If you're one of the 200 million people who've downloaded a copy of the Kazaa
Media Desktop over the past few years, then your computer is probably infected
with one of the following nasties:
Cydoor (Advertising)
Cydoor has cleaned up its act considerably since previous versions of its
software. Previous versions left it up to the host application's vendor to
disclose (or not) that Cydoor ad components were being installed, leading to a
finger-pointing loop in cases where the software was not disclosed.
Additionally, previous versions used a GUID to track individual users across
multiple sessions. This has been removed from the current version, as verified
by our tests and information on the Cydoor website. Cydoor's components now come
with an uninstall feature that was not present in earlier versions.
Save Now (Spyware)
A single process run at startup which monitors open IE windows and opens adverts
when it sees targeted URLs and terms entered into forms.
SaveNow keeps a list of URLs and terms it is interested in on disk, in the file
'SaveNow\savenow.db' in Program Files. This file is obfuscated but it is trivial
to decode.* The (large - often over a megabyte) file maps from these targets to
adverts to serve, which are downloaded through Akamai's proxies.
As well as downloading the pop-up ads, SaveNow connects to WhenU's servers to
log the ad impression. It passes the name of the affiliate software which
installed the software, the ID of the advert being shown, and the site URL or
term that caused the pop-up to be triggered.
Dlder.exe (Adware)
Noted as a Trojan by some antivirus programs (W32.DlDer.Trojan), this little
nasty tracks your web surfing and uploads this information to a website (now
apparently shut down). It can also download and activate executable files. You
can expect to find a file called explorer.exe in your system directory (note
that a legitimate Windows file is also called explorer.exe, but that is in the
main Windows directory).
CommonName toolbar plug-in (Adware)
CommonName is marketed as a 'keywords' service, allowing one to enter simple
names instead of URLs. After its original release, the software has become a
complicated (and sometimes buggy) search-hijacker and adware, aggressively
bundled with many third-party apps. All variants except Toolbar connect to their
controlling servers once a day, which may ask them to open pop-under advertising.
They also change search settings to point to commonname.com.
Cookies are used to identify you when requests are made to CommonName. This may
occur when the advertising is opened or a keyword is entered into the address bar.
When you visit a URL whose top-level-domain the CommonName/Agent or Mib software
does not know about (eg. alternative TLDs or intranet hostnames; CommonName/Agent
also does not know about .edu, .mil, .int, .su and .gb), a request is also made.
This could allow users to be tracked across web site visits.
PgMonitor (Unknown)
PgMonitr caused an error in pgsdk.dll - delete via Add/Remove Programs.
Delfin Media Viewer (Adware)
"DelFin Media Viewer delivers advanced "TV-like" rich-media entertainment free
during "latent times". Latent times are the unavoidable times you are captive
and waiting for a computer to dial-up and connect to the Internet. DelFin Media
Viewer fills this void with targeted, personalized rich media entertainment in
the form of movie trailers, music, music videos, TV shorts and game previews." -
delete via Add/Remove Programs.
Fastseeker toolbar (Spyware)
An IE toolbar offering search features, it illegally monitors what sites you
visit and pops up sponsored "deals" when products/shopping/etc.
DownloadWare (Unknown)
http://and.doxdesk.com/parasite/DownloadWare.html
The site no longer exists, but some choice quotes included:
"...The EULA, when found, claims that it may clash with various other software
and so if it finds any it will remove it. (!)..."
"...As well as removing DownloadWare you should check your system for other
things it has installed and get rid of them too..."
Dw.exe (Unknown)
Causes invalid page faults.... remove via Add/Remove Programs.
Hot Text, Top Text, Ezula, ContextPro (Adware)
...Yellow underlining on web pages...
It can be removed via Control Panel, add/remove programs. Search for "eZula-README.html"
on your computer. This file contains information from Kazaa about the
...service.
Causes the error:
Explorer caused an invalid page fault in EABH.DLL
Removal instructions can be found here:
http://www.whirlywiryweb.com/removeezula.htm
http://ezula.com/TopText/Help.asp#7
ClickTheButton (Adware)
ClickTheButton is described as a price comparison service. It detects when you are visiting a known shopping site and provides sponsored links to competitor sites. It runs as a process on startup (ctbclick.exe) and installs a number of extra DLLs.
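To check a machine for the on-disk files named in the entries above, the following added example (not part of the original page) walks a directory tree and reports each match. It assumes that "system directory" means Windows\System or Windows\System32 and that C:\ is the drive to scan; files whose location the page does not give are matched by name anywhere.

```python
import os

# File names taken from the entries above, matched case-insensitively.
# Value = (label, required parent directory name or None for "anywhere").
ARTIFACTS = {
    "savenow.db": ("SaveNow", "savenow"),
    "ctbclick.exe": ("ClickTheButton", None),
    "eabh.dll": ("eZula/TopText", None),
    "ezula-readme.html": ("eZula/TopText", None),
    "pgsdk.dll": ("PgMonitor", None),
}
# Assumption: "system directory" means Windows\System or Windows\System32.
SYSTEM_DIRS = {"system", "system32"}


def scan(root):
    """Walk root and return sorted (label, path) pairs for each artifact found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for name in files:
            low = name.lower()
            full = os.path.join(dirpath, name)
            if low in ARTIFACTS:
                label, required_dir = ARTIFACTS[low]
                if required_dir is None or parent == required_dir:
                    hits.append((label, full))
            # The real explorer.exe sits directly in the Windows directory;
            # a copy inside the system directory matches the Dlder entry.
            elif low == "explorer.exe" and parent in SYSTEM_DIRS:
                hits.append(("Dlder", full))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Assumed default scan root; pass another path as the first argument.
    for label, path in scan(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(f"{label}: {path}")
```

A hit on a file name alone is a lead to confirm in Add/Remove Programs, not proof that the component is installed.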