Spyware List


Company Profile
Contact Us
Products Online
Web Hosting


Advertising Spyware :
Stealth advertising components that are installed by some "shareware" products (and sometimes, legitimately purchased commercial software) and may collect personal information from your computer. These "adbots" are usually tied to a dodgy shareware program you have installed

  • TSADBOT (tsadbot.exe) AdGateway by TimeSink / Conducent Technologies

  • Aureate/Radiate spyware DLL ADVERT.DLL by Aureate / Radiate AdSoftware Network

  • FluxPC AdPipe

  • DSSAGENT (dssagent.exe) Brodcast by Broderbund (tags along with some Mattel/Broderbund software)

  • CyDoor "Ads On Software (tm)" - Comes with many ad-enabled products including KaZaA.

  • Web3000 (MSBB.EXE) aka. N-Case - Dastardly advertising spyware that overwrites your wsock32.dll system file, and may transmit lists of URLs you visit. See Privacy Power! Reference and Network World Reference.

  • Flyswat: See Privacy Power! Reference.

  • TransCom's BeeLine  see Web3000.

  • NewsUpd.exe - "News Engine Update Application" - Creative Labs advertising software installed with SoundBlaster (tm) and perhaps other products.

  • Codehammer Message Mates

  • BonziBuddy - A talking gorilla/parrot/etc. "software companion" targeting children. Silently Installed with some other software, and difficult to remove. See Privacy Power! Reference.

  • OnFlow - Installed by BearShare among others. The company that makes this beastie describes its purpose fairly well on its own :) It is a browser plug-in designed specifically to display advertising, usually of the large, loud and flashing variety.

  • SaveNow (WhenUShop) - Installed by BearShare among others. Put quickly, an advertising toolbar that monitors what sites you visit and pops up sponsored "deals" when products/shopping/etc. appears on those sites. Microsoft provides removal instructions.

  • Gator "Trickler" (fsg.exe / fsg-ag.exe), OfferCompanion - installed by AudioGalaxy among others.

  • PhoenixNet - Spyware embedded in your system BIOS!

  • WNAD.EXE - secretly installed background task that goes online to transmit personal information and display stealth popup ads. Installed by the "Yo Mamma, Osama" game from TwistedHumor.com, as well as the SwapNut file sharing utility.

  • Blackstone Data Transponder a.k.a. VX2 / RespondMiter / Sputnik / NetPal / Aadcom. This many-named piece of spyware is installed as an IE Helper (BHO) by third-party software OR website visits, and pops up ads continuously while you surf.

  • FlashTrack (FTAPP.DLL) - An advertising spyware module (BHO) installed with the iMesh filesharing client. More information and removal procedure are here. Flagged as a Trojan by McAffee.

  • dlder.exe - An advertising trojan that is installed by Grokster (1.33), Bearshare (2.4.0b7), LimeWire (2.02), Net2Phone (unspecified versions) and KaZaA (unspecified versions).  The spyware itself comes from ClickTillUWin.com. Taking the torch from even the worst advertising spyware to date, this one creates a fake Explorer executable and process to hide its activities. More information here. Some antivirus manufacturers have listed this as a virus or trojan horse: TROJ_DLDER.A.

  • ADP.EXE - Another spyware, distributed with LimeWire(?) and others. Appears to be an installer of Bargain Buddy (below).

  • BARGAINS.EXE (Bargain Buddy) - Advertising spyware installed with Net2Phone and some versions of LimeWire. Appears related to ADP.EXE above. More info at www.doxdesk.com.

  • bdeviewer.exe (B3D / BrilliantDigital Projector)  - A "3D Web Animation" advertising-display plugin, similar to Onflow, as well as distributed computing client that can sell your hard drive space, CPU cycles, and bandwidth. Installed by KaZaA/Morpheus and probably others. Additional story here. Removal procedure here. This product, along with the SecureInstall software of Altnet (a subsidiary of BrilliantDigital), have been labeled spyware by some sources, a claim which BrilliantDigital disputes.

  • EverAd - No information currently available.

  • Expedioware - No information currently available.

  • adshow.exe - No information currently available.

  • HelpExpress / Attune (HXIUL.EXE) - Appears to be advertising spyware that displays sponsored ads, e.g. "Buy toner"/etc. messages when you use your printer. No additional information available at this time. Remove by uninstalling "HelpExpress" and "Attune" under Windows' Add/Remove Programs.

