THE_WATCHERS

Hunnter

Guest
This is a very important posting, take time to read it guys.....About the LOW LIFE on the net........


Take a few minutes and have a look for the files mentioned! I would
suggest if you have any of the software products listed, and you have
anything illegal or cracked or copied, get them the hell off your hard
drive and make arrangements to format and either reload or change your
operating system! (try linux) Your registry still records that the files are
there whether you erase or uninstall them. So dig out your system disks
and do a format or you will be going to jail when they get around to
linking you. Part two will be sent out after this one.

---------------------
Anyway, here is the letter in its entirety for you minus the names.
---------------------------

XXX, this is something you might want to forward on to your readers
somehow.
The following is a listing of all software known to install the Aureate
spy on your system. The Aureate spy keeps track of your Internet
activities and sends a report to Aureate every time you open your
browser. The Aureate spy places the following files on a Windows
machine. [It is not known, yet, to affect Macintosh or Linux machines.]
Heaps of mail today - nearly all of it about Acid Burn's revelations
regarding advert.dll. You'll remember that I mentioned yesterday that Acid
Burn had sent me some information about how this dll is installed and what
it does. If you didn't catch up with it yesterday, then read his info here.

Plenty of comment today about this. All writers had some of these Dlls on
their system, with one person saying "I found 3 of the files on my system.
I had been having LOTS of problems [slow down-loads, net apps that would
freeze all the time, dropped connections etc, etc.] Now with them gone I have
a decent connection for the first time in weeks!! Big thanks to you and
aCiD buRn!!!!!!!"

Ah, but are they REALLY gone? Another reader said "I've long been aware
that, when I remove advert.dll from my win/sys directory, the scrolling ad
banner on Aureates' Go!zilla is removed. The banner (and advert.dll) then
returns inexplicably and irregularly in a way that I have yet to figure
out. I always thought the advertising was the only reason for the DLL
until I read aCiD buRn's observations. Damn!!!!!"

And Nightfshing posted on the board "apart from the security concerns,
this little .dll created a world of pain on my system. It installs w/ Cute
FTP, but is only needed for the ad banners in the free version. Once you
reg the prog, advert.dll is no longer necessary - BUT, it still is there."

"IE 5.01 will hang upon closing if this file is active in your System
folder (at least on my 98se config). Needless to say, it took some serious
t.s.ing to find the connection and solve the problem."

"It's one thing to plant these devices on consumer's machines, but it
seems ridiculous that these companies are crippling their own progs."

Well we've got the official reply now. Aureate has replied to the
questions that Acid Burn has raised. Read what they have to say here. As
Acid Burn says, he doesn't know whether this makes him feel better or
worse!!

This is certainly not the final word on this. I hope that people who know
more about this subject than I do can give me their thoughts on the
Aureate reply. As far as I'm concerned, all the 'this is completely
normal' stuff smells a bit! The headline on the Aureate site of "privacy
hoax" seems far from the truth - "revelations of computer crippling" would
be more accurate.

Acid Burn said that straight after he'd received the email from Aureate he
checked his settings and sure enough, as soon as he opened his browser he
checked netstat and found this connection established:

Connection Information
IP:216.37.13.140
Hostname:ad2-1.aureate.com
Local Port:2651
Remote Port: 1975
Protocol:TCP
Status Code:Established
Status Description: Connection has been established, connection is
active

Many people today were keen to get more information on this subject, so
please send me any comments you have about it. I think Badgurl's opinion
of the team at Aureate summed up people's feelings: "they should be
smacked on the hands repeatedly."


> The installed files are some or all of:
do a search for these files and TRASH the ones that do all the dirty work...

> adimage.dll
> advert.dll
> advpack.dll
> amcis.dll
> amcis2.dll
> amcompat.tlb
> amstream.dll
> anadsc.ocx
> anadscb.ocx
> htmdeng.exe
> ipcclient.dll
> msipcsv.exe
> tfde.dll
>
> Here is a review of the contents and
> code contained in the DLL's that Aureate makes use of. Here are a few of
> my findings up to this point:
>
> advert.dll
> =======
>
> This DLL creates a hidden window every time you open your browser. It
> creates and sends 4 pages of information to the Aureate servers using
> port 1749 on your system, these pages include:
>
> 1. Your name as listed in the system registry ( not the name you
> installed one of the programs with )
> 2. Your IP address
> 3. The reverse DNS match of your address. ( tells them what ISP and
> area of country you are in )
> 4. A listing of ALL software that is shown in your registry as being
> installed. ( Not just the companies they work with )
> 5. This DLL sends the following information to their server on all
> URL's you visit:
> A.) ad banners you may click on
> B.) all downloads you do showing the filename/file
> size/date/time/type of file (image, zip, executable, etc)
> C.) full time and date stamps of all your actions while
> using your browser
> D.) the remote dialup number you are dialing in on (taken out of
> your dialer configuration)
> E.) dialup password if saved, does not "appear" at first glance
> to send this through to them.
> 6. Contains programmers note: "Show me the money! I want to
> be Mike!"
>
>
> advpack.dll
> =========
>
> Used during the installation only to check for other needed files.
>
>
> amcis.dll
> =======
>
> This DLL modifies the following registry keys:
> 1. HKEY_CURRENT_CONFIG
> 2. HKEY_DYN_DATA
> 3. HKEY_PERFORMANCE_DATA
> 4. HKEY_USERS
> 5. HKEY_LOCAL_MACHINE
> 6. HKEY_CURRENT_USER
> 7. HKEY_CLASSES_ROOT
>
> Unregisters oleaut32.dll from memory as provided by M$oft and
> replaces with its own calls. Switches back to M$oft's when browser is
> closed. Creates stub processes to be started anytime your browser is
> opened.
>
>
> amcompat.tlb
> ===========
>
> This guy tracks any multimedia clips ( video/pictures/sound ) that
> you view. It tracks the rating level on the video/picture/sound and
> title / location. Contains references to DblClick ( still digging on
> this one! )
>
>
> amstream.dll
> ==========
>
> Sets up TWO way communications between your system and theirs.
> Used to send info and receive update commands/files.
> Opens port 1749 for communications.
>
> ==================================================
>
> The programs that are known to install the Aureate spy are:
>
> 123Search
> 3d Anarchy
> 3D-FTP
> 3rd block
> Abe's FTP Client
> Abe's Image Viewer
> Abe's MP3 Finder
> Abe's Picture Finder
> Abe's SMB Client
> Access Diver III
> Acorn Email
> AcqURL
> ActionOutline Light 1.6
> Active 'Net
> Add URL
> Add/Remove Plus!
> Address Rover 98
> Admiral VirusScanner
> Advanced Call Center
> Advanced Maillist Verify
> AdWizard
> Alive and Kicking
> alphaScape QuickPaste
> ASP1-A3
> Auction Explorer
> Aureate Group Mail
> Aureate SpamKiller
> AutoFTP PRO
> AutoWeb
> AxelCD
> Beatle
> Binary Boy
> BinaryVortex
> Blue Engine
> BookSmith : Original
> buddyPhone 2
> Calypso E-mail
> CamGrab
> Capture Express 2000
> Cascoly Screensaver
> CDDB-Reader
> CDMaster32
> ChanStat
> Charity Banner
> Cheat Machine
> Check4New
> ChinMail
> Clabra clipboard viewer
> Classic Peg Solitaire
> ComTry Music Downloader
> Crystal FTP
> CSE HTML Validator Lite
> CuteFTP 3.0
> CuteFTP 3.0
> CuteFTP/Tripod
> CuteMX
> CutePage
> Danzig Pref Engine
> DateTime
> Delphi Component Test
> Delphi Tester
> Dialer 2000
> DigiBand NewsWatch
> DigiCams - The WebCam Viewer
> Digital Postman
> DirectUpdate
> DL-Mail Pro 2000
> DNScape
> Doorbell 1.18
> Download Minder 1.5
> Download Wonder
> DownLoader v.1.1
> Dwyco Video Conferencing
> EasySeeker
> EmmaSoft ChatCat
> EmmaSoft dBrow
> EmmaSoft KeepLan
> EmmaSoft Soundz
> EnvoyMail
> EZ-Forms FREE
> File Mag-Net
> FileSplit
> Folder Guard Jr.
> FourTimes
> Free Picture Harvester
> Free Solitaire
> Free Spades
> Free Submitter Pro
> FreeImageEditor
> FreeIRC
> FreeNotePad
> FreeSite
> FreeWebBrowser
> FreeWebMail
> FreeZip!
> FTPEditor
> GetRight
> Go!Zilla
> Go!Zilla WebAttack
> GovernMail
> Grafula
> Gunther's PasswordSentry
> HangWeb
> hesci Private Label
> HTML Translator
> HTTP Proxy-Spy
> Huey v1.8 Color Picker
> Iban Technologies IP Tools 3.1
> Idyle GimmIP
> Idyle GimmIP
> iFind Graphics
> imageN
> Infinite Patience
> InfoBlast
> InnovaClub
> InstallZIP
> Internet Tree
> Internetrix
> InterWebWord Companion
> JetCar
> JFK Research
> jIRC
> JOC Email Checker
> JOC Web Finder
> JOC Web Spider
> KVT Diplom
> LapLink FTP
> LineSoft Download
> LOL Chat
> LOL Chat
> Mail Them
> Meracl FontMap
> Meracl ImageMap Generator
> Midnight Oil Solitaire
> MirNik Internet Finder
> More Space 99
> MouseAssist
> MP3 Album Finder
> MP3 Fiend
> MP3 Grouppie
> MP3 Mag-Net
> MP3 Renamer
> Mp3 Stream Recorder
> MP3INFO-Editor
> MultiSender
> Music Genie
> MX Inspector BIG AD
> My Genie Patriots
I WILL SEND PART TWO OUT WITH THE REST OF THE LIST BECAUSE IT IS TOO LONG
FOR THIS EMAIL.
----------------------------------
part two should be sent after this one;;;;

> My Genie SE
> My GetRight
> NeatFTP
> Net CB
> Net Scan 2000
> Net Vampire
> Net-A-Car Feature Car Screensaver
> NetAnts
> NetBoard
> Netbus Pro 2.10
> NetCaptor 5.0
> Netman Downloader
> NetNak
> NetSuck 3.10.5
> NetTime Thingy
> Network Assistant
> NeuroStock
> NewsBin
> NewsShark
> NewsWire
> NfoNak
> NotePads+
> Notificator 1.0b
> Octopus
> Pattern Book
> People Seek 98
> Personal Search Agent
> Photocopier
> PicPluck
> Pictures In News
> Ping Thingy
> PingMaster
> Planet.Billboard
> Planet.MP3Find
> PMS
> ProtectX 3
> ProxyChecker
> QuadSucker/Web
> Quadzle Puzzles
> QuikLink Autobot
> QuikLink Explorer
> QuikLink Explorer Gold Edition
> QuoteWatch
> QWallet
> Real Estate Web Site Creator
> Recipe Review
> ReGet 1.6
> Resume Detective
> RingSurf
> RoboCam 1.10
> Rosemary's Weird Web World
> SaberQuest Page Burner
> SBJV
> SBWcc
> Scout's Game
> ScreenFIRE
> ScreenFIRE - FileKing
> ScreenFlavors
> Sea Battle
> Shizzam
> Simple Submit
> SimpleFind
> SimpleSubmit v1.0
> SK-111
> Smart 'n Sticky
> SmartBoard 200 FREE Edition
> SmartSum calculator
> SonicMail
> Sound Agent
> Space Central Screen Saver
> Splash! Siterave
> StartDrive
> Static FTP
> StockBrowser
> Subscriber
> SunEdit 2K
> SuperIDE
> Sweep
> SweepsWinner
> Text Transmogrifier
> The Mapper
> TheNet
> TI-FindMail
> TIFNY
> Total Finger
> Total Whois
> Tracking The Eye
> Trade Site Creator
> TWinExplorer Standard
> TypeWriter 1.0
> UK Phone Codes
> Vagabond's Realm
> VeriMP3
> Vertigo QSearch
> Virtual Access
> Visual Cyberadio
> Visual Surfer
> VOG Backgammon Main
> VOG Backgammon Table
> VOG Chess Main
> VOG Chess Table
> VOG Reversi Main
> VOG Reversi Table
> VOG Shell
> VOG Shell
> VOG Shell History
> W3Filer
> Web Coupon
> Web Page Authoring Software
> Web Registrant PRO
> Web Resume
> Web SurfACE
> WEB2SMS
> WebCamVCR
> WebCopier
> Web-N-Force
> WebSaver
> Website Manager
> WebStripper
> WebType
> WhoIs Thingy
> Win A Lotto
> WinEdit 2000
> Word+
> Wordwright
> WorldChat Client
> Worm
> www.devgames.com
> xBlock
> Your ESP Test
> Zion
> Zip Express 2000
----------------------------------

I guess this is the straw that broke the camel's back for me as far as
windows is concerned so I will be shifting all my stuff over to unix and
linux this week. (I used windows stuff only to answer questions for
members but now it is just too invasive when you add the bull**** dll's on
top of the hidden system files and REGWiz and others. I don't want it
anywhere near my machine!)

Oh yeah, while I am at it. Terry Blount from cracktalk newsletter turned me
on to this one;

DO NOT GO TO "GOHIP.COM" This is the first of a legion of websites that
have decided to take advantage of Billy's ActiveX and Java. They install
and change your system files, then attach an ad to every mail you send
with their Internet address on it. On the surface it would seem that
something like that would be illegal but apparently it is not. This is a
virus! Pure and simple. They are infecting you with a virus every time you
go to their site with Java and javascript turned on in your browser.

(Where is Norton on this one? You bet..their commercial buddies can infect
your machine with viruses and trojans. That doesn't count)

Well folks, it turns out that 2000 did mark the end of the world as we
knew it! I am making plans to get out of this entire mess by next year at
the latest. I'm kicking around the idea of opening a BSS by telephone like
the old days again..oops, echelon has my phone lines tapped..Like Homer
Simpson says "Doooo"

later..
tom-

Try to send this warning to your friends! If you don't they will go down
like the rest of us!
PART TWO
........

Here is a quote from Aureate;
"The Aureate Network brings an enormous amount of demographic targeting
capability to advertisers."
The minute you purchase any software using the spy you have opened up
their profiling mechanism. They will then be able to match your personal
name and profile with their logs information. I noticed that a lot of the
“experts” said that although they potentially could use the information
gathered by the spy for evil purposes, they don’t believe that it is in
fact being used. Hahahahahahahahah.

Here is a second concern Steve Gibson has;
More concerns:
Apparently, foreign advertiser servers are sourcing their ads directly
to the user's machine through the advertising server that's created by
the Aureate DLL's. This is a concern for two reasons: First,
suddenly there's a HOLE through our firewalls which anyone can see,
and which may have known vulnerabilities. Second, any foreign
advertising server contacted is establishing a connection to our
machines and, unless we're behind a caching proxy or NAT router, knows our
IP.
http://grc.com/aureate.htm



[This message has been edited by Hunnter (edited 03-17-2000).]
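
An added example, not part of the original post: a read-only inventory of the file names the letter lists, recording path, size and SHA-256 so each hit can be examined before anything is deleted. It marks advpack.dll and amstream.dll for a publisher check because Windows itself ships files with those names (editor's knowledge, not stated in the post); the default root path and the action labels are assumptions.

```python
import hashlib
import os

# File names copied from the list in the post above.
LISTED_NAMES = {
    "adimage.dll", "advert.dll", "advpack.dll", "amcis.dll", "amcis2.dll",
    "amcompat.tlb", "amstream.dll", "anadsc.ocx", "anadscb.ocx",
    "htmdeng.exe", "ipcclient.dll", "msipcsv.exe", "tfde.dll",
}
# Names that Windows itself also ships (editor's knowledge, not from the post):
# a match on these needs a publisher check before anything is removed.
ALSO_SHIPPED_BY_WINDOWS = {"advpack.dll", "amstream.dll"}


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory(root):
    """Return one record per file under root whose name is on the list."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            key = name.lower()  # Windows file names are case-insensitive
            if key not in LISTED_NAMES:
                continue
            path = os.path.join(folder, name)
            try:
                record = {"path": path, "name": key,
                          "size": os.path.getsize(path),
                          "sha256": sha256_of(path)}
            except OSError as err:  # locked or unreadable: report, do not skip
                record = {"path": path, "name": key, "error": str(err)}
            record["action"] = ("verify publisher first"
                                if key in ALSO_SHIPPED_BY_WINDOWS
                                else "review and quarantine")
            hits.append(record)
    return sorted(hits, key=lambda r: r["path"])


if __name__ == "__main__":
    import sys
    for hit in inventory(sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"):
        print(hit)
```

Files that are open in a running process show up with an `error` field instead of a hash, which is the case a later reply in this thread describes when some files would not delete.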
 
Hunnter

Guest
You have got me with Mulder....
I thought that people should be made aware of the tricks and traps involved while using the net..and I honestly believe that this is only the start of it all..from here on it will grow its own head...nasty and dangerous.....
mmm..Mulder 'x-files'....I never even thought of that one...

Sorry for the misunderstanding, I don't watch much tv, apart from Football matches...
[This message has been edited by Hunnter (edited 03-17-2000).]

 
Drinky UKSN

Guest
This is no joke btw - I've seen several comments on PC Gamer UK's forum about it - I think this URL goes to the same place as the one you mentioned:

http://www.grc.com/optout.htm

Sounds extremely dangerous.
 
Paul

Guest
I have had most of these files on my computer. Now they're gone, that is to say most of them. Some of them wouldn't delete since they were in use. I will delete them through other means though.

Thanks for the help.
 
Hunnter

Guest
http://canadiantom.com/
http://canadiantom.com/bruteforce/default.htm

This is the URL that I have subscribed to for almost one year. TOM is a GEM, he keeps us all informed on what is happening on the net and the safety precautions that we all have to use to try to avoid the "spies" that lurk across the bandwidths. You should find all the info that you require when you check out the above site. You will certainly be surprised and shocked by some of the info that you receive in his newsletters.....
 

