_Plugin.exe - SpywareInfo
has the scoop on this, it is an infector for
the infamous Lop.com portal-potty. It reportedly modifies your browser
preference settings to place Lop.com as your start page, adds crap links
to your bookmarks, changes your desktop and adds a spyware plugin
("Swish Browser Helper").
openme.exe (xww.de ?) / Fast Download / Full Downloader - Loads at
startup and pops up porn ads ("Live Chat mit Cams!") after about 20
minutes, according to this
post in the message boards. May also try to
install a dialer. To remove, find and delete openme.exe in your Windows
directory, and remove it from your Registry's "shell=" line as well.
Radlight DivX Movie Player - The nature of the software itself is
unknown. However, it will
intentionally search out and delete AD-Aware
from your hard drive, then dump a number of malware products on your
system. This puts it on the level of a VIRUS in my book; such a
behaviour is completely unacceptable.
- Source unknown. Places itself in C:\windows\system and adds a startup
reference to the Registry. Continually loads porn popups (www.sexysquirter.com
et al) while the machine is switched on.
INetSpeak - Bundled with the Music Magnet file-sharing tool, installs a
permanent ad banner into IE. Installs as a Browser Helper Object. Remove
BHO remover, by disabling
BHO42602.clslnetspeak or similar. See write-up
plg_ie0.dll - More Lop.com crap, this one is a BHO that sends your
browser to their site for most any IE error page (e.g. "The site cannot
be found" becomes instead a bunch of useless lop.com links). See
writeup for details.
Related to Movienetworks (same registrar, IP block, etc.). There is
reported to be a malware product by this name. No additional information
Unknown (ftp_back.exe, istabm.exe, bm_insta.exe, attnvg.exe,
createsw.exe, driverpg.exe) - Suspected ad/spyware programs. Implicated
here. No additional information available.
AdBreak (kvnab.dll) - The name implies an advertising program, but has
not been observed in action. May be installed by a trojan. Some info
PAgent, Vegas Palms Casino (MicroGaming), KFH, MediaLoads, WinEME -
sub-parasites installed by DownloadWare, include casino gaming apps, ad
programs and an unknown email-sending background task. Info and removal
HotBar - an advertising toolbar that spies on sites visited and the
contents of forms you fill out. Installed by IMesh. More info
OnlineDialer (VLoading / Download class and other variants) - A loader
or "trickler" that is used to download and execute arbitrary programs,
typically dialers, on your PC. More info
BookmarkExpress (BMupdate.exe) - A program bundled with scanner drivers
(!?) that allows you (and marketing partners(!)) to manage your
bookmarks from anywhere, and pops up ads at you. The service itself has
since been discontinued, and it is recommended to delete this file.
/ Floid.dll / wbeCheck.exe) - Spies, and modifies the contents of HTTP
traffic in IE. More info
HuntBar - A browser
toolbar and homepage hijacker. See its listing below, under Homepage
Tgdc.exe / shopforgood.com - An affiliate link
stealer similar to Wurld Media. More info
CnsMin / 3271.com - A Chinese keyword-lookup
program, possibly similar to QuickClick? Does not appear that harmful,
but is very difficult to remove and re-installs itself even while you
are still removing it. More info
Search-Explorer - Another useless Browser Toolbar.
Displays popup ads and places some cookies on your machine. More info
WINSERVS / PurityScan / sear1.exe (winservs.exe,
winservn.exe, etc.) - On first running, scans your IE
cache/history/cookies for files with porn-words in them and displays a
list of any found. Also drops in a background program (winservs.exe)
that constantly loads popup ads when the computer is running.
/ www.cia.com) (file names unknown) - Canadian advertising program that
true one-to-one targeting of advertising messages against audiences
defined by demographics, psychographics, lifestyle or location". The
company boasts that its software's ads "can never be covered up, moved
offscreen, or otherwise disabled." This product appears targeted mainly
toward Internet kiosks and "free internet access" companies, not
end-users. The company also hypes an "ad player" format similar to
(friendgreetings.com / cool-downloads.com /
WinSrv Reg / OTMS.EXE
- Another company that hawks those infamous "online greeting cards". The
catch? To view the greeting card, the site attempts to install a 1+
megabyte application that will (unless you carefully read the license
agreements and click "NO!") spam everybody in your Outlook address book
with phony greeting cards and ads for their service, then place
advertising spyware on your computer. The spyware will collect your
name, email address and surfing habits, popping up ads and delivering
HTML spam to your email address. Removal: Go to Add/Remove Programs and
remove "Friend Greetings" and "WinSrv Reg". Possibly the first spyware
program that lists "minimum 64MB memory" in its system requirements, and
attempts to forbid linking to their Web site. It seems this company
may have gone out of business--their web site / domain has ceased to be.
