Your generous donations help keep this site online! Click here to support cexx.org.
Creative Labs spyware
 
This seems a fairly new--and disturbing--application of spyware...once relegated to shareware/adware applications, it seems it is now being bundled with legitimately purchased hardware as well. This behaviour has been noted with some Creative Labs products, including SoundBlaster LIVE (TM) and some modems produced by Creative Labs or a subsidiary (Digicom), but may extend to other Creative Labs products.

Specifically, it has been reported that installing software bundled with the SoundBlaster also installed spyware components, including ADVERT.DLL and CD_LOAD.EXE. They are believed to be installed with the "freeware" product, Media Ring Talk, which allows PC-to-PC voice communication. (This software goes under several names, including Media Ring Chat, MRTalk99, SBring or MRTS.) Upon further investigation, the advert.dll file appears to be proprietary to Media Ring, and not associated with the Aureate spyware by the same name. It is unknown whether the cd_load.exe file is the one from Cydoor's spyware foundry.

Due to the possibility of spyware infestation, I recommend using Windows' Add New Hardware wizard (if possible), rather than any auto-installers on the Soundblaster setup disk, to install the hardware drivers. (Use of SB-supplied installers means a higher risk of having other things besides the drivers installed!)

See also: NewsUpd.exe, another confirmed spyware application installed by CreativeLabs installers.
 

Spyware/MRTalk Removal Procedures
In addition to the files in the program's own directory, some files are also added to the Windows system directory, as described below.

Bruce writes:

Should you decide to do your own housekeeping after uninstalling
MediaRing Talk as I am forced to do after my brief evaluation you
might search your hard drive for the following files and delete them
manually.

c:\WINDOWS\FONTS\R0DFONT.fon
c:\WINDOWS\mruninst.exe
c:\WINDOWS\SYSTEM\Dbwin32.exe
c:\WINDOWS\SYSTEM\mstart.exe
c:\WINDOWS\SYSTEM\sp3.dll
c:\WINDOWS\SYSTEM\sx20.ini
c:\WINDOWS\SYSTEM\Sx20p32.dll
c:\WINDOWS\SYSTEM\sx5363.ini
c:\WINDOWS\SYSTEM\sx5363s.dll
c:\WINDOWS\SYSTEM\sx7383.ini
c:\WINDOWS\SYSTEM\Sx73p32.dll
c:\WINDOWS\wutil.dll

Also remove your MediaRing Talk directory if anything was left in it.
I installed this software on a computer that has no modem or Internet
connection I therefore feel my privacy was not compromised your
results may vary.

The following Registry entries are created by the software and can safely be removed:
HKEY_USERS\.Default\Software\Mediacom Technologies (S)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mrt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-mediaring-mrt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mstart.Document
The program is also said to tamper with certain Windows fonts and/or their Registry entries, including the Verdana font. When removing the application, search for and delete the advert.dll and cd_load.exe spyware files. If the MRTalk program is run with the files missing, it reportedly crashes with a GPF and can take Windows down with it.

More information will be posted here as it becomes available.

Thanks Privacy Power for the spyware alert and additional information.
 
 
 
 

Up One Level (Unlimited Free File Storage)
HomeE-mailCopyrights and Disclaimers

"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)