Adware, Spyware and other unwanted "malware" - and how to remove them
If you have a program that's
bothering you at start-up, go here for info on
getting rid of it.
Xupiter Class-Action Lawsuit
A computer user has gotten so annoyed by Xupiter's auto-installing crud,
he is taking the bastards to court and invites all others thusly afflicted
to join in. Read more in
this discussion thread.
Messenger Service Spam
Be on the lookout for Messenger Service Spam. This looks like all the usual
crud you receive in your email (enlarge your whang, herbal viagra, university
diplomas, mortgage etc.), but appears on your desktop in its own window while
you're online. This is done by spammers exploiting Windows Messaging, a service
present on Windows NT/2000/XP machines.
This page has instructions to turn this service off and thwart the spammers.
If for some reason you need Windows messaging enabled, you can use a firewall to block outside messages as described in this
MS Knowledge Base article.
Pest Database coming soon
Coming Soon (probably): A
comprehensive, searchable database of malware will replace the (disorganized,
incomplete, poorly-categorized) list below. You will be able to search for
specific behaviours (e.g. "displays popup ads"), types of pests, search for
suspicious filenames, etc., as well as obtain detailed information about
the malware's author and what it does.
The following list
is large and (for now) poorly-organized. You can use your browser's Find
feature (Ctrl-F on many systems) to search for a specific product.
components that are installed by some "shareware" products (and sometimes,
legitimately purchased commercial software) and may collect personal information
from your computer. These "adbots" are usually tied to a dodgy shareware
program you have installed.
- TSADBOT (tsadbot.exe) AdGateway by TimeSink / Conducent
- Aureate/Radiate spyware DLL ADVERT.DLL by Aureate
/ Radiate AdSoftware Network
- FluxPC AdPipe
- DSSAGENT (dssagent.exe) Brodcast by Broderbund (tags
along with some Mattel/Broderbund software)
- CyDoor "Ads On Software (tm)" - Comes with many ad-enabled
products including KaZaA.
- Web3000 (MSBB.EXE)
aka. N-Case - Dastardly advertising spyware that overwrites your wsock32.dll
system file, and may transmit lists of URLs you visit. See
Power! Reference and Network World Reference.
- Flyswat: See
- TransCom's BeeLine
- NewsUpd.exe - "News Engine Update Application" -
Creative Labs advertising software installed with SoundBlaster (tm) and perhaps
- Codehammer Message Mates
- BonziBuddy - A talking
gorilla/parrot/etc. "software companion" targeting children. Silently installed
with some other software, and difficult to remove. See
- OnFlow - Installed
by BearShare among others. The company that makes this beastie
describes its purpose fairly well
on its own :) It is a browser plug-in designed specifically to display advertising,
usually of the large, loud and flashing variety.
- SaveNow (WhenUShop)
- Installed by BearShare among others. Put quickly, an advertising toolbar
that monitors what sites you visit and pops up sponsored "deals" when products/shopping/etc.
appears on those sites. Microsoft provides
- Gator "Trickler" (fsg.exe / fsg-ag.exe), OfferCompanion
- installed by AudioGalaxy among others.
- PhoenixNet - Spyware embedded in your system BIOS!
- WNAD.EXE - secretly installed background task that
goes online to transmit personal information and display stealth popup ads.
Installed by the "Yo Mamma, Osama" game from TwistedHumor.com, as well as
the SwapNut file sharing utility.
Data Transponder a.k.a. VX2 / RespondMiter / Sputnik
/ NetPal / Aadcom. This many-named piece of spyware is installed
as an IE Helper (BHO) by third-party software OR website visits, and pops
up ads continuously while you surf.
- FlashTrack (FTAPP.DLL)
- An advertising spyware module (BHO) installed with the iMesh filesharing
client. More information and removal procedure are
Flagged as a Trojan by McAfee.
- dlder.exe - An advertising trojan that is installed
by Grokster (1.33), Bearshare (2.4.0b7), LimeWire (2.02), Net2Phone (unspecified
versions) and KaZaA (unspecified versions). The spyware itself comes
from ClickTillUWin.com. Taking the torch from even the worst advertising
spyware to date, this one creates a fake Explorer executable and process
to hide its activities.
