Parasites are programs running on your system that you don't need, don't want, and probably don't even know you have. Normally, these are intentional parts of larger applications. I use the term parasite because they use memory, CPU time, and other resources which reduce the performance of your machine.

Normally, you don't know about these because they are loaded at boot time either via the registry (a part of the operating system that Microsoft warns all users not to read or modify), via Start / Programs / Startup, or by some other method.

In general, when you press Alt-Ctrl-Del (Win 95) you can see those non-operating system programs which are currently running and consuming system resources. Some of these, such as Explorer - the program that displays the Windows desktop, are required by the operating system even though they are not a part of it. You should also see your virus protection software here. However others, such as the advertising parasite TSADBOT.EXE, are not wanted or needed. (At least I don't want it! :)

Rather than delete these entries, I simply comment them out and annotate them with the date and reason. For those in the registry, you can place a few garbage characters (xx) at the beginning of the entry followed by the date; in config.sys and autoexec.bat, use the standard rem statement; and for those in the StartUp directory, move them to another directory created for that purpose.

Comet Cursor | Loadwc.exe | PKWARE Parasite | Find Fast | XP Indexing
Registration Parasites - HP Borland
SpyWare | mdm.exe | AOL | RealAudio

Comet Cursor

I inherited my work machine with all kinds of crap installed - including several parasites. Well Comet Cursor was one of them.

Of course, I've heard of this before, but the write-ups seemed pretty innocuous - no one ever hinted at how bad this thing really is.

This discussion is not about privacy or security (though they are both issues). Instead, it is about system performance. With Comet Cursor, system performance is significantly reduced.


The best I can figure (based on the references and my own trouble shooting), the Comet Cursor parasite is loaded by Windows Explorer when you boot. It then proceeds to contact its masters via the internet. Then every few minutes, it hijacks your machine for 5 seconds (doing who knows what). (You've snuck up on the enemy, but before you can shoot, the parasite grabs your computer. While you stand there helplessly, the enemy turns and shoots. That's what I call a harmless parasite. Yea, Right!)

In 4 hours with this disabled (via ZoneAlarm), MS Access and the Kernel grabbed my machine only twice (that I noticed). On the previous day, with it running, MS Access and the Kernel grabbed the machine about every 10 minutes. It is hard to prove cause and effect ... but for my money, my machine runs MUCH better with it disabled.

Whatever, you do, don't simply delete COMET.DLL. There are so many registry hooks, you really should uninstall it. This can be done via Control Panel / Add/Remove Programs.

Once it is "removed", then you should run Ad-Aware to verify that it is actually gone.

More: After a re-boot, the Kernel is grabbing the machine again. Using the All Open Files of Taskinfo 2000, 6 copies of Comet.dll are currently running on my machine - one is attached to Windows Explorer, one is attached to IE, and four are not accounted for. Also, Zone Alarm did NOT prompt me if it was ok for this parasite to access the internet.

Troubleshooting a Performance Problem

Every so often the mouse would quit working. I moved the mouse and nothing would happen - the cursor would just move in random, uncontrolled jumps. A new mouse did NOT fix the problem.

Using the Microsoft System Monitor (Start / Programs / Accessories / System Monitor - it is on your Windows CD, but you must install it), I noticed that the cpu kept going to 100% utilization. Hum. Well, I wanted to know why - which application was crashing my system.

At this point, I loaded and configured Taskinfo 2000 to run every time the system booted. Well, it turned out to be 2 "applications" - MS Access and the Kernel. Pretty weird. I'm sitting there, not doing anything, and one of these 2 programs would simply hog the computer for several seconds.

Well, that was not a very satisfactory answer. So I loaded ZoneAlarm - a free firewall which blocks and/or reports both incomming and outgoing TCP/IP traffic. By default, you get prompted each time an application tries to access the network.

Well, it turns out that this gets me to Searching the registry for came up blank
Searching for "comet" located an HKCR\CLSID of "CometCursor Class" and C:\WIN98\SYSTEM\COMET.DLL

A search of all the files on the hard drive for "198.65" came up blank.

Based on the registry info

What really bothers me is that I can't find out why its running. Its not in the registry, autoexec.bat, win.ini, or the like. I guess that Windows Explorer is doing the dirty work. It also appears that the ip address is hidden in some manner.

Removed Using the Control Panel

Using Control Panel / Add/Remove Programs, I "removed" Comet Cursor ... except that the main dll was not deleted and 3 copies of it are still running in memory.

After a re-boot, the dll was still there, but it was no longer running.

