Spyware Hall of Shame

This page is not all-inclusive. I just chose to discuss some of the more "popular" and insidious spyware programs. There are hundreds of different spyware programs proliferating across the Internet, and possibly thousands of different versions of them. This page includes a few of the worst offenders, with short descriptions of what they do and how they can be removed. While some specific removal procedures are listed here, the next section will talk about removing spyware using other programs. A longer and more detailed list of known spyware can be found on cexx.org's adware page.


Gator Offer Companion
What it says it does: Gator presents itself to the user as a form manager that remembers data entered in web forms so the user doesn't have to retype everything the next time they visit the form. This is pointless, because most browsers (including IE5 and Mozilla 1.x) already feature an auto-fill option or a form manager.
What it also does: It downloads ad banners from the GAIN ad server and displays them on top of the legitimate banners on ANY website a user with an infected computer visits, taking advertising revenue away from webmasters. It also "phones home" with a list of the websites visited.
How it is installed: It is bundled with third-party software (Audiogalaxy Satellite, Snnod, to name a few) and also through ad banners (this is often called a "drive-by download"). I've seen a few GAIN advertisements in popup ads on Yahoo! Mail that have prompted me to install Gator. This is only because I have my browser set to prompt me before running any ActiveX content; if I had used the default setting, Gator would have installed itself automatically.
Removal procedure: a general removal procedure is given at scumware.com, but Gator creates many files and registry entries that this procedure misses. Gator is completely removed by both Ad-Aware and Spybot Search & Destroy.
For more information: gator page at cexx.org


eZula TopText
What it says it does: It claims to "turn every site into a search engine" by turning words on web pages into links.
What it really does: eZula sells keywords to advertisers, and whenever a computer infected with the program visits a page containing one of those words, it turns the word into an ugly yellow link to the advertiser's website. Much of the time these websites are irrelevant or even offensive to the user or the webmaster. For example, a porn site could buy the keyword "children" and thus direct unsuspecting visitors to its site, or a business could buy the keyword for a product it makes and thus advertise on its competitors' websites.
How it is installed: It is bundled with third-party software including KaZaa Media Desktop and Go!Zilla.
Removal procedure: scumware.com has the full removal procedure (look at the number of steps it takes!). It can also be removed using Ad-Aware or Spybot.
For more information: scumware.com has a full description of the program and how it works.


WebHancer
What it says it does: Nothing. It has no user interface.
What it really does: It makes registry changes and installs itself as a Winsock layered service provider (LSP), so that every inbound and outbound packet on the machine passes through it on the way between the application and the network.
How it is installed: Third-party software, including Audiogalaxy Satellite.
Removal procedure: It is very difficult to remove, as some versions are not listed in Add/Remove Programs. Do not simply delete the webhance.exe file and the rest of its files: the Winsock chain still points at the missing component, so the computer can no longer send or receive packets and Windows may crash on startup. Ad-Aware or Spybot will remove it safely. If networking is already broken after a manual deletion, cexx.org's LSP-Fix utility repairs the Winsock chain.
For more information: webhancer at cexx.org


RealDownload
What it says it does: Acts as a download manager that will help resume broken downloads.
What it also does: Sends a report of every download, including a personally identifying Windows GUID.
How it is installed: Part of the RealPlayer default installation. During installation, you can choose not to install it.
Removal procedure: Go to Start, then Settings -> Control Panel. Click on Add/Remove Programs. Select RealDownload from the list. Click Uninstall Program. It is not removed by Ad-Aware or Spybot.
For more information: grc.com has a detailed analysis of the information RealDownload sends, as well as claims made by RealNetworks.


Bonzi Buddy
What it says it does: Appears to be a friendly "screen mate" for the user. It gives "tips" and tells the user about websites they can visit.
What it also does: Hijacks IE, meaning that it changes the page IE opens when it starts up (the "Start Page" value stored under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main). If the user changes the homepage back, the next time they start their browser they are greeted with a prompt asking whether they want to set Bonzi Buddy's page as their homepage. Whether they choose yes or no, it becomes their homepage. It also keeps track of the user's web-browsing behavior, and downloads and installs other programs without asking the user first.
How it is installed: Third-party software, as well as "drive-by downloads" in ad banners.
Removal procedure: Add/Remove Programs does not fully remove this program, and the pieces left over will reinstall the main program. Ad-Aware and Spybot both remove it safely.


Brilliant Digital Entertainment (BDE)
What it says it does: Has no user interface. It is vaguely alluded to in the KaZaa Media Desktop EULA.
What it really does: Creates a secret peer-to-peer (p2p) network underneath the KaZaa p2p filesharing network. Unlike KaZaa, the user has no direct access to this network. The BDE p2p network is used to serve advertisements for KaZaa and other advertising-based software: it downloads ads onto an infected computer and uses that computer's Internet connection to serve the advertisements to other people. It works in conjunction with DoubleClick, one of the worst online advertisers (who I discuss in the "Browsing" section). Because this program opens direct connections between the user's computer and machines the user does not control, and fetches whatever the BDE ad server tells it to, it creates a GAPING security hole: whoever controls that server controls every infected computer. For example, if a hacker breaks into BDE's main ad server, then when the BDE program on all the infected computers phones home, the hacker can send the users all sorts of malicious files, like viruses, trojans, and worms. The specific information BDE phones home with is unknown, but presumably includes the type of OS, disk capacity, and Internet connection speed.
How it is installed: It is bundled with KaZaa. There is a brief mention in the KaZaa EULA of a program that will help better serve advertising and that MUST be installed along with the main KMD application. When installing KaZaa, the user can select certain components to also be installed, and BDE is listed as one of these components; however, if the user unchecks the box next to BDE, they will not be able to install KaZaa.
Removal procedure: KaZaa WILL continue to function without BDE. You can use Ad-Aware or Spybot to automate the removal process, or you can manually delete the files it installs, which will be scattered around your hard drive. cdfreaks has a page with more information and removal procedures.
That page also contains directions for removing BDE's entries from your Windows Registry. You MUST remove these entries to ensure that other software is not affected. To modify the Windows Registry, shut down all programs, then go to Start -> Run and type in regedit. This opens a program called Regedit, which, quite literally, allows you to edit the registry.

A note of caution: before doing ANYTHING to the Registry, back up your current version. If you edit the wrong entries, some other software may cease to work. You can do this in Regedit by going to Registry in the top menu (File in Windows XP), clicking "Export Registry File," making sure "All" is selected under Export range, and choosing the folder and file name for the backup.

A note about files with a .reg extension: double-clicking a .reg file (as opposed to opening it in a text editor) merges the entries in the file into your registry after a single yes/no confirmation, and running regedit /s on the file merges it with no prompt at all. Merging your backup later will overwrite every value the backup contains, undoing any changes you made to those values since the export; it cannot remove keys or values that were added after the export (a .reg file only deletes things when it contains explicit deletion entries), so treat the backup as a way to restore values you changed, not as a complete rollback.

Finally, to search for registry entries, click on Edit in the Regedit menu, then Find. To delete an entry, right-click on the "key" in the left frame and select "Delete"; to delete a single value inside a key, right-click on the value in the right frame instead.
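The following is an added example, not code from the original page or from any of the tools it mentions. It previews what a .reg file would do before it is merged, which addresses both the warning above about double-clicking .reg files and the Bonzi Buddy homepage hijack described earlier: it parses the same text format that Regedit exports and imports, lists every key and value the file would create, overwrite or delete, and flags operations that touch the Internet Explorer Start Page or the Windows Run (auto-start) keys, where homepage hijackers and spyware restart entries live. The sample .reg text is constructed for the example; the program name "ExampleSpyware" in it is hypothetical, while the Internet Explorer\Main and CurrentVersion\Run paths are the real registry locations.

```python
"""Preview what merging a Windows .reg file would do, without touching the registry.

Added example for this page, not code from the original or from any tool it
mentions. It parses the text format Regedit exports and imports and lists each
operation a merge would perform, so a .reg file can be reviewed before it is run.
"""
import re
from dataclasses import dataclass

# Headers Regedit accepts: REGEDIT4 (Windows 9x/NT4) and Version 5.00 (Windows 2000+).
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Key paths where homepage hijackers and spyware auto-start entries live
# (HKEY_* prefix omitted so the check covers both HKCU and HKLM).
SENSITIVE_KEYS = (
    r"\Software\Microsoft\Internet Explorer\Main",      # holds IE's "Start Page"
    r"\Software\Microsoft\Windows\CurrentVersion\Run",  # also matches RunOnce etc.
)

_KEY_LINE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")
_VALUE_LINE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

@dataclass
class RegOp:
    action: str     # add_key, delete_key, set_value or delete_value
    key: str        # full key path, e.g. HKEY_CURRENT_USER\Software\...
    name: str = ""  # value name ("@" = the key's default value; "" for key ops)
    data: str = ""  # value data exactly as written: "string", dword:..., hex:...

def _join_continuations(lines):
    """Rejoin hex:... data that Regedit wraps over several lines with a trailing backslash."""
    joined, buf = [], None
    for line in lines:
        buf = line if buf is None else buf + line.strip()
        if buf.rstrip().endswith("\\"):
            buf = buf.rstrip()[:-1]   # drop the backslash and keep accumulating
        else:
            joined.append(buf)
            buf = None
    if buf is not None:
        joined.append(buf)
    return joined

def _value_name(token):
    """Quoted value name from the file -> real name; the default value is written as @."""
    return "@" if token == "@" else re.sub(r"\\(.)", r"\1", token[1:-1])

def parse_reg(text):
    """Parse .reg text into the ordered list of RegOp that a merge would apply."""
    lines = _join_continuations(text.lstrip("\ufeff").splitlines())
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / Version 5.00 header")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        m = _KEY_LINE.match(line)
        if m:                                      # [-HKEY...] deletes the whole subtree
            key = m.group(2)
            ops.append(RegOp("delete_key" if m.group(1) else "add_key", key))
            continue
        m = _VALUE_LINE.match(line)
        if m and key is not None:
            name, data = _value_name(m.group(1)), m.group(2).strip()
            if data == "-":                        # "name"=- removes the value
                ops.append(RegOp("delete_value", key, name))
            else:                                  # anything else creates or overwrites it
                ops.append(RegOp("set_value", key, name, data))
            continue
        raise ValueError(f"unrecognised line in .reg file: {raw!r}")
    return ops

def sensitive_ops(ops):
    """Operations that touch the IE start page or the Windows auto-start keys."""
    return [op for op in ops if any(s.lower() in op.key.lower() for s in SENSITIVE_KEYS)]

# Constructed sample: a cleanup file undoing a homepage hijack and an auto-start
# entry. "ExampleSpyware" is a hypothetical name; the other paths are real.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; put the hijacked Internet Explorer start page back
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"

; remove only the spyware's entry from the Run key, not the key itself
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleSpyware"=-

; delete the spyware's own settings key and everything under it
[-HKEY_CURRENT_USER\Software\ExampleSpyware]
"""

if __name__ == "__main__":
    for op in parse_reg(SAMPLE_REG):
        flag = "SENSITIVE " if sensitive_ops([op]) else ""
        print(f"{flag}{op.action:13} {op.key} {op.name} {op.data}".rstrip())
```

Exports from Windows 2000 and later are UTF-16 text with a byte-order mark, so read them with open(path, encoding="utf-16") before passing the text to parse_reg; REGEDIT4 files from Windows 9x are plain ANSI text. The point of the flagging is that a merge touching the Start Page or a Run key deserves a second look whichever direction it goes: a cleanup file should be resetting or deleting those entries, while a file that sets them to something unfamiliar is exactly how a hijack gets (re)installed.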