  • Gator GAIN (GMT.exe, CMESys.exe, GAIN_TRICKLER_*.EXE) - Pops up advertising, apparently a new Gator product. A security hole in some versions allows Web sites to install arbitrary software on your computer. This URL will detect GAIN. Gator recommends on its Web site to contact support(at)gator.com for removal instructions. Gator software may be quietly installed by drive-by download.

  • Wurld Media / Morpheus Shopping Club (bpboh.dll / mbho.dll / MSCStat.exe) - Installed by Morpheus, the "no spyware" (ya, we believe you) filesharing tool. Sneakily redirects IE through advertisers' referral links when certain sites are visited in your Web browser. More details here and here.

  • NE.EXE (Network Essentials / SmartPops) - Displays stealthy popup ads while surfing the Web or using search engines. Wow! To hear it from them, this is the best service on earth--boy are they helpful. Remove by uninstalling "Network Essentials" in Add/Remove Programs. I have seen reports of this being installed simply by visiting certain Web sites.

  • dw.exe, Movie Network.exe (Downloadware / Mediacharger / Movienetworks) - Displays lots of popup ads as you surf; Mediacharger may also function as a dialer for 1-900 #s for billing of adult movie downloads. Check for removal entries in Add/Remove Programs. Some removal instructions (may or may not work?) are here. I have had reports that the program will try to deter uninstallation by telling you that doing so will mess up your browser. It is, however, bluffing.

  • ofrg.dll (FavoriteMan) - Installed by unknown means, possibly by NetPal spyware. More information here. One of its co-bundled products may be a homepage hijacker.

  • ctbclick.exe (ClickTheButton) - Installed by (NetPal), Favoriteman parasite, and some versions of KaZaA. More information here.

  • JavaRun.exe (Etraffic / TopMoxie) - Marketing software installed by products from "loyalty marketing partners", that pops up ads and coupons when you visit certain Web sites. TopMoxie description and info here. According to this site, partner software must be removed before an entry for TopMoxie will appear in Add/Remove.

  • Download_Plugin.exe - SpywareInfo has the scoop on this, it is an infector for the infamous Lop.com portal-potty. It reportedly modifies your browser preference settings to place Lop.com as your start page, adds crap links to your bookmarks, changes your desktop and adds a spyware plugin ("Swish Browser Helper").

  • openme.exe (xww.de ?) / Fast Download / Full Downloader - Loads at startup and pops up porn ads ("Live Chat mit Cams!") after about 20 minutes, according to this post in the message boards. May also try to install a dialer. To remove, find and delete openme.exe in your Windows directory, and remove it from your Registry's "shell=" line as well.

  • Radlight DivX Movie Player - The nature of the software itself is unknown. However, it will intentionally search out and delete AD-Aware from your hard drive, then dump a number of malware products on your system. This puts it on the level of a VIRUS in my book; such a behaviour is completely unacceptable.

  • NETBUIE.EXE (Unknown) - Source unknown. Places itself in C:\windows\system and adds a startup reference to the Registry. Continually loads porn popups (www.sexysquirter.com et al) while the machine is switched on.

  • INetSpeak - Bundled with the Music Magnet file-sharing tool, installs a permanent ad banner into IE. Installs as a Browser Helper Object. Remove using a BHO remover, by disabling BHO42602.clslnetspeak or similar. See write-up here.

  • plg_ie0.dll - More Lop.com crap, this one is a BHO that sends your browser to their site for most any IE error page (e.g. "The site cannot be found" becomes instead a bunch of useless lop.com links). See SpywareInfo's writeup for details.

  • Netbroadcaster(?) - Related to Movienetworks (same registrar, IP block, etc.). There is reported to be a malware product by this name. No additional information available.

  • Unknown (ftp_back.exe, istabm.exe, bm_insta.exe, attnvg.exe, createsw.exe, driverpg.exe) - Suspected ad/spyware programs. Implicated here. No additional information available.

  • AdBreak (kvnab.dll) - The name implies an advertising program, but has not been observed in action. May be installed by a trojan. Some info here.

  • PAgent, Vegas Palms Casino (MicroGaming), KFH, MediaLoads, WinEME - sub-parasites installed by DownloadWare, include casino gaming apps, ad programs and an unknown email-sending background task. Info and removal help here.

  • HotBar - an advertising toolbar that spies on sites visited and the contents of forms you fill out. Installed by IMesh. More info here.