More information here. Some antivirus manufacturers
have listed this as a virus or trojan horse: TROJ_DLDER.A.
- ADP.EXE - Another spyware,
distributed with LimeWire(?) and others. Appears to be an installer of Bargain
- BARGAINS.EXE (Bargain
Buddy) - Advertising spyware installed with Net2Phone and some versions
of LimeWire. Appears related to ADP.EXE above. More info at
- bdeviewer.exe (B3D
/ BrilliantDigital Projector) - A "3D Web Animation" advertising-display
plugin, similar to Onflow, as well as a distributed computing client that can
sell your hard drive space, CPU cycles, and bandwidth.
Installed by KaZaA/Morpheus and probably others. Additional story here. Removal procedure here. This product, along with the SecureInstall
software of Altnet (a subsidiary of BrilliantDigital), have been labeled
spyware by some sources, a claim which BrilliantDigital disputes.
- EverAd - No information
- Expedioware - No information
- adshow.exe - No information
- HelpExpress / Attune
(HXIUL.EXE) - Appears to be advertising spyware that displays sponsored
ads, e.g. "Buy toner"/etc. messages when you use your printer. No additional
information available at this time. Remove by uninstalling "HelpExpress"
and "Attune" under Windows' Add/Remove Programs.
- Gator GAIN (GMT.exe,
CMESys.exe, GAIN_TRICKLER_*.EXE) - Pops up advertising, apparently a new
Gator product. A security hole in some versions
allows Web sites to install arbitrary software on your
computer. This URL will detect GAIN. Gator recommends on its Web
site to contact support(at)gator.com for removal instructions. Gator
software may be quietly installed by drive-by
- Wurld Media / Morpheus
Shopping Club (bpboh.dll / mbho.dll / MSCStat.exe) - Installed by Morpheus,
the "no spyware" (ya, we believe you) filesharing tool. Sneakily redirects
IE through advertisers' referral links when certain sites are visited in
your Web browser. More details
- NE.EXE (Network Essentials
/ SmartPops) - Displays stealthy popup ads while surfing the Web or using
search engines. Wow! To hear it from them, this is the
best service on earth--boy
are they helpful. Remove by uninstalling "Network Essentials" in Add/Remove
Programs. I have seen reports of this being installed simply by visiting
certain Web sites.
- dw.exe, Movie Network.exe
(Downloadware / Mediacharger / Movienetworks) - Displays lots of popup ads
as you surf; Mediacharger may also function as a
1-900 #s for billing of adult movie downloads. Check for removal entries
in Add/Remove Programs. Some removal instructions (may or may not work?)
I have had reports that the program will try to deter uninstallation by telling
you that doing so will mess up your browser. It is, however, bluffing.
- ofrg.dll (FavoriteMan)
- Installed by unknown means, possibly by NetPal spyware. More information
here. One of its co-bundled products may be a homepage hijacker.
- ctbclick.exe (ClickTheButton)
- Installed by (NetPal),
parasite, and some versions of KaZaA. More information here.
- JavaRun.exe (Etraffic
/ TopMoxie) - Marketing software installed by products from "loyalty marketing
partners", that pops up ads and coupons when you visit certain Web sites.
TopMoxie description and info
to this site, partner software must be removed before an entry for TopMoxie
will appear in Add/Remove.
has the scoop on this, it is an infector for the infamous
Lop.com portal-potty. It reportedly modifies your browser preference settings
to place Lop.com as your start page, adds crap links to your bookmarks,
changes your desktop and adds a spyware plugin ("Swish Browser Helper").
- openme.exe (xww.de
?) / Fast Download / Full Downloader - Loads at startup and pops up porn
ads ("Live Chat mit Cams!") after about 20 minutes, according to this post
in the message boards. May also try to install a dialer. To remove, find
and delete openme.exe in your Windows directory, and remove it from your Registry's
"shell=" line as well.