Save / WhenUSave (SAVE.EXE)
- Installed by some "free" software including Radlight Media Player. A
removal reference is placed in Add/Remove Programs, but warns that
removal will also disable the program (e.g. media player) that it was
installed with. Appears to be a rebranded version of the SaveNow
Stealth components and background processes that may violate your privacy or
expose your computer to attack.
BESS, the notorious
censorware program, caught spying on children's
surfing habits and selling the information.
Details at ZDnet.
"The Red Sheriff" Java Applet from
C_Dilla - A CD copy-protection program and more.
Messes with the system, may interfere with Internet connection and use
of CDRW drives. More info
Non-stealth "freeware" and shareware apps that may transmit personal
information or expose your computer to attack, under the pretense of
providing a useful service.
one of these nasty ad-trojans worms onto your system, it will constantly
reset your homepage (and maybe Search, etc.) to where they want you
to go. You can't change it back!
General Homepage Hijacker info
More information on this is available at
(the newest venture of "Spam King" Sanford Wallace) Hijacker.
See this article for details.
United Parcel Service
- see this
"Gearbox Connection Kit"
used by some ISPs, a tool to let the ISP auto-setup or update users'
connection settings, will reportedly attach to the browser and change
the IE homepage back to the ISP's every time the browser is started (more
info). Rockstar Software clarifies that the
software isn't "evil" or a security concern,
this simple procedure for changing the
homepage on a computer using Gearbox Connection Kit. This software,
unlike others listed here, does not appear to be malicious in
uninstall page to undo the hijacking.
(a bogus porn site consisting entirely of blind links to a referral
script) hijacks the IE settings using a .jse file as well as a .tmp file
loaded in at startup with Registry Editor. (Search for and remove .jse
files, remove the start-up trash from the
also hijacks, and even points IE's DNS Error and other error pages to
lop.com. If you can't get rid of this as your homepage, download their
two (!) uninstallers, to
remove homepage hijacking and
remove the Lop.com toolbar. Reportedly,
lop.com may also alter the Domain field of your DNS configuration,
visible by clicking Start > Settings > Control Panel > Network >
(name of adapter) > DNS Configuration . There is also an unconfirmed
report of it altering the domain suffix as well.
Unknown portal potties
(redirecting to goto.com, topsearcher.com, et al) - add files with names
or similar to your system. In your StartUp folder you will see one or
more lines such as:
To fix, delete/rename
the files appearing in this manner in the StartUp folder, and
(optionally) remove the entries from the StartUp folder. These are
actually Registry files that are loaded in at startup via Registry
this registry file and double-click on it to
un-hijack your settings. This will remove the stuff that auto-changes
your settings on startup and restore your IE defaults (e.g. MSN start
page). If you prefer other settings, you can right-click the file and
Edit..., and change the homepage settings to your liking before clicking
- no verified fix yet. Possible fix (from examining suspect "Uninstall"
binaries from the site): Find and delete the files:
- Unconfirmed, but it is reported that the Bonzi software will change
your homepage, and if you change it back, pop up a "Would you like to
change your homepage (back to Bonzi's)". Whether you select yes or no,
your homepage gets changed.
WINSYS.VBS (or .VBA),
from your Windows directory. Also find and delete the program that is
loading them, which may be under a random name (in one case it was "zzgghh").
- A browser toolbar and hijacker. Believed to be a drive-by download.
Reportedly, even redirects "My Computer" and "Control Panel" to their
site. Close IE, use Find to search for "MSIETS.DLL", and write down the
path to it. It is normally "C:\Program Files\Common Files\MSIETS".
Deregister it by typing the following command into Windows' Run box:
"regsvr32.exe /u C:\Program Files\Common Files\MSIETS",
replacing C:\Program... with the path you noted earlier.
- This site will hijack your start page by way of a "browser
enhancement" toolbar BHO. It is difficult to remove manually, but
SpybotS&D both remove it without any trouble.
This sneaky b*stard is sometimes even disguised as an unsubscribe for
spam mails: "In a moment a pop-up
box will appear. Press Yes to be removed from all future mailings."
The popup box, of
course, installs the hijacker.
- Hijacker prefixes the URL prolivation.com/cgi-bin/r.cgi?
to Web sites you visit (even when you type the
address in manually), allowing the site to monitor visited URLs and/or
redirect the requests, add popups, etc. Adult sites may be substituted
for the requested site.
SpybotS&D will remove this hijacker.
- This hijack courtesy of a junk plugin from 'IGetNet', bundled with
some p2p applications. More info and removal instructions
at Doxdesk. A 'Support' page on the
searchresult.net site claims to reset the homepage, but only sets a
cookie and displays a popup ad.
Typically not hazardous, just annoying. These programs have
bait-and-switched customers into viewing annoying blinky advertisements on
the program's main window.
