Re: 030 ignkeywords igetnet follow up

[Ryan Yagatich <ryany () pantek com>]

It appears that the uninstaller does the following (at first glance)


Removes the following files:
        c:\Program Files\Internet Explorer\winstart.exe
        c:\program files\internet explorer\bho.dll
        c:\progra~1\intern~1\bho.dll
        c:\WinIE\winstart.exe
        c:\WinIE\bho.dll
        c:\WinIe\bho.dll

        %windir%\system\winstart.exe
        %windir%\system32\shell322.exe
        %windir%\system32\IGNinstaller.exe
        %windir%\system32\winstart.exe
        %windir%\winfile2.dat
        %windir%\system\rsp.dl
        %windir%\system\bho.dll
        %windir%\system32\bho.dll

Removes the following registry keys:
        
HKEY_(LOCALMACHINE|CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\{730F2451-A3FE-4A72-938C-FC8A74F15978}
        
HKEY_(LOCALMACHINE|CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\{AA76C2D7-15A9-4E80-A942-191F02BDCA91}
        
HKEY_(LOCALMACHINE|CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\{0740576F-730B-11D6-8A8B-0050BA8452C0}
        
HKEY_(LOCALMACHINE|CURRENT_USER)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper Objects\{E6B67CDC-81F8-11D6-8A8C-0050BA8452C0}

It then appears to modify:
        %windir%\hosts or %windir%\system32\drivers\etc\hosts
        to remove the lines:
                ieautosearch
                search.netscape.com
                auto.search.msn.com


and finally, creates an uninstall log in %systemdrive%


Like I mentioned, this is only a first glance, of it, and more is 
possible.

<OPINION>
In my experience, people that have these things installed on their systems 
are always 'i never installed it...'. Thats how some of these companies 
get their stuff on the target systems. Now, my theory is that everyone is 
so used to windows popping up on their screen that says 'are you sure you 
would like to save this' or 'are you really certain you would like to 
delete this file' or 'i know ive already popped up to ask you this 
question, but are you REALLY sure?', and while browsing figure 'Hey, its 
just one of those' and subconsciously click the yes button, or sometimes 
the OK button. This in turn allows certain vendors to use the MS ActiveX 
questions to their advantage because there are many people who "just click 
yes, even though they don't know what they are clicking". and by God, I'd 
even bet that they know that most of the people using their software don't 
really know about it, just for that same purpose.
This clicking yes thing, the only real way to avoid it is to not have it 
pop up to begin with, which in that case can take away the functionality 
of legit traffic. In the meantime, I usually tell my clients to install 
zone alarm (or other personal firewall) to aide in protecting them. I also 
inform them about the whole clicking yes thing too. Zone Alarm kind of 
does the same thing 'internet access requested by "foo".., Yes/No'. What 
happens? people just click yes and say 'Yeah, i didnt know what it was 
talking about, so i just clicked on yes and hoped for the best. It then 
kept comming up with the same message, so i clicked on the 'dont ask me 
anymore' thingie...This just defeats the purpose of installing the 
personal firewall to begin with, which makes it almost a waste of my time 
to recommend it.
So, we're back at square one again with 'how can i keep these people from 
clicking buttons'. You could take away all input devices and leave them 
with a monitor that is blinking 'don't touch that' in the corner, or you 
can take the approach of getting rid of the material so you don't have to 
trust them any further. Things like Zone Alarm, just do the same thing 
which can render them useless, which in turn puts you back to performing 
the suggestions previously mentioned in earlier posts.

</OPINION>


Thanks,
Ryan Yagatich  <support () pantek com>
        Pantek, Incorporated
 (877) LINUX-FIX - (440) 519-1802
===================================
9C 80 D8 81 D4 D3 79 05 85 37 BE 21
F5 2F 14 FA 63 54 C1 1A C5 77 34 FB
===================================
 If builders built buildings they
way programmers wrote programs, the
 first woodpecker that comes along
   would destroy civilization


On 11 Nov 2002, Waitman C. Gobble wrote:

> Hello all, 
>
> Below is the response I received from igetnet.com regarding their
> spyware.  (Caution I wouldn't touch their download file for nothing). 
>
> Interesting thing, apparently you can install their spyware directly
> from their web site. 
>
> HOWEVER nobody here has heard of them, and does not recall previously
> visiting the site. 
>
> Did any of you people with the ign spyware infestation install it on
> purpose? The consensus here is "No". 
>
> At first glance I don't see anything strange in the event logs on the
> machine.... 
>
>
> Best, 
>
> Waitman Gobble 
> EMK Design 
> Buena Park California 
> +1.7145222528 
> http://emkdesign.com
>
>
>
>
>
> Return-Path: <mark () igetnet com> 
> Received: from htsvr01.hightower.com (mail.igetnet.com [216.41.184.80]) 
> X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 
> content-class: urn:content-classes:message 
> Subject: uninstall 
> MIME-Version: 1.0 
> Date: 11 Nov 2002 11:44:33 -0800 
> Message-ID:
> <D01F0DCA5F1F0E4785A301199E299C512B5797 () htsvr01 hightower com> 
> X-MS-Has-Attach: 
> X-MS-TNEF-Correlator: 
> From: Mark LeGault <mark () igetnet com> 
> To: waitman () emkdesign com
>
>
> Hello  Waitman          - 
>
> To uninstall our search program, just save this file to your desktop,
> close all windows, and double-click the file. You can also download this
> same file here if you prefer: 
>
> http://www.igetnet.com/iGetNet_IGNDownloads.html
>
> Be sure all windows are closed when you run it. 
>
> Thanks, 
>
> iGetNet Customer Support 
>
>
> -----Original Message----- 
> From: Waitman C. Gobble [mailto:waitman () emkdesign com] 
> Sent: Saturday, November 09, 2002 12:04 PM 
> To: Support 
> Subject: help 
>
>
>
> Hello 
>
> Someone or some program has illegally tampered with one of my computers.
>
> Opening Internet Explorer sends me directly to ignkeywords.com, which is
> then redirected to the msn search. I did not request or authorize this
> change to my system. 
>
> When I open Internet Explorer I expect for it to go to the home page I
> have placed in the configuration settings. However, it automatically
> goes to ignkeywords.com as if the url for the home page does not exist,
> which is completely incorrect - the url does indeed exist. 
>
> I expect an explanation of why my machine was changed, how it was
> changed and how to revert my machine to its original state. 
>
> If you prefer to meet in person to discuss this matter, I am within very
> short driving distance to Irvine. 
>
> Sincerely, 
>
> Waitman Gobble 
> Buena Park California 
> 714-522-2528 
>
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com