
Netpal LIES!

I posted the following to Message Board One (which is now the Spyware message board) at the CounterExploitation (cexx.org) site. They are dedicated to preserving and reclaiming Internet privacy from unscrupulous companies foisting adware and spyware on unsuspecting users.

Net Pal is the worst yet of these spyware Trojans. It will load onto any machine that has any form of ActiveX at all enabled. (This can happen silently, without your realizing that you're downloading anything.) Use Tools->Internet Options ... from the IE menu and click the Security tab; click Custom Level and disable anything containing the word "ActiveX." (If you plan to use Shockwave, you may want to select Prompt instead of Disable, but it's time all these software developers wised up and scrapped this ill-conceived Microsoft hack called ActiveX!)

Net Pal will slow IE down to a crawl and make your system unstable. It's called a "Browser Helper Object," but the only people it's helping are those at Mindset Interactive who want to record every keystroke you make. This presumably includes passwords, account numbers, etc., so it really amounts to outright theft!

BTW, where I wrote "HKLRoot" below, I meant "HKCRoot"!

I originally posted this topic and its followup (I "lied" too!) to the
articles form, but I can't find any link to display them, assuming they've
been posted. Anyway, this may help anyone who's been frustrated with the
bogus removal instructions they provide on their site ...

Initial article text:

The instructions for removing Netpal (some "pal"!), both here and on
netpalnow.com, are the same as those for Blackstone Transponder. However,
they are useless - there is no IEHelper.dll, but there are the following:

\WINDOWS\SYSTEM\netpal.dll
\WINDOWS\SYSTEM\favboot.dll
\WINDOWS\SYSTEM\kernellos.dll

Do NOT try to remove these without editing the registry. Don't bother looking
for the registry key they give in their instructions, because it won't be
there, at least in the incarnation I got - apparently WITHOUT downloading
anything!

Ad-Aware, usually excellent at spotting these Trojans, was still not able to
detect this one, even after I updated the reference DB. (Of course, Ad-Aware
is also lax about the similarly insidious new.net, which it does not consider
to be spyware, despite the trouble it can cause and the surreptitious nature
of installing itself. New.net is, however, somewhat responsive to complaints
and does provide removal instructions, even if they do have an arrogant
attitude toward those who "tamper" with their software - as if they are
innocent of "tampering"!)

I backed up (exported) my registry and then removed the following folders from it:

HKLM\Software\CLASSES\CLSID\{C7ADE150-743D-11D4-8141-00E029626F6A}

HKLM\Software\CLASSES\TypeLib\{09533F03-264D-45D6-92B0-E80F52890F92}

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C7ADE150-743D-11D4-8141-00E029626F6A}

I then rebooted and renamed the files, respectively, to:

\WINDOWS\SYSTEM\netpal.dll_disable
\WINDOWS\SYSTEM\favboot.dll_disable
\WINDOWS\SYSTEM\kernellos.dll_disable

just to be on the safe side. IE now responds normally, instead of at least 10
times slower!

I've notified Lavasoft, makers of Ad-Aware, about this procedure and have
asked for their comments regarding the wisdom and completeness of my method.
I'll ask for the same kind of feedback here.

Thanks.

Followup revision:

My previous article mentioned the steps in what turned out to be a futilely
incomplete removal of "Net Prick" (as I call Net Pal) from the registry.
It kept coming back, even after 5 or 6 tries, and even after I remembered to
run scanreg /fix afterward!

After writing a program to scan my entire disk for recent files, regardless
of their attributes, and searching them for the case-insensitive string
"netpal", I was reasonably convinced that the 3 DLL files I had reported were
the only ones involved.
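The disk sweep described above (recent files, attributes ignored, case-insensitive search for a marker string) is easy to reproduce. The following is an added example and is not the author's own scanner; the `scan_recent` and `build_demo_tree` names, the marker bytes and the temporary files are all constructed here for illustration. `os.walk` returns hidden and system files regardless of their attributes, and the modification-time filter does the "recent files" part.

```python
import os
import tempfile
import time


def scan_recent(root, needle, max_age_seconds):
    """Return every regular file under `root` that was modified within
    `max_age_seconds` and whose contents contain `needle` case-insensitively.

    os.walk does not consult hidden/system attributes, so nothing is skipped
    on that basis. Unreadable files are skipped rather than aborting the scan.
    """
    needle_l = needle.lower().encode()          # ASCII marker, compared on lowered bytes
    cutoff = time.time() - max_age_seconds
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if st.st_mtime < cutoff:
                    continue                    # older than the window we care about
                with open(path, "rb") as f:
                    data = f.read()             # DLL-sized files fit comfortably in memory
            except OSError:
                continue
            if needle_l in data.lower():
                hits.append(path)
    return sorted(hits)


def build_demo_tree():
    """Construct a throwaway directory tree of sample files (constructed data,
    not real binaries): two recent files carrying the marker (one dot-prefixed
    to stand in for a hidden file), one recent clean file, and one old file
    carrying the marker that the age filter should exclude."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    sub = os.path.join(root, "SYSTEM")
    os.makedirs(sub)
    samples = {
        os.path.join(sub, "netpal.dll"): (b"MZ\x90\x00 ... NetPal ...", 0),
        os.path.join(sub, ".hidden.dll"): (b"\x00NETPAL\x00", 0),
        os.path.join(sub, "clean.dll"): (b"MZ nothing of interest", 0),
        os.path.join(root, "old.dll"): (b"netpal", 30 * 86400),  # 30 days old
    }
    for path, (content, age) in samples.items():
        with open(path, "wb") as f:
            f.write(content)
        if age:
            stamp = time.time() - age
            os.utime(path, (stamp, stamp))
    return root


def demo():
    """Scan the constructed tree for 'netpal' in files touched in the last week."""
    root = build_demo_tree()
    hits = scan_recent(root, "netpal", max_age_seconds=7 * 86400)
    return sorted(os.path.basename(p) for p in hits)


if __name__ == "__main__":
    for name in demo():
        print("flagged:", name)
```

A hit here only means the marker bytes are present; a component can carry no recognisable string at all, so an empty result is not proof of a clean disk, and a flagged file still needs to be confirmed before anything is renamed.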

What finally succeeded in keeping my system netpal-free for 18 hours (as
opposed to as little as a few minutes or as much as 8 hours on previous
attempts) was the discovery of 3 key folders I had overlooked before:
HKLRoot\CLSID\{C7ADE150-743D-11D4-8141-00E029626F6A}
HKLMachine\Software\Classes\TrackIExplore
HKLMachine\Software\Classes\TrackIExplore.1
(Note that these are in addition to all the keys I had mentioned in my prior
article. It bears repeating that you should always perform an Export before
messing with the registry!)

As soon as you've deleted all of these keys and exited, you should restart in
MS-DOS mode and enter the command SCANREG /FIX from the command line. It can
be a time-consuming process - worse than SCANDISK - but it's necessary for
rebuilding the binary version of the registry, as stored in the hidden file
C:\WINDOWS\SYSTEM.DAT.

When scanreg completes, you can safely reboot normally into Windows and
rename the 3 DLL files (which is preferable to outright deletion in terms
of recoverability, in case anything goes wrong). Actually, as long as you're
still in DOS mode, you might as well rename them there from the command line.
I'm assuming that anyone brave enough to use regedit is also literate enough
to know DOS!

Here's some additional information: apparently, from what I've read on the Lavasoft/Ad-Aware IkonBoard, \WINDOWS\SYSTEM\ofrg.dll may also be related to netpal. It's a BHO called FavoriteMan. I removed it as follows:

I've removed ofrg by deleting the following keys:
HKCR\CLSID\{139D88E5-C372-469D-B4C5-1FE00852AB9B}
HKCR\CLSID\{DA5E961F-F519-403C-9744-0D4376B1B0B5}
HKCR\Favorite.FavoriteMan
HKCR\Favorite.FavoriteMan.1
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{139D88E5-C372-469D-B4C5-1FE00852AB9B}
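The two key lists above follow the same pattern: a BHO is loaded because its CLSID is listed under `...\CurrentVersion\explorer\Browser Helper Objects`, and that CLSID resolves to a DLL through `CLSID\{...}\InprocServer32`. Since the author recommends exporting the registry first, the export itself can be used to check that linkage offline. The following is an added example, not code from the original post; it parses a REGEDIT4-style export, lists every BHO registration and resolves each to its DLL, reporting entries whose CLSID has no `InprocServer32` (the situation left behind when only part of a set of keys has been removed). The sample export is constructed: it reuses the CLSIDs and the netpal.dll path reported on this page, while the default value text and `ThreadingModel` are assumed, and the second BHO's CLSID registration is deliberately omitted to show the orphan case.

```python
import re

# Constructed sample export in Windows 9x regedit (REGEDIT4) format. Backslashes
# in string values are doubled, exactly as regedit writes them.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C7ADE150-743D-11D4-8141-00E029626F6A}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{139D88E5-C372-469D-B4C5-1FE00852AB9B}]

[HKEY_CLASSES_ROOT\CLSID\{C7ADE150-743D-11D4-8141-00E029626F6A}]
@="TrackIExplore Class"

[HKEY_CLASSES_ROOT\CLSID\{C7ADE150-743D-11D4-8141-00E029626F6A}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\netpal.dll"
"ThreadingModel"="Apartment"
"""

BHO_KEY = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\"
HEADER_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " (any escaped char)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse an export into {key_path: {value_name: value}}.

    String values are unescaped; dword:/hex: values are kept as raw text.
    The default value of a key is stored under the empty name "".
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else unescape(m.group(2))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_bhos(keys):
    """Return [(clsid, dll_path_or_None)] for every BHO entry in the export.

    Registry paths are case-insensitive, so lookups are done on lowered keys.
    The CLSID may be registered under HKCR or under HKLM\\Software\\Classes.
    """
    lowered = {k.lower(): v for k, v in keys.items()}
    results = []
    for path in keys:
        idx = path.lower().find(BHO_KEY.lower())
        if idx == -1:
            continue
        clsid = path[idx + len(BHO_KEY):].split("\\")[0]
        if not clsid.startswith("{"):
            continue
        dll = None
        for hive in ("HKEY_CLASSES_ROOT\\CLSID\\",
                     "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\"):
            server = lowered.get((hive + clsid + "\\InprocServer32").lower(), {})
            if "" in server:
                dll = server[""]
                break
        results.append((clsid, dll))
    return results


def report(text):
    """Human-readable one line per BHO; orphans (no InprocServer32) are marked."""
    lines = []
    for clsid, dll in find_bhos(parse_reg(text)):
        lines.append(f"{clsid} -> {dll if dll else 'ORPHAN: no InprocServer32 found'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REG)))
```

Running this over a real export (`regedit /e export.reg` on Windows 9x) gives a quick inventory of everything Internet Explorer will load as a BHO and which file each entry points at, which is the list to check before touching any keys. An orphaned entry is the footprint of a half-finished removal; a resolved entry pointing at an unfamiliar DLL in the system directory is what to investigate next.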

While I was at it, I also deleted some remaining keys to FTAPP that were
missed by Ad-Aware, including BRedObj, so that I now have no BHO's.
However, deleting that one was just an educated guess.  Does anybody
know whether it was a mistake?  My system is still somewhat unstable,
but with a Microsoft OS (Win 98), it's often hard to tell what's a
Trojan and what's a bug in the OS itself!  
:P

I later added the following discovery:

*** THE PLOT THICKENS! ***

After reading rOD's post referring to "exe_in_dll", I checked my registry
once again, and Voila!

HKCR\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}
HKLM\Software\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}

Both of these refer to \WINDOWS\SYSTEM\CTB2.DLL.  There is also a CTBHOOKS.DLL
in the same directory.  (In case you don't recognize "CTB", it stands for
clickthebutton.)
(I should have called it "prickthebutton"!)
When I tried to remove the second key (HKLM), I was told that there was an
error reading and deleting it, but when I exited and returned, it was gone
anyway.  (What more can I expect from software written by Microsoft?!?!
Their crummy OS - and ActiveX - is a big part of the problem in the first
place!)

Finally, I did a search for CTB and came up with
HKLM\Software\CTB_BrandedClient\54
which contains the following entries:
OfferTS_Campaign://pc.offer.popup/54/amazon/1
OfferTS_Campaign://pc.offer.popup/54/fastclick/1
OfferTS_Campaign://pc.offer.popup/54/FuzzyPhone/2334
OfferTS_Campaign://pc.offer.popup/54/FuzzyPhoneFlash/2335
OfferTS_Campaign://pc.offer.popup/54/LastChance/4567
OfferTS_Campaign://pc.offer.popup/54/LowerMyBills/3445
OfferTS_Campaign://pc.offer.popup/54/Orbitz/1789
OfferTS_Campaign://pc.offer.popup/54/popuptraffic/1
OfferTS_Campaign://pc.offer.popup/54/revenuelink/1
There's also a GUID there.

I've already written amazon.com to let them know what I think of their
association with scumbags and threatened to take my business elsewhere.

I guess the next step I take should be to generalize the programs I've
written to search for likely spyware components and post both the source
and the binary on my website, as a public service!  (I can't promise how
soon this will occur.)

Jerry 

I've adapted a program I had used myself to screen for potentially suspect files, to make it more generally useful. It's a console (command-line) app, so I hope you're comfortable using the MS-DOS prompt - Windows programming is overkill for utilities like this.

Please do *not* delete any files merely on the basis of being flagged by this program!

I've also included the source code, so that those who have their own compilers may modify the program, if necessary, to suit their own needs; there's also a sample input file.

Please read the information on the page before downloading. The page is at http://hspost.com/scanall-download.