  • OnlineDialer (VLoading / Download class and other variants) - A loader or "trickler" that is used to download and execute arbitrary programs, typically dialers, on your PC. More info here.

  • EchoBahn.com BookmarkExpress (BMupdate.exe) - A program bundled with scanner drivers (!?) that allows you (and marketing partners(!)) to manage your bookmarks from anywhere, and pops up ads at you. The service itself has since been discontinued, and it is recommended to delete this file.

  • wbeCheck (pbsysie.dll / Floid.dll / wbeCheck.exe) - Spies, and modifies the contents of HTTP traffic in IE. More info here and here.

  • HuntBar - A browser toolbar and homepage hijacker. See its listing below, under Homepage Hijackers.

  • Tgdc.exe / shopforgood.com - An affiliate link stealer similar to Wurld Media. More info here.

  • CnsMin / 3271.com - A Chinese keyword-lookup program, possibly similar to QuickClick? Does not appear that harmful, but is very difficult to remove and re-installs itself even while you are still removing it. More info here.

  • Search-Explorer - Another useless Browser Toolbar. Displays popup ads and places some cookies on your machine. More info here.

  • WINSERVS / PurityScan / sear1.exe (winservs.exe, winservn.exe, etc.) - On first running, scans your IE cache/history/cookies for files with porn-words in them and displays a list of any found. Also drops in a background program (winservs.exe) that constantly loads popup ads when the computer is running.

  • SmartAd (Cybersurf / www.cia.com) (file names unknown) - Canadian advertising program that "enables true one-to-one targeting of advertising messages against audiences defined by demographics, psychographics, lifestyle or location". The company boasts that its software's ads "can never be covered up, moved offscreen, or otherwise disabled." This product appears targeted mainly toward Internet kiosks and "free internet access" companies, not end-users. The company also hypes an "ad player" format similar to Onflow

  • Permissioned Media (friendgreetings.com / cool-downloads.com / WinSrv Reg / OTMS.EXE / winservc.exe) - Another company that hawks those infamous "online greeting cards". The catch? To view the greeting card, the site attempts to install a 1+ megabyte application that will (unless you carefully read the license agreements and click "NO!") spam everybody in your Outlook address book with phony greeting cards and ads for their service, then place advertising spyware on your computer. The spyware will collect your name, email address and surfing habits, popping up ads and delivering HTML spam to your email address. Removal: Go to Add/Remove Programs and remove "Friend Greetings" and "WinSrv Reg". Possibly the first spyware program that lists "minimum 64MB memory" in its system requirements, and attempts to forbid linking to their Web site. It seems this company may have gone out of business--their web site / domain has ceased to be.

  • Save / WhenUSave (SAVE.EXE) - Installed by some "free" software including Radlight Media Player. A removal reference is placed in Add/Remove Programs, but warns that removal will also disable the program (e.g. media player) that it was installed with. Appears to be a rebranded version of the SaveNow advertising parasite.

Stealth components and background processes that may violate your privacy or expose your computer to attack.

  • BESS, the notorious censorware program, caught spying on childrens' surfing habits and selling the information. Details at ZDnet.

  • "The Red Sheriff" Java Applet from imrworldwide.com

  • C_Dilla - A CD copy-protection program and more. Messes with the system, may interfere with Internet connection and use of CDRW drives. More info here.

"Backdoor Santas":
Non-stealth "freeware" and shareware apps that may transmit personal information or expose your computer to attack, under the pretense of providing a useful service.

Homepage Hijackers:
Once one of these nasty ad-trojans worms onto your system, it will constantly reset your homepage (and maybe Search, etc.) to where they want you to go. You can't change it back!

  • General Homepage Hijacker info

  • Gohip.com "Browser Enhancement" (Hijacker): More information on this is available at Privacy Power!. Undo hijacking

  • PassThisOn.com (the newest venture of "Spam King" Sanford Wallace) Hijacker. See this article for details.

  • United Parcel Service (UPS) - see this article.

  • Rockstar Software's "Gearbox Connection Kit" used by some ISPs, a tool to let the ISP auto-setup or update users' connection settings, will reportedly attach to the browser and change the IE homepage back to the ISPs everytime the browser is started (more info). Rockstar Software clarifies that the software isn't "evil" or a security concern, and provides this simple procedure for changing the homepage on a computer using Gearbox Connection Kit. This software, unlike other listed here, does not appear to be malicious in nature.

  • www.ezcybersearch.com - uninstall page to undo the hijacking.

