Alexa
We've received many requests as to whether Alexa is spyware or not. Well, the
Alexa toolbar which is available for download contains spyware agents whereby
information about your web surfing is gathered for statistics purposes. Whether
or not the owner of Alexa does other things with this information is not known.
If you wish to use some of the Alexa functions, it is best to go to http://info.alexa.com
and get the information you want from the web site itself.
Aureate / Radiate
Their technology can be instantly embedded in any software product to give
advertisers the ability to target software users while they are using the software.
Registering
Aureate embedded software does not ensure Aureate will be uninstalled or will
stop transmitting information. The Aureate technology is not stopped by firewalls.
Radiate can deliver precise audience targeting, rich media, advertisements
can be viewed when users are not connected to the Internet, splash screens,
dynamic
messaging, customized demographic collection and real-time surveys. Aureate
components include adimage.dll, advert.dll, amcis.dll, amcis2.dll, anadsc.ocx,
anadscb.ocx,
htmdeng.exe, ipcclient.dll, msipcsv.exe and tfde.dll. Other components may
have been added.
Conducent Timesink
Their technology utilizes the Internet to dynamically deliver content to desktop
software. Once the content is received it can be displayed at any time in the
application. Content activity information such as advertising impressions and
click through data is recorded and sent back to Conducent for daily reporting.
Conducent does not provide users with an uninstall feature. Their software
provides real-time ad targeting campaigns through the Timesink component TSadbot.exe.
Conducent has formed strategic partnerships with most of the major Internet
advertising
networks. The following files are used: tsadbot.exe in C:\Program Files\TimeSink\AdGateway,
tsad.dll, vcpdll.dll and FlexActv.dll in C:\Winnt or C:\Windows, Addon2VB.dll
in C:\Winnt\System or C:\Windows\System. Right clicking on the filename, the
Properties tab shows Conducent Technologies Inc. You can delete the TimeSink
directory, the files, and the Registry entries. Look in Hkey_local_machine\Software,
Hkey_current_user\Software. Look also for entries in Hkey_local_machine\Software\Microsoft\Windows\Current
Version\Run and in Hkey_local_machine\Software\Microsoft\Windows\Current Version\Shareddlls.
Cydoor
This technology can be activated both in online and offline modes. The technology's
architecture can be integrated into any software program. Cydoor can update
or rotate banner ads not only when users are online, but also when they are
offline.
Upon installation of a software application integrated with our advertising
technology, Cydoor Technologies sets a numerical identifier on your computer.
The following
files are used in C:\Windows\System: cd_clint.dll, cd_gif.dll, cd_swf.dll and
cd_load.exe. You can delete the C:\Windows\System\Adcache directory. Then remove
all instances from the Registry. Look in Hkey_local_machine\Software, Hkey_current_user\Software.
Look also for entries in Hkey_local_machine\Software\Microsoft\Windows\Current
Version\Run and in Hkey_local_machine\Software\Microsoft\Windows\Current Version\Shareddlls
Comet Cursor
a browser extension that gives web sites the power to change the cursor, substituting
any image or animation instead of the arrow. Comet Systems receives web log
information: cookies, referrer id's, IP addresses and other system information
using a unique
identifier system. Each time a user clicks on site content that information
is stored anonymously. Comet uses this aggregated usage information to determine
which cursor content is most popular as to improve the content selection and
performance of the site. To prevent Comet Cursor from automatically installing
itself in your MS Internet Explorer, make sure "Installation of Desktop
Items" is disabled or set to Prompt in the Security settings for Internet
and Restricted Zones, Download Signed Active X Controls should be set to Prompt
(under Tools | Internet options). Netscape users should have Require Manual
Confirmation of Each Install checked under Edit | Preferences | Advanced |
Smart Update. If
these settings do not stop automatic installs, check your 'trusted' applications
under Edit | Preferences | Navigator | Applications.
eZula & KaZaa Toptext
Sells targeted traffic based on the content of everyone's web page without
having to develop any content of their own. There is a new file sharing system
launched
in the wake of the MP3 war called KaZaa. When you install KaZaa you get a spyware
virus installed on your computer. Toptext takes control of your browser and
makes changes to everything you read on the Internet (like Flyswat), which
qualifies
it as a hacking program as well. It changes the way you'll browse forever.
