Adware and Under-Wear - The Definitive Guide
RadLight
The multimedia player RadLight comes with a full complement of adware, but a recent discovery that one of its components deliberately disables the anti-spyware program Ad-aware really raised some eyebrows. This puts it dangerously near, if not fully into, the area of virus behavior. RadLight also comes with the SaveNow component described above. Ad-aware has updated its utility to handle RadLight's disable attempt.
BonziBuddy
BonziBuddy is an Internet search facility targeted at children to assist them in finding "kid-friendly" Websites. It sends information on your surfing activities to its home site at www.bonzi.com, and may also make your machine vulnerable to hackers looking for open ports. Other Bonzi products that are suspicious include InternetAlert and InternetBoost.
It can be removed by going through its own Uninstall procedure. Bonzi also gives us the ubiquitous "InternetBOOST" ads that thunder, "Your Internet Connection Is Not Optimized. Download InternetBOOST Now!" After the Better Business Bureau became involved, Bonzi changed the wording of the ad to more clearly reflect its status as an advertisement and not a system warning. However, the most recent incarnation of the ad intones, "Your Computer's Data is Currently At Risk." It certainly is, but the Bonzi program is part of the problem, not part of the solution.
CometCursor
CometCursors add "fun" cursors to the usual range of cursors on your machine, as well as "smart" cursors that link to encyclopedia definitions, Websites, and so forth. Since it collects marketing information from its users, it falls within the definition of spyware. CometCursors can be removed by going through Add/Remove in Control Panel.
GoHip.com
GoHip, a Web portal similar to Yahoo!, earns inclusion because of a button on its home page that allows you to make GoHip your home page. The button adds an entry in your Registry that changes Internet Explorer's default search engine to GoHip, as well as changing your home page. A removal tool is available here.
Onflow
Onflow is a browser plugin that forces ads onto your browser display and sends "back-channel" info on your surfing habits to Onflow. It is installed by BearShare and others. You can get rid of it through Add/Remove.
PhoenixNet BIOS
This is a particularly annoying piece of spyware, which actually resides on the BIOS of some PhoenixNet-enabled motherboards, and consequently cannot be removed. It presents users with sponsored Websites and downloads, displays "Special Offers" on the boot screen, allows third-party affiliates to change your home page and search engine defaults, and tinkers with your system settings. PhoenixNet discontinued offering these spyware-enabled motherboards in 2001.
WNAD.EXE
This program installs itself as part of the popular "Yo Mamma, Osama" game from www.twistedhumor.com as well as other games from this site and the SwapNut filesharing utility. WNAD hijacks your browser to display ads every hour. The ads purport to solicit donations for the Red Cross, but this claim is suspicious at best. WNAD also tends to cause computer crashes and is responsible for a whole range of instability problems. Ad-aware removes this little critter, or you can manually delete it by removing the WNAD.EXE and WNAD.DAT files, and making the proper deletions in the Registry.
VX2, Blackstone Data Transponder, Etc.
Installed or used by Audiogalaxy, iMesh, AADCOM, NetGeo, Akamai, Mindset Interactive, TrueData, and others, this one is available under a raft of names, including Transponder (from Blackstone Data Corp.), VX2 / RespondMiter / Sputnik (from VX2 Corp.), AADCOM Extreme Targeting (from Aadcom Corp.), NetPal (from NetPalNow / Mindset Interactive), and TPS108 Transponder (tps108.org, from DigitalRooster.com).
It bills itself as a free movie viewer for watching pornography, but it is also a BHO (Browser Helper Object) that installs itself in your browser and directs advertisements to you based on its tracking of your surfing habits. It also causes crashes and major stability problems with both browsers and Windows Explorer. Ad-aware gets rid of this one. VX2.com, the home for this little pest, claims that it will delete all collected info on a user upon request, but the request form asks for far more personal information than most of us care to provide.
Flashtrack
Another BHO, Flashtrack monitors Web pages viewed and terms entered into forms on search engines. The original version, FlashTrack/FTApp, writes into C:\Program Files\FTApp regardless of where your actual Program Files folder is. FlashTrack/flt, a newer variant, installs into C:\Program Files\flt instead. Among other places, iMesh provides this little beastie. Flashtrack often causes browser crashes. Manual removal instructions are available at and.doxdesk.com/parasite/FlashTrack.html.
DLDER.EXE, ClickTillUWin, Explorer Trojan
Installed by numerous file-sharing clients as well as Net2Phone, DLDER is actually a trojan horse that masks itself under the ClickTillUWin component. Once you're asked whether you want to install ClickTillUWin, DLDER invades your system even if you refuse the install.
Upon installation, the trojan first connects to the Website www.2001-007.com and transmits data, including a GUID, the user's IP address and browser version. Then the software downloads and installs a trojan file named Explorer.exe from the same site, to C:\WINDOWS\EXPLORER\EXPLORER.EXE (not to be confused with the required Windows file EXPLORER.EXE, located at C:\WINDOWS\EXPLORER.EXE). DLDER then places a Run key in the Registry so that the new Explorer.exe trojan runs at startup, and adds a Registry key. It may also add icons for Clicktilluwin.com, an online gambling game, to the desktop. While you surf, the bogus EXPLORER.EXE file then connects to the Internet every few minutes to transfer the assigned GUID and lists of Websites the user has visited since the last check-in -- not something any of us want on our systems. You can find out how to remove it here.
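The look-alike path described above can be checked for mechanically. The following is an added example, not code from the original article: it flags startup commands whose file name is EXPLORER.EXE but whose folder is not C:\WINDOWS. The Run-key value names and sample entries are constructed, and the Windows folder is assumed to be C:\WINDOWS as in the article's paths.

```python
import ntpath

# Expected folder of the real shell binary, as stated in the article.
# Assumption: the Windows folder is C:\WINDOWS, as in the article's paths.
EXPECTED = {"explorer.exe": r"c:\windows"}

def exe_from_command(command):
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: cut after the first ".exe" so paths with spaces survive.
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx != -1 else command.split(" ", 1)[0]

def find_masquerades(run_entries):
    """Return (value_name, path) for autoruns that reuse a system file
    name from a folder other than the expected one."""
    hits = []
    for name, command in run_entries:
        # normpath collapses "." and ".." so padded paths compare cleanly.
        path = ntpath.normpath(exe_from_command(command))
        folder, base = ntpath.split(path)
        expected = EXPECTED.get(base.lower())
        if expected is not None and folder.lower() != expected:
            hits.append((name, path))
    return hits

# Constructed sample Run-key values (not captured from a real machine).
SAMPLE_RUN_ENTRIES = [
    ("Shell", r"C:\WINDOWS\EXPLORER.EXE"),
    ("Explorer", r"C:\WINDOWS\EXPLORER\EXPLORER.EXE"),
    ("ExampleTray", r'"C:\Program Files\Example App\tray.exe" -min'),
    ("Upd", r"C:\WINDOWS\explorer\.\explorer.exe /s"),
]

if __name__ == "__main__":
    for name, path in find_masquerades(SAMPLE_RUN_ENTRIES):
        print(f"suspicious autorun {name!r}: {path}")
```

On a live system the entries would come from the Run keys in the Registry; here they are passed in as a list so the check can be run anywhere.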
MediaCharger (Movie Network.EXE)
This one, once installed, displays lots of popup ads as you surf. Worse, Mediacharger may also function as a dialer for 1-900 numbers for billing of adult movie downloads. Check for removal entries in Add/Remove Programs, and obtain detailed removal instructions here.
NETBUIE.EXE
This one is really offensive for those of us who dislike porn. Provided by a downloadable program called Port Detective among others, Netbuie insinuates itself into your Windows\System directory and continually sends porn ads and displays to your browser while you surf. According to a poster at C|Net, you can remove it by disabling it in MSCONFIG, deleting all Registry entries that reference NetBuie, and deleting all instances of files with "pink4free" in their titles. Lastly, remove NETBUIE.EXE from your System directory.
NE.EXE (Network Essentials, SmartPops)
Like so many others, this one displays stealthy popups while you surf or use a search engine. You may be able to get this one simply by visiting certain Websites. It can be squashed easily enough through Add/Remove.
Download Managers
Many programs that handle your Net downloads do so perfectly well. Some, however, like RealNetworks RealDownload, Netscape/AOL Smart Download, or NetZip Download Demon, track the files you download. The Netscape product even transmits your IP address to the program's publisher. RealDownload has removed the main spyware .DLL from its program; a lawsuit filed in July 2002 is still in the courts. These can be eradicated through Add/Remove.
Broadjump
Part of the software provided by reputable ISPs like Comcast, BellSouth, and TimeWarner, the Broadjump ChannelDirect program sends ad content to subscribers whenever the ISP chooses to relay the code. It's not the worst of the offenders, but it's still intrusive. One source says that the program's own uninstall routine is worthless, so it's probably better to remove it through your Control Panel.