Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Adware.IGetNet

Adware.IGetNet

Updated:
February 13, 2007
Version:
4.0
Publisher:
IGetNet
Risk Impact:
High
File Names:
Bho001.dll Rsp001.dll Winstart001.exe
Systems Affected:
Windows

Behavior


Adware.IGetNet is an adware program that redirects certain Web pages to www.igetnet.com.

Symptoms


  • The files are detected as Adware.IGetNet.
  • When you go to auto.search.msn.com, search.netscape.com, or ieautosearch, you are redirected to www.igetnet.com.


Behavior


This adware program must be manually installed. However, there are several known programs that have Adware.IGetNet within them, and that install it as the program itself is installed.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version May 17, 2017 revision 023
  • Initial Daily Certified version August 18, 2003
  • Latest Daily Certified version May 18, 2017 revision 002
  • Initial Weekly Certified release date August 20, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Adware.IGetNet is an adware program that has two components: One executable file and one Browser Helper Object. When this adware is executed, it does the following:
  1. Inserts the following files:

    • %System%\BHO001.dll
    • %System%\RSP001.dll
    • %System%\Winstart001.exe
    • %System%\Update_Com.DLL
    • %System%\NLNP13.exe
    • %Temp%\etherXXXXa01400

      Notes:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

  2. Creates the following registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\
    Browser Helper Objects\{730F2451-A3FE-4A72-938C-FC8A74F15978
    HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}
    HKEY_LOCAL_MACHINE\software\Classes\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}
    HKEY_LOCAL_MACHINE\software\Classes\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}
    HKEY_LOCAL_MACHINE\software\Classes\BHO.clsUrlSearch
    HKEY_LOCAL_MACHINE\software\Classes\BHO.clsDockWindow
    HKEY_LOCAL_MACHINE\software\Classes\BHO.clslnetSpeak
    HKEY_LOCAL_MACHINE\software\Classes\Rsp.BizLgk

  3. Adds the value:

    "Winstart001.exe" = "%system%\Winstart001.exe –boot"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs when you start Windows.

  4. May create some of the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
    HKEY_CLASSES_ROOT\Interface\{18333387-5082-4710-94DF-9600CF6B2D5B}
    HKEY_CLASSES_ROOT\Interface\{676058E3-89BD-11D6-8A8C-0050BA8452C0}
    HKEY_CLASSES_ROOT\Interface\{F94C0089-9394-4E44-B4EA-58DBA1F7B84E}
    HKEY_CLASSES_ROOT\Interface\{3c8cde30-d013-4093-b00e-adbc74f33315}
    HKEY_CLASSES_ROOT\TypeLib\{676058DB-89BD-11D6-8A8C-0050BA8452C0}
    HKEY_CLASSES_ROOT\TypeLib\{974CC25E-D62C-4278-84E6-A806726E37BC}
    HKEY_CLASSES_ROOT\TypeLib\{ACBA087F-1547-41DE-8E9E-3F0963CE4BEF}

  5. Modifies the Hosts file with the following text:

    216.177.73.139 auto.search.msn.com
    216.177.73.139 search.netscape.com
    216.177.73.139 Ieautosearch

  6. Causes the browser to go to the IP address, 216.177.73.139, when any of the following domain names are entered:

    • auto.search.msn.com
    • search.netscape.com
    • Ieautosearch

      Note: The IP address, 216.177.73.139, belongs to the server for www.igetnet.com.

  7. Checks IGetNet.com when a search is entered in Web browser to see if the keyword has been paid for by an advertiser.

  8. Redirects the browser to the advertiser that paid for the keyword. If the keyword entered is not a paid for keyword, the browser will be redirected to the search page to which it initially tried to go.



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended.
  1. Update the definitions.
  2. Reverse the changes that the adware made to the registry.
  3. Restart the computer in Safe mode or VGA mode.
  4. Run a full system scan and delete all the files detected as Adware.IGetNet.
  5. Delete the text that was added to the Hosts file.