Unwanted application programs that come along, trojan-style, with completely
unrelated software. Usually because some jerk is getting paid to foist it on
your system whether you want it or not. Since they tag along with so many
different pieces of third-party software, it is not uncommon to get
re-infected with these foistware products again and again.
Gator, Offer Companion, Trickler (FSG.EXE
/ fsg-ag.exe)@ - Installed by
(EVERYTHING!) - Including AudioGalaxy
WhenUShop / SaveNow@
AOL Instant Messenger@
Installed by Netscape Navigator and other products.
MSN Messenger -
Installed by/with a number of Microsoft applications, including MSIE and
New Net, Inc (NewDotNet)
Installed by BearShare among others
EZula TOPtext / ContextPro / HOTText
- This is a product some are calling "ThiefWare" -
It inserts "yellow highlighter" advertising links in arbitrary web sites
you visit! - Installed by KaZaA file-sharing tool among others.
Spedia Surf+ - another "ThiefWare" product. Installed by Spedia software
and very difficult to remove.
See this site
for removal instructions.
- a secretive "connection reporting tool" that
seems to be quietly installed by dozens of unrelated programs!
Fotino by Meltingpoint Software - A "thiefware" product similar to EZula
No information currently available.
Mirazo / NetAngel - A
"thiefware" product similar to EZula TopText. No information currently
CameoCast and CameoONE
- May be installed by Western Digital Lifeline
BackWeb / Western Digital DLGLI.EXE
- Installed by Western Digital Data Lifeline among
others. Purports to monitor your hard drive for problems, but is
suspected of being a vehicle for displaying unwanted advertisements as
well. More recently, Backweb was caught installing along with Logitech
mouse drivers (!) (Do you really need web-update for ****ing mouse
- A dialer program that tries to get you to accept
a set of Terms it hounds you with on every startup. May be installed via
unsolicited mail attachment and some adult Web sites.
NetSetter / Marketscore - A "market research" program along the lines of
WebHancer, intended to track your Internet usage and buying habits. Some
users seem to have it and not know where it came from. Removal
(If you did voluntarily sign up for this service
and wish to remove it, you can login to the Marketscore
for removal procedures.)
Trojan / BrowserToolbar (Ausvc.exe, Bvt.exe, Mnsvc.exe, Absr.exe) - A
bona-fide backdoor trojan, this one is caught by antivirus. Writeup
and technical info
A sneaky spyware dropper that was installed by an ad on a Web site (flowgo.com).
CommonName toolbar - "Internet marketing tool" (and resolver of
bogus domain names) which, while it can be downloaded from its maker's
Web site, often appears due to KaZaA and similar software. Info
UCMore (ucmie.dll) - An IE toolbar that displays "related links" for the
site you're visiting. Distributed by FreeWire file-sharing tool among
others. Versions 3.x and below report back the URLs you visit along with
a unique ID. As of Version 4, the ID has been removed, and the company
asserts that the product will no longer be stealth-installed. More info
Distributed via adult spam, appears to be a dialer.
sentry.exe, sentrystub.exe, ipinsigt.dll? (IPInsight
UserTag / TrafficSensor) - Provides Web sites with demographic and
geographic information about you (the company brags that it can
determine what city you live in to 90% accuracy), along with
connection-speed and other data. Thread
and full write-up
Interestingly, the company claims its product
(installed on YOUR computer) as an
alternative to spyware.
Programs for the specific purpose of violating your privacy, stealing data,
taking over or trashing your computer.
* NetBus seems to have
"gone legit" and progressed from its original form as a Trojan Horse to a
non-malevolent, commercial remote-administration tool. Information is
provided "for reference" as many of the "trojan" installations persist.
* Norton AntiVirus refers
to all password-snarfing trojans under the general name PWSteal.
See PCHelp Reference.
Sub Seven - Another fairly nasty trojan, which can monitor keystrokes on
your machine and allow others to access it remotely. While this program
has a few limited "helpful" uses (retrieving keystrokes/passwords from
your own system, e.g.
passwords), it is still a Trojan and should be
used with extreme caution.
for description and
here for removal utility.
Worm.Kazaa.Benjamin a.k.a. Full Downloader - A worm that spreads via the
Kazaa file-sharing network. Signs of infection include presence of the
file "EXPLORER.SCR" and a directory "C:\Windows\Temp\SYS32". To remove,
delete both of these components. More info
Load.exe - Part of the Nimda virus, can produce
error messages ("Windows cannot find load.exe") and possible inability
to run programs. To remove, run a virus scanner. To remove error
message, open SYSTEM.INI, find the line similar to "Shell=explorer.exe
load.exe" and change it to "Shell=explorer.exe". More info
The Great Unknown:
generally bad-behaving software whose purpose and motive are not clear...