Advertising Spyware: CyDoor CD_Load.exe and CD_Clint.dll
(see also: CD_Load.exe)
|Nature of application||Adware/Spyware
|Type of application||DLL|
|Calls home to:||www.rgs1.net (HTTP/80)
|Placed on system by:||Free Software (KaZaA, iMesh,
|Loads via:||Other Program
Cydoor's CD_CLINT.DLL is a libarary used by Cydoor-sponsored applications:
In our test installation, Cydoor's CD_CLINT.DLL downloaded executable code to the test system [log]. While the code (a Visual C++ library, ATL.DLL) was not malicious, the program's ability to silently load executable code presents a potential security vulnerability to the user.
The current version appears
to respect the user's privacy and informed consent. Therefore, we consider
this version most accurately categorized as "Adware". Older versions
could more accurately be considered "Spyware".
Cydoor has cleaned up its act considerably since previous versions of its software. Previous versions left it up to the host application's vendor to disclose (or not) that Cydoor ad components were being installed, leading to a finger-pointing loop in cases where the software was not disclosed. Additionally, previous versions used a GUID to track individual users across multiple sessions. This has been removed from the current version, as verified by our tests and information on the Cydoor website. Cydoor's components now come with an uninstall feature that was not present in earlier versions.
If you have older Cydoor components installed, we recommend you either remove the software or (if you use software which requires Cydoor) download the Cydoor file update.
Earlier versions of Cydoor
CD_LOAD were similar to the TSADBOT ad-trojan.
It is a seperate, always-loading component that digs itself into your Windows
Registry (so as to load always on start-up) and refuses to uninstall. It
connects to the Internet and downloads ads, transferring data (including
a GUID unique to your computer) whether the associated app is running or
not. As with TSADBOT, running the installer immediately infects you with
the CyDoor trojan, even if the associated application is never installed
(you cancel the installation, don't install the software, and/or reject
the license agreement).
"If installation of software embedded with Cydoor is terminated by not agreeing with the EULA, Cydoor software may install itself without the software host. This has been personally noted during a rejected installation of MP3 Tag Studio (version 1.6.1) by Magnus Brading Software. If host software containing Cydoor has been fully installed and then uninstalled, the Cydoor component will not be uninstalled."Imesh, the popular file-sharing client, installs Cydoor spyware. (Guest)
CD_CLINT.DLL exports five functions:
(Also courtesy of Privacy Power)
1.Delete the following files (usually found in C:\WINDOWS\SYSTEM\):
2.Delete the ADCACHE folder and its contents (usually found under C:\WINDOWS\SYSTEM\).
3.Remove Cydoor and Cydoor Services from the Windows Registry. The following Cydoor keys were added in my Windows 98 Registry and are shown for reference only:
HKEY_CURRENT_USER\Software\Cydoor\Note: See the Adware Neutering section.
Power! Adware, Badware, Spyware: CyDoor - Especially applicable to
the previous Cydoor version
Analysis by: Bill Webb, on SPYBOX (Windows 95 OSR2)
"All trademarks are hereby
acknowledged as the property of their respective owners." So don't even
THINK about suing me :)