- Radlight DivX Movie
Player - The nature of the software itself is unknown. However, it will
intentionally search out and delete AD-Aware from your
hard drive, then dump a number of malware products on your system. This
puts it on the level of a VIRUS in my book; such a behaviour is completely
- NETBUIE.EXE (Unknown)
- Source unknown. Places itself in C:\windows\system and adds a startup
reference to the Registry. Continually loads porn popups (www.sexysquirter.com
et al) while the machine is switched on.
- INetSpeak - Bundled
with the Music Magnet file-sharing tool, installs a permanent ad banner into
IE. Installs as a Browser Helper Object. Remove using a
BHO remover, by disabling BHO42602.clslnetspeak
or similar. See write-up here.
- plg_ie0.dll - More
Lop.com crap, this one is a BHO that sends your browser to their site for
most any IE error page (e.g. "The site cannot be found" becomes instead
a bunch of useless lop.com links). See SpywareInfo's
- Netbroadcaster(?) -
Related to Movienetworks (same registrar, IP block, etc.). There is reported
to be a malware product by this name. No additional information available.
- Unknown (ftp_back.exe,
istabm.exe, bm_insta.exe, attnvg.exe, createsw.exe, driverpg.exe) - Suspected
ad/spyware programs. Implicated
here. No additional information available.
- AdBreak (kvnab.dll)
- The name implies an advertising program, but has not been observed in action.
May be installed by a trojan. Some info
- PAgent, Vegas Palms
Casino (MicroGaming), KFH, MediaLoads, WinEME - sub-parasites installed by
DownloadWare, include casino gaming apps, ad programs and an unknown email-sending
background task. Info and removal help
- HotBar - an advertising
toolbar that spies on sites visited and the contents of forms you fill out.
Installed by IMesh. More info
- OnlineDialer (VLoading / Download
class and other variants) - A loader or "trickler" that is used to download and execute arbitrary
programs, typically dialers, on your PC. More info
- EchoBahn.com BookmarkExpress
(BMupdate.exe) - A program bundled with scanner drivers (!?) that allows
you (and marketing partners(!)) to manage your bookmarks from anywhere, and
pops up ads at you. The service itself has since been discontinued, and it
is recommended to delete this file.
- wbeCheck (pbsysie.dll / Floid.dll / wbeCheck.exe) - Spies, and modifies the contents of
HTTP traffic in IE. More info
- HuntBar - A browser toolbar and homepage hijacker. See its listing below, under Homepage Hijackers.
- Tgdc.exe / shopforgood.com - An affiliate link stealer similar to Wurld Media. More info
- CnsMin / 3271.com - A Chinese keyword-lookup
program, possibly similar to QuickClick? Does not appear that harmful, but
is very difficult to remove and re-installs itself even while you are still
removing it. More info
- Search-Explorer - Another useless Browser Toolbar. Displays popup ads and places some cookies on your machine. More info
- WINSERVS / PurityScan / sear1.exe
(winservs.exe, winservn.exe, etc.) - On first running, scans your IE cache/history/cookies for
files with porn-words in them and displays a list of any found. Also drops
in a background program (winservs.exe) that constantly loads popup ads when the computer is running.
- SmartAd (Cybersurf / www.cia.com) (file names unknown) - Canadian advertising program that "enables
true one-to-one targeting of advertising messages against audiences defined
by demographics, psychographics, lifestyle or location". The company boasts
that its software's ads "can never be covered up, moved offscreen, or otherwise
disabled." This product appears targeted mainly toward Internet kiosks and
"free internet access" companies, not end-users. The company also hypes an
"ad player" format similar to Onflow
- Permissioned Media (friendgreetings.com / cool-downloads.com / WinSrv
Reg / OTMS.EXE / winservc.exe)
- Another company that hawks those infamous "online greeting cards".
