Re: 030 ignkeywords igetnet follow up

From: Ryan Yagatich (ryanyat_private)
Date: Thu Nov 14 2002 - 10:48:13 PST


    It appears that the uninstaller does the following (at first glance)
    
    
    Removes the following files:
    	c:\Program Files\Internet Explorer\winstart.exe
    	c:\program files\internet explorer\bho.dll
    	c:\progra~1\intern~1\bho.dll
    	c:\WinIE\winstart.exe
    	c:\WinIE\bho.dll
    	c:\WinIe\bho.dll
    
    	%windir%\system\winstart.exe
    	%windir%\system32\shell322.exe
    	%windir%\system32\IGNinstaller.exe
    	%windir%\system32\winstart.exe
    	%windir%\winfile2.dat
    	%windir%\system\rsp.dl
    	%windir%\system\bho.dll
    	%windir%\system32\bho.dll
    
    Removes the following registry keys:
    	HKEY_(LOCAL_MACHINE|CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{730F2451-A3FE-4A72-938C-FC8A74F15978}
    	HKEY_(LOCAL_MACHINE|CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA76C2D7-15A9-4E80-A942-191F02BDCA91}
    	HKEY_(LOCAL_MACHINE|CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0740576F-730B-11D6-8A8B-0050BA8452C0}
    	HKEY_(LOCAL_MACHINE|CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E6B67CDC-81F8-11D6-8A8C-0050BA8452C0}
    
    It then appears to modify:
    	%windir%\hosts or %windir%\system32\drivers\etc\hosts
    	to remove the lines:
    		ieautosearch
    		search.netscape.com
    		auto.search.msn.com
    
    
    and finally, creates an uninstall log in %systemdrive%
    
    
    Like I mentioned, this is only a first glance at it, and more is 
    possible.
    
    <OPINION>
    In my experience, people that have these things installed on their systems 
    are always 'I never installed it...'. That's how some of these companies 
    get their stuff on the target systems. Now, my theory is that everyone is 
    so used to windows popping up on their screen that say 'are you sure you 
    would like to save this' or 'are you really certain you would like to 
    delete this file' or 'I know I've already popped up to ask you this 
    question, but are you REALLY sure?', and while browsing figure 'Hey, it's 
    just one of those' and subconsciously click the yes button, or sometimes 
    the OK button. This in turn allows certain vendors to use the MS ActiveX 
    questions to their advantage because there are many people who "just click 
    yes, even though they don't know what they are clicking". And by God, I'd 
    even bet that they know that most of the people using their software don't 
    really know about it, just for that same purpose.
    This clicking yes thing, the only real way to avoid it is to not have it 
    pop up to begin with, which in that case can take away the functionality 
    of legit traffic. In the meantime, I usually tell my clients to install 
    Zone Alarm (or another personal firewall) to aid in protecting them. I also 
    inform them about the whole clicking yes thing too. Zone Alarm kind of 
    does the same thing: 'internet access requested by "foo"..., Yes/No'. What 
    happens? People just click yes and say 'Yeah, I didn't know what it was 
    talking about, so I just clicked on yes and hoped for the best. It then 
    kept coming up with the same message, so I clicked on the "don't ask me 
    anymore" thingie...' This just defeats the purpose of installing the 
    personal firewall to begin with, which makes it almost a waste of my time 
    to recommend it.
    So, we're back at square one again with 'how can I keep these people from 
    clicking buttons'. You could take away all input devices and leave them 
    with a monitor that is blinking 'don't touch that' in the corner, or you 
    can take the approach of getting rid of the material so you don't have to 
    trust them any further. Things like Zone Alarm just do the same thing, 
    which can render them useless, which in turn puts you back to performing 
    the suggestions previously mentioned in earlier posts.
    
    </OPINION>
    
    
    Thanks,
    Ryan Yagatich  <supportat_private>
            Pantek, Incorporated
     (877) LINUX-FIX - (440) 519-1802
    ===================================
    9C 80 D8 81 D4 D3 79 05 85 37 BE 21
    F5 2F 14 FA 63 54 C1 1A C5 77 34 FB
    ===================================
     If builders built buildings the
    way programmers wrote programs, the
     first woodpecker that comes along
       would destroy civilization
    
    
    On 11 Nov 2002, Waitman C. Gobble wrote:
    
    >
    >Hello all, 
    >
    >Below is the response I received from igetnet.com regarding their
    >spyware.  (Caution I wouldn't touch their download file for nothing). 
    >
    >Interesting thing, apparently you can install their spyware directly
    >from their web site. 
    >
    >HOWEVER nobody here has heard of them, and does not recall previously
    >visiting the site. 
    >
    >Did any of you people with the ign spyware infestation install it on
    >purpose? The consensus here is "No". 
    >
    >At first glance I don't see anything strange in the event logs on the
    >machine.... 
    >
    >
    >Best, 
    >
    >Waitman Gobble 
    >EMK Design 
    >Buena Park California 
    >+1.7145222528 
    >http://emkdesign.com
    >
    >
    >
    >
    >
    >Return-Path: <markat_private> 
    >Received: from htsvr01.hightower.com (mail.igetnet.com [216.41.184.80]) 
    >X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 
    >content-class: urn:content-classes:message 
    >Subject: uninstall 
    >MIME-Version: 1.0 
    >Date: 11 Nov 2002 11:44:33 -0800 
    >Message-ID:
    ><D01F0DCA5F1F0E4785A301199E299C512B5797at_private> 
    >X-MS-Has-Attach: 
    >X-MS-TNEF-Correlator: 
    >From: Mark LeGault <markat_private> 
    >To: waitmanat_private
    >
    >
    >Hello  Waitman          - 
    >
    >To uninstall our search program, just save this file to your desktop,
    >close all windows, and double-click the file. You can also download this
    >same file here if you prefer: 
    >
    >http://www.igetnet.com/iGetNet_IGNDownloads.html
    >
    >Be sure all windows are closed when you run it. 
    >
    >Thanks, 
    >
    >iGetNet Customer Support 
    >
    >
    >-----Original Message----- 
    >From: Waitman C. Gobble [mailto:waitmanat_private] 
    >Sent: Saturday, November 09, 2002 12:04 PM 
    >To: Support 
    >Subject: help 
    >
    >
    >
    >Hello 
    >
    >Someone or some program has illegally tampered with one of my computers.
    >
    >Opening Internet Explorer sends me directly to ignkeywords.com, which is
    >then redirected to the msn search. I did not request or authorize this
    >change to my system. 
    >
    >When I open Internet Explorer I expect for it to go to the home page I
    >have placed in the configuration settings. However, it automatically
    >goes to ignkeywords.com as if the url for the home page does not exist,
    >which is completely incorrect - the url does indeed exist. 
    >
    >I expect an explanation of why my machine was changed, how it was
    >changed and how to revert my machine to its original state. 
    >
    >If you prefer to meet in person to discuss this matter, I am within very
    >short driving distance to Irvine. 
    >
    >Sincerely, 
    >
    >Waitman Gobble 
    >Buena Park California 
    >714-522-2528 
    >
    >
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management 
    >and tracking system please see: http://aris.securityfocus.com
    >
    
    
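A defender-side audit of the indicators in Ryan's list, added here as an example; it is not part of the original thread and is not iGetNet's uninstaller. It assumes a Windows host with PowerShell 4 or later (for Get-FileHash), expands the HKEY_(LOCALMACHINE|CURRENT_USER) shorthand to both hives, folds the 8.3 alias c:\progra~1\intern~1 into the long-name path it refers to, and only reports what is present; it removes nothing.

```powershell
# Added example, not from the original post: audit-only check for the
# BHO CLSIDs, dropped files and hosts-file lines listed in the thread.
function Get-IgnIndicators {
    [CmdletBinding()]
    param()

    # CLSIDs of the four Browser Helper Objects named in the post.
    $bhoClsids = @(
        '{730F2451-A3FE-4A72-938C-FC8A74F15978}',
        '{AA76C2D7-15A9-4E80-A942-191F02BDCA91}',
        '{0740576F-730B-11D6-8A8B-0050BA8452C0}',
        '{E6B67CDC-81F8-11D6-8A8C-0050BA8452C0}'
    )
    # HKEY_(LOCALMACHINE|CURRENT_USER) in the post means both hives.
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    # File paths from the post; c:\progra~1\intern~1\bho.dll is the same
    # file as the Program Files\Internet Explorer entry, so it is not repeated.
    $files = @(
        "$env:ProgramFiles\Internet Explorer\winstart.exe",
        "$env:ProgramFiles\Internet Explorer\bho.dll",
        "$env:SystemDrive\WinIE\winstart.exe",
        "$env:SystemDrive\WinIE\bho.dll",
        "$env:windir\system\winstart.exe",
        "$env:windir\system32\shell322.exe",
        "$env:windir\system32\IGNinstaller.exe",
        "$env:windir\system32\winstart.exe",
        "$env:windir\winfile2.dat",
        "$env:windir\system\rsp.dl",
        "$env:windir\system\bho.dll",
        "$env:windir\system32\bho.dll"
    )
    $hostsFiles   = @("$env:windir\hosts", "$env:windir\system32\drivers\etc\hosts")
    $hostsMarkers = @('ieautosearch', 'search.netscape.com', 'auto.search.msn.com')

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. BHO registrations. A BHO is loaded into every Internet Explorer
    #    process, so a CLSID under either hive is the strongest indicator.
    foreach ($root in $bhoRoots) {
        foreach ($clsid in $bhoClsids) {
            $key = Join-Path $root $clsid
            if (Test-Path -LiteralPath $key) {
                # Resolve the CLSID to the DLL it loads, if the class is registered.
                $server = Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
                $findings.Add([pscustomobject]@{
                    Type = 'BHO'; Location = $key; Detail = $server.'(default)'
                })
            }
        }
    }

    # 2. Dropped binaries, hashed so reports from several hosts can be compared.
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $findings.Add([pscustomobject]@{ Type = 'File'; Location = $f; Detail = "SHA256=$hash" })
        }
    }

    # 3. Hosts-file hijack lines. Blank and comment lines are skipped; any
    #    remaining line that mentions one of the search hostnames is flagged.
    foreach ($hf in $hostsFiles) {
        if (-not (Test-Path -LiteralPath $hf -PathType Leaf)) { continue }
        $n = 0
        foreach ($line in Get-Content -LiteralPath $hf) {
            $n++
            $t = $line.Trim()
            if ($t -eq '' -or $t.StartsWith('#')) { continue }
            foreach ($m in $hostsMarkers) {
                if ($t -like "*$m*") {
                    $findings.Add([pscustomobject]@{ Type = 'Hosts'; Location = "${hf}:$n"; Detail = $t })
                }
            }
        }
    }

    return $findings
}

# Usage: run in an elevated session so HKLM and %windir% are readable.
$result = @(Get-IgnIndicators)
if ($result.Count -eq 0) {
    Write-Output 'None of the listed iGetNet indicators are present.'
} else {
    $result | Format-Table -AutoSize
}
```

The script reads both registry hives because the post's shorthand covers both, and it resolves each CLSID through InprocServer32 so the report names the DLL actually loaded into IE rather than just the registration. Keeping the check separate from any removal lets the output be saved as evidence before the vendor's uninstaller, or manual cleanup, changes the machine.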
    



    This archive was generated by hypermail 2b30 : Fri Nov 15 2002 - 21:18:22 PST