This program is supposed to remove the adware mentioned below, we have not tested it so use it at your own risk.
News: As of today 7/7/00 We had to remove the doubleclick.net block because it was causing web pages to fail and all sorts of other problems with displaying pages. It appears there isn't a good way we can protect you from their spying eyes yet.
News: As of today 7/4/00 Netlink services is declaring independence from the net trackers. Namely Aureate and Doubleclick. What we have done is create domains with these names in our dns servers and aimed them at null. Basically this should prevent these organizations from invading your privacy with their most common methods.
Web bug code such as http://ad.doubleclick.net/activity; will no longer function if you are using our dns servers. This basically means that some ads may show up as blank when you go to certain websites. It also means that these spys will not be able to track you from one site to the next. If this causes problems for you please let us know.
-------------------------------
prior news:
Netlink has learned of an activity by a company called aureate.com to monitor users activities on the internet without the knowledge of those users. As a result we have blocked access to their network temporarily in an attempt to protect our users privacy. This may or may not be enough to protect your privacy and we suggest you research this issue yourself, but we are trying to do what we can. (this isn't the only privacy issue on the net, read here for more)
These are some of the files the Aureate spy installs on your system, if you have them you may be compromised by their spy program. Amstream.dll and advpack.dll are also installed by valid MS software so if you only have those two then you don't need to worry. georger@nls.net
> adimage.dll
> advert.dll
> advpack.dll (modified version of the MS dll for multimedia)
> amcis.dll
> amcis2.dll
> amcompat.tlb
> amstream.dll (modified version of the MS dll for multimedia)
> anadsc.ocx
> anadscb.ocx
> htmdeng.exe
> ipcclient.dll
> msipcsv.exe
> tfde.dll
from http://federalcourts.com : (check there for news after 2/26/00 when I copied this)
FederalCourts.com Press -
By Deborah Hirshberg
Dale Haag, President of Net-Defender, Inc., a Computer Security and Forensics
Investigation firm based in Seabrook, Texas, has made a discovery few of us wish
to hear about. Especially given the most recent outbreak of criminal activity on
the Internet. Denial of Service attacks and the clandestine monitoring of user
activities are creating negative connotations for the future of the Internet.
Haag's allegations involve the practices of one Media Advertising company that
specializes in integrating banner advertising into desktop software. Through the
use of software components installed unknowingly by end users during the
installation of legitimate software packages, users may be unsuspectingly giving
access to not only their private Internet surfing habits, but access to their
system as well.
Haag's allegations, in essence, send a chilling statement that "Big Brother
is Alive and Well." At least in this case, "Big Brother" is a
private corporation. The company, Aureate Media Corporation, through its desktop
advertising software, appears to be violating the privacy and security of the
unsuspecting victims who have downloaded products containing Aureate Media's
software. These findings may be a major blow to Aureate Media Corporation, an
electronic media and software services company, whose website promotes that it
"distributes content to consumer desktops." Aureate Media also
promotes itself as a company that brings together software developers and
publishers, advertisers and consumers to deliver "value to consumers,
generate new revenue streams for software providers and offer a highly targeted
market to advertisers."
According to Haag's allegations, the means by which Aureate Media performs its
services, and thus leads to the privacy concerns, begins with the installation
of one or more software programs that a user may wish to use on their own
computer. The developers of these software programs, who have contracted with
Aureate Media to receive revenues for including advertising into their programs,
install Aureate Media's proprietary software into the programs that will be
installed onto an end user's computer. Aureate Media in turn, has contracted
with advertisers who pay to have banner advertising displayed on the desktops of
these users.
According to Haag, when the user launches the program
containing the Aureate Media software, the software collects data about the
user's computer and sends this data to Aureate Media's servers for collection
and analysis. The data that is collected includes, but may not be limited to, A
unique ID assigned to the system the software has been installed upon; the
user's Internet address which can be used to determine the geographic location
of the user; a listing of the software packages that have been installed on the
user's computer; a listing of the websites visited by the user; advertiser
banners that the user clicks on while connected to the Internet; names and
rating levels of files downloaded to the user's machine; and actions the user
performs while connected to the Internet.
