Description Of The Spyware Bundled With Kazaa

A:link { COLOR: #000000; TEXT-DECORATION: none } A:active { COLOR: #000000; TEXT-DECORATION: none } A:visited { COLOR: #000000; TEXT-DECORATION: none } A:hover { COLOR: #ffffff; BACKGROUND-COLOR: #666666; TEXT-DECORATION: none } BODY { FONT-WEIGHT: bold; FONT-SIZE: 10pt; FONT-FAMILY: verdana } TD { FONT-WEIGHT: bold; FONT-SIZE: 10pt; FONT-FAMILY: verdana }

Kazaa And Spyware - A History

If you're one of the 200 million people who've downloaded a copy of the Kazaa Media Desktop over the past few years, then your computer is probably infected with one of the following nasties:

Cydoor (Advertising)
Cydoor has cleaned up its act considerably since previous versions of its software. Previous versions left it up to the host application's vendor to disclose (or not) that Cydoor ad components were being installed, leading to a finger-pointing loop in cases where the software was not disclosed. Additionally, previous versions used a GUID to track individual users across multiple sessions. This has been removed from the current version, as verified by our tests and information on the Cydoor website. Cydoor's components now come with an uninstall feature that was not present in earlier versions.

Save Now (Spyware)
A single process run at startup which monitors open IE windows and opens adverts when it sees targeted URLs and terms entered into forms.

SaveNow keeps a list of URLs and terms it is interested in on disk, in the file 'SaveNow\savenow.db' in Program Files. This file is obfuscated but it is trivial to decode.* The (large - often over a megabyte) file maps from these targets to adverts to serve, which are downloaded through Akamai's proxies.

As well as downloading the pop-up ads, SaveNow connects to WhenU's servers to log the ad impression. It passes the name of the affiliate software which installed the software, the ID of the advert being shown, and the site URL or term that caused the pop-up to be triggered.

Dlder.exe (Adware)
Noted as a Trojan by some antivirus programs (W32.DlDer.Trojan), this little nasty tracks your web surfing and uploads this information to a website (now apparently shut down). It can also download and activate executable files. You can expect to find a file called explorer.exe in your system directory (note that a legitimate Windows file is also called explorer.exe, but that is in main windows directory.
CommonName toolbar plug-in (Adware)

CommonName is marketed as a 'keywords' service, allowing one to enter simple names insatead of URLs. After its original release, the software has become a complicated (and sometimes buggy) search-hijacker and adware, aggressively bundled with many third-party apps. All variants except Toolbar connect to their controlling servers once a day, who may ask them to open pop-under advertising. They also change search settings to point to commonname.com.

Cookies are used to identify you when requests are made to CommonName. This may occur when the advertising is opened, a keyword is entered into the address bar.
When you visit a URL whose top-level-domain the CommonName/Agent or Mib software does not know about (eg. alternative TLDs or intranet hostnames; CommonName/Agent also does not know about .edu, .mil, .int, .su and .gb), a request is also made. This could allow users to be tracked across web site visits.

PgMonitor (Unknown)
PgMonitr caused an error in pgsdk.dll - delete via Add/Remove Programs.

Delfin Media Viewer (Adware)
"DelFin Media Viewer delivers advanced "TV-like" rich-media entertainment free during "latent times". Latent times are the unavoidable times you are captive and waiting for a computer to dial-up and connect to the Internet. DelFin Media Viewer fills this void with targeted, personalized rich media entertainment in the form of movie trailers, music, music videos, TV shorts and game previews." - delete via Add/Remove Programs.

Fastseeker toolbar (Spyware)

An IE toolbar offering search features, it illegaly monitors what sites you visit and pops up sponsored "deals" when products/shopping/etc.

DownloadWare (Unknown)
http://and.doxdesk.com/parasite/DownloadWare.html

The site no longer exists, but some choice quotes included:

"...The EULA, when found, claims that it may clash with various other software and so if it finds any it will remove it. (!)..."

"...As well as removing DownloadWare you should check your system for other things it has installed and get rid of them too..."

Dw.exe (Unknown)
Causes invalid page faults.... remove via Add/Remove Programs.

Hot Text, Top Text, Ezula, ContextPro (Adware)
...Yellow underlining on web pages...

It can be removed via Control Panel, add/remove programs. Search for "eZula-README.html" on your computer. This file contains information from Kazaa about the ...service.

Causes the error:
Explorer caused an invalid page fault in EABH.DLL

Removal instructions can be found here:
http://www.whirlywiryweb.com/removeezula.htm
http://ezula.com/TopText/Help.asp#7

ClickTheButton (Adware)

ClickTheButton is described as a price comparison service. It detects when you are visitng a known shopping site and provides sponsored links to competitor sites. It runs as a process on startup (ctbclick.exe) and installs a number of extra DLLs.

Contact/Submit theNSAisWATCHIN News Monster Images Archive News Monster Archive
The Frances Farmers Revenge Web Portal