allentech.net

Parasite: NetworkEssentials

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

Network Essentials consists of an Internet Explorer Browser Helper Object (BHO), which monitors URLs being viewed in the web browser, and a separate process, which updates the list of targeted sites and downloads and displays pop-up adverts when directed to do so by the BHO.

Variants

NetworkEssentials/NE is the first variant, storing its files in ‘Program Files\Network Essentials’. The pop-up process is a separate task which can be killed from the task manager but is respawned by the BHO periodically. The controlling server is download.smartpops.com.

NetworkEssentials/ME is a newer variant using ‘Program Files\MediaLoads Enhanced’ to store a single DLL (with the process’s previous functions built-in). Controlling server is mp.medialoads.com.

NetworkEssentials/RH misleadingly describes itself as a Windows hotfix, living in ‘Program Files\Recommended Hotfix - 421701D’. Controlling server is download.smartpops.com.

NetworkEssentials/SCBar builds a search toolbar and search-/error-page-hijacker into the DLL, targeted at search.searchenhancement.com, controlling server adserv.searchenhancement.com, stored in ‘Program Files\scbar’.

NetworkEssentials/Winex is an update to SCBar targeted at search.windowenhancer.com, controlling server adserv.windowenhancer.com, stored in ‘Program Files\winex’.

NetworkEssentials/SearchExe is another SCBar update targeted at search.search-exe.com, controlling server adserv.search-exe.com, stored in ‘Program Files\se’.

NetworkEssentials/MS is a simple hijacker EXE targeted at search.media-search.net, stored in ‘Program Files\msnet’. (Note: a file called msnet.exe stored in the System folder instead of here is not NetworkEssentials/MS, but most likely a sign of infection by the Boa keylogger trojan.)

Also known as

Hopper (the internal name of the process), SmartPops (the object name of the BHO in the NE variant), MediaPops (the object name in the ME variant), MediaLoads Enhanced (folder name of the ME variant, referring to an alias of DownloadWare).

The SCBar, Winex and SearchExe variants are also known as the family SCBar/SearchEnhancement, SCBar/Winex and SCBar/SearchExe.

Distribution

The NE, ME and RH variants are installed by the DownloadWare parasite.

What it does

Advertising

Yes. Opens both periodic non-targeted pop-up adverts, as directed by its controlling servers, and targeted keyword-triggered pop-ups during browsing.

Privacy violation

None known.

Security issues

Yes, in the SCBar, Winex, SearchExe and MS variants. These can connect to their controlling servers to download and execute arbitrary unsigned code, as a self-updating mechanism.

Stability problems

None known.

Removal

Please check your system for DownloadWare and remove it before removing Network Essentials. Otherwise it is possible DownloadWare could re-install it, along with much other questionable software.

There may be an entry in the Control Panel’s Add/Remove Programs list to remove NetworkEssentials, called ‘NetworkEssentials’ (NE variant), ‘MediaLoads Enhanced’ (ME variant), ‘Recommended Hotfix - 421701D’ (RH variant), or - sometimes - ‘WebEnh’ (SCBar variant). Other variants will need to be removed manually.

You may also like to delete the registry keys ‘Updater’ and ‘Hopper’ or ‘MediaLoads Enhanced’ in HKEY_CURRENT_USER\Software after the reset to clean up.

Finally there is a ‘Digital Signature’ HTML file which Network Essentials puts in your Windows directory when it gets installed, which claims you have agreed to some terms and conditions you will never have seen! You can delete this.

Manual removal

The software installs itself into a folder inside Program Files. Before you can delete it you must ensure the BHO and/or process stored in the folder are no longer running.

ME variant

The filename of the DLL can vary depending on the version of the software installed. To find out which you have, open the ‘MediaLoads Enhanced’ folder inside Program Files. So far, ‘ME1.DLL’ and ‘ME2.DLL’ have been seen.

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the commands:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\MediaLoads Enhanced\ME1.DLL"

Change the number in ‘ME1’ if necessary to match the filename you found.

NE, RH, SCBar, Winex, SearchExe, MSNet variants

Inside the relevant Program Files folder there will be a folder whose number varies depending on the version of the software installed. To find out which version you have, open the folder ‘Network Essentials’ (NE variant), ‘Recommended Hotfix - 421701D’ (RH variant), ‘scbar’ (SCBar variant), ‘winex’ (Winex variant), ‘SE’ (SearchExe variant) or ‘msnet’ (MS variant) inside the Program Files folder.

You should see a folder whose name begins with ‘v’. ‘v8’, ‘v11’, ‘v15’ and ‘v16’ have been seen for the NE variant; ‘v14’ and ‘v15’ have been seen for RH; ‘v1’, ‘v2’ and ‘v9’ have been seen for SCBar; ‘v2’ and ‘v9’ for Winex; ‘v2’, ‘v9’ and ‘v11’ for SearchExe; ‘v9’ for MSNet.

NE, RH, SCBar, Winex, SearchExe variants

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the commands, for the NE variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Network Essentials\vN\NE.DLL"

Or for the RH variant:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Recommended Hotfix - 421701D\vN\RH.DLL"

Or for SCBar:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\scbar\vN\scbar.dll"

Or for Winex:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\winex\vN\winex.dll"

Or for SearchExe:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\se\vN\se.dll"

In whichever of the above commands you used, substitute the number you found for ‘vN’.

SCBar, Winex, SearchExe, MSNet variants

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. In the list on the right, right-click-and-Delete the entry ‘SearchEnhancement’ (SCBar variant), ‘WindowEnhancer’ (Winex variant), ‘Search-Exe’ (SearchExe variant) or ‘Media-Search’ (MS variant).

All variants

Reboot the computer and you should be able to delete the folder ‘Network Essentials’ (NE variant), ‘MediaLoads Enhanced’ (ME variant), ‘Recommended Hotfix - 421701D’ (RH variant), ‘scbar’ (SCBar variant), ‘winex’ (Winex variant), ‘SE’ (SearchExe variant) or ‘msnet’ (MS variant) inside the Program Files folder.
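
The manual-removal steps above, worked through as a small planner that maps the folders and Run values found on a machine to the commands to type. This is an added example, not the page's detection script or anything from its author; `removal_plan`, the `not-MS` key and the sample names are assumptions made for illustration, and the sample inventory is constructed.

```python
import re

# Indicators transcribed from this page: variant -> (folder under Program Files,
# DLL to unregister or None, Run value name or None).
VARIANTS = {
    "NE": ("Network Essentials", "NE.DLL", None),
    "RH": ("Recommended Hotfix - 421701D", "RH.DLL", None),
    "SCBar": ("scbar", "scbar.dll", "SearchEnhancement"),
    "Winex": ("winex", "winex.dll", "WindowEnhancer"),
    "SearchExe": ("se", "se.dll", "Search-Exe"),
    "MS": ("msnet", None, "Media-Search"),
    "ME": ("MediaLoads Enhanced", None, None),
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

def removal_plan(program_files, run_values, system_files=()):
    """Hypothetical helper: program_files maps folder name -> child names."""
    folders = {n.lower(): (n, kids) for n, kids in program_files.items()}
    runs = {v.lower() for v in run_values}
    plan = {}
    for variant, (folder, dll, run_name) in VARIANTS.items():
        if folder.lower() not in folders:
            continue
        name, kids = folders[folder.lower()]
        if variant == "ME":
            # ME keeps one DLL directly in its folder (ME1.DLL, ME2.DLL seen).
            targets = [k for k in kids if re.fullmatch(r"ME\d+\.DLL", k, re.I)]
        else:
            # The others use a version subfolder whose name begins with 'v'.
            vdirs = sorted(k for k in kids if re.fullmatch(r"v\d+", k, re.I))
            targets = [v + "\\" + dll for v in vdirs] if dll else []
        steps = ['cd "%WinDir%\\System"'] if targets else []
        steps += ['regsvr32 /u "\\Program Files\\%s\\%s"' % (name, t) for t in targets]
        if run_name and run_name.lower() in runs:
            steps.append("delete value '%s' under %s" % (run_name, RUN_KEY))
        steps.append("reboot, then delete \\Program Files\\" + name)
        plan[variant] = steps
    if "msnet.exe" in {f.lower() for f in system_files}:
        # Page caveat: msnet.exe in the System folder is not NetworkEssentials/MS.
        plan["not-MS"] = ["msnet.exe in System folder: investigate separately"]
    return plan

# Constructed sample inventory (not taken from a real machine).
SAMPLE_DIRS = {"SCBAR": ["v9"], "MediaLoads Enhanced": ["ME2.DLL", "readme.txt"]}
SAMPLE_RUN = ["SearchEnhancement", "ctfmon"]

if __name__ == "__main__":
    for variant, steps in removal_plan(SAMPLE_DIRS, SAMPLE_RUN, ["msnet.exe"]).items():
        print(variant, *steps, sep="\n  ")
```

As the Removal section says, check for and remove DownloadWare before acting on any of these steps.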

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
