Description
FavoriteMan is an IE Browser Helper Object. Every so often
it connects to its controlling servers, which may direct it
to download and install other programs and add entries to
the IE Favorites menu or background Desktop.
At the time of writing, unsolicited commercial software known
to be installed by the many different variants of FavoriteMan
includes:
Variants
FavoriteMan/Ofrg's program file is called ofrg.dll. It stores its data in a file called favboot.dll. Its controlling server is www.yourspecialoffers.com.
FavoriteMan/Favorite installs favorite.dll. Data file is FavMan.dll. Controlling server is also www.yourspecialoffers.com.
FavoriteMan/Lwz installs lwz.dll. Data file is SysLdr.dll. Controlling server is www.f1organizer.com.
FavoriteMan/F1 installs F1.dll. Data file is SysLdr.dll. Controlling server is www.prize4all.com.
FavoriteMan/FOne is a replacement for the Lwz variant. Filename is FOne.dll, data file is SysLdr.dll. Controlling server is www.f1organizer.com.
FavoriteMan/ZZ installs ZZ.dll. Data file is SysLdr.dll. Controlling server is www.f1organizer.com.
FavoriteMan/IMZ is installed with a pseudo-random filename. Data file is SysLdr.dll. Controlling server is www.f1organizer.com.
FavoriteMan/Mpz installs mpz300.dll. Data file is mbr32.dll. Controlling server is www.f1organizer.com.
FavoriteMan/Gig installs gig.dll. Data file is mbr32.dll. Controlling server is www.f1organizer.com.
FavoriteMan/Trk installs trk.dll. Controlling server is www.f1organizer.com.
FavoriteMan/Td1 installs td1.dll. Controlling server is www.f1organizer.com.
FavoriteMan/Ss32 installs Ss32.dll. Controlling server is www.r-vision.org.
FavoriteMan/EMesX installs emesx.dll. Data file is dlh0st.dll. Controlling server is www.f1organizer.com.
FavoriteMan/Gr02 installs Gr02.dll. Data file is im64.dll. Controlling server is www.f1organizer.com.
FavoriteMan/Aess installs Aess.dll. Data file is im64.dll. Controlling server is www.f1organizer.com.
FavoriteMan/YsUp installs ysup01.dll. Data file is im64.dll. Controlling server is www.f1organizer.com.
FavoriteMan/Int installs IAint.dll, but generally in the Windows directory instead of the system directory. Data file is im64.dll. Controlling server is www.f1organizer.com.
FavoriteMan/Gnt installs GrlNt0i.dll. Data file is im64.dll. Controlling server is www.f1organizer.com.
FavoriteMan/RTV installs ATPartners.dll. Data file is im64.dll. Controlling server is www.f1organizer.com.
Also known as
In the newest Grokster and iMesh bundles there is a section
in the small print referring to the FavoriteMan software as
NetPal. Mindset Interactive, the producers, seem
to use the name "NetPal" to refer to any of their unsolicited
commercial software, including FavoriteMan, NetPal and Transponder.
Distribution
The Favorite, F1 and Mpz variants have been bundled with
iMesh.
The FOne variant is installed by the Lwz variant.
The ZZ variant is bundled with Grokster as of January 2003.
The Gr02 variant is bundled with Grokster as of June 2003.
The IMZ variant is installed by the lop/IMZ parasite.
The Gig variant is installed by software from TwistedHumor.com.
('Gig' refers to Gigatech Software, producers of the SuperBar parasite.)
The Ss32 variant is installed by SpyAssault, a supposed spyware
scanner from Razor Media LLC (who control this variant).
The YsUp variant is installed by ActiveX drive-by download
in pop-up adverts served by yesup.net.
The Int variant is installed by games from free-windows-games.com.
The origin of the Ofrg, Lwz and Trk variants is currently
unknown.
What it does
Advertising
Yes. Adds advertisers' web sites to the Favorites menu.
Privacy violation
Some of the installation wrappers used to run third-party
software also report back to the FavoriteMan controlling server
with information about the operating system and all applications
installed.
Security issues
Yes. The software can and does execute any arbitrary code
which the controlling servers point it to. FavoriteMan's
aim is to install as much unsolicited commercial software
as possible in order to gain its makers the commission fees
from other adware companies.
Stability problems
Yes. FavoriteMan sometimes causes IE to lock up for a variable
period of time, occasionally indefinitely, when a new browser
process is started. This may be something to do with its trying
to contact its servers on startup. Also crashes may occur
when very long URLs are used.
Removal
FavoriteMan/F1 and FavoriteMan/ZZ offer a removal feature:
go to Add/Remove Programs in the Control Panel, choose 'F1'
or 'ZZ' and click 'Remove'.
Manual removal
The software can be found in the System folder. On Windows
95/98/Me this is the folder called 'System' in the Windows
folder; on Windows NT, 2000 and XP it is called 'System32'.
Look for one of the filenames listed above.
Before you can delete the program file, you must deregister
it. Open a DOS command prompt window (under Accessories in
the Programs menu from 'Start') and enter the commands:
cd "%WinDir%\System"
regsvr32 /u favorite.dll
On Windows NT, 2000 and XP, change 'System' in the first command
to 'System32'. Change the filename 'favorite.dll' to match the
variant you have. This can be ofrg.dll, favorite.dll, lwz.dll, F1.dll,
ZZ.dll, mpz300.dll, trk.dll, Gr02.dll, Aess.dll, Ss32.dll,
IAint.dll, GrlNt0i.dll, ysup01.dll or emesx.dll; in the
case of the IMZ variant it will have a random eleven-letter
filename (e.g. troallystbr.dll). You can usually find the
culprit by opening the System folder, choosing View->Arrange
icons by->Modified, then looking near the bottom of the
window.
After doing this and restarting the computer you can delete
the file. You can also delete the data file favboot.dll, FavMan.dll,
SysLdr.dll, mbr32.dll, im64.dll or dlh0st.dll in the same
folder (it isn't a DLL at all), and the settings in the registry
in the entries 'Counter', 'Server' and 'Object', hiding in
HKEY_CURRENT_USER\Software\Microsoft\Windows.
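
The manual checks above can be collected into one read-only PowerShell script. This is an added example, not part of the original write-up: the file names and the 'Counter', 'Server' and 'Object' value names come from this page, while the Browser Helper Objects registry location is the standard Internet Explorer one and is an assumption about where these variants register. The eleven-letter name test will also match legitimate DLLs, so treat those results as candidates to review.

```powershell
# Added example: read-only check. File and value names are the ones listed on this page.
$programFiles = 'ofrg.dll','favorite.dll','lwz.dll','F1.dll','FOne.dll','ZZ.dll',
                'mpz300.dll','gig.dll','trk.dll','td1.dll','Ss32.dll','emesx.dll',
                'Gr02.dll','Aess.dll','ysup01.dll','IAint.dll','GrlNt0i.dll','ATPartners.dll'
$dataFiles    = 'favboot.dll','FavMan.dll','SysLdr.dll','mbr32.dll','im64.dll','dlh0st.dll'

# 1. Registered BHOs: resolve each CLSID to the DLL it loads into IE.
#    The Wow6432Node pair covers 32-bit registrations on 64-bit Windows.
$views = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
    @{ Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID' }
)
$bhoHits = foreach ($view in $views) {
    foreach ($key in Get-ChildItem -Path $view.Bho -ErrorAction SilentlyContinue) {
        $clsid  = $key.PSChildName
        $inproc = Get-Item -Path "$($view.Clsid)\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $inproc) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables([string]$inproc.GetValue('')).Trim('"')
        if (-not $dll) { continue }
        $name   = Split-Path -Path $dll -Leaf
        $reason = $null
        if ($programFiles -contains $name) { $reason = 'known FavoriteMan program file' }
        elseif ($name -match '^[a-z]{11}\.dll$') { $reason = 'eleven-letter name: review (possible IMZ)' }
        if ($reason) { [pscustomobject]@{ Clsid = $clsid; Dll = $dll; Reason = $reason } }
    }
}

# 2. Program and data files on disk. The Windows directory itself is included
#    because the Int variant generally installs there.
$dirs = "$env:WinDir\System", "$env:WinDir\System32", $env:WinDir
$fileHits = Get-ChildItem -Path $dirs -Filter *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { ($programFiles + $dataFiles) -contains $_.Name } |
    Select-Object FullName, Length, LastWriteTime

# 3. Leftover settings values under HKEY_CURRENT_USER\Software\Microsoft\Windows.
$settings = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows' -ErrorAction SilentlyContinue
$regHits  = 'Counter','Server','Object' | Where-Object { $null -ne $settings.$_ }

# Report only; nothing is unregistered or deleted.
[pscustomobject]@{
    BhoHits        = @($bhoHits)
    FileHits       = @($fileHits)
    RegistryValues = @($regHits)
} | Format-List
```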