Haag has identified several files specifically associated with Aureate Media's
services. Many of these files are what software developers term as "Dynamic
Link Libraries", or DLL's, these files are used by a computer program to
assist in the functionality of a program. These files are installed on a user's
computer at the time the user installs software programs where the developers
have contracted with Aureate Media. In this case, these files are the key to the
security and privacy violations that are alleged by Haag. Other violations that
include what Haag alleges to be unauthorized, and possibly illegal, access of
your system, include altering your Web browser software such that Aureate's
software runs anytime the browser is opened, and performing unauthorized
communications with and updating from the Aureate servers.
Haag is of the opinion that the actions performed on behalf of Aureate in these
programs may be found to be in violation of many, if not all, State Computer
Crime Statutes, including those in Texas. An example of the software programs
that are known to contain the above Aureate Media files include: Acorn Email
Add/Remove Plus! Auction Explorer Aureate SpamKiller CuteFTP 3.0 DigiBand
NewsWatch DigiCams - The WebCam Viewer Go!Zilla JOC Email Checker JOC Web
Spider; LapLink FTP Aureate Media publicly claims to have over 365 software
programs that currently make use of and install their software.
What laws that may be violated by the functions of the software used by Aureate
Media have yet to be determined. Analysis is currently underway by a group of
approximately sixty technical and legal professionals around the nation to
determine whether the practices of Aureate Media may be in violation of Federal
or State Computer Crime Laws. Attorney Jeff Wilens, a California based Attorney
who has been working on privacy related issues, believes that a federal claim
against such practices may be problematic due to the existing limited Federal
Computer Crime Laws. State laws regarding actions such as those allegedly taking
place with the Aureate Media software have yet to be applied in situations such
as this.
Users who download software products from the Internet are often receiving a
"demo" or Evaluation version of the product. These versions generally
have limited functionality, or have many of the full functioning features turned
off until such time as the user purchases the product or otherwise agrees to
continued use under specified conditions. CuteFTP, developed by GlobalScape, a
popular file transfer protocol package that enables users to upload and
download, or transfer files over networks, is an example of a product that
provides an evaluation version for download. GlobalScape authorizes unlicensed
use of its CuteFTP product during an evaluation period of 30 days. GlobalScape
has also contracted with Aureate Media to include banner advertising displays in
its product while launched on a user's desktop during the 30-day evaluation
period.
Although CuteFTP is a well respected product with a great following of users,
what is of concern regarding the CuteFTP and Aureate Media alliance (as well as
Aureate Media's practices with other software developers) is that while users
are transferring files using CuteFTP, in the background Aureate Media is
transferring information from the user's computer, (see previous information
provided above), and uploading that information to its servers.
Haag's allegations were observed and documented first hand here at
FederalCourts.com while we uploaded the website files of FederalCourts.com to
our servers using CuteFTP, and observed the network traffic from our machine
using a network monitoring program called "Netmon", developed by a
Swedish programmer, Johan Samuelson. Samuelson developed Netmon to allow a user
to monitor network traffic while connected to the Internet. Netmon augments the
functionality of a utility included with the Windows operating system called
"netstat" and provides a graphical conversion of the utility
displaying the IP, or Internet Protocol addresses, of all network traffic going
in and out of a user's connection to the Internet. While uploading our files to
FederalCourts.com, it was observed through Netmon that network traffic was being
sent to Aureate Media's servers. However, network traffic wasn't just being sent
to Aureate Media's servers. Traffic patterns observed included traffic to IP
addresses of the banner advertisers whose banners were displayed on CuteFTP, as
well as IP addresses of companies whose advertisements were not being displayed.
Thus, given Haag's allegations, it appears that Aureate Media is not only
gathering more information than what they admit to on their website or through
investigative reporting, but that they are also generating network traffic to
other advertisers servers. Haag also expressed concerns over the fact that
Aureate's software continued to run after the evaluation copy of the software
was properly registered, or even removed from the system.
Haag explained his concerns to this reporter "Users are accustomed to
advertisers using Cookies to gather marketing data, and are aware of how to
disable or block these Cookies from being sent to their systems. However, the
Aureate software does not utilize Cookies as it is installed to and actually
running on the users system. Aureate has found a way around the users ability to
effectively and knowingly disable the collection of marketing data". Haag
additionally commented, "My concerns are that by introducing this software
onto a users computer without the effective consent or knowledge of the user,
security risks are also being introduced to the end users machine. Because
Aureate has the ability to update their software remotely, a knowledgeable
hacker may exploit this functionality and subvert it to their own uses".
