F-One/Favoriteman

2old4this

Honorary Admin
Messages
1,658
Likes
0
My Location
Cloud Cuckoo Land
#1
Forumula-1/Favoriteman (sic) is a truly insidious bit of adware (perhaps better classified as a parasite) that hijacks your browser and can install & execute software on your PC without any further interaction or permission. It comes in under ActiveX control, or packaged with other software.

I have just managed to rid myself of this and thought I would share this info with others.

I already employ a fair range of protective measures - ZoneAlarm Pro, ad-blockers, pop-up blockers, virus checkers and suchlike. But this still crept in. Ad-Aware, widely held to be the best adware cleaner, failed to completely remove it. It took some investigation and manual cleanup to finally do the trick.

The thing manifested itself on my PC by triggering at intervals the placement of a URL on the desktop (ironically entitled "stop spyware now!"...). I'd also get screens popping up while browsing, declaring I had won a prize and bearing no relationship to the page I was at.

The cause turned out to be the FavoriteMan parasite. It propogates by hijacking the browser, and placing a file in the windows system32 directory that is called SysLdr.dll. However it is not a DLL at all. It is a list of URLS and other control information that the parasite uses. While you are browsing, a background "helper" application periodically connects to the URLs in the control file and presents ads/etc. It can also download other programs/adware and generally wreak havoc with your privacy.

Running Ad-aware found various bits and pieces relating to Favoriteman, including some registry keys. However, the very next time I used my browser, the sysldr.dll file appeared again. Clearly Ad-aware was not completely cleaning up. I also had a program (an exe!) appear as if by magic - called Exacct-something-or-other.exe, and the program was executed without my permission (imagine if this had contained malicious code rather than just adware...)

In the end I found a number of other registry keys including those of browser-helper objects that I had no idea were (*ahem*) helping me to browse. I found them by searching on "Fone" (= F1). Only when I had deleted all those classes was I able to use the browser without triggering the creation of the SysLdr file.

When I cleaned-up, I went looking for more info. Seems that this product is a derivative of (or component of) one of the most apalling bits of spyware ever deployed - the Blackstone Data Transponder (or VX2/Sputnik/Netpal). If you want to worry yourself, read this: http://www.cexx.org/vx2.htm

Other resources:
http://www.safersite.com/pestinfo/F/FavoriteMan.asp
http://hspost.com/netprick.html
http://www.spywareinfo.com/bhos/
Vendor: http://www.mindsetinteractive.com/ (mailbomb their sorry arses)
http://www.f1organizer.com (and they seem so proud of this technology too)


2old
 
Top