Your generous donations help keep this site online! Click here to support

Advertising Spyware: CyDoor CD_Load.exe and CD_Clint.dll

Jump to:
At-A-Glance info
Detailed info
Removal Procedure

CD_Clint.dll: At-A-Glance
(see also: CD_Load.exe)
Nature of application Adware/Spyware
  • See in-depth notes below
Type of application DLL
Calls home to: (HTTP/80) (HTTP/80) (HTTP/80) (HTTP/80) (HTTP/80) (HTTP/80)
Placed on system by: Free Software (KaZaA, iMesh, etc.)
Paid-for Software
  • Handled by Cydoor installer (latest version)
  • Handled by the host application: leading to a potential finger-pointing loop. (previous versions)
Loads via: Other Program
  • Programs using Cydoor load the DLL at run-time and import functions from it.
Stealth Features
  • All files (including ad cache) buried in System dir.
Hostile Features N/A
Insecure Features
  • Downloads executable code
  • Transmits email address (if supplied) to Cydoor only.
  • Transmits user-supplied demographic information (if supplied) to Cydoor. Shared with others in aggregate.
  • Transmits advertising metrics (ad displays, clicks, etc.)
  • Uses cookies
  • Uses GUID to track users across sessions*
* Depending on version. The current version no longer includes a GUID.

In-Depth Info

Cydoor's CD_CLINT.DLL is a libarary used by Cydoor-sponsored applications:

In our test installation (version 3.2), Cydoor was clearly disclosed during the installation, before it was actually installed. Upon starting, it connects to [log], presumably to get a list of other ad servers (listed above). The DLL logs into one or more of these servers to exchange data [log]. Ads are then downloaded from these servers and stored in C:\Windows\System\adcache\ for display by the host application(s).

In our test installation, Cydoor's CD_CLINT.DLL downloaded executable code to the test system [log]. While the code (a Visual C++ library, ATL.DLL) was not malicious, the program's ability to silently load executable code presents a potential security vulnerability to the user.

The current version appears to respect the user's privacy and informed consent. Therefore, we consider this version most accurately categorized as "Adware". Older versions could more accurately be considered "Spyware".

Other Versions
Cydoor has cleaned up its act considerably since previous versions of its software. Previous versions left it up to the host application's vendor to disclose (or not) that Cydoor ad components were being installed, leading to a finger-pointing loop in cases where the software was not disclosed. Additionally, previous versions used a GUID to track individual users across multiple sessions. This has been removed from the current version, as verified by our tests and information on the Cydoor website. Cydoor's components now come with an uninstall feature that was not present in earlier versions.

If you have older Cydoor components installed, we recommend you either remove the software or (if you use software which requires Cydoor) download the Cydoor file update.

Earlier versions of Cydoor CD_LOAD were similar to the TSADBOT ad-trojan. It is a seperate, always-loading component that digs itself into your Windows Registry (so as to load always on start-up) and refuses to uninstall. It connects to the Internet and downloads ads, transferring data (including a GUID unique to your computer) whether the associated app is running or not. As with TSADBOT, running the installer immediately infects you with the CyDoor trojan, even if the associated application is never installed (you cancel the installation, don't install the software, and/or reject the license agreement). Privacy Power explains:

"If installation of software embedded with Cydoor is terminated by not agreeing with the EULA, Cydoor software may install itself without the software host. This has been personally noted during a rejected installation of MP3 Tag Studio (version 1.6.1) by Magnus Brading Software. If host software containing Cydoor has been fully installed and then uninstalled, the Cydoor component will not be uninstalled."
Imesh, the popular file-sharing client, installs Cydoor spyware. (Guest)

Technical Info
CD_CLINT.DLL exports five functions:

(Actually, it exports many more, but you're not supposed to know about them.) ServiceShow and ServiceClose return 1 if the operation was successful, and 0 if not. Programs are supposed to refuse operation if the call returns 0.

Removal Procedure:
(Also courtesy of Privacy Power)

1.Delete the following files (usually found in C:\WINDOWS\SYSTEM\):


2.Delete the ADCACHE folder and its contents (usually found under C:\WINDOWS\SYSTEM\).

3.Remove Cydoor and Cydoor Services from the Windows Registry. The following Cydoor keys were added in my Windows 98 Registry and are shown for reference only:

HKEY_CURRENT_USER\Software\Cydoor Services\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ Cydoor=CD_Load.exe
Note: See the Adware Neutering section.

Privacy Power! Adware, Badware, Spyware: CyDoor - Especially applicable to the previous Cydoor version
Version analysed:  Cydoor CD_CLINT.DLL version 3,2,0,9
Analysis by: Bill Webb, on SPYBOX (Windows 95 OSR2)


Up (Adware)
HomeE-mailCopyrights and Disclaimers


"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)