In an email response received by an end user, and forwarded to this reporter, by
Jeremy J. Newton, VP Sales Aureate Media Corporation, regarding the allegations
that the Aureate software alters and modifies the users browser in such as
manner that Aureate's software will run when the browser is opened, and does so
using a hidden window, Newton explained, "This is true, but this happens
because of the way that Microsoft Windows networking works. You will find that
in running almost any windows program that hidden windows are created as this is
how the OS was designed".
We have not yet been able to substantiate this claim with Microsoft.
More information from other sources:
forwarded information-------------
As soon as i got this email I checked it on my system.I have installed 3 of the
offending applications (calypso email,cuteftp,3d-ftp) and I have found some of
the .dll´s installed on my system too. I started checking and sure enough,as
soon as I opened my browser I checked netstat and I got this connection
establiushed:
Connection Information
IP:216.37.13.140
Hostname:ad2-1.aureate.com
Local Port:2651
Remote Port: 1975
Protocol:TCP
Status Code:Established
Status Description: Connection has been established, connection is active
What got my attention was that the port changes from the one especified on
Dale Haag´s original email.
===============================================
||
Tito_C
||
||
www.hven.com.ve
||
||
tito_c@hven.com.ve
||
|| PGP Key ID: 0x6DD1A00F
||
===============================================
*********** REPLY SEPARATOR ***********
>> -----Original Message-----
>> From: Edward (Ted) Burton [mailto:egburton@CONSULTBURTON.COM]
>> Sent: Monday, February 21, 2000 2:02 PM
>> To: Lawyers and the Internet
>> Cc: Craighead, Paula
>> Subject: [NET-LAWYERS] Aureate Spy
>>
>>
>> While I am not a Windows user, the following information has popped
>> up on the LawTech list and is of some interest to attorneys who wish
>> to not leave a paper trail out there on the Internet for commercial
>> use by others.
>>
>> According to Dale Haag, <dhaag@NOL.NET>
>>
>> The following is a listing of all software known to install the
>> Aureate spy on your system. The Aureate spy keeps track of your
>> Internet activities and sends a report to Aureate every time you open
>> your browser. The Aureate spy places the following files on a Windows
>> machine. [It is not known, yet, to affect Macintosh or Linux
>> machines.]
>>
>> The installed files are some or all of:
>>
>> adimage.dll
>> advert.dll
>> advpack.dll
>> amcis.dll
>> amcis2.dll
>> amcompat.tlb
>> amstream.dll
>> anadsc.ocx
>> anadscb.ocx
>> htmdeng.exe
>> ipcclient.dll
>> msipcsv.exe
>> tfde.dll
>>
>>
>> ========== ========== ========== ==========
>> Dale said:
>>
>> OK folks, living up to my reputation as a "bulldog" when I
get my
>> teeth into something, I have been busy "reviewing" the
contents and
>> code contained in the DLL's that Aureate makes use of. Here are a
>> few of my findings up to this point:
>>
>> advert.dll
>> =======
>>
>> This DLL creates a hidden window every time you open your browser. It
>> creates and sends 4 pages of information to the Aureate servers using
>> port 1749 on your system, these pages include:
>>
>> 1. Your name as listed in the system registry ( not the name you
>> installed one of the programs with )
>> 2. Your IP address
>> 3. The reverse DNS match of your address. ( tells them what ISP and
>> area of country you are in )
>> 4. A listing of ALL software that is shown in your registry as being
>> installed. ( Not just the companies they work with )
>> 5. This DLL sends the following information to their server on all
>> URL's you visit:
>> A.) ad banners you may click on
>> B.) all downloads you do showing the
filename/file
>> size/date/time/type of file(image, zip,executable, etc)
>> C.) full time and date stamps of all your
actions while
>> using your
>> browser
>> D.) the remote dialup number you are
dialing in on (taken out of
>> your dialer configuration)
>> E.) dialup password if saved, does not
"appear" at first glance
>> to send this through to them.
