Description

FavoriteMan is an IE Browser Helper Object. Every so often it connects to its controlling servers, which may direct it to download and install other programs and add entries to the IE Favorites menu or background Desktop.

At the time of writing, unsolicited commercial software known to be installed by the many different variants of FavoriteMan includes:

• Transponder/VX2
• Transponder/MSView
• NetPal
• ClickTheButton
• ClientMan
• ezCyberSearch toolbar
• TopText
• SideStep
• MySearch/MySearch
• BargainBuddy/Adp
• eXactSearch
• NewDotNet
• IGetNet/v5
• IGetNet/ClearSearch
• HotBar
• BrowserAid/BrowserPal
• CometCursor/Toolbar
• ShopAtHomeSelect
• ISTbar/AUpdate
• DailyWinner
• nCase
• KeenValue/v1
• Mail.com Alerts (which also comes bundled with BargainBuddy/Apuc)
• Weatherbug (which also comes bundled with MySearch/MySearch)
• Freeze.com Living Waterfalls screensaver (which may also come bundled with Weatherbug, NewDotNet, SaveNow and Forbes.com Business Alerts.
• A1Tech AdsGone popup-killer
• various homepage hijackers

Variants

FavoriteMan/Ofrg's program file is called ofrg.dll. It stores its data in a file called favboot.dll. Its controlling server is www.yourspecialoffers.com.

FavoriteMan/Favorite installs favorite.dll. Data file is FavMan.dll. Controlling server is also www.yourspecialoffers.com.

FavoriteMan/Lwz installs lwz.dll. Data file is SysLdr.dll. Controlling server is www.f1organizer.com.

FavoriteMan/F1 installs F1.dll. Data file is SysLdr.dll. Controlling server is www.prize4all.com.

FavoriteMan/FOne is a replacement for the Lwz variant. Filename is FOne.dll, data file is SysLdr.dll. Controlling server is www.f1organizer.com.

FavoriteMan/ZZ installs ZZ.dll. Data file is SysLdr.dll. Controlling server is www.f1organizer.com.

FavoriteMan/IMZ is installed with a pseudo-random filename. Data file is SysLdr.dll. Controlling server is www.f1organizer.com.

FavoriteMan/Mpz installs mpz300.dll. Data file is mbr32.dll. Controlling server is www.f1organizer.com.

FavoriteMan/Gig installs gig.dll. Data file is mbr32.dll. Controlling server is www.f1organizer.com.

FavoriteMan/Trk installs trk.dll. Controlling server is www.f1organizer.com.

FavoriteMan/Td1 installs td1.dll. Controlling server is www.f1organizer.com.

FavoriteMan/Gr02 installs Gr02.dll. Data file is im64.dll. Controlling server is www.f1organizer.com.

FavoriteMan/Aess installs Aess.dll. Data file is im64.dll. Controlling server is www.f1organizer.com.

FavoriteMan/Ss32 installs Ss32.dll. Controlling server is www.r-vision.org.

FavoriteMan/EMesX installs emesx.dll. Data file is dlh0st.dll. Controlling server is www.f1organizer.com.

Also known as

In the newest Grokster and iMesh bundles there is a section in the small print referring to the FavoriteMan software as NetPal. Mindset Interactive, the producers, seem to use the name "NetPal" to refer to any of their unsolicited commercial software, including FavoriteMan, NetPal and Transponder.

Distribution

The Favorite, F1 and Mpz variants have been bundled with iMesh.

The FOne variant is installed by the Lwz variant.

The ZZ variant is bunded with Grokster as of January 2003. The Gr02 variant is bundled with Grokster as of June 2003.

The IMZ variant is installed by the lop/IMZ parasite.

The Gig variant is installed by software from TwistedHumor.com. ('Gig' refers to Gigatech Software, producers of the SuperBar parasite.)

The Ss32 variant is installed by SpyAssault, a supposed spyware scanner from Razor Media LLC (who control this variant).

The origin of the Ofrg, Lwz and Trk variants is currently unknown.

What it does

Advertising

Yes. Adds advertisers' web sites to the Favorites menu.

Privacy violation

None known.

Security issues

Yes. The software can and does execute any arbitrary code which the controlling servers points it to. FavoriteMan's aim is to install as much unsolicited commercial software as possible in order to gain its makers the commission fees from other adware companies.

Stability problems

Yes. FavoriteMan sometimes causes IE to lock up for a variable period of time, occasionally indefinitely, when a new browser process is started. This may be something to do with its trying to contact its servers on startup. Also crashes may occur when very long URLs are used.

Removal

FavoriteMan/F1 and FavoriteMan/ZZ offer a removal feature: go to Add/Remove Programs in the Control Panel, choose 'F1' or 'ZZ' and click 'Remove'.

Spybot S&D and Ad-Aware can remove FavoriteMan/Ofrg and FavoriteMan/Favorite.

Manual removal

The software can be found in the System folder. On Windows 95/98/Me this is the folder called 'System' in the Windows folder; on Windows NT, 2000 and XP it is called 'System32'. Look for one of the filenames listed above.

Before you can delete the program file, you must deregister it. Open a DOS command prompt window (under Accessories in the Programs menu from 'Start') and enter the commands:

cd "%WinDir%\System"
regsvr32 /u favorite.dll

Change the filename 'favorite.dll' to match the variant you have. This can be ofrg.dll, favorite.dll, lwz.dll, F1.dll, ZZ.dll, mpz300.dll, trk.dll, Gr02.dll, Aess.dll, Ss32.dll or emesx.dll; in in the case of the IMZ variant it will have a random eleven-letter filename. (eg. troallystbr.dll). You can usually find the culprit by opening the System folder choosing View->Arrange icons by->Modified, then looking near the bottom of the window.

After doing this and restarting the computer you can delete the file. You can also delete the data file favboot.dll, FavMan.dll, SysLdr.dll, mbr32.dll, im64.dll or dlh0st.dll in the same folder (it isn't a DLL at all), and the settings in the registry in the entries 'Counter', 'Server' and 'Object', hiding in HKEY_CURRENT_USER\Software\Microsoft\Windows.