Adware and Under-Wear - The Definitive Guide
Cydoor
Sneaky -- this particular Cydoor installation doesn't even identify itself except as "adware support." Cydoor uses its CD_CLINT.DLL file as the central nexus for its variety of installations. CD_LOAD.EXE runs in the background for offline uses. It downloads ads for on- and offline viewing.
Cydoor now seems to behave better than it once did. Earlier versions left it to the host vendor's installation procedure (as in the illustration above) to warn users that they were about to install Cydoor, and used a GUID to track individual users across multiple browsing sessions. Both practices have since been halted. However, it still installs itself into your Registry, making it more difficult to remove, and can install itself even if you don't approve the installation of its parent utilities.
Ad-aware seems to delete Cydoor fairly effectively, but to be sure, you can access a more in-depth removal feature on this site.
TSADBOT
A proud member of the Cydoor adware family and considered a virus by several sources, TSADBOT connects to the Internet when you fire up your Net connection, downloads ads, and implements an unauthorized proxy server on your system which cloaks the program's network connections. AdGateway "profiles", which are demographic, behavioral, or both, are stored in encrypted files on the user's system, and are sent to Cydoor. It's pernicious: it remains after you delete its accompanying software, is difficult to remove, and is likely to reinstall itself if you do remove it. If for some reason the adbot is prevented from connecting to Cydoor by a firewall or other security measures, it retries continually, up to 10 times a second, which can overload local network facilities. It may even attempt to connect using Telnet or other ports, coming back to the HTTP connects after a time. Lovely, huh? PKZip is one known source of this piece of code.
As I said, it isn't easy to remove this one. The folks at CounterExploitation provide good removal instructions here.
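The retry behaviour described above shows up in firewall logs as a burst of blocked outbound connections from one host to one destination. The following Python is an added example, not part of the original article; the log line format, the addresses and the 8-per-second threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's):
#   <date> <time> DENY OUT <src_ip> -> <dst_ip>:<port>
LINE = re.compile(r"^(\S+ \S+) DENY OUT (\S+) -> (\S+):(\d+)$")
FMT = "%Y-%m-%d %H:%M:%S.%f"

def find_retry_storms(lines, per_second=8):
    """Flag (src, dst) pairs whose blocked outbound attempts reach
    `per_second` inside any sliding 1-second window."""
    windows = defaultdict(deque)   # recent attempt times per pair
    peak = defaultdict(int)        # highest count seen in one window
    ports = defaultdict(set)       # every destination port the pair tried
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue               # not a blocked-outbound record
        ts = datetime.strptime(m.group(1), FMT)
        key = (m.group(2), m.group(3))
        ports[key].add(int(m.group(4)))
        win = windows[key]
        win.append(ts)
        while ts - win[0] >= timedelta(seconds=1):
            win.popleft()          # drop attempts older than one second
        peak[key] = max(peak[key], len(win))
    return {k: {"peak": peak[k], "ports": sorted(ports[k])}
            for k in peak if peak[k] >= per_second}

def sample_log():
    """Constructed log: one noisy host and one ordinary host."""
    base = datetime(2003, 5, 1, 12, 0, 0)
    out = []
    for i in range(30):            # one blocked attempt every 100 ms
        port = 23 if 15 <= i < 20 else 80   # brief switch to Telnet, then back
        ts = base + timedelta(milliseconds=100 * i)
        out.append(f"{ts.strftime(FMT)} DENY OUT 192.168.1.23 -> 203.0.113.10:{port}")
    for i in range(3):             # three blocked attempts, 5 s apart
        ts = base + timedelta(seconds=5 * i)
        out.append(f"{ts.strftime(FMT)} DENY OUT 192.168.1.40 -> 198.51.100.7:80")
    return out

if __name__ == "__main__":
    for (src, dst), info in find_retry_storms(sample_log()).items():
        print(src, "->", dst, info)
```

The port list is reported alongside the rate because a blocked client that alternates between HTTP and Telnet toward the same destination matches the fallback pattern the article describes.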
Aureate/Radiate
An infamous source of ads overlaid on your browser, this one comes along with over 300 files and sources, including Go!Zilla, CuteFTP, GetRight, Buddyphone and others. Some of the ads it sends your way are fullscreen 640x480 ones. While we know that Aureate/Radiate transmits a goodly amount of information to its parent company and/or its licensees, exactly what is being sent is hard to determine. Better yet, it secretly installs itself as a Windows Service, and registers itself as a browser helper app that loads with your Web browser, giving itself the capability of monitoring every site you visit. Web advertisers can't be too happy with it either, since Aureate skims off 40% of the developers' revenue right off the top for using their wares. If you're running Aureate/Radiate, you'll have a file called ADVERT.DLL somewhere in your system; there are others, but this .DLL is the heart of the system.
Uninstalling the program(s) that gave you Radiate won't delete the intruder, but Ad-aware will, deleting the 9 associated files and accompanying Registry entries. The CounterExploitation page on Aureate/Radiate tells you how to uninstall the program manually, and Aureate/Radiate also provides a tool for getting rid of it that reportedly removes both the associated files and Registry entries. Be aware that some "parent" programs such as Go!Zilla won't run without the Aureate/Radiate software.
Alexa
Released in 1997, Alexa is a search toolbar that integrates with your browser and provides a variety of links and functions. It's currently partnered with Google, and was bought out by Amazon in 2000, so you might think Alexa is a completely aboveboard and innocent program. In many ways, it is.
However, it ran afoul of the law in 2001 when it was accused of selling private information to Amazon without users' consent, and paid over $1.9 million after a court found Alexa guilty of violating users' privacy.
Although Alexa claims to have cleaned up its act, Ad-Aware still lists Alexa as adware. Personally, I'd certainly be leery of having this program on my machine. Note, though, that Alexa comes bundled with Microsoft Internet Explorer. Therefore, everyone will have this on their machine at one point or another. It's safe to remove.
SaveNow
Created by a company called WhenU.com, "SaveNow" is described as "[o]ne of the most pervasive pieces of piggyback software" on the filesharing networks. BearShare, iMesh, and the Global DivX online movie player, among others, distribute this little goodie. It tracks where you surf and uses that information to target you with pop-up ads.
While this one doesn't send information back to its parent company, it does continuously download updated information about new offers and keep a record of where you surf on your machine. It stays on in the background whether or not its associated program is running. It can be removed by going through Add/Remove, and uninstalling both SaveNow and WhenUShop. After doing this, you'll need to remove a WhenUDownloadClass object from your browser's temporary files, or it may reinstall itself.
Lop.com
Lop.com is known far and wide as a major purveyor of spyware and underhanded advertising techniques. Owned by C2 Media, it's mainly a pay-per-click search portal where other Websites pay for each click-through to their sites through Lop. So far so good, but the Lopsters got devious on us by creating a program labeled as either an MP3 or porn search program. Once installed, the program uses its own stripped-down browser code to reconfigure your browser to "everything Lop." Your start page and default search engine are reset to Lop or to www.mp3search.com, your toolbar is modified, unwanted links are added to your bookmarks, your browser redirects to Lop if an error is detected in loading any other page, and a spyware plugin is installed. Older versions gave your desktop an HTML wallpaper loaded with shortcuts to Lop, but those were discontinued due to bugs in the code.
CounterExploitation notes, "The user becomes a visitor to Lop.com with nearly every action that they take with their browser, whether it be searching for something, typing in an incorrect URL, or simply by opening a new browser window. A recently discovered variant of lop's software omits the browser and BHO altogether, and instead installs dozens of Internet shortcuts and sets the home page to http://unitedstates.rub.to. The installer for this variant may be named MP3.EXE or FREEMP3Z.EXE."
The heart of the Lop installer is the file PLG_IE1.DLL; older versions use the DOWNLOAD_PLUGIN.EXE file.
Getting rid of it is tedious but not too difficult; right-clicking the taskbar icon gives you a Help button in the Menu option that takes you to an uninstall tool. Running Ad-aware immediately thereafter removes the debris left behind by Lop, though you may find yourself manually deleting added bookmarks. You'll now need to delete your Windows Temp files, then look inside your WINDOWS\WEB\WALLPAPER folder (WINNT\WEB\WALLPAPER for NT/2K users) and hunt for two files, DESKTOP.EXE and DESKTOP.SWF. Delete them if you find them, and reset your wallpaper if need be.
BHODemon from Definitive Solutions also removes the program itself, as does Ad-aware, but you still may find yourself making some of the manual deletions as detailed above.
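Because several of these programs stay behind after their parent software is uninstalled, a leftover check can be built from the file names given above. The following Python is an added example, not part of the original article; it goes beyond the Lop steps to cover the Cydoor and Aureate/Radiate file names as well, and the directory tree in `demo()` is constructed.

```python
import os
import tempfile

# File names the article ties to each program (matched case-insensitively).
INDICATORS = {
    "cd_clint.dll": "Cydoor",
    "cd_load.exe": "Cydoor",
    "advert.dll": "Aureate/Radiate",
    "plg_ie1.dll": "Lop.com",
    "download_plugin.exe": "Lop.com",
    "mp3.exe": "Lop.com (possible installer)",
    "freemp3z.exe": "Lop.com (possible installer)",
}
# Per the Lop removal steps, these two matter only inside a WEB\WALLPAPER folder.
WALLPAPER_ONLY = {"desktop.exe": "Lop.com", "desktop.swf": "Lop.com"}

def scan(root):
    """Walk `root` and return sorted (program, path) pairs for leftover files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        parts = [p.lower() for p in os.path.normpath(dirpath).split(os.sep)]
        in_wallpaper = parts[-2:] == ["web", "wallpaper"]
        for name in files:
            key = name.lower()
            program = INDICATORS.get(key)
            if program is None and in_wallpaper:
                program = WALLPAPER_ONLY.get(key)
            if program:
                found.append((program, os.path.join(dirpath, name)))
    return sorted(found)

def demo():
    """Build a constructed directory tree, scan it, return root-relative hits."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("Program Files/GoZilla/ADVERT.DLL",
                    "WINDOWS/WEB/WALLPAPER/DESKTOP.SWF",
                    "Games/DESKTOP.EXE",          # outside WEB\WALLPAPER: ignored
                    "WINDOWS/SYSTEM/cd_clint.dll"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return [(prog, os.path.relpath(p, root).replace(os.sep, "/"))
                for prog, p in scan(root)]

if __name__ == "__main__":
    for program, path in demo():
        print(f"{program}: {path}")
```

A file-name match is only a lead to investigate; it does not cover the Registry entries the article mentions.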