NOTE: the latest version of this program also installs the following spyware agents: Cydoor, Webhancer and Newdotnet.
TopText operates with a browser to highlight words on every web page, inserting
a yellow background behind keywords that have been purchased through their
media sales company eZula, Inc. If a web user clicks on one of those yellow
highlighted words on a web page, the user is sent to the site of the company
paying the most that day for each click-through. If a user whose browser is
infected with TopText visits your web site, they will be offered links to competitor's
web sites for every keyword they find on your site for which they have a buyer.
This is not much different from the Smart Tags system that Microsoft announced
for their Windows XP browser. Media and webmaster outrage caused Microsoft
to cancel the release of that feature, for the time being that is. Several
download web sites are actively helping this kind of virus to spread, as long
as it pays, I guess. SimplytheBest.net does not. We don't like this invasion
of privacy and will not in any way assist in spreading the use of this program.
This spyware agent is very hard to get rid of so your best option is to never
download it in the first place. Look for alternatives instead that offer the
same functionality without the spyware agent.
You can remove EZula instances from the Registry:
HKEY_CLASSES_ROOT\EZulaBoot.InstallCtrl.1
HKEY_CLASSES_ROOT\EZulaBoot.InstallCtrl.1
HKEY_CLASSES_ROOT\EZulaBootExe.InstallCtrl
HKEY_CLASSES_ROOT\EZulaBootExe.InstallCtrl.1.
HKEY_LOCAL_MACHINE\Software\CLASSES\AppID\eZulaBootExe.EXE
HKEY_LOCAL_MACHINE\Software\CLASSES\AppID\{C0335198-6755-11D4-8A73-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{3D7247D1-5DB8-11D4-8A72-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{3D7247DE-5DB8-11D4-8A72-0050DA2EE1BE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\ C:/WINDOWS/Downloaded
Program Files/eZulaBoot.dll
And in HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc
Find Spec MRU you'll find an entry for EZulaboot.
And from your harddisk:
C:\WINDOWS\Downloaded Program Files\InstallCtrl.class, which mentions two files
it depends on ezulaboot.dll and ezulaboot.inf.
C:\WINDOWS\eZulains.exe
C:\WINDOWS\APPLOG\ezulains.lgc
You can use AD-aware to get rid of Toptext, but it will cause problems with
your Internet connection and so forth. Best way to go is not to download and
install ANY spyware. It's getting more difficult to get rid of them and even
to find them. After using AD-aware you can double check the Registry by doing
a Find for eZula.
You can also visit the WhirlyWiryWeb.com web site for more information on eZula
and Toptext. They also feature a script which checks if you have Toptext installed
and a complete Toptext removal guide.
Flashpoint / Flashtrack
Yet another spyware agent called FlashTrack has made its entrance into your
PC and your web surfing experience. FlashTrack's website claims that the program
monitors queries from 27 search engines in over 50 languages, and performed
by users who have mistakenly downloaded it, and pops up ads targeted to specific
search terms, which by the way seem to be emanating from the web site you just
visited. It is installed with software of which we do not know the list at
this time. FlashTrack allows the media buyer to purchase media based on any
URL visited and any keyword typed into any of the major search engines. FlashTrack
further enhances the media buy through time-of-day based ad serving, frequency
capping and seven differing web usage occasions to determine the type of web
usage being conducted by the user. All of this real-time data mining is designed
to effectively segment the optimal audience (it may be YOU). To remove the
Flashtrack spyware agent you can get FTunin.exe from the Flashpoint web site.
You can try to remove it yourself. FlashTrack installs its software in a directory
called c:\program files\ftapp. Before you delete this file, you must remove
it from the registry and restart the computer.
