Nastygram Volleyball with Conducent
 An "interesting" email exchange between myself and the none-too-honest sacks of you-know-what that put TSADBOT on my system.

Background: It just so happens I'm doing something with my Registry, in the Run/RunServices section... and what to my wondering eyes do appear, but a reference to a particularly nasty adware trojan named TSADBOT. Knowing what it is, what it does, and that it SHOULDN'T be there, I immediately deleted the adware trojan (from DOS mode--I don't think you can kill it in Windows [sharing violation]) and replaced it with a batch file that was supposed to copy the first message, below, into my Netscape mail queue at regular intervals and send it to abuse@+conducent.com. I was extremely PO'd because I would NEVER install this type of software, and so (theoretically) would not have TSADBOT infesting my system.
 
 
To:   abuse@+conducent.com
Subj: A message to Conducent.

To whom it may concern:

This message has been sent by CXMAILBOT, a Trojan Horse detection utility. An application named TSADBOT, which CXMAILBOT's records indicate your company is responsible for, has attempted an unauthorized network connection, which is why you are receiving this message. Since it's obvious you want to hear from me periodically, each time your software loads and attemps to establish a network connection to transmit data behind the user's back, this email will be transmitted in its place.

"Since I am a privacy-conscious individual and would immediately remove any Trojan Horse existing on my system, it can be reasonably assumed that I am unaware that TSADBOT has been installed on my system. Fortunately, since I am a privacy-conscious individual I have also taken steps to protect my system--such as avoiding the use of any "Adware" products, installing anti-virus software, and using Trojan detectors such as CXMAILBOT." 

CXMAILBOT has sent you this message to give you an opportunity to correct your mistake and inform this user of the software that has been installed on their system without their knowledge. If you don't want to hear from this user periodically, you will provide them with an uninstall utility that will remove all traces of the TSADBOT software. Since the CXMAILBOT antitrojan will still be running when/if an uninstaller is run, it will monitor activity which is not conducent to an uninstaller, such as snooping around the hard drive, replacement (not removal) of any files, or unauthorized network connections (in other words, don't try anything funny). It is hoped that you will remedy this situation as quickly as possible.

Regards,
bgip@+hotmail.com
(A CountereXploitation Mailbot User.)

--
Message queued at 5:27 PM CST
Default message used

At this point, I should probably confess my fibs before getting to Conducent's replies. There is no such thing as CXMAILBOT.EXE that monitors adware behavior, so don't ask me for a copy. I made it up. The mail was instead sent by the cheapo batch file mentioned above--which, incidentally, didn't work quite as expected (Conducent got only ONE copy of the message, not the veritable mailbomb I was hoping for ):

In a day or two I got a reply from someone (apparently, a PR marketdroid) by the name of Robert Regular. It sure looks like a form-letter to me, something which I was careful to address in my reply--it would suggest that Conducent gets a lot of messages containing similar gripes, and that the mailer-daemon may even be set up to pick up on certain words (tsadbot, privacy, lawyer, etc) and spit out the reply accordingly. Lines in red indicate known false statements, as explained in more detail below and on the Adware page.
 
From: "Robert Regular" <regularr@+conducent.com>
Subj: RE: A message to Conducent.

Hi,

Thank you for your feedback. We appologize for any concern that this may
have caused you and hope to resolve your inquiry.

Conducent provides technology to software publishers that enables them to
integrate advertising in their PC software thereby providing users with FREE
ad-supported applications. The software publisher informs the user of this
activity during installation in the "user agreement".

Our technology delivers ads from our server to the ad-enabled application
that you have downloaded. The application occassionally contacts the server
to send and receive new ad information.

I assure you that we are in NO way collecting personal data or hurting your
machine in any way. If you have privacy questions, we encourage you to
review our privacy policy at: http://www.conducent.com/privacy.shtm

If you would like to remove this from your computer simply uninstall the
ad-enabled application. Please visit our online list of applications to
determine which app is causing the concern.
http://www.conducent.com/download.shtm

Thank you for your feedback.

Best Regards,

Conducent
www.conducent.com

Although I didn't highlight it in red, I would tend to differ with Conducent's definition of "FREE" software. Additionally, the mail made no mention of my unique situation nor acknowledged the "fact" that the outgoing mail was auto-submitted. Had I not crafted that message myself, I would have no idea why some company named Conducent was sending me an out-of-the-blue email about privacy, and I would probably have reported it back to abuse@ as spam. So I wrote them back, playing dumb, and demanded a personal reply to four unique privacy/etc. concerns (beware--it is a loooong message!):
 
 
To:   regularr@+conducent.com
Subj: Re: RE: A message to Conducent.

Hello (again?)

I was a bit confused at first, but now I think I know what's going on. After your (seemingly unsolicited) message yesterday, I did a little research on the TSADBOT trojan and the "antitrojan" app that first alerted me to it. From what I understand, and please correct me if I am wrong, the TSADBOT is installed as a condition of using certain software titles, e.g. "Advertising-Supported Shareware". The problem here lies in the fact that I prefer not to deal with unsolicited advertisement, not to mention the relevant privacy issues, and have *never* installed any of these applications. Frankly, I am at a loss to explain how your TSADBOT application arrived on my machine.

Further digging led me to a Registry key named [HKEY_CURRENT_USER\Software\TimeSink, Inc.\AdGateway\Channels\BzeFit].
It contained one value, "ChannelID", with the hexadecimal data [08 6D 65 72 69 74 61 76 00 00 01 6B 08 17 1B 1D 15 17 15 56 54 02 50 56 11 36 38 1F 23 2F 1D 74]. I assume "BzeFit" is the name of the software that installed it, although I cannot find an entry for it in the list you cited. The TSADBOT.EXE file is dated Saturday, April 29, 2000. The TSADBOT trojan was apparently placed by a rogue installer I loaded from our LAN just over a week ago. (Since users typically do not label the applications they dump into the public directory, there's really no way of knowing what it is without executing it.) Upon execution, the installer application did the usual installer thing, "This will install such-and-such, would you like to continue?", and presented a license agreement. And here is where I begin to have a *major* problem.

I understand your business model and have nothing against it for those who wish to be a part of it. However, the license agreement that was presented to me by the unknown installer *in no way* disclosed the fact that the software I was about to install would secretly install an advertising trojan onto my system--in fact, no mention of advertising *whatsoever* was readily apparent. This is a non-sequitir in this particular case, as I recognized the name "Conducent" and, having previously read about your connection with the advertising trojan, IMMEDIATELY DECLINED the license agreement, NOT installing the software, and terminated the installer. As you may know, most modern installers present an EULA (End-User License Agreement), stating the conditions of the software use, which must be agreed to by the user before the software can be installed. Declining the EULA declines the installation of the software and terminates the installer. This leaves four (4) unaddressed issues that I would like addressed satisfactorily and in a timely manner. These issues are as follows:

(1) You have made the claim that "The software publisher informs the user of this activity [TSADBOT functions] during installation in the 'user agreement'." However, no advertising functions are mentioned in the EULA, or are mentioned in such a cryptic and indirect manner that no reasonable user would be fully aware of their significance. Further, this statement is openly misleading about the nature of the software: While the implication is that the advertising functions are tied to the program, the TSADBOT is in fact a separate application, which is automatically and *secretly* loaded as a background process every time the computer is started, performs its functions *whether or not the advertising-supported software is running*, and remains installed and continues to perform these functions *even after the advertising-supported software has been uninstalled*. I have done some research and found *numerous* reports of the TSADBOT software persisting after deinstallation of the host application, applying to numerous separate software titles. In other words, this is *not* a problem relating to a particular title and cannot be blamed on the developer. I would like this issue, false and misleading statements regarding the software and in the EULA, personally addressed by yourself or another member of the Conducent company.

(2) While you make the claim that the TSADBOT trojan is installed alongside host software, this is not the case. Upon execution of an "infected" installer, the TSADBOT is *immediately* written to the user's hard disk, and Registry keys are *immediately* created which cause the trojan to automatically load each time the user starts his or her computer. This fact is borne out by a group of security experts I have contacted, who have used low-level disk monitoring tools to independently verify this behavior. A Trojan Horse (regarded in many circles as the equivalent of a computer virus) is defined by this behavior--it is a piece of software code (the "payload") that is secretively installed to the user's machine as soon as a carrier program is executed, such as the more widely known NetBus and Back Orifice (you will notice I have continued to refer to the TSADBOT as a "trojan" in this message as on my Internet site). Why is the TSADBOT trojan secretively installed *before* the user has agreed to it? Why does it remain installed even as the user REFUSES the terms of the agreement? I would like this issue, the forcible and secretive installation of the TSADBOT trojan independently of other software, personally addressed by yourself or another member of the Conducent company.

(3) Your initial message seemed to indicate that I had personally contacted you with "feedback" (expressing "concerns"), and looked very much like a form letter (which would tend to indicate that I am not the first to have expressed "concerns" of this nature.) Your reply quoted a message indicating it was sent by CXMAILBOT, a free Trojan Horse detection utility I installed a couple days ago. I contacted the author of this detection software to find out more about the TSADBOT and what steps, if any, the detector had taken to remedy the problem. When installed, the software indicated that it had found the TSADBOT trojan and could find no legitimate reason for it to be there--that is, there is no advertising-supported software on this system which would require the TSADBOT to be legitimately installed. It then asked if I would like to relocate the TSADBOT.EXE file and dereference it from the Registry's Run key, an option I accepted. While the detector, being a private beta release, did not come with documentation, the author was kind enough to explain how it sends a series of e-mail notifications (using a return e-mail address specified by the user) to the parties responsible for the trojan, and provided a copy of the message that was sent (matching the message quoted in your reply). From what I can tell, this message is very clear in its request that you inform the user of what has been placed on his or her system and furnish a method of removing all traces of it. Although I was already aware of what TSADBOT does at the time of detection, this detection software seems clearly aimed at users who are not. Your mail explained neither *what* was secretly installed on my system, *why* it was installed, nor what its purpose is. Was the reply I received a form letter, or perhaps an automated response which picked up on certain keywords (privacy, TSADBOT, trojan, etc.) and sent a reply? 
If not, then why was it assumed that I was personally expressing concerns, even though the CXMailBot's original message clearly states that it has been auto-generated and that the end-user is unaware of it? I would like this issue, the (lack of) notification of what TSADBOT is and what it does, even after being requested to provide this information, personally addressed by yourself or another member of the Conducent company.

(4) The CXMailBot message also requests that the end-user be provided with a method of completely removing the TSADBOT software. While CxMailBot relocated and replaced the TSADBOT.EXE binary, other portions of the software remain untouched, including several directories and cryptic Registry entries. Your initial response indicates to "simply uninstall the >ad-enabled application", however, since the application was never installed [as indicated in point (1)], no method of uninstalling the "ad-enabled application" is available.  The original installer is also unavailable, although why anyone should have to accept a questionable EULA and *install* unwanted software before being provided the opportunity to remove an advertising trojan is beyond me. As it stands, how are all components of the advertising trojan itself to be removed from my system? I would like this issue, the process for *complete* removal of the TSADBOT software and all components, personally addressed by yourself or another member of the Conducent company. In addition, I would like to know the exact contents of the (encoded) data stored in the Registry key contained in the second paragraph of this message. Finally, I ask that any "user profiles" that may have been stored on your systems be permanently removed at once. Please provide a list of any identifying information necessary to determine the specific profile(s) to be removed.

Thank you very much for your time and consideration.

Sincerely,
William. H. Webb

This message went ignored by Conducent. About a week went by, and I sent them another message, below, indicating my desire to initiate legal action if I could not get the situation satisfactorily resolved (a copy of the ignored message was attached at the point marked <original message>). To ensure accountability I went completely hog-wild with return receipts, getting hard confirmation that my local mailserver sent the mail, that Conducent's received it, and when it was read (and by whom). Additionally, I CC'd it to legal@+cexx.org for added effect.
 
To:   regularr@+conducent.com
CC:   legal@+cexx.org, abuse@+conducent.com
Subj: 2nd Notice regarding TSADBOT trojan on my system.
 
 

To whom it may concern:

This e-mail is a followup to my previous e-mail, which has so far been
ignored. It concerns an unauthorized Trojan Horse, TSADBOT, that has
been installed on my computing equipment without authorization or just
cause, and has initiated unauthorized network connections from this
equipment.

The previous e-mail message was ignored by your staff. Please understand
that I take the abuse of my privacy and computing facilities very
seriously, and am prepared to pursue legal action if these concerns are
not addressed in a complete, truthful and timely manner. My attorney has
indicated that the TSADBOT trojan and its transfers of data to and from
my system may constitute an invasion of privacy informally referred to
as "data rape". Should this or future inquiries be ignored, proceedings
may be initiated by my attorney without further reference to you.

The original message is repeated below. Please take into consideration
the four (4) major concerns listed and issue a timely response to this
e-mail address within seven (7) business days. Upon failure to address
these concerns in a complete and truthful manner within this time
period, legal action will be pursued. What your company has done
constitutes a serious offense.

---
<original message>

After all that legal posturing I finally get (besides a mailboxfull of return receipts) a reply from a live human:
 
From:   regularr@+conducent.com

Mr. Hebb,
Ed. note #1: First things first, when replying to someone pissed off enough to sue you, at least spell their name right!

Thank you for your feedback. Let me address your questions individually:
 

After your (seemingly unsolicited) message yesterday, I did a little
research [...] a loss to explain how your
TSADBOT application arrived on my machine.

>> My response was sent to you in response to a specific email that was
directed to Conducent. The technology that you make reference to is
installed during the installation of specific ad-supported software
programs. Our technology is not distributed in any other way.
 
 

Further digging led me to a Registry key [...] issues that I would like addressed satisfactorily and in a
timely manner. These issues are as follows:

(1) You have made the claim that "The software publisher informs the
user of this activity [TSADBOT functions] during installation in the
'user agreement'." However, [...] addressed by yourself or another
member of the Conducent company.
 

>> We appreciate your concerns and assure you that we require/request of all
our developers to articulate this message to users in the user agreement. If
you know of an application that does NOT articulate this in the agreement
please rpovide us with the specific app(s) and I will personally look into
it. However, we are re-evaluating our statement langusage and will take your
suggestions into account on this.
 
 

(2) While you make the claim that the TSADBOT trojan is installed
alongside host software, this is not the case. [...] addressed by 
yourself or another member of the Conducent company.
 

>> TSADBOT is for the specific purpose of delivering advertising to
individual applications. It merges with individual applications to
accomplish this purpose, the two are tied together closely. TSADBOT does not
have a seperate agenda that is unassociated with the delivery of advertising
and is not to be treated as a seperate program by the computer or software.

Our intent is not to "Hide" our technology. As you may know, it is not
unusual to run in the background as do many pieces of software. Even though
some have the opinion that ad delivery is inappropriate we believe that the
delivery, display and online/offline use of TSADBot is an appropriate use of
the technology to efficiently deliver advertising to valuable users who wish
to utilize free software.
 
 

(3) Your initial message seemed to indicate that I had personally
contacted you [...] addressed by yourself or another member of the
Conducent company.

>> I believe that you have already indicated that you understand what
TSADBOT does. However, TSADBOT is a piece of our technology that enables
software to deliver and display advertising in software. It utilizes the
Internet to send new ads and instructions to the software for future ad
display and then retrieves ad activity information for reporting to
advertisers. It is married to the host program and is relied on to generate
ad revenue in return for the use of this free software. Occassionally the
technology will work in the background when the host program is not active
to download new ads and cleanup space. TSADBOT is designed to take lowest
bandwidth priority and lowest system priority.

Ed. note #2: Don't tell someone they know exactly what your product does, then proceed to tell them exactly what your product does. Waste of valuable bandwidth & brain time.

(4) The CXMailBot message also requests that the end-user be provided
with a method of completely removing the TSADBOT software. [...] information you will need to
determine the specific profile(s) to be removed.
 

>> Our technology is tied to the host ad-supported application and is ONLY
installed when that host app is installed. I suggest that at some time you
installed such an application and thereby utilized our technology.

However, now that you wish to uninstall it and are unaware of the host
application you must simply follow these instructions:
Ed. note #3: Get the instructions right (more on this later).

kill off tsadbot if availble (Using the CTRL-ALT_DEL task manager)
Ed. note #4: Was this guy sleeping when I complained that the TSADBOT operates in FULL STEALTH and does not appear on the Ctrl-Alt-Del list??

remove the C:\Program Files\TimeSink folder

remove the registry entry HKEY_CURRENT_USER\Software\TimeSink

remove the registry key HKEY_LOCAL_MACHINE\Software\TimeSink

remove the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TimeSink

If this does not assist you please let me know and I will have a tech rep
contact you.

Also, No personal information is acquired about you or your machine. We
follow strict privacy guidelines.
 

I hope this has been helpful and if you have further questions please feel
free to contact me.
Ed. note #5: "Please feel free to contact me" implies someone will actually read/respond when the recipient feels free to contact you (more on this later).

Regards,

Bob

Robert S.K. Regular

Marketing Director
Ed. note #6: I knew it! A marketdroid.
Conducent
regularr@+conducent.com
http://www.conducent.com
____________________________

Get the latest FREE software!

http://www.conducent.com/download.shtm
Ed. note #7: It doesn't take Martha Stewart to know it's bad 'netiquette to append SPAM to personal email messages.
 

Our technology delivers ads from our server to the ad-enabled application
that you have downloaded. The application occassionally contacts the server
to send and receive new ad information.

I assure you that we are in NO way collecting personal data or hurting your
machine in any way. If you have privacy questions, we encourage you to
review our privacy policy at: http://www.conducent.com/privacy.shtm

If you would like to remove this from your computer simply uninstall the
ad-enabled application. Please visit our online list of applications to
determine which app is causing the concern.
http://www.conducent.com/download.shtm

Thank you for your feedback.
Ed. note #8: Look familiar? Told ya it was a form letter!! Can I spot 'em or what? :)
 

Again, lie-equivalent statements are flagged in red...additionally, my own editorial comments have been interspersed. Now, to tackle the ol' redlines...

And now, to tackle an additional red line in their form letter which was not addressed above: Anyway, I sent the following response to their marketdroid. And yes, there IS a swear word in there--I have gotten quite PO'd at these people, and it probably shows. (While I don't normally cuss at somebody via a "push" medium such as email, I sincerely doubt I'm the first to have done so towards Conducent...)
 
To: regularr@+conducent.com

Hello,
Thank you for your reply. However, there are still some concerns that
need to be addressed (presented below:)
 

> >> We appreciate your concerns and assure you that we require/request of all
>our developers to articulate this message to users in the user agreement. If
>you know of an application that does NOT articulate this in the agreement
>please rpovide us with the specific app(s) and I will personally look into
>it. However, we are re-evaluating our statement langusage and will take your
>suggestions into account on this.

According to your web site, all TSADBOT-enabled apps must be personally
tested by the Conducent staff and meet certain criteria before being
made available to the public, one of which is the disclosure of the
advertising technology. (Ref:
http://www.conducent.com/integration-certchecklist.shtm)
If the software does not disclose the use of TSADBOT, wouldn't it fail
certification?

> >> TSADBOT is for the specific purpose of delivering advertising to
>individual applications. It merges with individual applications to
>accomplish this purpose, the two are tied together closely. TSADBOT does not
>have a seperate agenda that is unassociated with the delivery of advertising
>and is not to be treated as a seperate program by the computer or software.

If it were indeed tied as closely with the host application as stated, 
why is it installed BEFORE the host application, and why is it not
UNinstalled with the host application? Why is it installed even as the
user chooses "NO, I do NOT want to install this software"?

>Our intent is not to "Hide" our technology. As you may know, it is not
>unusual to run in the background as do many pieces of software. Even though
>some have the opinion that ad delivery is inappropriate we believe that the
>delivery, display and online/offline use of TSADBot is an appropriate use of
>the technology to efficiently deliver advertising to valuable users who wish
>to utilize free software.

True, some applications run "in the background", however, these are
typically Windows components--other background apps normally indicate
their presence via a Task Tray icon. The TSADBOT trojan does not simply
run in the background--it runs as a WINDOWS SERVICE, that is, tricks
Windows into thinking it is a system component (a la kernel32), and
ACTIVELY HIDES from the user. Not only does it not appear in the tray,
it does not even appear on the Ctrl-Alt-Del task list!! This software is
trying very hard not to be found--don't try to tell me otherwise.

> >> I believe that you have already indicated that you understand what
>TSADBOT does. [...]

I do now. Upon finding a stealthy Trojan Horse installed on my system
and transferring unknown data back upstream, do you suppose I want to
wait around for some company PR marketdroid (no offense) to tell me
"their version" of what this thing does? As it stands, I don't feel
you've been completely honest--this thing IS coded to hide and IS NOT
part of the host software (although it is used by it). According to the
research I've done on your trojan (including use of Filemon and Regmon),
the uninstallation instructions are also in error--the procedure
mentioned still leaves:
tsad.dll
vcpdll.dll
FlexActv.dll
in %windir% (the Windows directory).

> >> Our technology is tied to the host ad-supported application and is ONLY
>installed when that host app is installed. 
>I suggest that at some time you
>installed such an application and thereby utilized our technology.

This is BULLSHIT--I thought I had made this point very clear. As I have
tried hard to explain, NO. I DID NOT install this software! Loading an
installer binary does not constitute acceptance of the EULA nor
installation of the software!!

I sincerely doubt it results from any "previous installation", either.
The TSADBOT.EXE file was dated as follows: [CREATED: Saturday, April 29,
2000].
 

...>Also, No personal information is acquired about you or your machine. We
>follow strict privacy guidelines.

How can I trust this statement? Several of your other statements turned
out to be either deceptive or outright lies.
You still haven't told me the contents of the encrypted Registry key(s)
installed on my system:
HKEY_CURRENT_USER\Software\TimeSink,
Inc.\AdGateway\Channels\BzeFit\ChannelID = [08 6D 65 72 69 74 61 76 00
00 01 6B 08 17 1B 1D 15 17 15 56 54 02 50 56 11 36 38 1F 23 2F 1D 74]

(And no, simply presenting the ASCII representation of the hex data does
not constitute an explanation of the information it contains. Converting
hex -> ASCII is trivial; I've already done it and found nothing
decipherable.)
 

Thank you again for your time. In your next reply, however, please be
more honest.

Bill
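
The removal steps quoted in Conducent's reply, together with the three DLLs the message above reports as left behind in %windir%, can be turned into a remnant check. The following is an added example, not code from the original page or from Conducent: it scans a regedit export and a file listing for those artifacts. The function names, the sample export, the sample file list and the default `C:\WINDOWS` directory are constructed for illustration; the registry paths, file names and ChannelID bytes are the ones quoted on this page.

```python
"""Audit a regedit export and a file listing for the TSADBOT remnants named on this page."""
import ntpath
import re

# Registry keys from the vendor's removal steps, matched as case-insensitive
# prefixes so that "TimeSink, Inc." (the key the author found) is covered too.
KEY_PREFIXES = tuple(p.lower() for p in (
    r"HKEY_CURRENT_USER\Software\TimeSink",
    r"HKEY_LOCAL_MACHINE\Software\TimeSink",
))
# Autostart keys: the vendor names Run; the page's background note says Run/RunServices.
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)}
PROGRAM_DIR = r"C:\Program Files\TimeSink"
# DLLs the author reports are still in %windir% after the vendor's steps.
LEFTOVER_DLLS = ("tsad.dll", "vcpdll.dll", "flexactv.dll")

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg_export(text):
    """Yield (key, None, None) for each key line and (key, name, data) for each value."""
    key, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif line.endswith("\\"):
            pending = line[:-1]      # hex: data wraps with a trailing backslash
        else:
            m = VALUE_RE.match(line)
            if m and key is not None:
                yield key, m.group(1) if m.group(2) is None else "@", m.group(3)


def audit_registry(export_text):
    """Return (kind, location) findings for TimeSink keys and autostart values."""
    findings = []
    for key, name, data in parse_reg_export(export_text):
        low = key.lower()
        if name is None:
            if low.startswith(KEY_PREFIXES):
                findings.append(("registry-key", key))
        elif low in AUTOSTART_KEYS:
            # The vendor's path ends in "Run\TimeSink"; also catch any value
            # whose data still points at the executable under another name.
            if name.lower() == "timesink" or "tsadbot" in data.lower():
                findings.append(("autostart-value", key + "\\" + name))
    return findings


def audit_files(paths, windir=r"C:\WINDOWS"):
    """Return (kind, path) findings; windir defaults to an assumed C:\\WINDOWS."""
    prog = ntpath.normcase(PROGRAM_DIR)
    win = ntpath.normcase(ntpath.normpath(windir))
    findings = []
    for p in paths:
        norm = ntpath.normcase(ntpath.normpath(p))
        folder, base = ntpath.split(norm)
        if base == "tsadbot.exe":
            findings.append(("executable", p))
        elif norm == prog or norm.startswith(prog + "\\"):
            findings.append(("program-folder", p))
        elif folder == win and base in LEFTOVER_DLLS:
            findings.append(("leftover-dll", p))
    return findings


# Constructed sample export: key names and ChannelID bytes are quoted from this
# page, the Run value's data and the SystemTray entry are made up.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\TimeSink, Inc.\AdGateway\Channels\BzeFit]
"ChannelID"=hex:08,6d,65,72,69,74,61,76,00,00,01,6b,08,17,1b,1d,15,17,15,56,\
  54,02,50,56,11,36,38,1f,23,2f,1d,74

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"TimeSink"="C:\\Program Files\\TimeSink\\TSADBOT.EXE"
'''

# Constructed file listing (for example, captured from a recursive directory listing).
SAMPLE_FILES = [
    r"C:\WINDOWS\tsad.dll",
    r"C:\WINDOWS\VCPDLL.DLL",
    r"C:\WINDOWS\FlexActv.dll",
    r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",
    r"C:\Program Files\TimeSink\AdGateway\cache.dat",
    r"C:\Quarantine\TSADBOT.EXE",
]

if __name__ == "__main__":
    for kind, where in audit_registry(SAMPLE_EXPORT) + audit_files(SAMPLE_FILES):
        print(f"{kind:16} {where}")
```

The key prefixes are deliberately loose, so a hit is a prompt for manual review rather than proof that the entry belongs to TSADBOT.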

It took awhile, but the Conducent PR machine issued forth another reply with nothing new to say (more damn backpedalling), but it does sound like they're getting rather annoyed with me :) (rest assured folks, the feeling is mutual).
 
 
 
From:  regularr@+conducent.com
Subj: A message to Conducent.

>According to your web site, all TSADBOT-enabled apps must be personally
>tested by the Conducent staff and meet certain criteria before being
>made available to the public, one of which is the disclosure of the
>advertising technology. (Ref:
>http://www.conducent.com/integration-certchecklist.shtm)
>If the software does not disclose the use of TSADBOT, wouldn't it fail
>certification?

** This is correct, but there is human error to account for and to date we
have not experienced one that has been missed. This is why I would like to
know of one that you may have found.

Quick, quick, slow; quick, quick, slow.... Everybody step along now, as we dance around the issue! This is rather disingenuous; I have myself seen several apps that fail to disclose use of the ad-trojan. Has anyone out there actually found a Conducent app that comes out and says, "Hey! Installing this software will place a stealthy Trojan Horse on your system you can't get rid of. OK to continue?" Of course, even if you choose "NO!", it is installed anyway....

>If it were indeed tied as closely with the host application as stated,
>why is it installed BEFORE the host application, and why is it not
>UNinstalled with the host application? Why is it installed even as the
>user chooses "NO, I do NOT want to install this software"?

** The installation before is simply to reduce work for the software
developer and reduce overall byte size of the installation. As you may know
the size of a developers client is a serious consideration due to download
time.

If you cancel installation after it has begun our technology is already
installed and must be deleted manually. This is being upgraded to be
automatic with our new technology to be released next month.

Erm, how would deleting an unwanted component affect download time?  ...OK, folks, we'll see if a less user-hostile "upgrade" is really available next month. This message is dated Fri, 9 Jun 2000. Surfers, start your calendars!

>True, some applications run "in the background", however, these are
>typically Windows components--other background apps normally indicate
>their presence via a Task Tray icon. The TSADBOT trojan does not simply
>run in the background--it runs as a WINDOWS SERVICE, that is, tricks
>Windows into thinking it is a system component (a la kernel32), and
>ACTIVELY HIDES from the user. Not only does it not appear in the tray,
>it does not even appear on the Ctrl-Alt-Del task list!! This software is
>trying very hard not to be found--don't try to tell me otherwise.
 

** Once again I stress that our intent and purpose is not to hide. We are
not a consumer or seperate brand application that has an individual purpose.
We are integrated technology used by the host application to perform
functions associated with owning their application. There is no purpose to
being displayed in the tray or task window. If you choose to terminate the
activity of TSadbot simply uninstall the ad-supported software.

*Sigh* Some people just never learn...

>NO. I DID NOT install this software! Loading an
>installer binary does not constitute acceptance of the EULA nor
>installation of the software!!
>
>I sincerely doubt it results from any "previous installation", either.
>The TSADBOT.EXE file was dated as follows: [CREATED: Saturday, April 29,
>2000].
 

** I do not wish to debate this with you, I simply recommend that you delete
the host app, or other associated pieces if you DO NOT wish to have it on
your machine. We in NO WAY are attempting to insist that the ad-supported
app or TSADbot should remain on you system and you are free to remove it.

Good. Am I then free to invoice you for my hours of time spent researching your spyware app, running it under FileMonitor for a dependent-file list, removing the files, cleansing my Registry.... Computer consultant time doesn't come cheap, guys.

>You still haven't told me the contents of the encrypted Registry key(s)
>installed on my system:
>...
 

*** I appreciate that you are concerned about your privacy and believe it or
not we adhere to strict guidelines that prohibit us from collecting
"personally-identifiable" information. The ID assigned to your machine
simply allows us to know which ads you saw and clicked on.

>Bill
>
>(Note: Please CC replies to legal@+cexx.org.)

No CC: to legal@+cexx.org. Not a major issue by any means, but perhaps worthy of note.

*** I hope I have been helpful.

Regards,

Bob

If hope was horses...
 

For a long time, that was the end of the story. Much later (about 6 months), the following appeared in my inbox.
 
From: "Matt *****" <*****@conducent.com>
Subject: Not read: 2nd Notice regarding TSADBOT trojan on my system.
Date: Thu, 21 Dec 2000 11:09:35 -0500
Your message

    To:  abuse@+conducent.com; regularr@+conducent.com
    Cc:  legal@+conducent.com; legal@+cexx.org
    Subject:  2nd Notice regarding TSADBOT trojan on my system.
    Sent:  5/12/2000 1:57 AM

was deleted on 12/21/2000 11:09 AM.

     Attachment: attach3 (235b)

Really though, I'm just glad to be done with these creeps :) And that's about the end of the story so far. If anything new crops up, I'll add it here. BTW, in light of this ad-trojan onslaught, be on the lookout for some new adware detection & removal software I'm working on (when I'm not really working, that is :).
 



Email addresses have been +munged to make things hard on spammers. These messages are otherwise un-edited (e.g. any spelling bugs present in the originals are present here). And for the last time, No, you cannot have a copy of CXMAILBOT! :)