allentech.net


Parasite: IGetNet

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

IGetNet is a keyword-search service implemented as an IE Browser Helper Object and a process run at Windows start-up.

When you enter something into the address bar, IGetNet checks whether it includes a keyword that IGetNet has sold to one of its advertisers. If so, it redirects you to that advertiser's site; if not, it forwards you to a search engine using an IGetNet affiliate code. searchresult.net, qcksearch.com (which is apps.webservicehost.com) and overture.com have been seen to be used.

Variants

IGetNet/v4: original variant, installs files ‘BHO.DLL’, ‘rsp.dll’ and ‘Winstart.exe’ into the ‘System’ folder in the Windows folder. ‘Winstart.exe’, run at start-up, writes entries to the Hosts file to redirect all access to MSN or Netscape search sites through to IGetNet’s servers instead. (ignkeywords.com, rspsearch.com.)

IGetNet/v5: works the same as v4, but the files are now called ‘BHO001.DLL’, ‘rsp001.dll’ and ‘Winstart001.exe’ and they use new class IDs internally. You can tell if you have v5 as new IE windows will show the text ‘Enter Keyword or Web Address here’ in the address bar.

IGetNet/v6: same as v5 but has extra files.

Distribution

Bundled with P2P apps and software downloaded from ‘Blue Haven Media’, also installed by vCatch KazBlock and the FavoriteMan parasite. May also be installed by ActiveX drive-by-download on pop-up adverts.

IGetNet run an affiliate scheme at plugusin4cash.com to get third parties to install the software.

What it does

Advertising

No, other than unexpected redirects to advertiser sites when searching from the address bar.

Privacy violation

No.

Security issues

Yes. Can silently download and execute arbitrary code from its controlling server, as a self-updating feature. This was used to install ClearSearch/IECS.

Stability problems

In v4-v6, may cause IEXPLORE.EXE to hang whilst shutting down. You will also be unable to contact the real auto.search.msn.com and search.netscape.com directly whilst IGetNet is installed due to the Hosts file alterations.

Removal

There is no uninstall option. Ad-Aware 5 can remove the v4 variant of the software, though you will still need to edit the Hosts file manually as below. Spybot S&D update 2003-01-05 can remove both variants.

Manual removal

Before you can delete the software you must deregister its DLLs and stop it running at startup. Open a DOS command window (from Start->Programs->Accessories) and enter the commands (v4 variant):

cd "%WinDir%\System"
regsvr32 /u BHO.DLL
regsvr32 /u rsp.dll

Or for the v5 or v6 variants:

cd "%WinDir%\System"
regsvr32 /u BHO001.DLL
regsvr32 /u rsp001.dll

Then open the registry (Start->Run->regedit), find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the ‘WinStart’ (v4), ‘WinStart002’ (v5) or ‘WinStart001.exe’ (v6) entry.

Reboot the machine and you can delete the BHO, rsp and Winstart files from the Windows\System folder.

v5 may also leave behind an installer called Install_All.dll in this folder, which you can delete. This attempts to remove the v4 variant of IGetNet before installing, but also disables the address-bar-search features of other programs, including NewDotNet, Xupiter and TargetWord.

v6 may also leave behind files Update_Hosts.DLL, Update_com.DLL, Update_BHO.DLL, Update_RSP.DLL, Update_RemoveOld.DLL and rules.dat, which can also be deleted.

You can also delete the registry key HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Ie Rsp to clean up if you like.

Next, find the Hosts file. This is called ‘HOSTS’ without a file extension (not Hosts.SAM); it is in the Windows folder on Windows 95/98/Me, or Windows\System32\drivers\etc\ on Windows NT/2000/XP. Open the file with a text editor (such as Notepad); if you have, or have previously had, the v4-v6 variants, you will have these entries, which should be removed:

216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com
216.177.73.139 ieautosearch

then save. (Sometimes the IP address on the left may be slightly different.)
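The Hosts-file check from the step above, as an added example (not part of the original page or of Andrew Clover's detection script): it matches the three hostnames listed, whatever IP address they point to, and returns the cleaned text plus the entries it dropped. The function name, the sample file and the 192.0.2.10 address are constructed for illustration; treating every mapping of these names as IGetNet's is an assumption.

```python
# Hostnames the page lists as redirected by IGetNet v4-v6 in the Hosts file.
HIJACKED = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

# Constructed sample input; only the 216.177.73.139 entries come from the page.
SAMPLE = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
216.177.73.139 auto.search.msn.com
192.0.2.10  Search.Netscape.com ieautosearch  # constructed: different IP, mixed case
10.0.0.5 fileserver.example
"""

def clean_hosts(text):
    """Return (cleaned_text, removed); removed is a list of (ip, hostname)."""
    kept, removed = [], []
    for line in text.splitlines():
        # Anything after '#' is a comment; a commented-out entry is inert.
        body, sep, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2:              # blank, comment-only or malformed line
            kept.append(line)
            continue
        ip, names = fields[0], fields[1:]
        # Match on hostname only: the page notes the IP address may differ.
        bad = [n for n in names if n.lower().rstrip(".") in HIJACKED]
        if not bad:
            kept.append(line)
            continue
        removed.extend((ip, n) for n in bad)
        good = [n for n in names if n not in bad]
        if good:                         # keep unrelated aliases on the same line
            kept.append(ip + " " + " ".join(good) + (" #" + comment if sep else ""))
    return "\n".join(kept) + "\n", removed

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE)
    for ip, name in removed:
        print("would remove: %s -> %s" % (name, ip))
    print(cleaned, end="")
```

Run it against a copy of the real Hosts file first and compare the output with the original before saving anything over it.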

Links

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