>> 6. Contains programmers note: "Show me the money! I
want to
>> be Mike!"
>>
>>
>> advpack.dll
>> =========
>>
>> Used during the installation only to check for other needed files.
>> amcis.dll
>> =======
>>
>> This DLL modifies the following registry keys:
>> 1. HKEY_CURRENT_CONFIG
>> 2. HKEY_DYN_DATA
>> 3. HKEY_PERFORMANCE_DATA
>> 4. HKEY_USERS
>> 5. HKEY_LOCAL_MACHINE
>> 6. HKEY_CURRENT_USER
>> 7. HKEY_CLASSES_ROOT
>>
>> Unregisterss oleaut32.dll from memory as provided by M$oft and
>> replaces with its own calls. Switches back to M$oft's when browser is
>> closed. Creates stub processes to be started anytime your browser is
>> opened.
>>
>>
>> amcompat.tlb
>> ===========
>>
>> This guy tracks any multimedia clips ( video/pictures/sound ) that
>> you view It tracks the rating level on the video/picture/sound and
>> title / location Contains references to DblClick ( still digging on
>> this one! )
>>
>>
>> amstream.dll
>> ==========
>>
>> Setups TWO way communications between your system and theirs.
>> Used to send info and receive update commands/files
>> Open port 1749 for communications
>>
>> ==================================================
>>
>> The programs that are known to install the Aureate spy are:
>>
>> 123Search
>> 3d Anarchy
>> 3D-FTP
>> 3rd block
>> Abe's FTP Client
>> Abe's Image Viewer
>> Abe's MP3 Finder
>> Abe's Picture Finder
>> Abe's SMB Client
>> Access Diver III
>> Acorn Email
>> AcqURL
>> ActionOutline Light 1.6
>> Active 'Net
>> Add URL
>> Add/Remove Plus!
>> Address Rover 98
>> Admiral VirusScanner
>> Advanced Call Center
>> Advanced Maillist Verify
>> AdWizard
>> Alive and Kicking
>> alphaScape QuickPaste
>> ASP1-A3
>> Auction Explorer
>> Aureate Group Mail
>> Aureate SpamKiller
>> AutoFTP PRO
>> AutoWeb
>> AxelCD
>> Beatle
>> Binary Boy
>> BinaryVortex
>> Blue Engine
>> BookSmith : Original
>> buddyPhone 2
>> Calypso E-mail
>> CamGrab
>> Capture Express 2000
>> Cascoly Screensaver
>> CDDB-Reader
>> CDMaster32
>> ChanStat
>> Charity Banner
>> Cheat Machine
>> Check4New
>> ChinMail
>> Clabra clipboard viewer
>> Classic Peg Solitaire
>> ComTry Music Downloader
>> Crystal FTP
>> CSE HTML Validator Lite
>> CuteFTP 3.0
>> CuteFTP 3.0
>> CuteFTP/Tripod
>> CuteMX
>> CutePage
>> Danzig Pref Engine
>> DateTime
>> Delphi Component Test
>> Delphi Tester
>> Dialer 2000
>> DigiBand NewsWatch
>> DigiCams - The WebCam Viewer
>> Digital Postman
>> DirectUpdate
>> DL-Mail Pro 2000
>> DNScape
>> Doorbell 1.18
>> Download Minder 1.5
>> Download Wonder
>> DownLoader v.1.1
>> Dwyco Video Conferencing
>> EasySeeker
>> EmmaSoft ChatCat
>> EmmaSoft dBrow
>> EmmaSoft KeepLan
>> EmmaSoft Soundz
>> EnvoyMail
>> EZ-Forms FREE
>> File Mag-Net
>> FileSplit
>> Folder Guard Jr.
>> FourTimes
>> Free Picture Harvester
>> Free Solitaire
>> Free Spades
>> Free Submitter Pro
>> FreeImageEditor
>> FreeIRC
>> FreeNotePad
>> FreeSite
>> FreeWebBrowser
>> FreeWebMail
>> FreeZip!
