Transponder/VX2
  • NetPal
  • ClickTheButton
  • ezCyberSearch toolbar
  • SideStep
  • BargainBuddy/Adp
  • NewDotNet
  • IGetNet
  • HotBar
  • n-Case (180solutions)
  • Mail.com Alerts (which also comes bundled with BargainBuddy/Apuc)
  • various homepage hijackers
    • ">


    FavoriteMan

    · Overview ·
    · Origins ·
    · Distribution ·
    · Operation ·
    · Risks ·
    · Detection and Removal ·
    · Research ·

    Overview

    Summary:

    FavoriteMan is an IE Browser Helper Object. Every so often it connects to its controlling servers, which may direct it to download and install other programs and add entries to the IE Favorites menu.

    Unsolicited commercial software installed by this pest may include:

    Alias:

    		 [default], Adware/NetPals [Panda], ofrg (the name of the DLL program file)., TrojanDownloader.Win32.BHO [Kaspersky], TrojanDownloader.Win32.Rameh, Windows Help 4 Smart Browsing

    See Also:

    		 ClientMan · nCase

    Category:

    Browser Helper Object: (BHO). A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.

    Browser Helper Object: (BHO). A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.

    Downloader: A program designed to retrieve and install additional files, when run. Most will be configured to retrieve from a designated web or FTP site.

    Variants:
  • FavoriteMan/Lwz installs lwz.dll. Data file is SysLdr.dll. Controlling server is www.f1organizer.com.
  • FavoriteMan.FOne
  • FavoriteMan.SpyAssault
  • FavoriteMan/F1 installs F1.dll. Data file is SysLdr.dll. Controlling server is www.prize4all.com.
  • FavoriteMan/FOne is a replacement for the Lwz variant. Filename is FOne.dll, data file is SysLdr.dll. Controlling server is www.f1organizer.com.
    		•

    Similar Pests:

    		 Browser Helper Object · Browser Helper Object · Downloader

    Origins

    Group:

    		 Mindset Interactive

    Vendor:

    		 FavoriteMan is written and controlled by Mindset Interactive, the firm behind Transponder and NetPal.

    By This Group:

    		 FavoriteMan.FOne ·

    URL:

    		 http://www.netpaloffers.net/NetpalOffers/DMO1/Ud3rT0n4.cab

    Date of Origin:

    		 Variants from March, 2003 to March, 2005

    Distribution

    Distribution:

    		 FavoriteMan/Favorite and FavoriteMan/F1 have been bundled with iMesh 3. The origin of the Ofrg and Lwz variants is currently unknown. The FOne variant is installed by the Lwz variant.

    Prevalence:
  • FavoriteMan: 56.9%
  • FavoriteMan.FOne: 0.8%
  • FavoriteMan.SpyAssault: 1.6%
    • More Info

    Clot Factor:
  • FavoriteMan: 6

    • The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.

    Growth:
  • FavoriteMan: Insufficient data to report growth
  • FavoriteMan.FOne: Insufficient data to report growth
  • FavoriteMan.SpyAssault: Insufficient data to report growth
    		•

    Operation

    Advertising:

    		 Yes. Adds advertisers' web sites to the Favorites menu.

    Storage Required:
  • FavoriteMan: at least 1245 KB
  • FavoriteMan.FOne: at least 213 KB
  • FavoriteMan.SpyAssault: at least 97 KB
    		•

    Browser Performance:

    		 Likely to slow performance of Internet Explorer.

    Risks

    Privacy Issues:

    		 Suspected. FavoriteMan seems to try to find your e-mail address on installation to send to its controlling servers. This may not work.

    Security Issues:

    		 Yes. The software executes any arbitrary code which the controlling servers (such as yourspecialoffers.com) points it to. FavoriteMan's aim is to install as much unsolicited commercial software as possible in order to gain its makers the commission fees from other adware companies.

    Stability Issues:

    		 Yes. FavoriteMan sometimes causes IE to lock up for a variable period of time, occasionally indefinitely, when a new browser process is started. This may be something to do with its trying to contact its servers on startup. Also crashes may occur when very long URLs are used.

    Detection and Removal

    Automatic Removal:

    PestPatrol detects this.

    PestPatrol removes this.

    Manual Removal:

    FavoriteMan/F1 is the only variant to offer a removal feature: go to Add/Remove Programs in the Control Panel, choose 'F1' and click 'Remove'.

    The software can be found in the System folder. On Windows 95/98/Me this is the folder called 'System' in the Windows folder; on Windows NT, 2000 and XP it is called 'System32'. Look for one of the filenames listed above.

    Before you can delete the program file, you must deregister it. Open a DOS command prompt window (under Accessories in the Programs menu from 'Start'). On Windows NT, 2000 or XP, enter:

    regsvr32 /u "%WinDir%\System32\favorite.dll"
    On Windows 95, 98 or Me, instead enter:

    cd "%WinDir%\System"
    regsvr32 /u favorite.dll
    Change the filename 'favorite.dll' to match the variant you have: ofrg.dll, favorite.dll, lwz.dll or F1.dll.

    After doing this and restarting the computer you can delete the file. You can also delete the data file favboot.dll, FavMan.dll or SysLdr.dll in the same folder (it isn't a DLL at all), and the settings in the registry in the entries 'Counter', 'Server' and 'Object', hiding in HKEY_CURRENT_USER\Software\Microsoft\Windows.

    Unregister DLLs:

    Unregister these DLLs with Regsvr32, then reboot:

    Clean Registry:

    Remove these registry items (if present) with RegEdit:

    Remove Files:

    Remove these files (if present) with Windows Explorer:

    Research

    File Analyses:

    More Info:
  • AllTheWeb, AltaVista, AOL Search, Ask Jeeves, Google, HotBot, Lycos, LookSmart, MSN, Yahoo!
    		•

    Research By:
  • Andrew Clover
  • PestPatrol's Pest Research Center
    		•

    Last Revised:

    		 April 03, 2005