The catch? To view the greeting card, the site attempts to install a 1+
megabyte application that will (unless you carefully read the license
agreements and click "NO!") spam everybody in your Outlook address book
with phony greeting cards and ads for their service, then place
advertising spyware on your computer. The spyware will collect your
name, email address and surfing habits, popping up ads and delivering
HTML spam to your email address. Removal: Go to Add/Remove Programs and
remove "Friend Greetings" and "WinSrv Reg". Possibly the first spyware
program that lists "minimum 64MB memory" in its system requirements,
and attempts to forbid linking to their Web site. It seems this company may have gone out of business--their web site / domain has ceased to be.
/ WhenUSave (SAVE.EXE) - Installed by some "free" software including Radlight
Media Player. A removal reference is placed in Add/Remove Programs, but warns
that removal will also disable the program (e.g. media player) that it was
installed with. Appears to be a rebranded version of the SaveNow advertising
Stealth components and
background processes that may violate your privacy or expose your computer
- BESS, the notorious
censorware program, caught spying on children's
surfing habits and selling the information.
Details at ZDnet.
- "The Red Sheriff" Java Applet from imrworldwide.com
- A CD copy-protection program and more. Messes with the system, may interfere
with Internet connection and use of CDRW drives. More info
and shareware apps that may transmit personal information or expose your
computer to attack, under the pretense of providing a useful service.
Once one of these nasty
ad-trojans worms onto your system, it will constantly reset your homepage
(and maybe Search, etc.) to where they want you to go. You can't change
- General Homepage Hijacker info
- Gohip.com "Browser
Enhancement" (Hijacker): More information on this is available at
(the newest venture of "Spam King" Sanford Wallace) Hijacker.
See this article for details.
- United Parcel Service
(UPS) - see this
- Rockstar Software's
"Gearbox Connection Kit" used by some ISPs, a tool to let the ISP auto-setup
or update users' connection settings, will reportedly attach to the browser
and change the IE homepage back to the ISP's every time the browser is started
(more info). Rockstar Software clarifies that the
software isn't "evil" or a security concern,
and provides this simple procedure for changing
the homepage on a computer using Gearbox Connection Kit. This software, unlike
others listed here, does not appear to be malicious in nature.
page to undo the hijacking.
(a bogus porn site consisting entirely of blind links to a referral script)
hijacks the IE settings using a .jse file as well as a .tmp file loaded
in at startup with Registry Editor. (Search for and remove .jse files, remove
the start-up trash from the registry)
also hijacks, and even points IE's DNS Error and other error pages to lop.com.
If you can't get rid of this as your homepage, download their two (!) uninstallers,
remove homepage hijacking and remove the Lop.com
Reportedly, lop.com may also alter the Domain field of your DNS configuration,
visible by clicking Start > Settings > Control Panel > Network >
(name of adapter) > DNS Configuration . There is also an unconfirmed report of it altering the domain suffix as well.
- Unknown portal potties
(redirecting to goto.com, topsearcher.com, et al) - add files with names
such as: sps.dll, sp.dll, sp.reg, sb.dll or similar to your system. In your
StartUp folder you will see one or more lines such as: "regedit
-s c:\windows\sp.dll". To fix, delete/rename the files appearing in this manner in the
StartUp folder, and (optionally) remove the entries from the StartUp folder.
These are actually Registry files that are loaded in at startup via Registry
- save this registry file and
double-click on it to un-hijack your settings. This will remove the stuff
that auto-changes your settings on startup and restore your IE defaults (e.g.
MSN start page). If you prefer other settings, you can right-click the file
and Edit..., and change the homepage settings to your liking before clicking
- no verified fix yet. Possible fix (from examining suspect "Uninstall"
binaries from the site): Find and delete the files: gshp.vbs,
- Bonzi Buddy
- Unconfirmed, but it is reported that the Bonzi software will change your
homepage, and if you change it back, pop up a "Would you like to change your
homepage (back to Bonzi's)". Whether you select yes or no, your homepage
- Delete WINSYS.VBS (or .VBA), win0.txt,
win1.txt from your Windows
directory. Also find and delete the program that is loading them, which may
be under a random name (in one case it was "zzgghh").
