Forget about cookies; cookies are child's play compared to the sheer nastiness of Gator or the insolence of Newton Knows Best. The more I studied them, the angrier I got, and I simply had to write an article about them to warn the unsuspecting easy prey out there.
Let's first get our definitions straight, so to speak, since there are a lot of different names floating around. Spyware is a seemingly useful software program installed on your PC that observes your actions, gathers data on your surfing habits and what you are interested in, compiles that data and sends it back to the main server. In this sense, it is similar to a Trojan horse. Adware mainly receives ads in the form of images (simple GIFs, animated GIFs) or other multimedia files. Adware can also include components which spy on users' actions. Components installed on the PC without the user's permission can be called sneakware. Spamware is essentially the same as adware: it serves unwanted ads. A lot of people (me included) have begun calling all those types simply scumware.
There are many scumwares loose on the Internet. In fact, if I looked at each and every one out there, I could easily write a whole book of 300+ pages on that subject alone and have no space left over for my main topic! That is why I have narrowed the list to the most notorious ones and the ones you are most likely to meet. Gator/GAIN is one of them.
Gator is one of the nastiest spyware around. Gator's parent company has recently changed its name to Claria Corporation (http://www.claria.com) in a vain attempt to disassociate itself from Gator, but just as in the Radiate case, they still stink just as bad. It is carried by almost all P2P file-sharing apps and free ISPs like NetZero. I can't seem to get rid of it. Every time I turn around, there is a fresh install of Gator on my system. Worse, Gator is composed of several separate modules under different incarnations and names: Gator, OfferCompanion, Trickler, GAIN, GMT.exe, CMESys.exe and quite a few others.
Gator/GAIN is marketed as a software product that will automatically fill in passwords and other form elements on Web pages, but its main purpose is to load an advertising spyware module called OfferCompanion, which displays pop-up ads when visiting some Web sites. Once installed, Gator's software never stops running, and it monitors pretty much everything a user does. The program is freely distributed by http://www.gainpulbishing.com, but it can be found in a slew of file-sharing applications, including the “most-downloaded software” on the Internet, the new KaZaa version 3.6 that came out just a few days ago and which I investigated while writing this article. In fact, you cannot even install and use KaZaa without agreeing to also install GAIN. Talk about assholes!
Gator is so insolent, here is how they justify what they do as “right”:
"We get lots of angry calls; maybe even an attorney calls up because they're angry," said Gator's Eagle. "We explain it's the consumers' right because we're invited onto the desktop. We're not changing their content; we're popping up on the consumers' desktop. Don't they advertise on TV showing competitor comparisons? The only difference is that we're more effective. The next call we get is usually from the VP of sales, saying, 'We would like to work with you.'"
In Gator's case, it can come into your PC in 3 ways:
1. pre-bundled in a file-sharing program such as KaZaa, iMesh and a few others, or
2. embedded in “freewares” such as AudioGalaxy, Go!zilla and WeatherBug, or
3. the so-called drive-by installation, using Internet Explorer's ActiveX controls, where a Web site attempts to download and install software (executable code) on the user's PC from a banner or a pop-up ad. This is by far the sneakiest way, since most average users don't have a clue about Security Zone settings and often choose Yes when confronted with a dialog, thinking the browser is simply installing a needed plug-in for the web site they are viewing. Depending on the browser's security settings, the software will either download silently without any user action, or present an install dialog.
Gator is also now available for download in separate freeware applications called eWallet and Precision Time/Date Manager, but nobody in their right mind would even use those. I personally have never met a person who has done so. When installed, Gator begins to slowly download and install other modules.
Gator has two main purposes:
1. to deliver ads to the user based on the profile it builds, and
2. to collect information on the user's habits, including (but not limited to) every page visited, the length of time spent at each site, what the user is interested in, what ads (if any) the user clicks on, any special searches the user does, any keywords entered, and any and all files downloaded. It saves all that information in a file on your computer which identifies your PC by its IP address.
The newest Gator trick is to hijack a pop-up ad from another company when users visit a competitor's Web site. This practice (which I find rather amusing, I must admit) is known as “being Gatored”. It is accomplished by selling common “keywords” to companies, the way search engines do. One e-tailer that's been bitten is 1-800-Flowers.com. When certain Web surfers visit the site to browse for bouquets, a pop-up ad appears for $10 off at chief rival FTD.com. The same sort of thing happens at AmericanAirlines.com, where a Delta Air Lines promotion is waiting in the wings. A search on http://search.yahoo.com/bin/search?p=Ford for the name "Ford" yields an advertisement from the company itself. In contrast, on http://www.altavista.com/sites/search/web?=Ford &pg=q&kl=XX&search=Search a search for "Ford" draws an ad for a Toyota truck. Ads like these find their way onto browser windows through "plug-ins" that come bundled with certain software downloads.
Keyword advertising consists mostly of selling trademark owners the rights to their own names--on a search engine, for example. But the reverse is true in many new application services such as Gator. And because the applications are downloaded with the consumer's consent, the companies say they are standing on firm legal ground, despite numerous complaints from marketing executives.
After compiling the data it collects, Gator sells it to other advertisers, who can then purchase the opportunity to display pop-up ads at certain moments, such as when specific words appear on the screen or are typed into search engines.
Gator (iegator.dll and others) is the main software, which auto-completes Web forms (something that is completely unnecessary for many users these days, since IE and Mozilla (and Netscape?) have had automatic form completion, password saving, etc. built in for some time).
OfferCompanion is the advertising spyware module. It is responsible for spying on your Web browsing habits, downloading and displaying pop-up ads, and transmitting personal information to Gator.
Trickler (fsg.exe, fsg-ag.exe, fsg*.exe) is an "install stub", a small program that is installed with the application you really wanted. (Gator almost always appears on your system due to installing other software, and not through the installer available from Gator's website.) When installed, Trickler inserts a Run key in your Registry so that it is silently and automatically loaded every time you start your computer. Trickler runs hidden and very slowly downloads the rest of Gator/OfferCompanion onto your system. It is suggested that this "trickling" is intended to slip under the user's radar, the steady, low use of bandwidth going unnoticed.
NOTE: While often named fsg.exe, Trickler can go under other similar names, such as fsg-ag.exe (installed with AudioGalaxy) or another name containing "fsg" or "trickler".
GAIN (GMT.exe, CMESys.exe, GAIN_TRICKLER_*.EXE, other files) is short for Gator Advertising Information Network, and is the newest incarnation of the Gator spyware we all know and love.
Each .exe file installs itself into a different directory. GAIN, for example, can be found in C:\Program Files\Gator\ and in the registry key HKEY_LOCAL_MACHINE-->Software-->Microsoft-->Windows-->CurrentVersion-->Run. GMT is in C:\Program Files\Common Files\GMT\ and in C:\Windows\Start Menu\Programs\StartUp\. CMiie can be found inside C:\Program Files\Common Files\.
Removing Gator/GAIN is a somewhat long and annoying process, so let's get right to it. I must warn you it involves tweaking Windows' registry, so if you don't feel comfortable doing that, seek professional help. There are several places you need to clean up, depending on how the software was installed. I will go through each step by step.
Add/Remove programs applet
The best way is to begin by uninstalling it with the Add/Remove function in the Control Panel, since simply removing it manually may leave some of the components on your PC. To do this, go to Start-->Settings, open the Control Panel, start the Add/Remove applet and hunt for GM, GAIN, Gator or any of the modules listed above.
Windows' registry
Click on START, go to RUN and type "regedit". Click "OK" to start the registry editor. There are several keys you need to check here:
First, using the directory tree browse to the key:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run
If you see CMESys and/or GMT in the right pane, delete them by right-clicking on them. Now exit the registry editor and restart your computer.
Here are the other keys you should check:
HKEY_LOCAL_MACHINE-->Software-->Microsoft-->Windows-->CurrentVersion-->Run
HKEY_LOCAL_MACHINE-->Software-->Microsoft-->Windows-->CurrentVersion-->RunOnce
HKEY_LOCAL_MACHINE-->Software-->Microsoft-->Windows-->CurrentVersion-->RunOnceEx
HKEY_LOCAL_MACHINE-->Software-->Microsoft-->Windows-->CurrentVersion-->RunServices
HKEY_LOCAL_MACHINE-->Software-->Microsoft-->Windows-->CurrentVersion-->RunServicesOnce
Three more registry keys to check: using the directory tree, browse to the following keys and delete them:
HKEY_CLASSES_ROOT\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com
HKEY_LOCAL_MACHINE\SOFTWARE\GatorTest
Programs Files directory folder
Next, locate and remove both the CEII and GMT folders on your computer. They are both located in the Program Files directory. To get there, start from My Computer, go to Program Files, open Common Files, and look inside. If you see CEII and/or GMT, right-click on them and choose Delete.
If Gator was installed by Precision Time & Date Manager, locate and delete the "WebPT" or "WebDM" folder inside "Program Files", if it exists.
StartUp directory folder
The next place to check is your StartUp folder. Windows loads every program listed there every time you start up or reboot the computer. To get there, start from My Computer, go to C:\, go inside Windows, and look for the Start Menu folder. Go inside and find the StartUp folder. See if any of the exe files listed above are in there, and remove them if you find any. This has the added benefit of making your computer boot and run faster. Note that using the program associated with a particular ad-trojan may reinstall these references, and even the ad-trojan itself; PKZip is notorious for this. (For this reason, it is important that you zap the associated adware program as well, or at least make sure nobody runs it.)
MSCONFIG
Under Windows 98 and higher, there is a program called MSCONFIG that allows you to view and enable/disable StartUp applications. This can be used (usually) to turn off auto-loading spyware components. (To run MSCONFIG if you have it, click on Start > Run, and type msconfig in the Run box.)
As you can see, msconfig is a System Configuration Utility and it's got several options you can modify. Let's now go over each one, briefly discuss what they are and what can be changed inside them.
The General tab specifies what system files your PC reads and executes while booting up. This option is useful in case of an emergency during a Safe Mode boot. Normally, most Autoexec.bat and Config.sys files are empty today, but they used to play a big role in the olden DOS days (Windows 95 and Windows 98). If you know DOS (and DOS is still extremely useful in many ways, even if Microsoft makes it exceedingly difficult for you to even run DOS programs on NT-based systems such as Windows 2000 and XP), you can peek inside those files with options 2 and 3 and remove any lines you don't want or don't think you need. A good idea, instead of removing the lines, is to just place a REM in front of them.
System.ini and Win.ini are more Windows configuration files, telling it how to boot up. I suggest you don't mess with them unless you really know what you are doing. Instead, concentrate on the last tab, Startup.
The Startup tab is another, more advanced way to tell Windows what software to run when it boots up. Personally, I like to keep mine as clean, tidy and program-free as possible. I have seen people's computers with at least 30 lines inside Startup, all from various software packages, that did nothing for the user except take up memory. I had to argue with a client several days ago, trying to convince him that Microsoft Office does not in fact need to be inside Startup and that yes, he would still be able to use Office any time he wanted. Talk about ignorance not being bliss!!
Here's how my Startup tab looks:
All empty, huh? How does yours look? Can you justify why all of the programs listed in there have to begin at boot-up time? Do you know what each program is and what its function is? Don't you think you should?
Newton Knows Best is another very annoying spyware, or scumware, or whatever you want to call it, that gets installed in a variety of ways, including with several file-sharing programs. One of them is Grokster. I read about Grokster, one of the most spy-whatever-ware-infested P2P services, so I decided to see if it was really as bad as the writer claimed. I'm sorry to report it was worse.
When Grokster ran for the first time, a separate program popped up, asking me what my country and zip code were. It was called Newton Knows Best. Since I didn't remember allowing it to install, instead of just removing it, I decided to observe what it was and what it would do. What I discovered left me so mad that I took the time to write to the company and tell them how I really felt. I'm afraid I wasn't very nice either, heheh.
I did a quick search on Newton Knows Best but couldn't find much. Newton bills itself as a personal search companion and claims it will help us get the most out of the Internet. Here is what one of the few web sites that mention it, http://www.newfreeware.com/internet/711/, says:
We designed NewtonKnows based on user functionality and benefit. As you surf the web, Newton sits discreetly in the background, waiting to fetch relevant content for you. As soon as he digs some up, the Newton suggestion window slides up and presents his top finds. For example, "My Auction Items" fetches eBay auctions for your favorite items. Newton further enhances your browsing experience by delivering related content links directly into his toolbar. Newton quickly connects you to your favorite shopping, music, travel sites and more. With its built-in auto-update feature and our continuing commitment to quality, Newton will continue to evolve, and so too will your surfing prowess. Plus, with the ability to request your favorite new feature, NewtonKnows is destined to become your ultimate internet search companion.
"If Newton finds anything relevant while I am using the Internet, he'll let you know by showing you a small link in the corner of your active browser window. If you like what he's found, just click the link and Newton will take you there, if not, the link will disappear after a few moments."
It gets installed into:
HKEY_LOCAL_MACHINE\Software\Virtualmundo\Program\Newton Knows best
It seems to have added an extra bar to my Internet Explorer without even asking me if I would allow it to do so. I had a bit of trouble removing that bar. I found Newton while running Process Explorer, and when I launched Netscape, Newton jumped up and started too. It even booted the self-updated Newton exe. I was aghast. This is yet another of the countless shameless companies who surreptitiously install software on my PC without asking me first, then begin to monitor my surfing habits.
When a targeted site is visited, NewtonKnows sends a request back to its controlling servers that includes the hostname of the site being viewed and a unique ID. This can be used to track your usage of different web sites.
If you were dumb enough to have entered an e-mail address at the time of install, such a browsing record is personally identifying. The privacy policy explicitly allows NewtonKnows's makers to combine personally identifying web usage records with other databases (which might include, for example, addresses and telephone numbers), and to use this database for marketing.
NewtonKnows also has a silent self-updating feature which allows its controlling server to execute arbitrary unsigned code on your machine. Oh yeah, I LOVE this feature!
Removing Newton Knows Best is somewhat difficult, since it places a key inside the registry and installs itself in several places. Run a search via Start-->Find, and uninstall Newton rather than just deleting it. Hit the same places I outlined above for removing GAIN/Gator.
The Control Panel's Add/Remove Programs entry should remove NewtonKnows fully. Do not attempt to delete the files manually: incorrect removal of the LSP (Winsock Layered Service Provider) used by the software will result in a broken network connection.
SaveNow is one of the newer scumware applications trying to give GAIN a run for its money when it comes to sheer annoyance. When installed and running, SaveNow appears as an advertising toolbar that monitors/tracks what sites you visit and what you are doing online, and pops up separate browser windows with targeted advertisements, special offers or sponsored "deals" when products, shopping and the like appear on those sites. It also observes any terms entered into forms. SaveNow gets installed into the Startup folder so it begins running the moment you boot the computer.
Here is what the honest businessmen who distribute SaveNow have to say about their “product”:
There are a vast number of offers and services available to Internet users that SaveNow may display. In addition, WhenU.com negotiates exclusive offers to maximize value for users. SaveNow's goal is to show users information about these offers and services - right at the moment when they need it. For example, if you visit a search engine and type in "long distance", you might get an offer for SmartPrice - a site that we found to be the best for comparing long distance plans. If you visit a travel site, we might show you how to save 40% on travel at Hotwire. If you visit a retail site, you might see a coupon that can be used for online savings.
To read more of their wisdom or maybe tell them how you really feel about SaveNow, visit their web site at: http://www.whenu.com/about_savenow.html
Distribution
SaveNow is distributed in several ways, just like GAIN/Gator.
1. It can come pre-bundled in file-sharing applications such as BearShare, iMesh and many others.
2. Software video players such as the extremely popular DivX player now carry SaveNow. The DivX player is used to play movies encoded with the wildly popular DivX codec. The RadLight video player is another program that carries it.
3. A pop-up advertisement can install SaveNow via a simple ActiveX control. This way the user doesn't even know when SaveNow has been added to his/her system or which Web site is responsible.
4. All the software distributed by Galt Technologies comes pre-bundled with SaveNow.
SaveNow/Download comes bundled with a "WhenUDownload" ActiveX control.
SaveNow/B comes without the WhenUDownload component.
SaveNow/Save is a new version, rebranded as 'Save!', which works in the same manner.
SaveNow/Db is the same as the Save variant, but includes an ActiveX 'marker' control to prevent it being installed twice.
SaveNow/WUInst is an installer for the Save variant.
The Download, Db and WUInst variants of SaveNow can be detected by the script at this site; B and Save cannot.
The Db and WUInst variants are also installed by drive-by-download in pop-ups, often coupled with 'ClockSync' or 'WeatherCast'.
SaveNow keeps a list of the URLs and terms it is interested in on disk, in the file 'SaveNow\savenow.db' in Program Files. This file is obfuscated, but it is trivial to decode. The (large, often over a megabyte) file maps from these targets to the adverts to serve, which are downloaded through Akamai's proxies.
As well as downloading the pop-up ads, SaveNow connects to WhenU's servers to log the ad impression. It passes the name of the affiliate software which installed the software, the ID of the advert being shown, and the site URL or term that caused the pop-up to be triggered.
No cookie is set on these accesses, so at the moment users are not being tracked across sites visited.
The WUInst variant can be used by any web site to download and install SaveNow or other code from WhenU.
It can also cause frequent crashes.
SaveNow/B can be removed from the 'SaveNow' entry in the Control Panel's 'Add/Remove Programs' option. SaveNow/Save can sometimes be removed from a 'Save' entry in Add/Remove Programs.
SaveNow/Db does not provide an Add/Remove Programs entry and must be removed manually. SaveNow/Download may be removed through the Control Panel, but leaves an ActiveX control behind, see below for removal.
SaveNow often also installs 'WeatherCast', a system tray icon that displays the current weather conditions, and/or 'ClockSync', a trivial NTP client. Unless you find these useful for some reason, you should probably also remove them from Add/Remove Programs.
Ad-Aware and Spybot S&D can both remove SaveNow. At the time of writing, neither will remove the ActiveX object of the Db or WUInst variants.
Open the registry (Start->Run->regedit) and find the keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Whenu
Delete the 'SaveNow' or 'WhenUSave' value. Reboot and you should be able to delete the 'SaveNow' or 'Save' folder inside 'Program Files'.
To remove the ActiveX objects installed by the Download and Db variants, open the 'Downloaded Program Files' folder inside the Windows folder, and delete the SaveNow object. Its name is 'WhenUDownload' in the Download variant, 'FC327B3F-377B-4CB7-8B61-27CD69816BC3' in the Db variant, and 'E2F2B9D0-96B9-4B25-B90C-636ECB207D18' in the WUInst variant.
http://www.trafficvendors.com sells advertising on the system. They advertise their services through junk mail (spam).
Even Microsoft has an advisory listing stability problems associated with it.
Ucmore
is an Internet Explorer toolbar. When shown, it displays links to other sites it deems appropriate and similar to the current page the user is viewing.
Taken from http://www.ucmore.com/product5.htm:
"Our software is completely safe to install and use: It is unobtrusive, easy to deactivate and remove, and does not transmit any information in a manner that can identify a user. Most importantly, UCmore does only what it's supposed to do - help users search and surf more effectively - and so it cannot be classified as "Spyware" even under the broadest definition.
Unlike other, disreputable Internet programs, UCmore DOES NOT spy on your browsing habits. URLs of pages you visit are sometimes sent to the UCmore server, but only to allow generation of relevant categories. The information is then promptly erased. To ensure your anonymity, there is no unique ID that can distinguish one user from another."
“Sometimes”? How often do you mean by “sometimes”? Every five sites? Every ten? Huh?
“UCmore may even prevent the use of search engines in many cases by predicting your information needs and then presenting you with subjects that you may not have considered initially, but then realize their importance to you.”
Gee, isn't this nice of them? And they do that out of the goodness of their hearts, right?
Another name it is known under is ucmie, after the DLL containing the code.
What does it do:
As is the case with other scumwares, UCmore is a multipurpose application. It saves, compiles and sends every URL opened by the user to the servers at users.ucmore.com, together with a unique user ID. It brings ads to your PC. Those ads may or may not be targeted, but they are "injected": they are not merely displayed within an ad-sponsored application, but also via pop-ups. The company that produces it is called Effective-i Inc.
Distribution methods:
UCmore is distributed with FreeWire, a file-sharing application, VCatch, and other ad-supported products.
UCmore gets installed into the following Registry keys:
HKEY_LOCAL_MACHINE\Software\UCmore
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ucid
HKEY_CLASSES_ROOT\clsid\{53cbee82-d747-11d3-9ed0-005004189684}
HKEY_CLASSES_ROOT\clsid\{ed8db0fd-d8f4-4b2c-bb5b-9ef040fe104d}
HKEY_CLASSES_ROOT\interface\{67f59627-8b6d-4643-97f3-1c58b28d8b17}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{ed8db0fd-d8f4-4b2c-bb5b-9ef040fe104d}
HKEY_CLASSES_ROOT\typelib\{c347eca2-ef7d-46ba-ae8e-92a10e559514}
HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser\{53cbee82-d747-11d3-9ed0-005004189684}
HKEY_LOCAL_MACHINE\software\classes\clsid\{53cbee82-d747-11d3-9ed0-005004189684}
HKEY_LOCAL_MACHINE\software\classes\clsid\{ed8db0fd-d8f4-4b2c-bb5b-9ef040fe104d}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{53cbee82-d747-11d3-9ed0-005004189684}
HKEY_LOCAL_MACHINE\software\microsoft\windows\ucid
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{ed8db0fd-d8f4-4b2c-bb5b-9ef040fe104d}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ucmore
HKEY_LOCAL_MACHINE\software\microsoft\windows\ucid
HKEY_LOCAL_MACHINE\software\ucmore
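As an added example (not the article's own tool, and not code from any of the companies named), here is a small Python audit that reads a registry export the same way the removal steps above read regedit: it walks the CurrentVersion Run, RunOnce, RunOnceEx, RunServices and RunServicesOnce keys listed in the Gator section and the Browser Helper Object and toolbar CLSID keys UCmore registers, flags entries that name the files and products discussed, and resolves a BHO CLSID to the DLL Internet Explorer would load for it. The .reg text inside is constructed for illustration; the file names, product names and CLSIDs it matches on are the ones given in this article.

```python
r"""Audit a Windows registry export (.reg) for the autostart and browser-hook
locations this article walks through (the CurrentVersion\Run* keys, Browser
Helper Objects, Internet Explorer toolbars) and flag entries that reference
the scumware it names.  Added example, not the article's own tool.  The
sample export below is constructed for illustration, not taken from a PC."""
import re

# Autostart subkeys under ...\Windows\CurrentVersion that the article checks.
AUTOSTART_KEYS = {"run", "runonce", "runonceex", "runservices", "runservicesonce"}

# File and product names the article associates with each family.
INDICATORS = {
    "gator/gain": re.compile(
        r"\b(gmt|cmesys|gain_trickler\w*|fsg[\w-]*|trickler)\.exe|gator", re.I),
    "cydoor": re.compile(r"cd_load\.exe|cydoor", re.I),
    "savenow/whenu": re.compile(r"savenow|whenusave|whenu", re.I),
    "ucmore": re.compile(r"ucmore|ucmie", re.I),
}

# CLSIDs the article lists for UCmore's toolbar/BHO and for Gator (lower-case).
KNOWN_CLSIDS = {
    "{53cbee82-d747-11d3-9ed0-005004189684}": "ucmore toolbar",
    "{ed8db0fd-d8f4-4b2c-bb5b-9ef040fe104d}": "ucmore browser helper object",
    "{21ffb6c0-0da1-11d5-a9d5-00500413153c}": "gator/gain",
}

# Constructed sample of what "regedit /e" produces (REG_SZ values only).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"CMESys"="C:\\PROGRA~1\\COMMON~1\\CMESys.exe"
"Cydoor"="CD_Load.exe"
"SaveNow"="C:\\Program Files\\SaveNow\\SaveNow.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"trickler"="C:\\WINDOWS\\TEMP\\fsg-ag.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ed8db0fd-d8f4-4b2c-bb5b-9ef040fe104d}]

[HKEY_CLASSES_ROOT\CLSID\{ed8db0fd-d8f4-4b2c-bb5b-9ef040fe104d}\InprocServer32]
@="C:\\Program Files\\UCmore\\UCMIE.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{53cbee82-d747-11d3-9ed0-005004189684}]
"""


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg
    export.  dword:/hex: values and their continuation lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        if not (data.startswith('"') and data.endswith('"')):
            continue  # not a string value; irrelevant for autostart auditing
        keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def inproc_dll(keys, clsid):
    r"""Resolve a CLSID to the DLL Internet Explorer loads for it, via
    HKCR\CLSID\{clsid}\InprocServer32 (UCMIE.dll in the article's case)."""
    for key, values in keys.items():
        parts = key.lower().split("\\")
        if len(parts) >= 2 and parts[-1] == "inprocserver32" and parts[-2] == clsid.lower():
            return values.get("(Default)")
    return None


def audit(keys):
    """Return findings as dicts with key, value, data and reason."""
    findings = []
    for key, values in keys.items():
        parts = key.lower().split("\\")
        # 1. Autostart keys: any value whose name or command references a family.
        if parts[-1] in AUTOSTART_KEYS and "currentversion" in parts:
            for name, data in values.items():
                for family, rx in INDICATORS.items():
                    if rx.search(name) or rx.search(data):
                        findings.append({"key": key, "value": name, "data": data,
                                         "reason": f"autostart entry for {family}"})
                        break
        # 2. BHO / toolbar registrations: known CLSIDs are named; unknown ones
        #    are still reported so the reader can review them by hand.
        clsid = parts[-1]
        if clsid.startswith("{") and ("browser helper objects" in parts or "toolbar" in parts):
            label = KNOWN_CLSIDS.get(clsid, "unknown CLSID, review manually")
            findings.append({"key": key, "value": clsid, "data": inproc_dll(keys, clsid) or "",
                             "reason": f"browser hook registered: {label}"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print(f"{f['reason']:48} {f['key']}\n    {f['value']} = {f['data']}")
```

Run it against a real export made with regedit's Export function to get the same listing for your own machine; the Startup folder the article also mentions is a filesystem location and is not covered by a .reg file.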
Removing UCmore is a long and bothersome process, as you can easily see from how many places it puts its tentacles into.
The running processes you need to stop/eliminate are:
ucmoreiex.exe, which can be found in Program Files\Common\vcatch\, and unwise.exeunwise.exe (notice the double naming), which is in Program Files\ucmore\
Program Files\ucmore\ucmie.dlliucmore.dll
The Add/Remove Programs option works reasonably well but leaves behind an empty 'UCmore' folder in Program Files, and keys HKEY_CLASSES_ROOT\53CBEE82-D747-11D3-9ED0-005004189684 and HKEY_LOCAL_MACHINE\UCmore in the registry.
If you have no Add/Remove Programs entry available, you will first have to deregister the DLL. For Windows 95/98/Me, open a DOS window and enter the following command:
"%WinDir%\SYSTEM\regsvr32.exe" /u "C:\Program Files\UCmore\UCMIE.dll"
Or, for Windows NT/2000/XP:
regsvr32 /u "%ProgramFiles%\UCmore\UCMIE.dll"
(If your Program Files directory is called something else or is on another drive, you will have to change the commands accordingly.) After a machine reset, you should be able to delete the UCmore folder.
I don't need to see more. I don't want to see u more. Sorry. Bye bye, Ucmore.
Cydoor seems to be a fairly popular scumware, since it has been found in over 400 “innocent” applications, including the famous KaZaa and iMesh. Here is their official description:
The Cydoor Technologies delivers highly targeted advertising directly to desktops in advertising enabled software applications. Over 2,000 software products are distributed for free to users who agree to accept advertising and to provide Cydoor with detailed demographic information. This highly successful online and offline advertising solution now reaches over 10 million active desktops, providing advertisers with the power to target virtually any demographic audience. Cydoor's SoftClick Optimization Engine ensures that advertising is delivered to the precise target audience.
Their main page is at http://www.cydoor.com/Cydoor/.
Here is what Cydoor does:
Stays resident in background
Stealth: hides itself from user
Shows advertisements
Downloads executable code
Transmits email address (if supplied) to Cydoor only.
Transmits advertising metrics (ad displays, clicks, etc.)
Transmits user-supplied demographic information (if supplied) to Cydoor. Shared with others in aggregate.
Uses a GUID to track users across sessions (depending on version; the current version no longer includes a GUID)
Uses cookies
Connects to the Internet all by itself and sends the collected information back to their home base.
You can find Cydoor in the following directory: C:\WINDOWS\SYSTEM\ADCACHE\ as the files:
CD_CLINT.DLL
CD_GIF.DLL
CD_HTM.DLL
CD_SWF.DLL
CD_LOAD.EXE
It also gets installed into the following registry keys:
HKEY_LOCAL_MACHINE\Software\Cydoor\
HKEY_USERS\DEFAULT\Software\Cydoor
To manually remove Cydoor,
2. Delete the ADCACHE folder and its contents (usually found under C:\WINDOWS\SYSTEM\).
3. Remove Cydoor and Cydoor Services from the Windows Registry. The following Cydoor keys were added in my Windows 98 Registry and are shown for reference only:
HKEY_CURRENT_USER\Software\Cydoor\
HKEY_CURRENT_USER\Software\Cydoor Services\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Cydoor=CD_Load.exe
The easiest way to avoid parasite programs is to stop using Internet Explorer, because the majority of scumwares:
a) depend on it to get installed and run;
b) target IE, since it is what many of the companies who produce the scumwares aim at;
c) IE is full of holes.
Never, ever click 'Yes' to a 'Do you want to download and install?' prompt unless you are 100% sure the people who made it are trustworthy. The best solution is to install another browser such as Mozilla, or learn Linux and forget about Windows altogether!
1. Begin using a process observer that shows all the software currently running on your system at all times. I can easily find and monitor any of these programs using the great and free Process Explorer from http://www.sysinternals.com/ntw2k/freeware/procexp.shtml. Using it, I discovered that GAIN, Gator, whatever you want to call it, writes to the following files:
c:!windows!cookies!, c:!windows!history!history.ie5!, c:!windows!temporary internet files!content.ie5! C:\WINDOWS\COOKIES\INDEX.DAT, C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT, C:\WINDOWS\TEMPOR~1\CONTENT.IE5\, 0C:_WINDOWS_Cookies_index.dat, C:_WINDOWS_History_History.IE5_index.dat, C:_WINDOWS_Temporary Internet Files_Content.IE5_index.dat
2. Set up and configure a good firewall. Make sure you monitor all the incoming and outgoing connections your computer makes. Forget about ZoneAlarm: it's not good enough and it doesn't do much. I tested it several times, trying to figure out why so many people liked it; I think the main reason is that it is free.
3. Run a weekly check on all the places I mentioned: Windows' StartUp folder, the Registry's Run keys, msconfig. Keep them clean. There are so many scumwares confronting the average computer user today that it's easy to become overwhelmed! Worse, new ones are coming out daily!
4. Keep up with them by reading sites such as http://www.cexx.org, http://www.doxdesk.com/, http://www.searchlores.org, http://www.parasiteware.com/, http://www.spywareguide.com, www.spychecker.com and others; alt.privacy.spyware is also a good Usenet group. You can use the Google interface at http://groups.google.com/groups?q=alt.privacy.spyware to access it directly.
5. Practice some self control and stop downloading and installing all the new hot P2P apps your buddies told you about.
This is just a small introduction to the world of the most prevalent scumwares. If you want an easier and automatic way to deal with scumwares, read the chapter on using free applications to find and remove scumwares from your PC.