>> FTPEditor
>> GetRight
>> Go!Zilla
>> Go!Zilla WebAttack
>> GovernMail
>> Grafula
>> Gunther's PasswordSentry
>> HangWeb
>> hesci Private Label
>> HTML Translator
>> HTTP Proxy-Spy
>> Huey v1.8 Color Picker
>> Iban Technologies IP Tools 3.1
>> Idyle GimmIP
>> Idyle GimmIP
>> iFind Graphics
>> imageN
>> Infinite Patience
>> InfoBlast
>> InnovaClub
>> InstallZIP
>> Internet Tree
>> Internetrix
>> InterWebWord Companion
>> JetCar
>> JFK Research
>> jIRC
>> JOC Email Checker
>> JOC Web Finder
>> JOC Web Spider
>> KVT Diplom
>> LapLink FTP
>> LineSoft Download
>> LOL Chat
>> LOL Chat
>> Mail Them
>> Meracl FontMap
>> Meracl ImageMap Generator
>> Midnight Oil Solitaire
>> MirNik Internet Finder
>> More Space 99
>> MouseAssist
>> MP3 Album Finder
>> MP3 Fiend
>> MP3 Grouppie
>> MP3 Mag-Net
>> MP3 Renamer
>> Mp3 Stream Recorder
>> MP3INFO-Editor
>> MultiSender
>> Music Genie
>> MX Inspector BIG AD
>> My Genie Patriots
>> My Genie SE
>> My GetRight
>> NeatFTP
>> Net CB
>> Net Scan 2000
>> Net Vampire
>> Net-A-Car Feature Car Screensaver
>> NetAnts
>> NetBoard
>> Netbus Pro 2.10
>> NetCaptor 5.0
>> Netman Downloader
>> NetNak
>> NetSuck 3.10.5
>> NetTime Thingy
>> Network Assistant
>> NeuroStock
>> NewsBin
>> NewsShark
>> NewsWire
>> NfoNak
>> NotePads+
>> Notificator 1.0b
>> Octopus
>> Pattern Book
>> People Seek 98
>> Personal Search Agent
>> Photocopier
>> PicPluck
>> Pictures In News
>> Ping Thingy
>> PingMaster
>> Planet.Billboard
>> Planet.MP3Find
>> PMS
>> ProtectX 3
>> ProxyChecker
>> QuadSucker/Web
>> Quadzle Puzzles
>> QuikLink Autobot
>> QuikLink Explorer
>> QuikLink Explorer Gold Edition
>> QuoteWatch
>> QWallet
>> Real Estate Web Site Creator
>> Recipe Review
>> ReGet 1.6
>> Resume Detective
>> RingSurf
>> RoboCam 1.10
>> Rosemary's Weird Web World
>> SaberQuest Page Burner
>> SBJV
>> SBWcc
>> Scout's Game
>> ScreenFIRE
>> ScreenFIRE - FileKing
>> ScreenFlavors
>> Sea Battle
>> Shizzam
>> Simple Submit
>> SimpleFind
>> SimpleSubmit v1.0
>> SK-111
>> Smart 'n Sticky
>> SmartBoard 200 FREE Edition
>> SmartSum calculator
>> SonicMail
>> Sound Agent
>> Space Central Screen Saver
>> Splash! Siterave
>> StartDrive
>> Static FTP
>> StockBrowser
>> Subscriber
>> SunEdit 2K
>> SuperIDE
>> Sweep
>> SweepsWinner
>> Text Transmogrifier
>> The Mapper
>> TheNet
>> TI-FindMail
>> TIFNY
>> Total Finger
>> Total Whois
>> Tracking The Eye
>> Trade Site Creator
>> TWinExplorer Standard
>> TypeWriter 1.0
>> UK Phone Codes
>> Vagabond's Realm
>> VeriMP3
>> Vertigo QSearch
>> Virtual Access
>> Visual Cyberadio
>> Visual Surfer
>> VOG Backgammon Main
>> VOG Backgammon Table
>> VOG Chess Main
>> VOG Chess Table
>> VOG Reversi Main
>> VOG Reversi Table
>> VOG Shell
>> VOG Shell
>> VOG Shell History
>> W3Filer
>> Web Coupon
>> Web Page Authoring Software
>> Web Registrant PRO
>> Web Resume
>> Web SurfACE
>> WEB2SMS
>> WebCamVCR
>> WebCopier
>> Web-N-Force
>> WebSaver
>> Website Manager
>> WebStripper
>> WebType
>> WhoIs Thingy
>> Win A Lotto
>> WinEdit 2000
>> Word+
>> Wordwright
>> WorldChat Client
>> Worm
>> www.devgames.com
>> xBlock
>> Your ESP Test
>> Zion
>> Zip Express 2000
Further analysis of advert.dll from VULN-DEV mailing list:
Exploring advert.dll version 2.0 (build 12) (the one on Go!Zilla 3.5)
I found that:
- advert.dll *DOES NOT* collects current system user name as listed on
Software\Microsoft\Windows\CurrentVersion\RegisteredOwner
and RegisteredOrganization.