  • mycpworld.com (a bogus porn site consisting entirely of blind links to a referral script) hijacks the IE settings using a .jse file as well as a .tmp file loaded in at startup with Registry Editor. (Search for and remove .jse files, remove the start-up trash from the registry)

  • Lop.com also hijacks, and even points IE's DNS Error and other error pages to lop.com. If you can't get rid of this as your homepage, download their two (!) uninstallers, to remove hompage hijacking and remove the Lop.com toolbar. Reportedly, lop.com may also alter the Domain field of your DNS configuration, visible by clicking Start > Settings > Control Panel > Network > (name of adapter) > DNS Configuration . There is also an unconfirmed report of it altering the domain suffix as well.

  • Unknown portal potties (redirecting to goto.com, topsearcher.com, et al) - add files with names such as: sps.dllsp.dll, sp.reg, sb.dll or similar to your system. In your StartUp folder you will see one or more lines such as: "regedit -s c:\windows\sp.dll". To fix, delete/rename the files appearing in this manner in the StartUp folder, and (optionally) remove the entries from the StartUp folder. These are actually Registry files that are loaded in at startup via Registry Editor.

  • www.allcybersearch.com - save this registry file and double-click on it to un-hijack your settings. This will remove the stuff that auto-changes your settings on startup and restore your IE defaults (e.g. MSN start page). If you prefer other settings, you can right-click the file and Edit..., and change the homepage settings to your liking before clicking on it.

  • www.globesearch.com - no verified fix yet. Possible fix (from examining suspect "Uninstall" binaries from the site): Find and delete the files: gshp.vbs, gsc0.txt, gsc1.txt.

  • Bonzi Buddy - Unconfirmed, but it is reported that the Bonzi software will change your homepage, and if you change it back, pop up a "Would you like to change your homepage (back to Bonzi's)". Whether you select yes or no, your homepage gets changed.

  • www.cool-xxx.net - Delete WINSYS.VBS (or .VBA), win0.txt, win1.txt from your Windows directory. Also find and delete the program that is loading them, which may be under a random name (in one case it was "zzgghh").

  • www.huntbar.com - A browser toolbar and hijacker. Believed to be a drive-by download. Reportedly, even redirects "My Computer" and "Control Panel" to their site. Close IE, use Find to search for "MSIETS.DLL", and write down the path to it. It is normally "C:\Program Files\Common Files\MSIETS". Deregister it by typing the following command into Windows' Run box: "regsvr32.exe /u C:\Program Files\Common Files\MSIETS", replacing C:\Program... with the path you noted earlier.

  • www.xupiter.com - This site will hijack your start page by way of a "browser enhancement" toolbar BHO. It is difficult to remove manually, but luckily Ad-Aware and SpybotS&D both remove it without any trouble. This sneaky b*stard is sometimes even disguised as an unsubscribe for spam mails: "In a moment a pop-up box will appear. Press Yes to be removed from all future mailings." The popup box, of course, installs the hijacker.

  • www.provilation.com - Hijacker prefixes the URL prolivation.com/cgi-bin/r.cgi? to Web sites you visit (even when you type the address in manually), allowing the site to monitor visited URLs and/or redirect the requests, add popups, etc. Adult sites may be substituted for the requested site. SpybotS&D will remove this hijacker.

  • www.searchresult.net - This hijack courtesy of a junk plugin from 'IGetNet', bundled with some p2p applications. More info and removal instructions at Doxdesk. A 'Support' page on the searchresult.net site claims to reset the homepage, but only sets a cookie and displays a popup ad.

Other Adware :
Typically not hazardous, just annoying. These programs have bait-and-switched customers into viewing annoying blinky advertisements on the program's main window.

Foistware (Everything-installs-it-can't-get-rid-of-it):
Unwanted application programs that come along, trojan-style, with completely unrelated software. Usually because some jerk is getting paid to foist it on your system whether you want it or not. Since they tag along with so many different pieces of third-party software, it is not uncommon to get re-infected with these foistware products again and again.

  • Gator, Offer Companion, Trickler (FSG.EXE / fsg-ag.exe)@ - Installed by (EVERYTHING!) - Including AudioGalaxy

  • WhenUShop / SaveNow@

  • AOL Instant Messenger@ Installed by Netscape Navigator and other products.

