Limited Time!
Totally FREE Web Design!
Click here!

Parasite: InetSpeak

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

InetSpeak is a Browser Helper Object that adds a non-removable band of advertising and/or links below the standard IE toolbars.

Variants

• InetSpeak/BHO42602, first version;
• InetSpeak/WindowsIE, updated version with different names (by ‘ESD Technologies’);
• InetSpeak/Iexplorr, as WindowsIE but different filename and class ID. (There are at least three different subvariants, /A, /B and /C, which differ only in class ID.)
• InetSpeak/Iexplorr2, InetSpeak/Iexplorr23: as before but a new filename as well as class ID.
• InetSpeak/eBoom, version showing a search box and links to eboom.com.

Also known as

JaypeeSysBHO, by Ad-Aware, as the author given in the BHO42602 variant is ‘Jaypee Systems’. boombar, filename of eBoom variant.

Distribution

BHO42602 was included in Music Magnet, a free file-sharing program which appears to be a copy of Gnucleus. Installs just before the setup program is run.

The WindowsIE variant is known to have been distributed under the name ‘Free Morpheus Upgrade Suite’ as well as being bundled with later versions of Music Magnet and other software by the same authors.

The eBoom variant is an ActiveX drive-by-download on pages purporting to offer services like free e-mail and phone calls.

Other variants are typically installed under the guise of ‘accelerators’ or ‘spyware removers’ for the file-sharing software Kazaa.

What it does

Advertising

Yes. Advertising and link content is fetched from the controlling servers (eg. musicmagnet.com, eboom.com) when a new page is loaded, and displayed on newly-opened IE windows.

Privacy violation

No. The servers currently do not attempt to track users (through cookies etc.), and the only targeting the adware has been observed to do is fetching a different ad page when it thinks porn sites are being browsed or searched for.

Security issues

None known.

Stability problems

None known.

Removal

There is no uninstall feature. Ad-Aware 5.81 and up, and Spybot S&D 0.95b6 and up can remove the BHO42602 variant.

Manual removal

The DLL responsible for InetSpeak is located in different places depending on variant. In installs from Music Magnet (BHO42602, WindowsIE), it is in the folder you chose to install the software from: by default this is ‘C:\Program Files\mm(some numeric date)’.

In the ‘Morpheus Upgrade’ release of InetSpeak/WindowsIE, the file is in C:\Windows instead. In the eBoom variant, the file is in the Internet Explorer folder (in C:\Program Files, regardless of whether that is the drive/folder you are using).

Before you can delete the file you must deregister it using the ‘regsvr32 /u’ command. Open up a DOS/command prompt window (Start -> Programs -> Accessories), and enter (for the BHO42602 variant):

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\mm050102\BHO42602.dll"

For the WindowsIE variant, the commands are:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\mm052202\WindowsIE.dll"

Or, if you have the version that installs into the Windows folder:

cd "%WinDir%\System"
regsvr32 /u "C:\Windows\WindowsIE.dll"

For the Iexplorr variant:

cd "%WinDir%\System"
regsvr32 /u "..\iexplorr11.dll"

For the Iexplorr2 variant:

cd "%WinDir%\System"
regsvr32 /u "..\iexplorr22.dll"

For the Iexplorr23 variant:

cd "%WinDir%\System"
regsvr32 /u "..\iexplorr23.dll"

For the eBoom variant:

cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\Internet Explorer\boombar.dll"

Reset the machine and you should be able to delete the DLL, and the whole mm(number) folder if you have one. You can also delete ‘winietoolbar.ini’ in the Windows folder to clean up.