Ad-Aware 5.0 found

In addition, I found the following in the registry So much for Microsoft's "uninstall" program. The parasite is still present, even if it is not running.

I decided to leave this on the system to see if it would automatically start again. I have fairly tight security, but you never know. If RealAudio ever runs, this parasite will fully re-install itself.



According to Microsoft, Load WebCheck (Loadwc.exe 17 K, webcheck.dll 269 K) manages subscriptions and user profiles for IE 4 and IE 5. Well, I don't use subscriptions and I don't see any reason to continuously run a program to do anything with a user profile.

This parasite is executed via the following registry key

Starting with IE 5.0 under Windows 98, you can not simply disable webcheck because it gets called by Windows Explorer even if loadwc.exe is never run.

The IE 4 version of webcheck is not compatible with IE 5. If it isn't updated (or perhaps Windows is reloaded) there will be continuous errors (I've seen about once an hour) similar to

  Explorer caused an exception 6d007fh in module Webcheck.dll
This error occurs whether you are running Internet Explorer or not. (I've personally seen it both ways.) Since msinfo indicates that webcheck is a part of IE 5, and since Windows Explorer causes a webcheck error about once an hour, it appears that IE 5 is more tightly integrated with the operating system than IE 4.72 was.

To check the version, use msinfo, or in Windows Explorer, right click the file, select Properties and click the Version tab. 5.00.2919.6304 is ok for IE 5; 4.72.3110.0 is not.

Related reference

PKWARE Parasite

Did you know that pkzip used to come with an advertising parasite.

As of 02-15-2001, the shareware version of pkzip no longer comes with the TSADBOT parasite. Apparently, Conducent (the maker of TSADBOT) has gone out of business.

On July 7, 1998, PKWARE announced that the shareware version of pkzip for windows would ship with special advertisement software. Always running on your system, this parasite allows advertisements to be download from an ad server. The ads are displayed whenever pkzip is running.

Don't get me wrong, PKWARE can do anything it wants to its products, it's always loading a premanently resident program at boot time that I take exception to. In addition, it appears that the program uses the internet even though pkzip is not running.

This parasite is executed via the following registry key

   TimeSink Ad Client="C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE"
The new version of pkzip is able to uninstall the parasite.

Find Fast

Find Fast is installed as a part of Microsoft Office. Starting with Office 2000, the default is not enabled, however, with previous versions, it is enabled.

On a brand new, never before used NT 4.0 SP3 system with an empty D-drive, FastFind placed the following files

And after copying about 12,200 files (~350Mb) to the D-drive and waiting over night Find Fast is run via Start / Programs / Startup.

This parasite causes lots of disk activity whenever no one is using the machine. While it may speed up some searches, there is little documentation explaining what it does. (See Overview of Find Fast Indexer for some details.) It is my observation that it frequently activates the hard drive and slows down overall system performance.

When you first boot your system, this parasite is dorment, merely consuming memory but not using a lot of CPU time. After a while, it wakes up using about 50% of the availble processor capacity. (So far, this is not unlike a screen saver which stays in the background until the timer triggers.) However, unlike the screen saver which goes back to sleep, once this parasite is active, it stays active until you re-boot the system.

On an NT 4 system, right click the Task Bar and select Task Manager. On my NT 4 system, under Processes there are 2 instances of FindFast.exe! Currently, my processor indicates that it has been 27 hours since the last re-boot, and 1.5 hours have been used by FindFast.exe! This means that 5.5% of the computer's bandwidth is being wasted by this parasite. In addition, the hard drive is being accessed a little faster than once a second.

I killed it with the End Process button. Now the hard drive is quite.

Some additional data - I booted the NT 4 system on Friday and left it running all weekend. The following Monday and Wednesday morning numbers are from the Task Manager. Yes, there are 2 instances of findfast. Together, they consume about 6.3 Meg of memory!

This system currently has 64 Meg of memory and is using about 40 Meg. Imagine if I had only 32 Meg of RAM how much thrashing there would be.

Over several days of observation, 2 of which are shown above, the findfast CPU Time stayed approximately 2 hours behind the System Idle Process. I assume that this is approximately how long the system was on before findfast activated and that afterwards findfast consumed about 50% of the available CPU time.

Some notes from Microsoft on the correct way to disable Find Fast. Simply commenting it out can cause severe performance problems because the indices are left on your hard drive and they will quickly get out of date.

Microsoft's Indexing Service

Starting with Office XP, Microsoft has included a new "fast searching" feature (parasite) which may cause your computer's hard disk to run continuously.