- A browser toolbar and hijacker. Believed to be a drive-by download. Reportedly,
even redirects "My Computer" and "Control Panel" to their site. Close IE,
use Find to search for "MSIETS.DLL", and write down the path to it. It is
normally "C:\Program Files\Common Files\MSIETS". Deregister it by typing the following command into Windows' Run box: "regsvr32.exe /u C:\Program Files\Common Files\MSIETS", replacing C:\Program... with the path you noted earlier.
- www.xupiter.com - This site will hijack your start page by way of a "browser enhancement" toolbar BHO. It is difficult to remove manually, but luckily
Ad-Aware and SpybotS&D both remove it without any trouble. This sneaky b*stard is sometimes even disguised as an unsubscribe for spam mails: "In a moment a pop-up box will appear. Press Yes to be removed from all future mailings." The popup box, of course, installs the hijacker.
- www.provilation.com - Hijacker prefixes the URL prolivation.com/cgi-bin/r.cgi? to
Web sites you visit (even when you type the address in manually), allowing
the site to monitor visited URLs and/or redirect the requests, add popups,
etc. Adult sites may be substituted for the requested site.
SpybotS&D will remove this hijacker.
- This hijack courtesy of a junk plugin from 'IGetNet', bundled with some p2p applications. More info and removal instructions
at Doxdesk. A 'Support' page on the searchresult.net site claims to reset
the homepage, but only sets a cookie and displays a popup ad.
Typically not hazardous,
just annoying. These programs have bait-and-switched customers into viewing
annoying blinky advertisements on the program's main window.
programs that come along, trojan-style, with completely unrelated software.
Usually because some jerk is getting paid to foist it on your system whether
you want it or not. Since they tag along with so many different pieces of
third-party software, it is not uncommon to get re-infected with these foistware
products again and again.
Offer Companion, Trickler (FSG.EXE / fsg-ag.exe)@ - Installed by (EVERYTHING!)
- Including AudioGalaxy
- WhenUShop / SaveNow@
Instant Messenger@ Installed by Netscape Navigator and other products.
- MSN Messenger - Installed
by/with a number of Microsoft applications, including MSIE and MSN Explorer
- New Net, Inc (NewDotNet) Installed by BearShare among
- EZula TOPtext / ContextPro / HOTText - This is a
product some are calling "ThiefWare" - It inserts "yellow highlighter" advertising
links in arbitrary web sites you visit! - Installed by KaZaA file-sharing
tool among others.
- Spedia Surf+ - another
"ThiefWare" product. Installed by Spedia software and very difficult to
See this site for removal instructions.
- WebHancer - a secretive "connection reporting tool"
that seems to be quietly installed by dozens of unrelated programs!
- Fotino by Meltingpoint
Software - A "thiefware" product similar to EZula TopText--see
this article. No information currently available.
- Mirazo / NetAngel -
A "thiefware" product similar to EZula TopText. No information currently available.
- CameoCast and CameoONE - May be installed by Western
Digital Lifeline Installer.
- BackWeb / Western Digital DLGLI.EXE - Installed by
Western Digital Data Lifeline among others. Purports to monitor your hard drive for problems,
but is suspected of being a vehicle for displaying unwanted advertisements
as well. More recently, Backweb was caught installing along with Logitech
mouse drivers (!) (Do you really need web-update for ****ing mouse drivers?)
- Liveshows - A dialer program that
tries to get you to accept a set of Terms it hounds you with on every startup.
May be installed via unsolicited mail attachment and some adult Web sites.
- NetSetter / Marketscore
- A "market research" program along the lines of WebHancer, intended to
track your Internet usage and buying habits. Some users seem to have it
and not know where it came from. Removal instructions
here. (If you did voluntarily sign up for this service
and wish to remove it, you can login to the Marketscore Web site for removal
Backdoor.Autoupder Trojan / BrowserToolbar (Ausvc.exe,
Bvt.exe, Mnsvc.exe, Absr.exe) - A bona-fide backdoor trojan, this one is
caught by antivirus. Writeup here and technical info here. A sneaky spyware dropper that was installed by
an ad on a Web site (flowgo.com).
