Cytron





Overview

Summary:

Cytron is an Internet Explorer Browser Helper Object. It scans the content of pages being viewed for keywords and opens pop-up advertising when they are detected.

Alias:

Burnaby (the internal object name); TargetingSource (the name used to describe the control in Downloaded Program Files); Troj/Ortyc (by VS antivirus).

Category:

Browser Helper Object (BHO): a component that Internet Explorer loads whenever it starts. It shares IE's memory context and can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, and monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." Personal firewalls do not stop BHOs, because the firewall sees them as the browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.

Variants:

  • Cytron/potd installs potd.dll into Downloaded Program Files; with Cytron/sec the filename is sec.dll instead.
Similar Pests:

    Browser Helper Object

    Origins

    Group:

    Cytron Communications Ltd

    Vendor:

    Cytron Communications Ltd.

    URL:

    http://www.cytron.com/

    Date of Origin:

    December, 2002

    Distribution

    Distribution:

    Installed by ActiveX drive-by download on a page pointed to by junk e-mail claiming you have received an 'e-card' (from domains such as surprisecards.net, cardwish.com). The ActiveX control purports to be a viewer for e-cards.

    Operation

    Advertising:

    Yes. When IE is started for the first time it attempts to connect to Cytron's servers to download a list of keywords to look for, and URLs of pop-ups to open.

    Browser Performance:

    Likely to slow performance of Internet Explorer.

    Risks

    Privacy Issues:

    No.

    Security Issues:

    No.

    Stability Issues:

    None known.

    Detection and Removal

    Automatic Removal:

    PestPatrol detects this.

    PestPatrol removes this.



    Manual Removal:

    There is no uninstall feature.

    First deregister the Cytron BHO. Open a DOS command prompt (Start->Programs->Accessories) and enter the following commands:

    cd "%WinDir%\System"
    regsvr32 /u "%WinDir%\Downloaded Program Files\potd.dll"
    (Change potd.dll to sec.dll if you have Cytron/sec variant.)

    You should then be able to delete the 'TargetingSource' entry in Downloaded Program Files (in the Windows folder), and the registry key HKEY_CURRENT_USER\Software\POTD (Start->Run->regedit).
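The manual removal steps above can be confirmed afterwards with a read-only check. The following PowerShell is an added example, not part of the original entry; it assumes the BHO is registered under the standard Internet Explorer Browser Helper Objects key, which this page does not state.

```powershell
# Added example: read-only check for the Cytron artifacts named on this page.
# Assumption: the BHO registration sits under the standard IE BHO key below.
$dpf      = Join-Path $env:WinDir 'Downloaded Program Files'
$dllNames = 'potd.dll', 'sec.dll'   # Cytron/potd and Cytron/sec variants
$findings = @()

# 1. Variant DLLs left in Downloaded Program Files
foreach ($name in $dllNames) {
    $path = Join-Path $dpf $name
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# 2. Per-user registry key named in the removal steps
if (Test-Path 'HKCU:\Software\POTD') {
    $findings += 'Registry key present: HKEY_CURRENT_USER\Software\POTD'
}

# 3. Registered BHOs whose in-process server is one of the variant DLLs
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    foreach ($bho in Get-ChildItem $bhoRoot) {
        $clsid  = $bho.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $server)) { continue }
        # The unnamed default value holds the path of the DLL IE will load
        $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
        if ($dll -and ($dllNames -contains (Split-Path $dll -Leaf))) {
            $findings += "BHO $clsid still registered -> $dll"
        }
    }
}

if ($findings) { $findings } else { 'No Cytron artifacts from this page found.' }
```

A BHO line in the output means the regsvr32 /u step did not take effect and should be repeated before deleting the file.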

    Unregister DLLs:

    Unregister these DLLs with Regsvr32, then reboot:

    Clean Registry:

    Remove these registry items (if present) with RegEdit:

    Remove Files:

    Remove these files (if present) with Windows Explorer:

    Research

    Research By:

  • Andrew Clover
  • PestPatrol's Pest Research Center
    Last Revised:

    January 26, 2005