Apparently, this feature is implemented via Mosearch.exe and Mosdmn.exe, neither of which shows up in the task manager. As with findfast, don't just delete these files. Instead, follow the (very confusing) instructions provided in OFFXP: Hard Disk Runs Continuously After You Install Office XP (Q282106) to disable it. Unfortunately, this feature must be disabled for each installed Office XP application.

Registration Parasites

It seems that Registration Parasites are coming with lots of hardware and software. Though I personally don't like on-line registration, I think that it is great that many products provide this capability. However, I have 2 complaints In my opinion, any registration software which satisfies either of these criteria is a parasite.

Well behaved registration software should run only when you start the associated product. (This is how the standard shareware nag windows work. Irritating, but not a parasite.) In addition, it must remove itself from the hard drive when its task is completed.

HP Registration Parasite

When you install some HP products (e.g. an HP 8x CD-Writer, or a printer), you will get a Registration Parasite if you don't register the product. This parasite consumes at least 6.5 megs (20 meg estimated max with a 64K block size) on your hard drive and runs a program (Remind32.exe) designed to nag you until you register the product. Remind32 is executed via Start / Programs / StartUp.

When you eventually say that the product is registered, the registration program is not removed from your hard disk. In my opinion, this is completely unacceptable and supports my position that this program should be considered as a parasite.

Borland Registration Parasite

Borland C++ 5.0 (DOS), comes with a 646 K (1 M used) registration parasite which is run via the following win.ini line.
According to InControl (InCtrl 3), when you indicate that you have already registered, the program simply removes that line and leaves the parasite on your hard drive.


Big Brother IS watching you! Not just your friendly, benevolent government ... but many major (and minor) corporations.


Mdm.exe (Machine Debug Manager) can be installed via Office 2000 Microsoft Script Editor, or it is a part of DCOM (yeh, I don't use that either).

It is loaded at boot time via

In addition to running every time you boot, it creates temporary files each time you boot ... but NEVER deletes them. (Go MS, like I need another 1,000 extra unused temporary files.)

You know that you have a problem when you start to see files who's names start with fff, such as


I see this as a border-line parasite. It is definitely a nuisance, and it is very badly behaved, but, perhaps it is useful.

This Microsoft reference states that the extra files accumulate in Windows 95 and 98, but not in NT 4.

Possible Spyware: RPCSS.EXE, mdm.exe provides additional information - specifically that multiple copies of mdm.exe will run concurrently.


Do not confuse AOL with standard internet connectivity - it's not really the same thing. But that's not the problem here. The problem is software modifying your system in such a way that other programs are broken. It appears that AOL 5.0 replaces dlls on your system with older versions. This is a very serious problem. According to a quote in AOL 5.0: The Upgrade of Death?,
I provide support for an application that uses VBScript, and AOL overwrites the VBSCRIPT.DLL file without asking or checking. Since it ALWAYS puts an old version there in place of the existing one, my apps STOP WORKING! We have advised all our users NOT to install AOL under ANY CONDITIONS. I HATE IT.
The article states that most of the bad (old) dlls are in a private directory, and as I understand it, this practice is acceptable. However, the article claims that this is the cause of the problem.

To quote another article by the same person, the following is presented as AOL's view

AOL's own tech support admits that--- oops!---installing AOL may make your system unable to connect to other ISPs, and that--- oops!--- your internet-sharing software (such as Win98's ICS) may no longer work. But these aren't bugs. It's the software installing itself in exactly the way AOL intends. You simply have to do things the AOL way, period.
I don't know what the truth is.

Be careful!

RealAudio / RealPlayer

Loading Netscape 4.72 loads RealAudio/RealPlayer and other related crap on your system without even telling you. (Another good reason to stop using Netscape.)

Many people like RealAudio, it may even be good software. However,

If you configure it so that it does not run every time you start your machine (this requires hacking the registry), the next time you run the software it will reconfigure itself so that, once again, it automatically starts at boot.


Counterexploitation discusses many Parasite type problems, including TSADBOT and mdm.exe. has nothing nice to say about the ScumLords that add advertising links to other peoples pages. (He refers to this as "traffic theft" and "pirated traffic".) This site even has javascript that "will tell you if your computer is infected with either the TopText or the Surf+ ScumWare infection".

Ad-Aware detects, and optionally removes, advertising programs that "call home" and exchange statistical data.

SpywareInfo - the name says it all.

Author: Robert Clemenzi
URL: http:// / Parasites / Parasites.html