 Description
IGetNet is a keyword-search service implemented as an IE
Browser Helper Object and a process run at Windows start-up.
When you enter something into the address bar, IGetNet checks
to see whether it includes keyword they have sold to one of
their advertisers. If so, it redirects you to that site; if
not it forwards you to a search engine using an IGetNet affiliate
code. searchresult.net, qcksearch.com (which is apps.webservicehost.com)
and overture.com have been seen to be used.
Variants
IGetNet/v4: original variant, installs files 'BHO.DLL',
'rsp.dll' and 'Winstart.exe' into the 'System' folder in the
Windows folder. 'Winstart.exe', run at start-up, writes entries
to the Hosts file to redirect all access to MSN or Netscape
search sites through to IGetNet's servers instead. (ignkeywords.com,
rspsearch.com.)
IGetNet/v5: works the same as v4, but the files
are now called 'BHO001.DLL', 'rsp001.dll' and 'Winstart001.exe'
and they use new class IDs internally. You can tell if you
have v5 as new IE windows will show the text 'Enter Keyword
or Web Address here' in the address bar.
IGetNet/v6: same as v5 but has extra files.
Distribution
Bundled with P2P apps and software downloaded from 'Blue
Haven Media', also installed by vCatch KazBlock and the FavoriteMan parasite.
May also be installed by ActiveX drive-by-download on pop-up
adverts.
IGetNet run an affiliate scheme at plugusin4cash.com to get
third parties to install the software.
What it does
Advertising
No, other than unexpected redirects to advertiser sites when
searching from the address bar.
Privacy violation
No.
Security issues
Yes. Can silently download and execute arbitrary code from
its controlling server, as a self-updating feature. This was
used to install ClearSearch/IECS.
Stability problems
In v4-v6, may cause IEXPLORE.EXE to hang whilst shutting
down. You will also be unable to contact the real auto.search.msn.com
and search.netscape.com directly whilst IGetNet is installed
due to the Hosts file alterations.
Removal
There is no uninstall option.
Manual removal
Before you can delete the software you must deregister its
DLLs and stop it running at startup. Open a DOS command window
(from Start->Programs->Accessories) and enter the commands
(v4 variant):
cd "%WinDir%\System"
regsvr32 /u BHO.DLL
regsvr32 /u rsp.dll
Or for the v5 or v6 variants:
cd "%WinDir%\System"
regsvr32 /u BHO001.DLL
regsvr32 /u rsp001.dll
Then open the registry (Start->Run->regedit), find
the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the 'WinStart' (v4), 'WinStart002' (v5) or 'WinStart001.exe'
(v6) entry.
Reboot the machine and you can delete the BHO, rsp and Winstart
files from the Windows\System folder.
v5 may also leave behind an installer called Install_All.dll
in this folder, which you can delete. This attempts to remove
the v4 variant of IGetNet before installing, but also disables
the address-bar-search features of other programs, including
NewDotNet, Xupiter and TargetWord.
v6 may also leave behind files Update_Hosts.DLL, Update_com.DLL,
Update_BHO.DLL, Update_RSP.DLL, Update_RemoveOld.DLL and rules.dat,
which can also be deleted.
You can also delete the registry key HKEY_CURRENT_USER\Software\VB
and VBA Program Settings\Ie Rsp to clean up if you like.
Next, find the Hosts file. This is called 'HOSTS' without
a file extension (not Hosts.SAM); it is in the Windows folder
on Windows 95/98/Me, or Windows\System32\drivers\etc\ on Windows
NT/2000/XP. Open the file with a text editor (such as Notepad);
if you have, or have previously had the v4-v6 variants, you
will have these entries, which should be removed:
216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com
216.177.73.139 ieautosearch
then save. (Sometimes the IP address on the left may be slightly
different.)
|
