Your generous donations help keep this site online! Click here to support
Advertising Spyware: DLDER.EXE, Explorer.exe Trojan, ClickTillUWin

This spyware trojan consists of two executable files, dlder.exe and C:\Windows\explorer\Explorer.exe.

Infection Method
The dlder.exe spyware file, also functioning as a trojan dropper, is installed by Grokster (1.33), Bearshare (2.4.0b7), LimeWire (2.02), Net2Phone (unspecified versions) and KaZaA (unspecified versions). It may have also been installed by some versions of BonziBUDDY, but this has not been confirmed. The dlder.exe file is normally written to C:\Windows\dlder.exe. According to multiple sources, the user is asked whether or not they wish to install the "ClickTillUWin" component (carrier of the dlder.exe trojan), but the component may be installed even if the user chooses "NO".

Upon installation, the dlder.exe trojan first connects to the web site and transmits data, including a GUID, the user's IP address and browser version. According to this site (Spanish), the request is in the form: . This URL returns a numeric value that appears to count the number of unique installations.
The dlder.exe software then downloads and installs a trojan file named Explorer.exe from the same site, to C:\Windows\explorer\Explorer.exe (do not confuse this with the required Windows file explorer.exe, located at C:\Windows\explorer.exe). The dlder.exe file then places a Run key in the Registry so that the new Explorer.exe trojan runs at startup.

The dlder.exe trojan will also add a Registry key, HKLM\SOFTWARE\Games\Clicktilluwin. This contains values similar to the following:

The exact numeric values differ for each installation and change each time dlder.exe is run. Dlder.exe may also add icons for, an online gambling game, to the desktop.

The trojan Explorer.exe file then connects to the Internet every few minutes to transfer the assigned GUID and lists of Web sites the user has visited since the last checkin.

This piece of spyware is being reported as a virus or Trojan Horse by some antivirus manufacturers. Some have since backed down and removed the file from their virus signatures, others have not.

Removal Procedure
Grokster, one of the companies that bundled the DLDER software, is offering an application that will remove it. You can get DLDER Remove from Grokster's site.
Manual Removal:

More Info

The ClickTillUWin product was distributed by Cydoor Technologies, makers of the Cydoor Ad-system adware products.
We were not able to reproduce Dlder/ExPlorer behaviour on our Windows 95 test system (POS).

F-Secure Virus Information: Dlder
File Sharing Programs Carry Trojan Horse (C|Net)
File-sharing software users unknowingly accepted tracking program (SFGate)

Up (Adware)
HomeE-mailCopyrights and Disclaimers


"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)