On Windows 95/98/Me, enter this command at the command line:
"
%WinDir%\SYSTEM\regsvr32.exe" /u "C:\Program Files\ftapp\ftapp.dll"
On Windows NT/2000/XP, enter:
regsvr32 /u "%ProgramFiles%\ftapp\ftapp.dll"
Then remove the file and the directory program files\ftapp.
Flyswat
A search enhancement for MSIE. To install and use it, Active X controls and
plug-ins in IE's security setting must be enabled. Flyswat is also bundled
with some other applications. The service logs anonymous click-streams as users
navigate the Internet. The data has no personal demographic information. Flyswat
uses the information for product enhancement and shares it with partners. Uninstall
it via the Add/Remove Programs function.
Gator
Gator helps you to fill out forms and remember usernames and passwords of sites
you frequently visit. You may even have credit card information readily available
when you wish to purchase something online. A very dangerous thing to do. Your
personal information is stored on your computer in an encrypted file. Gator
accesses this personal information, using your IP address. Gator targets consumers
based on site visitation and historical behavior. Gator provides aggregate
statistics about its customers, traffic patterns and related site information
to third-party vendors. As banners from sites you visit are being served, Gator
will show their advertiser's banners instead.
GoHip
A browser extension that installs a program called 'Windows Startup' in your
Start menu. This cutie will reconfigure your browser's setting for Startup
page. It also attaches an advertisement to every message you send and as such
works like the new Sircam virus. GoHip places a file in your Windows directory
that sets your AutoSignature, changes your search page and sets your start
page. The executable program is called 'winstartup.exe' and is usually located
in C:\Windows. You can delete this EXE and remove the Startup entry. GoHip
removal can also be done using the GoHip 'remove.exe'. Download it here. Save
it to your desktop and run it, then reboot.
Hotbar
This is a fairly new one. We received their unsolicited e-mail through one
of our e-mail addresses and it reads as follows:
Hi, I thought you might be interested in a marketing program that will place
your clients' logo and link on 4,000,000 users' Internet Explorer browsers
specifically when users visit relevant sites or search for related keywords.
Hotbar's recently released toolbar allows for this non-intrusive targeted advertising
via buttons that change while users surf to relate to the websites they visit
so for instance a Web Hosting advertiser can place their button on our bar
that will appear when users visit other web hosting sites. Alternatively we
can deliver a flash popup to any url you choose on a cpc basis. You determine
which sites you want your ad to appear on and when a user visits any of those
sites we'll send your pop up. We can generate targeted traffic for any category
of advertiser. Please contact me if you are interested in more information.
Best, E. M., Business Development Manager, Hotbar.com, Inc.
Hotbar collects and stores information about the web pages you view and the data you enter in search engine search fields while using the software (some browser toolbar you can download for free). While using the Hotbar toolbar, Hotbar uses this information to determine which ads and buttons are displayed in the toolbar and which ads to show your browser (including Flash popups). As the above unsolicited e-mail states: they can deliver a flash popup to any url the advertiser chooses. When you visit web sites with the toolbar installed (the "Service"), Hotbar collects information about the web sites you visit and the pages you view. Hotbar stores your IP address, domain name, URL of the web page you are visiting, information about your browser, information about your computer's operating system, your Hotbar cookie number and the date/time the above information is logged. When you type search terms into a search engine, the search term you entered is transmitted from your computer and stored by Hotbar. Also stored is what toolbar buttons you click on, what links within the toolbar buttons you click on, the amount of time you have used it during each session, what browser skins you have downloaded during any given session, and if you have encountered forms where you have entered your personal information, this may be stored as well (if the site you entered the information at, forwards the entered information via form scripts). Hotbar serves ads from some well known ad networks. Amazingly, this program received a 5-star rating from ZDnet?
Why would anyone want a toolbar in their browser showing advertising buttons (don't we get enough advertising in one day to last us a lifetime?) and why would anyone want the 'non-intrusive' popups with every web site visited?
