Advertising Spyware: TSADBOT

Update
It seems Conducent has officially gone out of business - No more Conducent, and no more server for TSADBOT to report back to. An anonymous tipster shares the following on Conducent's TSADBOT and PKware's PKZIP.
Robert Regular, marketing boob of Conducent, has relocated to Cydoor, another spyware/adware company (this one responsible for pushing the Dlder/ClickTillUWin trojan).
 

Software functions: Various
Advertising functions: displays a stream of flashing ad banners when certain software is installed, including monstrous fullscreen (640x480) ads!
Network Connections: Multiple connections to Conducent ad-servers including adsdl.conducent.com, redirects.conducent.com (various ports). Proxy service prevents NETSTAT and similar network tools from disclosing actual addresses connected to (they appear in the form of ADS*:portnumber)
Backdoors: Unauthorized proxy service on high ports (e.g. 10000+). This proxy is most likely restricted to the local system, not allowing hackers external access to the user's files or network connections.
HD/Registry/Application Snooping: Yes. On my test installation, the TSADBOT software snooped my browser history and cache files. (This does not rule out any other snooping I may not have caught.) I do not, however, have evidence of these materials being transmitted.

FileMonitor log for TSADBOT (renamed to SPAMBOT.EXE during my testing)

TSADBOT is installed as a Windows Service when certain software is installed, most notably new versions of PKzip.
Several sources actually list this program under "Viruses", and it's not difficult to see why. It is secretly loaded onto your system when you install completely unrelated software (or even if you don't!), makes clandestine network connections behind the user's back, persists even after the software it came with has been uninstalled, and is very difficult to remove. An advertising-supported Trojan Horse, I am very happy to see this one bite the dust.
Once installed, the TSADBOT program is loaded every time Windows starts and runs invisibly in the background until the computer is shut down. It connects to the Internet and downloads ads, whether the advertising-supported application is running or not, and implements an unauthorized proxy server on the user's system which disguises the adware's network connections. AdGateway (demographic/behavioral?) "profiles" are stored in encrypted files on the user's system, and may be transmitted to Conducent by the TSADBOT software. The TSADBOT software accesses the user's browser cache and History (list of sites you've visited) for purposes unknown, and may use this information in the creation of behavioral profiles or transmit this information to Conducent.

Once installed, TSADBOT (like many Adwares) is very difficult to remove. If deleted, the adbot will often forcibly reinstall itself. In addition, it remains on your system, and continues to download advertisements and monitor your viewing habits, even after the associated app has been uninstalled. This means if you install a "free" version of PKZIP or a similar app, run it once and find out it's powered by Adware, and immediately uninstall it, the TSADBOT process remains on your system and secretly continues to perform its unwanted functions permanently. While Conducent claims to pre-examine TSADBOT-using applications for certification, many of the "certified" apps available from them do not meet the certification criteria. These often-unmet criteria include a notice that the application installs an advertising client (which transfers data via your 'net connection) and uninstallation of the TSADBOT client when the supported program is uninstalled.

The Risks Digest (vol 20, issue 65) provides information about another misanthropic (and very pushy, IMHO) feature of TSADBOT:


To me, the most disturbing aspect of this program is what it was doing with my browser history. Just as disturbing are the statements made on the website of the *ssh*l*s responsible for TSADBOT:
"By collecting valuable user data and marketing new and existing software titles to dedicated users, publishers can drive retail sales of specific titles. Conducent offers Advertisers the unique opportunity to reach specific software users in highly targeted categories." So not only is it a Trojan Horse, it is also gathering marketing data on you while you work! This program is a clear and present danger to the privacy of any user.

Note: Long after initially writing this page, I became infected with the TSADBOT trojan for nearly a month and didn't know it! See my game of Nastygram Volleyball with Conducent's lying-like-dogs PR stiffs after I became aware of the infection.

Solutions:

Press here for manual removal instructions for Conducent TSADBOT.

Normally, if you try to delete TSADBOT or the AdGateway directories, you will get an error message saying that the files are in use. To delete them, you must typically restart in MS-DOS mode and use DOS console commands to remove the tsadbot.exe file. Only then can you delete or rename the adbot's directories and other files. The newer versions of the TSADBOT trojan operate in FULL STEALTH: they do not appear on the Ctrl-Alt-Del "End Task" menu, and cannot be terminated by the user by any known means. The trojan tricks Windows into believing it is a required Windows component such as kernel32.dll or the multimedia handler.

The TSADBOT trojan also places a reference to itself in your Windows Registry so that it is automatically loaded at start-up. To remove this, open regedit.exe and search for "tsadbot". It's not critical that you delete *all* things related to it, but be sure to remove any reference to it under "\CurrentVersion\Run" or "\CurrentVersion\RunServices". This will prevent your computer from searching for the file (existent or not) every time you start it. For more info on removing Startup references from your system registry, see this page.
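The registry check above can also be run over a text export from regedit. The following is an added example, not part of the original page: it assumes a REGEDIT4-format export, and the sample value names and paths are constructed for illustration. It separates the start-up references that must be removed from other mentions that are only worth reviewing.

```python
import re

# Constructed sample of a regedit export (REGEDIT4 text format); the value
# names and paths are made up for illustration, not taken from a real system.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ExampleAdClient"="\"C:\\EXAMPLE\\AdGateway\\TSADBOT.EXE\" /hidden"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ExampleSvc"="c:\\example\\tsadbot.exe"

[HKEY_LOCAL_MACHINE\Software\Example\AdGateway]
"InstallPath"="C:\\EXAMPLE\\AdGateway\\tsadbot.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
STARTUP_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")

def unescape(text):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(.)', r'\1', text)

def find_startup_references(export_text, needle="tsadbot"):
    """Return (startup, other): lists of (key, value_name, data) mentioning
    `needle`; `startup` holds those under a Run or RunServices key."""
    startup, other, key = [], [], None
    for line in export_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)  # dword/hex values do not match and are skipped
        if not (m and key):
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if needle.lower() not in (name + " " + data).lower():
            continue
        bucket = startup if key.lower().endswith(STARTUP_SUFFIXES) else other
        bucket.append((key, name, data))
    return startup, other

if __name__ == "__main__":
    hits, others = find_startup_references(SAMPLE_EXPORT)
    for tag, rows in (("REMOVE", hits), ("review", others)):
        for key, name, data in rows:
            print("%s  [%s] %s = %s" % (tag, key, name, data))
```

The match is case-insensitive because the file name appears in different cases on disk and in the registry.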

A PKWARE user by the name of Gary has shared some excellent info regarding the TSADBOT program. If you remove the adbot program and its Registry entry, then run the program that uses it (in this case PKZip), it will reinstall the adbot and its registry junk. He has solved this problem by not deleting TSADBOT.EXE, but replacing it with a dummy executable that does nothing (e.g. terminates immediately after it is loaded) and making this program read-only. If you already have (legitimate) programs that run at start-up, you can instead copy one of these over your existing TSADBOT.EXE and then make it read-only.

If you have access to a personal firewall program, blocking any and all Conducent domains is strongly recommended.
 

Note: See the Adware Neutering section.

Links
Privacy Power! Conducent (TimeSink) info 

Network issues caused by TSADBOT hammering the DNS Server

 




 

"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)