- CommonName toolbar
- "Internet marketing tool" (and resolver of New.Net-esque
bogus domain names) which, while it can be downloaded from its maker's Web
site, often appears due to KaZaA and similar software. Info
(ucmie.dll) - An IE toolbar that displays "related links" for the site
you're visiting. Distributed by FreeWire file-sharing tool among
others. Versions 3.x and below report back the URLs you visit along
with a unique ID. As of Version 4, the ID has been removed, and the
company asserts that the product will no longer be stealth-installed.
- freeaccess.exe - Distributed via adult spam, appears to be a dialer.
sentrystub.exe, ipinsigt.dll? (IPInsight UserTag / TrafficSensor) - Provides Web sites with
demographic and geographic information about you (the company brags that
it can determine what city you live in to 90% accuracy), along with connection-speed
and other data. Thread
here and full write-up on Doxdesk. Interestingly, the company claims its product (installed on YOUR computer) as an alternative to spyware.
Programs for the specific
purpose of violating your privacy, stealing data, taking over or trashing
- NetBus See also
PCHelp Reference , Barton
Networking Reference and official NetBus homepage
* NetBus seems to have
"gone legit" and progressed from its original form as a Trojan Horse to a
non-malevolent, commercial remote-administration tool. Information is provided
"for reference" as many of the "trojan" installations persist.
- Back Orifice
See Trojans Lair
Reference (use Find..)
- PWSteal (Note: several
trojans go under this name) An
stealer is among the most common.
* Norton AntiVirus refers
to all password-snarfing trojans under the general name PWSteal.
See PCHelp Reference.
- Sub Seven - Another
fairly nasty trojan, which can monitor keystrokes on your machine and allow
others to access it remotely. While this program has a few limited "helpful"
uses (retrieving keystrokes/passwords from your own system, e.g. censorware passwords), it is still a Trojan and
should be used with extreme caution.
here for description and here for removal utility.
a.k.a. Full Downloader - A worm that spreads via the Kazaa file-sharing network.
Signs of infection include presence of the file "EXPLORER.SCR" and a directory
"C:\Windows\Temp\SYS32". To remove, delete both of these components. More
- Part of the Nimda virus, can produce error messages ("Windows cannot find
load.exe") and possible inability to run programs. To remove, run a virus scanner.
To remove error message, open SYSTEM.INI, find the line similar to "Shell=explorer.exe
load.exe" and change it to "Shell=explorer.exe". More info
The Great Unknown
Some generally bad-behaving
software whose purpose and motive are not clear...
mdm.exe (Remote Procedure Call, Machine Debug Manager) by Microsoft
Update: Purpose clarified.
See "What is RPCSS.EXE?" (Guest). It appears to be
a glorified port mapper.
Note: In the style of Yahoo's
directory, "@" indicates a repeated listing.
parasite lists them by the dozens, with concise and brief descriptions,
removal instructions, etc. (unlike my own ten-page-rant tendency :)
Has information on spyware, downloads, spyware announcements, forums and
even a weekly newsletter. Home of a comprehensive page on browser homepage
Gibson Research Corp.'s
Steve Gibson brought the Spyware issue to the forefront with his in-depth
analyses and the first ever (?) removal utility.
Anti-Adware Essay covers reverse- and social-engineering of the spyware
apps; details how he obtained more information about how the spyware operates
and who is responsible.
Parasites deals with useless 'malware' and software
parasites, in addition to spyware programs. These parasites, while not necessarily
a threat to privacy, waste disk space, processing and memory, often for no
ScumWare and ThiefWare discuss ad-overlay
products such as Gator and EZula TopText. The products cover sites' banners
with their own, and add advertising hyperlinks to those pages on the client
Sponge's Anti-Spyware Page
- Step-by-step instructions to secure your system, aimed at novices;
easy to understand information about cookies, spyware, how Internet
protocols work, Denial of Service attacks and more.
email the Webmaster to report new spyware, broken links, errors or other
problems, or recommend new links.
"All trademarks are hereby
acknowledged as the property of their respective owners." So don't even THINK
about suing me :)