Lop (C2Media)
We've been getting reports about lop.com placing spyware agents on user's systems.
We've had a look and it seems that if you use their site they collect data
using cookies (cookies are a technology which can be used to provide you with
tailored information from a Web site. A cookie is an element of data that a
Web site can send to your browser, which may then store it on your system).
The lop.com site makes use of cookies for the following purposes: user targeting
and research & development, and if you install their (toolbar' you'll get
spied on (in cooperation with DoubleClicks and the Network Advertising Initiative
(NAI) both serving the ads). To remove this toolbar: select 'Uninstall' from
the 'Help menu' of the software you installed, or if you are not sure which
piece of software you installed you can run their toolbar uninstaller available
here or use Ad-Aware. We're not clear as to what exactly lop.com does with
the data and if 'things' are served even after leaving their web site. We'd
like some more feedback on this.
Mattel Brodcast
Utilizes its DSSAgent.exe to send information from user computers to Mattel.
It also sends unsolicited information on product offerings and discounts to
users. It is mostly spread among the Mattel product lines for children.
Morpheus
Users wanting the functionality of KaZaa can download Morpheus, but Morpheus
contains spyware agents as well. Morpheus has licensed the technology of Gnutella
for use in the Morpheus program.
Realplayer
The well-known RealPlayer also seems to be full of spyware agents. We have
not tested each version ourselves, but many complaints have been coming in
about this. From what we can gather the Basic version may not be infested,
but the full version is (for which you have paid for). If you remove the spyware
agents, the program won't run anymore. To avoid their spyware agents from taking
control keep RealPlayer from loading on startup. Use a firewall when using
it on the Net. Go into Preferences and disable any option that allows the player
to call home. So, if you're in need of a media player, try downloading some
from this page.
Songspy (IMG Entertainment)
Songspy is a new music sharing program and states that it is 100% freeware.
According to Songspy, you aren't tracked, logged or monitored for analysis
by the client software. The spyware agent uses port 5190. Once it connects
to their server there is no disconnecting possible and your hard drive is openly
available for 'sharing'.
Web3000
Their ad shows up above banner ads and it travels with you to all the sites
you visit. You'll see text messages on the upper right corner of your browser,
and there are splash screens or pop-up offers, and a button in the lower right
area of your screen may try to sell you something. They analyze the number
of users, visited pages, amount of time spent there and incoming addresses.
Registering software embedded with Web3000 does not ensure the software will
stop transmitting your private information. The Web3000 network ads component
runs independent of the inflicted spyware program. The ad component allows
the network to serve you advertising in your browser whenever and wherever
you are on the Internet. Messages are delivered via browser headlines, splash
screens, status bar messages and newsletters. Web3000 replaces winsock32.dll
and other Windows system files.
WebHancer
WebHancer provides a traffic measurement service that uses a client agent that
is installed on user machines. It gathers information such as visited web page
address, web page size, web page load time, web page completion state and network
delay time. The latest version has features including cross-site and on-site
web analytics and performance analysis. The installation is hidden and triggered
by the installation of software that is bundled with it. Incorrect removal
procedures will destroy your Internet connection. The running WebHancer process
appears in the Task List of Windows as Whagent. Any of the following files
in your Windows directory indicate the presence of WebHancer: webhdll.dll,
whagent.inf, whInstaller.exe, and whInstaller.ini.
According to Webhancer you
uninstall as follows:
1. go to Start / Settings / Control Panel and double-click on the "Add/Remove
Programs" icon.
2. select the program called "Webhancer Customer Companion" and click
the Add/Remove button.
3. once the program has been uninstalled, restart your computer.
We suggest to do the following as well:
1. check your Windows directory for these files (webhdll.dll, whagent.inf,
whInstaller.exe, whInstaller.ini) and delete them.
2. delete the WebHancer folder in your Program Files directory (if still there).
Reboot if you can't delete a file called wbhshare.dll.
3. clean up your default Temp directory (used for placing files during installation).