  • MSN Messenger - Installed by/with a number of Microsoft applications, including MSIE and MSN Explorer

  • New Net, Inc (NewDotNet) Installed by BearShare among others

  • EZula TOPtext / ContextPro / HOTText - This is a product some are calling "ThiefWare" - It inserts "yellow highlighter" advertising links in arbitrary web sites you visit! - Installed by KaZaA file-sharing tool among others.

  • Spedia Surf+ - another "ThiefWare" product. Installed by Spedia software and very difficult to remove. See this site for removal instructions.

  • WebHancer - a secretive "connection reporting tool" that seems to be quietly installed by dozens of unrelated programs!

  • Fotino by Meltingpoint Software - A "thiefware" product similar to EZula TopText--see this article. No information currently available.

  • Mirazo / NetAngel - A "thiefware" product similar to EZula TopText. No information currently available.

  • CameoCast and CameoONE - May be installed by Western Digital Lifeline Installer.

  • BackWeb / Western Digital DLGLI.EXE - Installed by Western Digital Data Lifeline among others. Purports to monitor your hard drive for problems, but is suspected of being a vehicle for displaying unwanted advertisements as well. More recently, Backweb was caught installing along with Logitech mouse drivers (!) (Do you really need web-update for ****ing mouse drivers?)

  • Liveshows - A dialer program that tries to get you to accept a set of Terms it hounds you with on every startup. May be installed via unsolicited mail attachment and some adult Web sites.

  • NetSetter / Marketscore - A "market research" program along the lines of WebHancer, intended to track your Internet usage and buying habits. Some users seem to have it and not know where it came from. Removal instructions here. (If you did voluntarily sign up for this service and wish to remove it, you can login to the Marketscore Web site for removal procedures.)

  • IntelliTech Backdoor.Autoupder Trojan / BrowserToolbar (Ausvc.exe, Bvt.exe, Mnsvc.exe, Absr.exe) - A bona-fide backdoor trojan, this one is caught by antivirus. Writeup here and technical info here. A sneaky spyware dropper that was installed by an ad on a Web site (flowgo.com).

  • CommonName toolbar - "Internet marketing tool" (and resolver of New.Net-esque bogus domain names) which, while it can be downloaded from its maker's Web site, often appears due to KaZaA and similar software. Info here.

  • UCMore (ucmie.dll) - An IE toolbar that displays "related links" for the site you're visiting. Distributed by FreeWire file-sharing tool among others. Versions 3.x and below report back the URLs you visit along with a unique ID. As of Version 4, the ID has been removed, and the company asserts that the product will no longer be stealth-installed. More info here.

  • freeaccess.exe - Distributed via adult spam, appears to be a dialer.

  • sentry.exe, sentrystub.exe, ipinsigt.dll? (IPInsight UserTag / TrafficSensor) - Provides Web sites with demographic and geographic information about you (the company brags that it can determine what city you live in to 90% accuracy), along with connection-speed and other data. Thread here and full write-up on Doxdesk. Interestingly, the company claims its product (installed on YOUR computer) as an alternative to spyware.

Trojan Horses:
Programs for the specific purpose of violating your privacy, stealing data, taking over or trashing your computer.

* NetBus seems to have "gone legit" and progressed from its original form as a Trojan Horse to a non-malevolent, commercial remote-administration tool. Information is provided "for reference" as many of the "trojan" installations persist.

* Norton AntiVirus refers to all password-snarfing trojans under the general name PWSteal.

  • PrettyPark See PCHelp Reference.

  • Sub Seven - Another fairly nasty trojan, which can monitor keystrokes on your machine and allow others to access it remotely. While this program has a few limited "helpful" uses (retrieving keystrokes/passwords from your own system, e.g. censorware passwords), it is still a Trojan and should be used with extreme caution. See here for description and here for removal utility.

  • Worm.Kazaa.Benjamin a.k.a. Full Downloader - A worm that spreads via the Kazaa file-sharing network. Signs of infection include presence of the file "EXPLORER.SCR" and a directory "C:\Windows\Temp\SYS32". To remove, delete both of these components. More info here

  • Load.exe - Part of the Nimda virus, can produce error messages ("Windows cannot find load.exe") and possible inability to run programs. To remove, run a virus scanner. To remove error message, open SYSTEM.INI, find the line similar to "Shell=explorer.exe load.exe" and change it to "Shell=explorer.exe". More info here.

The Great Unknown:
Some generally bad-behaving software whose purpose and motive are not clear...




Home Up

Copyright 2005 P.C. Professional, Inc.