- advert.dll *DOES NOT* opens a listen() socket to accept commands from
a remote machine.
- advert.dll creates a hidden window with "advert.dll hidden window"
ClassName:
:0040B926 C745E074A44600
mov [ebp-20], 0046A474
:0040B92D 51
push ecx
(USER32.RegisterClassA)
:0040B92E E8D9B60500
Call 0046700C
:0040B933 6A00
push 00000000
:0040B935 8B432E
mov eax, dword ptr [ebx+2E]
:0040B938 50
push eax
:0040B939 6A00
push 00000000
:0040B93B 6A00
push 00000000
:0040B93D 6A10
push 00000010
:0040B93F 6A10
push 00000010
:0040B941 6A00
push 00000000
:0040B943 6A00
push 00000000
:0040B945 6A00
push 00000000
and caption: "[hidden window]":
:0040B947 68A6A44600
push 0046A4A6
:0040B94C 688DA44600
push 0046A48D
:0040B951 6A00
push 00000000
(USER32.CreateWindowExA)
:0040B953 E8A4B40500
Call 00466DFC
:0040B958 8BF0
mov esi, eax
:0040B95A 89732A
mov dword ptr [ebx+2A], esi
:0040B95D 53
push ebx
- advert.dll calls from "Rasapi32.dll" the following functions:
RasEnumConnectionsA
RasGetConnectStatusA
RasHangUpA
RasEnumEntriesA
RasDialA
RasGetErrorStringA
and enums all dialup sessions and collects information such
as ISP Name, Dialup Number (incl. area code) and Username (only
username without the password).
See what MSDN Microsoft says about:
* RasEnumConnections: This function lists all active RAS connections.
It returns each connections handle and phone book entry name.
* RasHangUpA: The RasHangUp function terminates a remote access
connection. The connection is specified with a RAS connection
handle.
RasHangUpA ? ;-)
- advert.dll communicates with http://www.adsoftware.com/
- advert.dll collects information for all installed applications from:
"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
:0040A944 689DA14600
push 0046A19D
:0040A949 6802000080
push 80000002
:0040A94E 8D4DDC
lea ecx, dword ptr [ebp-24]
:0040A951 51
push ecx
:0040A952 E871F3FFFF
call 00409CC8
:0040A957 83C40C
add esp, 0000000C
:0040A95A FF859CFDFFFF
inc dword ptr [ebp+FFFFFD9C]
:0040A960 66C78590FDFFFF5000 mov word ptr
[ebp+FFFFFD90], 0050
:0040A969 66C78590FDFFFF5C00 mov word ptr
[ebp+FFFFFD90], 005C
- advert.dll beyond other, imports the following DLL and functions:
ADVAPI32.dll:
-------------
RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA,
RegEnumKeyExA,
RegEnumValueA, RegQueryInfoKeyA, RegQueryValueExA, RegSetValueExA
KERNEL32.dll:
-------------
CloseHandle, CreateDirectoryA, CreateFileA, CreateFileW, CreateMutexA
CreateThread, DeleteCriticalSection, DeleteFileA, DeleteFileW
DosDateTimeToFileTime, DuplicateHandle, EnterCriticalSection
ExitProcess, ExitThread, FileTimeToDosDateTime
FileTimeToLocalFileTime, FindClose, FindFirstFileA, FindNextFileA
FindResourceA, FreeEnvironmentStringsA, FreeLibrary FreeResource,
GetACP, GetCPInfo, GetCurrentProcess, GetCurrentProcessId
GetCurrentThread, GetCurrentThreadId, GetDateFormatA, GetDriveTypeA
GetEnvironmentStrings, GetExitCodeThread, GetFileAttributesA
GetFileAttributesW, GetFileSize, GetFileTime, GetFileType
GetFullPathNameA, GetLastError, GetLocalTime, GetModuleFileNameA,