For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.


2. Reversing the changes that the adware made to the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.
  1. Click Start, and then click Run.
  2. Type regedit

    Then click OK.

  3. Browse to and delete the following keys if they exist:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\
    Browser Helper Objects\{730F2451-A3FE-4A72-938C-FC8A74F15978
    HKEY_CLASSES_ROOT\BHO.clsUrlSearch
    HKEY_CLASSES_ROOT\Rsp.BizLgk
    HKEY_CLASSES_ROOT\CLSID\{60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
    HKEY_CLASSES_ROOT\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}
    HKEY_CLASSES_ROOT\CLSID\{730F2451-A3FE-4A72-938C-FC8A74F15978}
    HKEY_CLASSES_ROOT\CLSID\{676058E4-89BD-11D6-8A8C-0050BA8452C0}
    HKEY_CLASSES_ROOT\Interface\{18333387-5082-4710-94DF-9600CF6B2D5B}
    HKEY_CLASSES_ROOT\Interface\{676058E3-89BD-11D6-8A8C-0050BA8452C0}
    HKEY_CLASSES_ROOT\Interface\{F94C0089-9394-4E44-B4EA-58DBA1F7B84E}
    HKEY_CLASSES_ROOT\Interface\{3c8cde30-d013-4093-b00e-adbc74f33315}
    HKEY_CLASSES_ROOT\TypeLib\{676058DB-89BD-11D6-8A8C-0050BA8452C0}
    HKEY_CLASSES_ROOT\TypeLib\{974CC25E-D62C-4278-84E6-A806726E37BC}
    HKEY_CLASSES_ROOT\TypeLib\{ACBA087F-1547-41DE-8E9E-3F0963CE4BEF}

  4. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  5. In the right pane, delete the value if it exists:

    "Winstart001.exe" = "%system%\Winstart001.exe –boot"

  6. Exit the Registry Editor.


3. Restarting the computer in Safe mode or VGA mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
  • For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
  • For Windows NT 4 users, restart the computer in VGA mode.


4. Scanning for and deleting the infected files
  1. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
  2. Run a full system scan.
  3. If any files are detected as Adware.IGetNet, click Delete.

5. Deleting the text that was added to the Hosts file
All the computers will not have this file, and the location can vary. For example, if the file exists in Windows 98, it will usually be in C:\Windows; and in Windows 2000, it is in the C:\WINNT\SYSTEM32\DRIVERS\ETC folder. Also, there may be multiple copies of this file in different locations.

The most efficient way to locate the file is to search for it.

Follow the instructions for your operating system:
  • Windows 95/98/Me/NT/2000
    1. Click Start, point to Find or Search, and then click Files or Folders.
    2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
    3. In the "Named" or "Search for..." box, type:

      hosts

    4. Click Find Now or Search Now.
    5. For each one that you find, right-click it, and then click "Open With."
    6. Deselect the "Always use this program to open this program" check box.
    7. Scroll through the list of programs and double-click Notepad.
    8. Look for the following lines and delete them, if found:

      216.177.73.139 auto.search.msn.com
      216.177.73.139 search.netscape.com
      216.177.73.139 Ieautosearch

    9. Close Notepad and save your changes when prompted.

  • Windows XP
    1. Click Start, and then click Search.
    2. Click All files and folders.
    3. In the "All or part of the file name" box, type:

      hosts

    4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
    5. Click "More advanced options."
    6. Check "Search system folders."
    7. Check "Search subfolders."
    8. Click Search.
    9. Click Find Now or Search Now.
    10. For each one that you find, right-click it, and then click "Open With."
    11. Deselect the "Always use this program to open this program" check box.
    12. Scroll through the list of programs and double-click Notepad.
    13. Look for the following lines and delete them, if found:

      216.177.73.139 auto.search.msn.com
      216.177.73.139 search.netscape.com
      216.177.73.139 Ieautosearch

    14. Close Notepad and save your changes when prompted.