allentech.net


Parasite: NetPal

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

NetPal is an adware Explorer Browser Helper Object (BHO) in the System32 folder.

NetPal is operated by Vista Interactive Media (vistainteractivemedia.com), who also operate the FavoriteMan and VistaBar parasites. Vista were previously Mindset Interactive (mindseti.com), who used to control the Transponder parasite.

Variants

NetPal/NP was the original variant, released around January 2002 by Mindset. Program filename netpal.dll, data filename boot0k.dll, controlling server 207.182.237.231.

NetPal/N2 and NetPal/N3 are new versions released around December 2003 by Vista. Program filenames netpal2.dll and n3tpa1.dll respectively, data filename still boot0k.dll, controlling server 638725.net.

Also known as

PrizePopper (internal DLL name); TrackIExplore (BHO name).

The NetPal name has also been used by Vista/Mindset to refer to Transponder and its variants of the FavoriteMan parasite.

Distribution

Silently installed by the FavoriteMan trojan and bundled with other third-party software.

What it does

Advertising

At most every five minutes (or other period specified by the controlling server), opens one or more pop-under adverts.

Privacy violation

Yes. Occasionally sends full URLs being browsed, together with a unique ID that could be used to track web usage, to a server nominated by the controlling server (e.g. 207.182.237.253, nethighlights.net).

Also reads the user's e-mail address from the settings of Outlook or Outlook Express and stores it in its registry key; it is suspected but not yet observed that this is later passed back to the controlling server.

Security issues

Yes. Can silently download and execute arbitrary unsigned software as directed by the controlling server.

Stability problems

Yes. Internet Explorer hung up for random periods of time during testing.

Removal

Before you can delete the program file you will need to deregister it. Open a Command Prompt window (from the Accessories submenu of [All] Programs on the Start button) and enter the following commands, for the NP variant:

cd "%WinDir%\System"
regsvr32.exe /u netpal.dll

Or, for the N2 variant:

cd "%WinDir%\System"
regsvr32.exe /u netpal2.dll

Or, for the N3 variant:

cd "%WinDir%\System"
regsvr32.exe /u n3tpa1.dll

Restart the computer and you can delete the DLL file from the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me), along with the data file kernellos.dll (NP variant) or boot0k.dll (N2, N3 variants).

To clean up, you can also open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and delete the key HKEY_LOCAL_MACHINE\Software\Destiny.
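To confirm which variant is installed, and that nothing is left behind after the steps above, the following added example (not code from the original page) checks for the program DLLs, data files and registry key named in this record. The function names are hypothetical, and it assumes the folder layout described above (System32, or System on Windows 95/98/Me).

```python
import os
try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None

# Names as listed in this record: program DLL -> variant, plus the data files.
PROGRAM_FILES = {"netpal.dll": "NP", "netpal2.dll": "N2", "n3tpa1.dll": "N3"}
DATA_FILES = ("kernellos.dll", "boot0k.dll")
REGISTRY_KEY = r"Software\Destiny"  # under HKEY_LOCAL_MACHINE


def scan_directory(folder):
    """Return (variants, data files) found in one folder; names compared case-insensitively."""
    try:
        present = {name.lower() for name in os.listdir(folder)}
    except OSError:  # folder missing or unreadable
        return [], []
    variants = sorted(v for f, v in PROGRAM_FILES.items() if f in present)
    data = sorted(f for f in DATA_FILES if f in present)
    return variants, data


def registry_key_present():
    """True or False on Windows; None where the registry is not available."""
    if winreg is None:
        return None
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REGISTRY_KEY))
        return True
    except OSError:
        return False


def check_host(folders):
    """Combine file and registry checks; 'clean' means no listed artifact was found."""
    variants, data = set(), set()
    for folder in folders:
        found_variants, found_data = scan_directory(folder)
        variants.update(found_variants)
        data.update(found_data)
    key = registry_key_present()
    return {"variants": sorted(variants), "data_files": sorted(data),
            "registry_key": key, "clean": not (variants or data or key)}


if __name__ == "__main__":
    windir = os.environ.get("WinDir", r"C:\Windows")
    print(check_host([os.path.join(windir, d) for d in ("System32", "System")]))
```

Run it once before deregistering to see which variant's commands apply, and again after the restart and cleanup; a remaining data file or registry key shows up even when the program DLL is already gone.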

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