GetModuleHandleA, GetPrivateProfileStringA, GetProcAddress,
GetStartupInfoA, GetStdHandle, GetStringTypeW, GetSystemInfo
GetTempFileNameA, GetTempPathAGetTimeZoneInformation, GetVersion
GetVersionExA, GetVolumeInformationA, GetWindowsDirectoryA, GlobalAlloc
GlobalFree, GlobalLock, GlobalMemoryStatus, GlobalUnlock,
InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA
LoadResource, LocalAlloc, LocalFileTimeToFileTime, LocalFree, LocalHandle
LocalLock, LocalReAlloc, LocalUnlock, LockResource, MoveFileExA, MulDiv
MultiByteToWideChar, RaiseException, ReadFile, ReleaseMutex
ReleaseSemaphore, ResumeThread, RtlUnwind, SetConsoleCtrlHandler
SetEndOfFile, SetErrorMode, SetFileAttributesA, SetFilePointer
SetFileTime, SetHandleCount, SetThreadPriority, SizeofResource, Sleep
SleepEx, SuspendThread, TerminateThread, TlsAlloc, TlsFree, TlsGetValue
TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualFree
VirtualQuery, WaitForMultipleObjectsEx, WaitForSingleObject,
WaitForSingleObjectEx, WideCharToMultiByte, WinExec, WriteFile, lstrcmpA
lstrcmpiA
WSOCK32.dll:
------------
WSAAsyncGetHostByName, WSAAsyncSelect, WSACancelAsyncRequest, WSACleanup
WSAGetLastError, WSAStartup, closesocket, connect, htonl, htons
inet_addr, ioctlsocket, ntohl, ntohs, recv, select, send, shutdown
socket
- advert.dll exports:
__stdcall SocketWndProc(HWND__ *, unsigned int, unsigned int, long)
__lockDebuggerData(), __unlockDebuggerData(), _GetStatus
_IsConnectOkay, _OnClick, _Paint, _RetryConnect, _SetAdRecordedCallback
_SetBandwidthThrottle, _SetCallback, _SetMinimumAdDisplayTime
_SetNetworkCallback, _SetNetworkState, _SetProxy, _Shutdown, _StartOffline
_Startup, _StopOffline, _UseDefaultAd, __DebuggerHookData, _adler32
_compress, _debugTriggerEvent, _deflate, _deflateCopy, _deflateEnd
_deflateInit2_, _deflateInit_, _deflateParams, _deflateReset,
_deflateSetDictionary, _inflate, _inflateEnd, _inflateInit2_
_inflateInit_, _inflateReset, _inflateSetDictionary, _inflateSync
_zlibVersion, std_GetStatus, std_IsConnectOkay, std_OnClick, std_Paint,
std_RetryConnect, std_SetAdRecordedCallback, std_SetBandwidthThrottle
std_SetCallback, std_SetMinimumAdDisplayTime, std_SetNetworkCallback
std_SetNetworkState, std_SetProxy, std_Shutdown, std_Startup
std_UseDefaultAd, std_debugTriggerEvent
- advert.dll contains the following resources:
1 Bitmap (company logo)
1 Icon
6 Dialogs (that prompts for user information)
24 RCData, GIF files of 57k
Version Information
- advert.dll contains the following messages ;-) :
* The quick brown fox jumped over the moon.
* The eagle has landed on the lazy dog.
* The buzzard flies at one.
* The truth is out there.
Visit http://egnatia.ee.auth.gr/~gkar/wintask
and download WinTask 9x/NT.
This utility allows you to list and stop any process that runs on your
computers. Stop that hidden window and you will not receive and send
information. Mail me for suggestions and bugs.
If someone has an advert.dll older than version 2.0 (build 12) please
contact me asap.
More information on advert.dll on a future post.
George Karatsiolis
gkar@ee.auth.gr
benettor@irc.gr