allentech.net


Parasite: DownloadWare

This record last updated Tue Sep 20 2005 03:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

DownloadWare is a process that runs on Windows startup. If a network connection is available it will connect to its servers, which can direct it to download and install software from advertisers.

It may be installed through an ActiveX control called ActiveInstall, which decodes and runs a built-in executable and then tries to remove itself. This executable can include DownloadWare and often a ‘MediaCharger’ dialler from Movie Networks, Movie Place, SwimSuitNetworks, Popcorn.net, MVPNetworks or Real-Tens [sic].

The parasite detection script on this site can only detect the ActiveInstall control. When DownloadWare is loaded and running, this site cannot detect it. If you have ActiveInstall, DownloadWare is probably not yet fully installed; see ‘Partial removal’ to deal with this case.

Variants

DownloadWare/DW: original version, stored in ‘Program Files\DownloadWare’, filename dw.exe, controlling server fordaleltd.com.

DownloadWare/SED: version associated with NetworkEssentials/RH, around 2004. Stored in ‘Program Files\SED’, filename SED.exe.

Also known as

MediaLoads or ClipGenie. This is actually an application loaded by DownloadWare which shows any videos or pictures DW has downloaded. However DownloadWare is also now being marketed under both these names as well as its own.

Distribution

Installed by ActiveX drive-by-download using the ActiveInstall control on web pages, usually pop-up advertisements displayed through internetfuel.

It is also distributed bundled with programs such as Kazaa and Grokster, and installed by the Look2Me/Notify parasite. There is no ActiveInstall control in these cases.

What it does

Advertising

No.

Privacy violation

No.

Security issues

Yes. The software is designed to execute arbitrary code from advertisers. The downloads are not code-signed, so systems are vulnerable to DNS poisoning attacks and attacks on the controlling servers, but the code it deliberately installs is so disreputable anyway that this probably isn’t too big a deal.

Stability problems

Many users have reported crashes on Windows start-up caused by Dw.exe.

The EULA, when found, claims that it may clash with various other software and so if it finds any it will remove it. (!)

Removal

There is an Add/Remove Programs entry, for ‘DownloadWare’, but it may sometimes not work (at least it failed for me in Windows 2000).

As well as removing DownloadWare you should check your system for other things it has installed and get rid of them too. This may include:

  • NetworkEssentials
  • PAgent - scans your hard drive for the popular P2P file-sharing applications bearshare.exe, grokster.exe, kazaa.exe, limewire.exe and morpheus.exe. After searching the entire local filesystem for any files with those names, it connects to the DownloadWare servers and tells them what, if anything, it found. To remove, run regedit and go to:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    and remove the "PAgent" value. Open the Task Manager (Ctrl-Alt-Delete) and kill PAgent if it is still running. You can now delete the ‘PAgent’ folder in your Program Files directory. You can also clean up the key HKEY_CURRENT_USER\Software\PAgent if you like.

  • Casino games (Vegas Palms, Royal Vegas) - large installation of gambling games. Use Add/Remove Programs to remove it. A key will be left in the registry under HKLM\Software\MicroGaming which you can remove if you wish.
  • KFH or MLH - lurks in the background and every so often launches a very large Flash advert, for Vegas Palms, Royal Vegas or Five Roses casinos. Go to Add/Remove Programs and get rid of the entry with the name of the casino followed by ‘- Launcher’. Kill the task (Task Manager) and you can delete the ‘KFH’ or ‘MLH’ folder in your Program Files directory. You can also clean up the ‘KFH’ or ‘MLH’ subkey of HKEY_LOCAL_MACHINE\Software in the registry if you like.
  • MediaLoads - downloads various pointless pictures and videos in the background if you ask it to, otherwise harmless. Remove from Add/Remove Programs. An empty Program Files folder and an entry in your Start menu will be left which you can delete if you want, along with the HKEY_CURRENT_USER\Software\MediaLoads registry key.
  • WinEME - purpose unknown. It has mail-sending capability, and can send through any mail server set up in Outlook Express, but what it sends and when is so far a mystery.

Finally, check for a folder called ‘MedCh’, along with ‘MovieNetworks’, ‘Popcorn.net’ and ‘Real-Tens’ folders in Program Files - one of these or others may have come with the original ActiveInstall. If you find one of these, delete it and check your Dial-up Networking connections for a ‘dialer’ entry. Remove it - if you dial it, it will cost you a lot of money.

Manual removal

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. In the right-hand side list, right-click and delete the entry ‘DownloadWare’ (DW variant) or ‘SESync’ (SED variant).

You can also delete the ‘DownloadWare’ and ‘WebInstall’ keys in HKEY_CURRENT_USER\Software\ if you like.

Reboot the computer and you should be able to delete the ‘DownloadWare’ (DW variant) or ‘SED’ (SED variant) folder in Program Files.

Partial installs

On Windows NT/2000/XP the ActiveInstall executable may get stuck trying to remove itself. If this happens there will be an entry called something like ‘insNNNN.tmp’ (NNNN being a number) in the registry ‘Run’ key above. You should delete this, and the temporary file it points to.

On Windows 95/98/Me, the removal is instead done by adding a ‘rename’ section to ‘WININIT.INI’ in the Windows directory - try checking for and removing this section if you have a partial install. Again, the insNNNN.tmp file it mentions will be sitting in the Temp directory which you can clean out whilst you’re there.
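
A read-only check for the indicators named in the removal steps above, as an added example (not part of the original record or of the site's detection script). It assumes the Run key has been exported with regedit and read in as text, and that you have a list of Program Files folder names and, on Windows 95/98/Me, the contents of WININIT.INI; the sample data is constructed.

```python
import re

# Indicators taken from the record above (Run-key value names, Program Files folders).
RUN_VALUES = {"downloadware": "DownloadWare (DW variant)",
              "sesync": "DownloadWare (SED variant)",
              "pagent": "PAgent"}
FOLDERS = {"downloadware", "sed", "pagent", "kfh", "mlh", "medch",
           "movienetworks", "popcorn.net", "real-tens"}
PARTIAL = re.compile(r"ins\d+\.tmp", re.I)  # stuck ActiveInstall self-removal
VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample: a regedit export of the Run key, already decoded to text.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DownloadWare"="C:\\Program Files\\DownloadWare\\dw.exe"
"ins4521.tmp"="C:\\WINNT\\Temp\\ins4521.tmp"
"SomeUpdater"="C:\\Program Files\\Vendor\\update.exe"
'''

def parse_run_key(reg_text):
    """Return {value name: data} for the ...\\CurrentVersion\\Run section only."""
    values, in_run = {}, False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            in_run = line.lower().endswith("\\currentversion\\run]")
        elif in_run and (m := VALUE.match(line)):
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def audit(reg_text, program_files_dirs, wininit_text=""):
    """List (kind, name, reason) findings; nothing is modified or deleted."""
    findings = []
    for name, data in parse_run_key(reg_text).items():
        if name.lower() in RUN_VALUES:
            findings.append(("run-value", name, RUN_VALUES[name.lower()]))
        elif PARTIAL.search(name) or PARTIAL.search(data):
            findings.append(("run-value", name, "partial ActiveInstall removal"))
    for folder in program_files_dirs:
        if folder.lower() in FOLDERS:
            findings.append(("folder", folder, "folder named in this record"))
    section = None
    for line in map(str.strip, wininit_text.splitlines()):  # Windows 95/98/Me
        if line.startswith("["):
            section = line.lower()
        elif section == "[rename]" and PARTIAL.search(line):
            findings.append(("wininit", line, "pending insNNNN.tmp removal"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, ["SED", "Common Files", "MedCh"]):
        print(finding)
```

Folder-name matches are only leads: confirm the contents before deleting anything, since a folder such as ‘SED’ could belong to unrelated software.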

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
